OSD-24266 : Disabled IDMS/ICSP validatingwebhook in HCP

samanthajayasinghe · samanthajayasinghe · commit 00f46b72cf62 · 2024-07-23T13:32:52.000+12:00
diff --git a/config/package/resources.yaml.gotmpl b/config/package/resources.yaml.gotmpl
@@ -173,48 +173,6 @@ webhooks:
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
-metadata:
-  annotations:
-    package-operator.run/phase: webhooks
-    service.beta.openshift.io/inject-cabundle: "false"
-  creationTimestamp: null
-  name: sre-imagecontentpolicies-validation
-webhooks:
-- admissionReviewVersions:
-  - v1
-  clientConfig:
-    caBundle: '{{.config.serviceca | b64enc }}'
-    url: https://validation-webhook.{{.package.metadata.namespace}}.svc.cluster.local/imagecontentpolicies-validation
-  failurePolicy: Fail
-  matchPolicy: Equivalent
-  name: imagecontentpolicies-validation.managed.openshift.io
-  rules:
-  - apiGroups:
-    - config.openshift.io
-    apiVersions:
-    - '*'
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - imagedigestmirrorsets
-    - imagetagmirrorsets
-    scope: Cluster
-  - apiGroups:
-    - operator.openshift.io
-    apiVersions:
-    - '*'
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - imagecontentsourcepolicies
-    scope: Cluster
-  sideEffects: None
-  timeoutSeconds: 2
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
     package-operator.run/phase: webhooks
diff --git a/pkg/webhooks/imagecontentpolicies/imagecontentpolicies.go b/pkg/webhooks/imagecontentpolicies/imagecontentpolicies.go
@@ -170,7 +170,7 @@ func (w *ImageContentPoliciesWebhook) ClassicEnabled() bool {
 }
 
 func (w *ImageContentPoliciesWebhook) HypershiftEnabled() bool {
-	return true
+	return false
 }
 
 // authorizeImageDigestMirrorSet should reject an ImageDigestMirrorSet that matches an unauthorized mirror list
diff --git a/pkg/webhooks/imagecontentpolicies/imagecontentpolicies_test.go b/pkg/webhooks/imagecontentpolicies/imagecontentpolicies_test.go
@@ -504,6 +504,13 @@ func TestImageContentPolicy(t *testing.T) {
 					t.Errorf("expected allowed request with code: %d, got %d", http.StatusForbidden, resp.Result.Code)
 				}
 			}
+
+			enabled := hook.HypershiftEnabled()
+
+			if enabled {
+				t.Error("expected to disable in hypershift")
+			}
+
 		})
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -170,7 +170,7 @@ func (w *ImageContentPoliciesWebhook) ClassicEnabled() bool {`
`170`	`170`	`}`
`171`	`171`
`172`	`172`	`func (w *ImageContentPoliciesWebhook) HypershiftEnabled() bool {`
`173`		`- return true`
	`173`	`+ return false`
`174`	`174`	`}`
`175`	`175`
`176`	`176`	`// authorizeImageDigestMirrorSet should reject an ImageDigestMirrorSet that matches an unauthorized mirror list`
Original file line number	Diff line number	Diff line change
`@@ -504,6 +504,13 @@ func TestImageContentPolicy(t *testing.T) {`
`504`	`504`	`t.Errorf("expected allowed request with code: %d, got %d", http.StatusForbidden, resp.Result.Code)`
`505`	`505`	`}`
`506`	`506`	`}`
	`507`	`+`
	`508`	`+ enabled := hook.HypershiftEnabled()`
	`509`	`+`
	`510`	`+ if enabled {`
	`511`	`+ t.Error("expected to disable in hypershift")`
	`512`	`+ }`
	`513`	`+`
`507`	`514`	`})`
`508`	`515`	`}`
`509`	`516`	`}`