fix webhook configuration

Author: Diaphteiros

api/core/v1alpha1/pwconfig_types.go

@@ -3,7 +3,6 @@ package v1alpha1
 import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 // ProjectWorkspaceConfigSpec defines the desired state of ProjectWorkspaceConfig
@@ -54,12 +53,6 @@ type WebhookConfig struct {
 	// Disabled specifies whether the webhooks should be disabled.
 	// +optional
 	Disabled bool `json:"disabled"`
-	// TargetPort is the port of the pod the webhook server listens on.
-	// May be a port number or a named port of the pod.
-	// Defaults to 9443, if not specified.
-	// +kubebuilder:validation:XIntOrString
-	// +optional
-	TargetPort *intstr.IntOrString `json:"targetPort,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -76,12 +69,7 @@ func init() {
 }
 
 // SetDefaults sets the default values for the project workspace configuration when not set.
-func (pwc *ProjectWorkspaceConfig) SetDefaults() {
-	if pwc.Spec.Webhook.TargetPort == nil || pwc.Spec.Webhook.TargetPort.IntValue() == 0 {
-		defaultPort := intstr.FromInt(9443)
-		pwc.Spec.Webhook.TargetPort = &defaultPort
-	}
-}
+func (pwc *ProjectWorkspaceConfig) SetDefaults() {}
 
 // Validate validates the project workspace configuration.
 func (pwc *ProjectWorkspaceConfig) Validate() error {

api/core/v1alpha1/zz_generated.deepcopy.go

@@ -132,15 +132,6 @@ spec:
                     description: Disabled specifies whether the webhooks should be
                       disabled.
                     type: boolean
-                  targetPort:
-                    anyOf:
-                    - type: integer
-                    - type: string
-                    description: |-
-                      TargetPort is the port of the pod the webhook server listens on.
-                      May be a port number or a named port of the pod.
-                      Defaults to 9443, if not specified.
-                    x-kubernetes-int-or-string: true
                 type: object
               workspace:
                 description: WorkspaceConfig contains the configuration for workspaces.

api/crds/manifests/core.openmcp.cloud_projectworkspaceconfigs.yaml

@@ -1,20 +1,22 @@
 package app
 
 import (
-	"context"
 	"fmt"
 	"os"
 
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/spf13/cobra"
 
 	"github.com/openmcp-project/controller-utils/pkg/clusters"
 	"github.com/openmcp-project/controller-utils/pkg/logging"
-	openmcpconst "github.com/openmcp-project/openmcp-operator/api/constants"
+)
+
+const (
+	// WebhookPortPod is the port the webhook server listens on in the pod.
+	WebhookPortPod = 9443
+	// WebhookPortSvc is the port the webhook service exposes.
+	WebhookPortSvc = 443
 )
 
 func NewPlatformServiceProjectWorkspaceCommand() *cobra.Command {
@@ -85,39 +87,3 @@ func (o *SharedOptions) Complete() error {
 
 	return nil
 }
-
-func resolveWebhookPort(ctx context.Context, platformClusterClient client.Client, targetPort intstr.IntOrString) (int, error) {
-	log := logging.FromContextOrDiscard(ctx)
-	webhookPort := targetPort.IntValue()
-	if webhookPort == 0 {
-		// this should only have happened if the user configured a named port
-		portName := targetPort.StrVal
-		if portName == "" {
-			return 0, fmt.Errorf("invalid webhook target port configuration: %v", targetPort)
-		}
-		log.Info("Resolving webhook port from named port", "portName", portName)
-		pod := &corev1.Pod{}
-		pod.Name = os.Getenv(openmcpconst.EnvVariablePodName)
-		pod.Namespace = os.Getenv(openmcpconst.EnvVariablePodNamespace)
-		if pod.Name == "" || pod.Namespace == "" {
-			return 0, fmt.Errorf("environment variables %s and %s must be set to resolve webhook port from named port", openmcpconst.EnvVariablePodName, openmcpconst.EnvVariablePodNamespace)
-		}
-		if err := platformClusterClient.Get(ctx, client.ObjectKey{Name: pod.Name, Namespace: pod.Namespace}, pod); err != nil {
-			return 0, fmt.Errorf("unable to get pod '%s/%s' to resolve webhook port from named port: %w", pod.Namespace, pod.Name, err)
-		}
-		namedPorts := pod.Spec.Containers[0].Ports
-		found := false
-		for _, p := range namedPorts {
-			if p.Name == portName {
-				webhookPort = int(p.ContainerPort)
-				found = true
-				log.Info("Resolved webhook port from named port", "portName", portName, "port", webhookPort)
-				break
-			}
-		}
-		if !found {
-			return 0, fmt.Errorf("unable to find named port '%s' in pod '%s/%s' to resolve webhook port", portName, pod.Namespace, pod.Name)
-		}
-	}
-	return webhookPort, nil
-}

