From 05e5d1c2784bdd076d8413386cd74027d875ccc1 Mon Sep 17 00:00:00 2001 From: Per Goncalves da Silva Date: Thu, 4 Sep 2025 13:33:08 +0200 Subject: [PATCH] UPSTREAM: Update webhook ote tests to use latest webhook-operator Signed-off-by: Per Goncalves da Silva --- .../experimental-e2e/experimental_e2e_test.go | 2 +- ...horization.k8s.io_v1beta1_clusterrole.yaml | 8 +- ...ebhook-operator.clusterserviceversion.yaml | 432 ++++++++++-------- ...hook.operators.coreos.io_webhooktests.yaml | 336 ++++++++++---- 4 files changed, 497 insertions(+), 281 deletions(-) diff --git a/test/experimental-e2e/experimental_e2e_test.go b/test/experimental-e2e/experimental_e2e_test.go index eba429b913..234d73d8db 100644 --- a/test/experimental-e2e/experimental_e2e_test.go +++ b/test/experimental-e2e/experimental_e2e_test.go @@ -180,7 +180,7 @@ func TestWebhookSupport(t *testing.T) { t.Log("By waiting for webhook-operator deployment to be available") require.EventuallyWithT(t, func(ct *assert.CollectT) { deployment := &appsv1.Deployment{} - require.NoError(ct, c.Get(t.Context(), types.NamespacedName{Namespace: namespace.GetName(), Name: "webhook-operator-webhook"}, deployment)) + require.NoError(ct, c.Get(t.Context(), types.NamespacedName{Namespace: namespace.GetName(), Name: "webhook-operator-controller-manager"}, deployment)) available := false for _, cond := range deployment.Status.Conditions { if cond.Type == appsv1.DeploymentAvailable { diff --git a/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook-operator-metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml b/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook-operator-metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml index 20f88a1595..2394392b68 100644 --- a/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook-operator-metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml +++ b/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook-operator-metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml @@ -4,7 +4,7 @@ metadata: creationTimestamp: null name: webhook-operator-metrics-reader rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - nonResourceURLs: + - /metrics + verbs: + - get diff --git a/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook-operator.clusterserviceversion.yaml b/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook-operator.clusterserviceversion.yaml index 26506bd532..902ce0ca91 100644 --- a/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook-operator.clusterserviceversion.yaml +++ b/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook-operator.clusterserviceversion.yaml @@ -8,224 +8,274 @@ metadata: "apiVersion": "webhook.operators.coreos.io/v1", "kind": "WebhookTest", "metadata": { - "name": "webhooktest-sample", - "namespace": "webhook-operator-system" + "labels": { + "app.kubernetes.io/managed-by": "kustomize", + "app.kubernetes.io/name": "webhook-operator" + }, + "name": "webhooktest-sample" }, - "spec": { - "valid": true - } + "spec": null + }, + { + "apiVersion": "webhook.operators.coreos.io/v2", + "kind": "WebhookTest", + "metadata": { + "labels": { + "app.kubernetes.io/managed-by": "kustomize", + "app.kubernetes.io/name": "webhook-operator" + }, + "name": "webhooktest-sample" + }, + "spec": null } ] capabilities: Basic Install - operators.operatorframework.io/builder: operator-sdk-v1.0.0 - operators.operatorframework.io/project_layout: go + createdAt: "2025-09-04T14:17:32Z" + operators.operatorframework.io/builder: operator-sdk-v1.40.0+git + operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 name: webhook-operator.v0.0.1 namespace: placeholder spec: apiservicedefinitions: {} customresourcedefinitions: owned: - - kind: WebhookTest - name: webhooktests.webhook.operators.coreos.io - version: v1 + - description: WebhookTest is the Schema for the webhooktests API + displayName: Webhook Test + kind: WebhookTest + name: webhooktests.webhook.operators.coreos.io + version: v1 + - description: WebhookTest is the Schema for the webhooktests API + displayName: Webhook Test + kind: WebhookTest + name: webhooktests.webhook.operators.coreos.io + version: v2 description: Webhook Operator description. TODO. displayName: Webhook Operator icon: - - base64data: "" - mediatype: "" + - base64data: "" + mediatype: "" install: spec: clusterPermissions: - - rules: - - apiGroups: - - webhook.operators.coreos.io - resources: - - webhooktests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - webhook.operators.coreos.io - resources: - - webhooktests/status - verbs: - - get - - patch - - update - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - serviceAccountName: default + - rules: + - apiGroups: + - webhook.operators.coreos.io + resources: + - webhooktests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - webhook.operators.coreos.io + resources: + - webhooktests/finalizers + verbs: + - update + - apiGroups: + - webhook.operators.coreos.io + resources: + - webhooktests/status + verbs: + - get + - patch + - update + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + serviceAccountName: webhook-operator-controller-manager deployments: - - name: webhook-operator-webhook - spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - strategy: {} - template: - metadata: - labels: + - label: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: webhook-operator + control-plane: controller-manager + name: webhook-operator-controller-manager + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: webhook-operator control-plane: controller-manager - spec: - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: {} - - args: - - --metrics-addr=127.0.0.1:8080 - - --enable-leader-election - command: - - /manager - image: quay.io/olmtest/webhook-operator:0.0.3 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - resources: - requests: - cpu: 100m - memory: 20Mi - terminationGracePeriodSeconds: 10 + strategy: {} + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + app.kubernetes.io/name: webhook-operator + control-plane: controller-manager + spec: + containers: + - args: + - --leader-elect + - --health-probe-bind-address=:8081 + - --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs + command: + - /manager + image: quay.io/olmtest/webhook-operator:0.0.4 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-certs + readOnly: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: webhook-operator-controller-manager + terminationGracePeriodSeconds: 10 + volumes: + - name: webhook-certs + secret: + secretName: webhook-server-cert permissions: - - rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch - - apiGroups: - - "" - resources: - - events - verbs: - - create - serviceAccountName: default + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: webhook-operator-controller-manager strategy: deployment installModes: - - supported: false - type: OwnNamespace - - supported: false - type: SingleNamespace - - supported: false - type: MultiNamespace - - supported: true - type: AllNamespaces + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces keywords: - - webhook-operator + - webhook-operator links: - - name: Webhook Operator - url: https://webhook-operator.domain + - name: Webhook Operator + url: https://webhook-operator.domain maintainers: - - email: your@email.com - name: Maintainer Name + - email: your@email.com + name: Maintainer Name maturity: alpha provider: name: Provider Name url: https://your.domain version: 0.0.1 webhookdefinitions: - - admissionReviewVersions: - - v1beta1 - - v1 - containerPort: 443 - targetPort: 4343 - deploymentName: webhook-operator-webhook - failurePolicy: Fail - generateName: vwebhooktest.kb.io - rules: - - apiGroups: - - webhook.operators.coreos.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - webhooktests - sideEffects: None - type: ValidatingAdmissionWebhook - webhookPath: /validate-webhook-operators-coreos-io-v1-webhooktest - - admissionReviewVersions: - - v1beta1 - - v1 - containerPort: 443 - targetPort: 4343 - deploymentName: webhook-operator-webhook - failurePolicy: Fail - generateName: mwebhooktest.kb.io - rules: - - apiGroups: - - webhook.operators.coreos.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - webhooktests - sideEffects: None - type: MutatingAdmissionWebhook - webhookPath: /mutate-webhook-operators-coreos-io-v1-webhooktest - - admissionReviewVersions: - - v1beta1 - - v1 - containerPort: 443 - targetPort: 4343 - deploymentName: webhook-operator-webhook - failurePolicy: Fail - generateName: cwebhooktest.kb.io - rules: - - apiGroups: - - webhook.operators.coreos.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - webhooktests - sideEffects: None - type: ConversionWebhook - webhookPath: /convert - conversionCRDs: - - webhooktests.webhook.operators.coreos.io + - admissionReviewVersions: + - v1 + containerPort: 443 + conversionCRDs: + - webhooktests.webhook.operators.coreos.io + deploymentName: webhook-operator-controller-manager + generateName: cwebhooktests.kb.io + sideEffects: None + targetPort: 9443 + type: ConversionWebhook + webhookPath: /convert + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: webhook-operator-controller-manager + failurePolicy: Fail + generateName: mwebhooktest-v1.kb.io + rules: + - apiGroups: + - webhook.operators.coreos.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - webhooktests + sideEffects: None + targetPort: 9443 + type: MutatingAdmissionWebhook + webhookPath: /mutate-webhook-operators-coreos-io-v1-webhooktest + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: webhook-operator-controller-manager + failurePolicy: Fail + generateName: vwebhooktest-v1.kb.io + rules: + - apiGroups: + - webhook.operators.coreos.