operator-framework
diff --git a/‎crds/operators.coreos.com_clusterserviceversions.yaml‎
Lines changed: 142 additions & 0 deletions b/‎crds/operators.coreos.com_clusterserviceversions.yaml‎
Lines changed: 142 additions & 0 deletions
diff --git a/‎crds/zz_defs.go‎
Lines changed: 7 additions & 7 deletions b/‎crds/zz_defs.go‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎pkg/operators/v1/operatorgroup_types.go‎
Lines changed: 26 additions & 1 deletion b/‎pkg/operators/v1/operatorgroup_types.go‎
Lines changed: 26 additions & 1 deletion
diff --git a/‎pkg/operators/v1alpha1/clusterserviceversion_types.go‎
Lines changed: 95 additions & 0 deletions b/‎pkg/operators/v1alpha1/clusterserviceversion_types.go‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎pkg/operators/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 70 additions & 0 deletions b/‎pkg/operators/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 70 additions & 0 deletions
@@ -8374,6 +8374,148 @@ spec:
               description: OperatorVersion is a wrapper around semver.Version which
                 supports correct marshaling to YAML and JSON.
               type: string
+            webhookdefinitions:
+              type: array
+              items:
+                description: WebhookDescription provides details to OLM about required
+                  webhooks
+                type: object
+                required:
+                - admissionReviewVersions
+                - name
+                - sideEffects
+                - type
+                properties:
+                  admissionReviewVersions:
+                    type: array
+                    items:
+                      type: string
+                  containerPort:
+                    type: integer
+                    format: int32
+                  deploymentName:
+                    type: string
+                  failurePolicy:
+                    type: string
+                  matchPolicy:
+                    description: MatchPolicyType specifies the type of match policy
+                    type: string
+                  name:
+                    type: string
+                  objectSelector:
+                    description: A label selector is a label query over a set of resources.
+                      The result of matchLabels and matchExpressions are ANDed. An
+                      empty label selector matches all objects. A null label selector
+                      matches no objects.
+                    type: object
+                    properties:
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector
+                          requirements. The requirements are ANDed.
+                        type: array
+                        items:
+                          description: A label selector requirement is a selector
+                            that contains values, a key, and an operator that relates
+                            the key and values.
+                          type: object
+                          required:
+                          - key
+                          - operator
+                          properties:
+                            key:
+                              description: key is the label key that the selector
+                                applies to.
+                              type: string
+                            operator:
+                              description: operator represents a key's relationship
+                                to a set of values. Valid operators are In, NotIn,
+                                Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: values is an array of string values. If
+                                the operator is In or NotIn, the values array must
+                                be non-empty. If the operator is Exists or DoesNotExist,
+                                the values array must be empty. This array is replaced
+                                during a strategic merge patch.
+                              type: array
+                              items:
+                                type: string
+                      matchLabels:
+                        description: matchLabels is a map of {key,value} pairs. A
+                          single {key,value} in the matchLabels map is equivalent
+                          to an element of matchExpressions, whose key field is "key",
+                          the operator is "In", and the values array contains only
+                          "value". The requirements are ANDed.
+                        type: object
+                        additionalProperties:
+                          type: string
+                  reinvocationPolicy:
+                    description: ReinvocationPolicyType specifies what type of policy
+                      the admission hook uses.
+                    type: string
+                  rules:
+                    type: array
+                    items:
+                      description: RuleWithOperations is a tuple of Operations and
+                        Resources. It is recommended to make sure that all the tuple
+                        expansions are valid.
+                      type: object
+                      properties:
+                        apiGroups:
+                          description: APIGroups is the API groups the resources belong
+                            to. '*' is all groups. If '*' is present, the length of
+                            the slice must be one. Required.
+                          type: array
+                          items:
+                            type: string
+                        apiVersions:
+                          description: APIVersions is the API versions the resources
+                            belong to. '*' is all versions. If '*' is present, the
+                            length of the slice must be one. Required.
+                          type: array
+                          items:
+                            type: string
+                        operations:
+                          description: Operations is the operations the admission
+                            hook cares about - CREATE, UPDATE, or * for all operations.
+                            If '*' is present, the length of the slice must be one.
+                            Required.
+                          type: array
+                          items:
+                            type: string
+                        resources:
+                          description: "Resources is a list of resources this rule
+                            applies to. \n For example: 'pods' means pods. 'pods/log'
+                            means the log subresource of pods. '*' means all resources,
+                            but not subresources. 'pods/*' means all subresources
+                            of pods. '*/scale' means all scale subresources. '*/*'
+                            means all resources and their subresources. \n If wildcard
+                            is present, the validation rule will ensure resources
+                            do not overlap with each other. \n Depending on the enclosing
+                            object, subresources might not be allowed. Required."
+                          type: array
+                          items:
+                            type: string
+                        scope:
+                          description: scope specifies the scope of this rule. Valid
+                            values are "Cluster", "Namespaced", and "*" "Cluster"
+                            means that only cluster-scoped resources will match this
+                            rule. Namespace API objects are cluster-scoped. "Namespaced"
+                            means that only namespaced resources will match this rule.
+                            "*" means that there are no scope restrictions. Subresources
+                            match the scope of their parent resource. Default is "*".
+                          type: string
+                  sideEffects:
+                    type: string
+                  timeoutSeconds:
+                    type: integer
+                    format: int32
+                  type:
+                    description: WebhookAdmissionType is the type of admission webhooks
+                      supported by OLM
+                    type: string
+                  webhookPath:
+                    type: string
         status:
           description: ClusterServiceVersionStatus represents information about the
             status of a pod. Status may trail the actual state of a system.
 