cmd/project-workspace-operator/app/app.go

@@ -9,6 +9,7 @@ import (
 	"github.com/spf13/cobra"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -150,18 +151,13 @@ func (o *InitOptions) Run(ctx context.Context) error {
 		return fmt.Errorf("unable to determine webhook secret name: %w", err)
 	}
 
-	webhookPort, err := resolveWebhookPort(ctx, o.PlatformCluster.Client(), *pwc.Spec.Webhook.TargetPort)
-	if err != nil {
-		return err
-	}
-
 	// setup gateway for webhooks
 	dnsInstance := &dns.Instance{
 		Name:            whServiceName,
 		Namespace:       providerSystemNamespace,
 		SubDomainPrefix: "pwo-webhooks",
 		BackendName:     whServiceName,
-		BackendPort:     int32(webhookPort),
+		BackendPort:     int32(WebhookPortSvc),
 	}
 	dnsReconciler := dns.NewReconciler()
 	timeout := 3 * time.Minute
@@ -214,8 +210,9 @@ func (o *InitOptions) Run(ctx context.Context) error {
 		webhooks.WithWebhookService{Name: whServiceName, Namespace: providerSystemNamespace},
 		webhooks.WithWebhookSecret{Name: whSecretName, Namespace: providerSystemNamespace},
 		webhooks.WithRemoteClient{Client: onboardingCluster.Client()},
+		webhooks.WithWebhookServicePort(WebhookPortSvc),
 		webhooks.WithManagedWebhookService{
-			TargetPort: *pwc.Spec.Webhook.TargetPort,
+			TargetPort: intstr.FromInt32(WebhookPortPod),
 			SelectorLabels: map[string]string{
 				"app.kubernetes.io/component":  "controller",
 				"app.kubernetes.io/managed-by": "openmcp-operator",
@@ -224,11 +221,14 @@ func (o *InitOptions) Run(ctx context.Context) error {
 			},
 		},
 	}
+	if o.PlatformCluster.RESTConfig().Host != onboardingCluster.RESTConfig().Host {
+		// create a URL-based webhook otherwise
+		opts = append(opts, webhooks.WithCustomBaseURL(fmt.Sprintf("https://%s:%d", gatewayResult.HostName, WebhookPortSvc)))
+	}
 
 	// webhook options we might or might not support at a later time
 	/*
 		opts = append(opts, webhooks.WithoutCA)
-		opts = append(opts, webhooks.WithCustomBaseURL("todo"))
 		opts = append(opts, webhooks.WithCustomCA{todo})
 	*/
 

cmd/project-workspace-operator/app/init.go

@@ -309,14 +309,9 @@ func (o *RunOptions) Run(ctx context.Context) error {
 		}
 	}
 
-	webhookPort, err := resolveWebhookPort(ctx, o.PlatformCluster.Client(), *pwc.Spec.Webhook.TargetPort)
-	if err != nil {
-		return err
-	}
-
 	webhookServer := webhook.NewServer(webhook.Options{
 		TLSOpts: o.WebhookTLSOpts,
-		Port:    webhookPort,
+		Port:    WebhookPortPod,
 	})
 
 	mgr, err := ctrl.NewManager(onboardingCluster.RESTConfig(), ctrl.Options{

cmd/project-workspace-operator/app/run.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/openmcp-project/controller-utils/pkg/clusters"
-	"github.com/openmcp-project/controller-utils/pkg/controller"
 	"github.com/openmcp-project/controller-utils/pkg/logging"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/utils/ptr"
@@ -226,6 +225,5 @@ func getBaseDomain(gateway *gatewayv1.Gateway) (string, bool) {
 }
 
 func getHostName(baseDomain string, instance *Instance) string {
-	subDomain := controller.NameHashSHAKE128Base32(instance.Name, instance.Namespace)
-	return fmt.Sprintf("%s-%s.%s", instance.SubDomainPrefix, subDomain, baseDomain)
+	return fmt.Sprintf("%s.%s", instance.SubDomainPrefix, baseDomain)
 }