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - webhooktests + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-webhook-operators-coreos-io-v1-webhooktest diff --git a/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook.operators.coreos.io_webhooktests.yaml b/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook.operators.coreos.io_webhooktests.yaml index 9c52620395..0f936d9621 100644 --- a/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook.operators.coreos.io_webhooktests.yaml +++ b/testdata/images/bundles/webhook-operator/v0.0.1/manifests/webhook.operators.coreos.io_webhooktests.yaml @@ -2,11 +2,20 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.3.0 + controller-gen.kubebuilder.io/version: v0.18.0 creationTimestamp: null name: webhooktests.webhook.operators.coreos.io spec: - preserveUnknownFields: false + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: webhook-operator-webhook-service + namespace: webhook-operator-system + path: /convert + conversionReviewVersions: + - v1 group: webhook.operators.coreos.io names: kind: WebhookTest @@ -14,92 +23,249 @@ spec: plural: webhooktests singular: webhooktest scope: Namespaced - version: v1 versions: - - name: v1 - schema: - openAPIV3Schema: - description: WebhookTest is the Schema for the webhooktests API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: WebhookTestSpec defines the desired state of WebhookTest - properties: - mutate: - description: Mutate is a field that will be set to true by the mutating - webhook. - type: boolean - valid: - description: Valid must be set to true or the validation webhook will - reject the resource. - type: boolean - required: - - valid - type: object - status: - description: WebhookTestStatus defines the observed state of WebhookTest - type: object - type: object - served: true - storage: true - - name: v2 - schema: - openAPIV3Schema: - description: WebhookTest is the Schema for the webhooktests API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: WebhookTestSpec defines the desired state of WebhookTest - properties: - conversion: - description: Conversion is an example field of WebhookTest. Edit WebhookTest_types.go - to remove/update - properties: - mutate: - description: Mutate is a field that will be set to true by the - mutating webhook. - type: boolean - valid: - description: Valid must be set to true or the validation webhook - will reject the resource. - type: boolean - required: + - name: v1 + schema: + openAPIV3Schema: + description: WebhookTest is the Schema for the webhooktests API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of WebhookTest + properties: + mutate: + description: Mutate is a field that will be set to true by the mutating + webhook. + type: boolean + valid: + description: Valid must be set to true or the validation webhook will + reject the resource. + type: boolean + required: - valid - type: object - required: - - conversion - type: object - status: - description: WebhookTestStatus defines the observed state of WebhookTest - type: object - type: object - served: true - storage: false + type: object + status: + description: status defines the observed state of WebhookTest + properties: + conditions: + description: |- + conditions represent the current state of the WebhookTest resource. + Each condition has a unique type and reflects the status of a specific aspect of the resource. + + Standard condition types include: + - "Available": the resource is fully functional + - "Progressing": the resource is being created or updated + - "Degraded": the resource failed to reach or maintain its desired state + + The status of each condition is one of True, False, or Unknown. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - name: v2 + schema: + openAPIV3Schema: + description: WebhookTest is the Schema for the webhooktests API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of WebhookTest + properties: + conversion: + description: Conversion is an example field of WebhookTest. Edit WebhookTest_types.go + to remove/update + properties: + mutate: + description: Mutate is a field that will be set to true by the + mutating webhook. + type: boolean + valid: + description: Valid must be set to true or the validation webhook + will reject the resource. + type: boolean + required: + - valid + type: object + required: + - conversion + type: object + status: + description: status defines the observed state of WebhookTest + properties: + conditions: + description: |- + conditions represent the current state of the WebhookTest resource. + Each condition has a unique type and reflects the status of a specific aspect of the resource. + + Standard condition types include: + - "Available": the resource is fully functional + - "Progressing": the resource is being created or updated + - "Degraded": the resource failed to reach or maintain its desired state + + The status of each condition is one of True, False, or Unknown. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} status: acceptedNames: kind: "" plural: "" - conditions: [] - storedVersions: [] + conditions: null + storedVersions: null