@@ -108,7 +108,32 @@ func (o *OperatorGroup) HasServiceAccountSynced() bool {
 // GetLabel returns a label that is applied to Namespaces to signify that the
 // namespace is a part of the OperatorGroup using selectors.
 func (o *OperatorGroup) GetLabel() string {
-	return fmt.Sprintf(OperatorGroupLabelTemplate, o.GetNamespace(), o.GetName())
+	key, _ := o.OGLabelKeyAndValue()
+	return key
+}
+
+// OGLabelKeyAndValue returns a key and value that should be applied to namespaces listed in the OperatorGroup.
+func (o *OperatorGroup) OGLabelKeyAndValue() (string, string) {
+	return fmt.Sprintf(OperatorGroupLabelTemplate, o.GetNamespace(), o.GetName()), ""
+}
+
+// NamespaceLabelSelector provides a selector that can be used to filter namespaces that belong to the OperatorGroup.
+func (o *OperatorGroup) NamespaceLabelSelector() *metav1.LabelSelector {
+	if len(o.Spec.TargetNamespaces) == 0 {
+		// If no target namespaces are set, check if a selector exists.
+		if o.Spec.Selector != nil {
+			return o.Spec.Selector
+		}
+		// No selector exists, return nil which should be used to select EVERYTHING.
+		return nil
+	}
+	// Return a label that should be present on all namespaces defined in the OperatorGroup.Spec.TargetNamespaces field.
+	ogKey, ogValue := o.OGLabelKeyAndValue()
+	return &metav1.LabelSelector{
+		MatchLabels: map[string]string{
+			ogKey: ogValue,
+		},
+	}
 }
 
 // IsOperatorGroupLabel returns true if the label is an OperatorGroup label.
 
@@ -4,6 +4,9 @@ import (
 	"encoding/json"
 	"fmt"
 	"sort"
+	"strings"
+
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 
 	appsv1 "k8s.io/api/apps/v1"
 	rbac "k8s.io/api/rbac/v1"
@@ -148,6 +151,87 @@ func (d APIServiceDescription) GetName() string {
 	return fmt.Sprintf("%s.%s", d.Version, d.Group)
 }
 
+// WebhookAdmissionType is the type of admission webhooks supported by OLM
+type WebhookAdmissionType string
+
+const (
+	// ValidatingAdmissionWebhook is for validating admission webhooks
+	ValidatingAdmissionWebhook WebhookAdmissionType = "ValidatingAdmissionWebhook"
+	// MutatingAdmissionWebhook is for mutating admission webhooks
+	MutatingAdmissionWebhook WebhookAdmissionType = "MutatingAdmissionWebhook"
+)
+
+// WebhookDescription provides details to OLM about required webhooks
+// +k8s:openapi-gen=true
+type WebhookDescription struct {
+	Name                    string                                          `json:"name"`
+	Type                    WebhookAdmissionType                            `json:"type"`
+	DeploymentName          string                                          `json:"deploymentName,omitempty"`
+	ContainerPort           int32                                           `json:"containerPort,omitempty"`
+	Rules                   []admissionregistrationv1.RuleWithOperations    `json:"rules,omitempty"`
+	FailurePolicy           *admissionregistrationv1.FailurePolicyType      `json:"failurePolicy,omitempty"`
+	MatchPolicy             *admissionregistrationv1.MatchPolicyType        `json:"matchPolicy,omitempty"`
+	ObjectSelector          *metav1.LabelSelector                           `json:"objectSelector,omitempty"`
+	SideEffects             *admissionregistrationv1.SideEffectClass        `json:"sideEffects"`
+	TimeoutSeconds          *int32                                          `json:"timeoutSeconds,omitempty"`
+	AdmissionReviewVersions []string                                        `json:"admissionReviewVersions"`
+	ReinvocationPolicy      *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
+	WebhookPath             *string                                         `json:"webhookPath,omitempty"`
+}
+
+// GetValidatingWebhook returns a ValidatingWebhook generated from the WebhookDescription
+func (w *WebhookDescription) GetValidatingWebhook(namespace string, namespaceSelector *metav1.LabelSelector, caBundle []byte) admissionregistrationv1.ValidatingWebhook {
+	return admissionregistrationv1.ValidatingWebhook{
+		Name:                    w.Name,
+		Rules:                   w.Rules,
+		FailurePolicy:           w.FailurePolicy,
+		MatchPolicy:             w.MatchPolicy,
+		NamespaceSelector:       namespaceSelector,
+		ObjectSelector:          w.ObjectSelector,
+		SideEffects:             w.SideEffects,
+		TimeoutSeconds:          w.TimeoutSeconds,
+		AdmissionReviewVersions: w.AdmissionReviewVersions,
+		ClientConfig: admissionregistrationv1.WebhookClientConfig{
+			Service: &admissionregistrationv1.ServiceReference{
+				Name:      w.DomainName() + "-service",
+				Namespace: namespace,
+				Path:      w.WebhookPath,
+			},
+			CABundle: caBundle,
+		},
+	}
+}
+
+// GetMutatingWebhook returns a MutatingWebhook generated from the WebhookDescription
+func (w *WebhookDescription) GetMutatingWebhook(namespace string, namespaceSelector *metav1.LabelSelector, caBundle []byte) admissionregistrationv1.MutatingWebhook {
+	return admissionregistrationv1.MutatingWebhook{
+		Name:                    w.Name,
+		Rules:                   w.Rules,
+		FailurePolicy:           w.FailurePolicy,
+		MatchPolicy:             w.MatchPolicy,
+		NamespaceSelector:       namespaceSelector,
+		ObjectSelector:          w.ObjectSelector,
+		SideEffects:             w.SideEffects,
+		TimeoutSeconds:          w.TimeoutSeconds,
+		AdmissionReviewVersions: w.AdmissionReviewVersions,
+		ClientConfig: admissionregistrationv1.WebhookClientConfig{
+			Service: &admissionregistrationv1.ServiceReference{
+				Name:      w.DomainName() + "-service",
+				Namespace: namespace,
+				Path:      w.WebhookPath,
+			},
+			CABundle: caBundle,
+		},
+		ReinvocationPolicy: w.ReinvocationPolicy,
+	}
+}
+
+// DomainName returns the result of replacing all periods in the given Webhook name with hyphens
+func (w *WebhookDescription) DomainName() string {
+	// Replace all '.'s with "-"s to convert to a DNS-1035 label
+	return strings.Replace(w.DeploymentName, ".", "-", -1)
+}
+
 // CustomResourceDefinitions declares all of the CRDs managed or required by
 // an operator being ran by ClusterServiceVersion.
 //
@@ -174,6 +258,7 @@ type ClusterServiceVersionSpec struct {
 	Maturity                  string                    `json:"maturity,omitempty"`
 	CustomResourceDefinitions CustomResourceDefinitions `json:"customresourcedefinitions,omitempty"`
 	APIServiceDefinitions     APIServiceDefinitions     `json:"apiservicedefinitions,omitempty"`
+	WebhookDefinitions        []WebhookDescription      `json:"webhookdefinitions,omitempty"`
 	NativeAPIs                []metav1.GroupVersionKind `json:"nativeAPIs,omitempty"`
 	MinKubeVersion            string                    `json:"minKubeVersion,omitempty"`
 	DisplayName               string                    `json:"displayName"`
@@ -280,8 +365,18 @@ const (
 	CSVReasonInterOperatorGroupOwnerConflict             ConditionReason = "InterOperatorGroupOwnerConflict"
 	CSVReasonCannotModifyStaticOperatorGroupProvidedAPIs ConditionReason = "CannotModifyStaticOperatorGroupProvidedAPIs"
 	CSVReasonDetectedClusterChange                       ConditionReason = "DetectedClusterChange"
+	CSVReasonUnsupportedWebhookRules                     ConditionReason = "UnsupportedWebhookRules"
 )
 
+// HasCaResources returns true if the CSV has owned APIServices or Webhooks.
+func (c *ClusterServiceVersion) HasCAResources() bool {
+	// Return early if there are no owned APIServices
+	if len(c.Spec.APIServiceDefinitions.Owned)+len(c.Spec.WebhookDefinitions) == 0 {
+		return false
+	}
+	return true
+}
+
 // Conditions appear in the status as a record of state transitions on the ClusterServiceVersion
 type ClusterServiceVersionCondition struct {
 	// Condition of the ClusterServiceVersion