diff --git a/operator/roles/forkliftcontroller/tasks/main.yml b/operator/roles/forkliftcontroller/tasks/main.yml index 72721fa47..d823f6485 100644 --- a/operator/roles/forkliftcontroller/tasks/main.yml +++ b/operator/roles/forkliftcontroller/tasks/main.yml @@ -125,16 +125,41 @@ state: present definition: "{{ lookup('template', 'api/deployment-forklift-api.yml.j2') }}" - - name: "Setup api validating webhook configuration" + - name: "Delete aggregated validation webhook configurations" k8s: - state: present + state: absent definition: "{{ lookup('template', 'api/validatingwebhookconfiguration-forklift-api.yml.j2') }}" - - name: "Setup api mutating webhook configuration" + - name: "Setup secrets validating webhook configuration" + k8s: + state: present + definition: "{{ lookup('template', 'api/validatingwebhookconfiguration-secrets.yml.j2') }}" + + - name: "Setup plans validating webhook configuration" k8s: state: present + definition: "{{ lookup('template', 'api/validatingwebhookconfiguration-plans.yml.j2') }}" + + - name: "Setup providers validating webhook configuration" + k8s: + state: present + definition: "{{ lookup('template', 'api/validatingwebhookconfiguration-providers.yml.j2') }}" + + - name: "Delete aggregated mutating webhook configurations" + k8s: + state: absent definition: "{{ lookup('template', 'api/mutatingwebhookconfiguration-forklift-api.yml.j2') }}" + - name: "Setup secrets mutating webhook configuration" + k8s: + state: present + definition: "{{ lookup('template', 'api/mutatingwebhookconfiguration-secrets.yml.j2') }}" + + - name: "Setup plans mutating webhook configuration" + k8s: + state: present + definition: "{{ lookup('template', 'api/mutatingwebhookconfiguration-plans.yml.j2') }}" + - name: "Setup default provider" k8s: state: present 
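Review bot: Both `state: absent` tasks run before the per-resource configurations are created, so while the following tasks execute no admission webhook covers secrets, plans or providers. If one of the later `k8s` tasks fails, that gap lasts until the role runs again. Moving "Delete aggregated validation webhook configurations" and "Delete aggregated mutating webhook configurations" after their corresponding "Setup ..." tasks would keep coverage continuous. During the short overlap a request is reviewed by both the old and the new configuration, which is harmless provided the mutating handlers are idempotent. The task list continues outside this hunk.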
diff --git a/operator/roles/forkliftcontroller/templates/api/mutatingwebhookconfiguration-forklift-api.yml.j2 b/operator/roles/forkliftcontroller/templates/api/mutatingwebhookconfiguration-forklift-api.yml.j2 index 6cdbc6050..f34ba079b 100644 --- a/operator/roles/forkliftcontroller/templates/api/mutatingwebhookconfiguration-forklift-api.yml.j2 +++ b/operator/roles/forkliftcontroller/templates/api/mutatingwebhookconfiguration-forklift-api.yml.j2 @@ -1,67 +1,8 @@ +# Do not add webhooks to this file +# This configuration has been deprecated --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: {{ api_deployment_name }} namespace: "" - annotations: -{% if k8s_cluster|bool %} - cert-manager.io/inject-ca-from: {{ app_namespace }}/{{ api_certificate_name }} -{% else %} - service.beta.openshift.io/inject-cabundle: "true" -{% endif %} -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: {{ api_service_name }} - namespace: {{ app_namespace }} - path: /secret-mutate - port: 443 - failurePolicy: Fail - matchPolicy: Equivalent - name: ca-mutatur.forklift.konveyor - namespaceSelector: {} - objectSelector: - matchExpressions: - - key: createdForProviderType - operator: Exists - rules: - - apiGroups: - - '' - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - secrets - scope: Namespaced - sideEffects: None - timeoutSeconds: 30 -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: {{ api_service_name }} - namespace: {{ app_namespace }} - path: /plan-mutate - port: 443 - failurePolicy: Fail - matchPolicy: Equivalent - name: plans.forklift.konveyor - namespaceSelector: {} - objectSelector: {} - rules: - - apiGroups: - - forklift.konveyor.io - resources: - - plans - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - sideEffects: None - timeoutSeconds: 30 
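Review bot: The new header comment says the configuration is deprecated but not why the template is still shipped. From tasks/main.yml in this commit, it is rendered only so that the `state: absent` task can identify the old aggregated object by name. Saying so, for example `# Kept only so the operator can delete the old aggregated configuration (state: absent in tasks/main.yml)`, tells a maintainer when the file can finally be dropped. The same comment applies to validatingwebhookconfiguration-forklift-api.yml.j2.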
diff --git a/operator/roles/forkliftcontroller/templates/api/mutatingwebhookconfiguration-plans.yml.j2 b/operator/roles/forkliftcontroller/templates/api/mutatingwebhookconfiguration-plans.yml.j2
new file mode 100644
index 000000000..a764b6a29
--- /dev/null
+++ b/operator/roles/forkliftcontroller/templates/api/mutatingwebhookconfiguration-plans.yml.j2
@@ -0,0 +1,38 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ api_deployment_name }}-plans
+ namespace: ""
+ annotations:
+{% if k8s_cluster|bool %}
+ cert-manager.io/inject-ca-from: {{ app_namespace }}/{{ api_certificate_name }}
+{% else %}
+ service.beta.openshift.io/inject-cabundle: "true"
+{% endif %}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ api_service_name }}
+ namespace: {{ app_namespace }}
+ path: /plan-mutate
+ port: 443
+ failurePolicy: Fail
+ matchPolicy: Equivalent
+ name: plans.forklift.konveyor
+ namespaceSelector: {}
+ objectSelector: {}
+ rules:
+ - apiGroups:
+ - forklift.konveyor.io
+ resources:
+ - plans
+ apiVersions:
+ - v1beta1
+ operations:
+ - CREATE
+ - UPDATE
+ sideEffects: None
+ timeoutSeconds: 30
diff --git a/operator/roles/forkliftcontroller/templates/api/mutatingwebhookconfiguration-secrets.yml.j2 b/operator/roles/forkliftcontroller/templates/api/mutatingwebhookconfiguration-secrets.yml.j2
new file mode 100644
index 000000000..92717d6e7
--- /dev/null
+++ b/operator/roles/forkliftcontroller/templates/api/mutatingwebhookconfiguration-secrets.yml.j2
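Review bot: The `rules` entry for `plans` in mutatingwebhookconfiguration-plans.yml.j2 sets no `scope`, so the API default `*` applies, whereas the secrets rules in this commit state `scope: Namespaced` explicitly. Adding `scope: Namespaced` under the rule would keep the match as narrow as intended and make the templates consistent. This assumes Plan is a namespaced resource, which these templates do not show. The same omission is in validatingwebhookconfiguration-plans.yml.j2 and validatingwebhookconfiguration-providers.yml.j2.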
@@ -0,0 +1,42 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ api_deployment_name }}-secrets
+ namespace: ""
+ annotations:
+{% if k8s_cluster|bool %}
+ cert-manager.io/inject-ca-from: {{ app_namespace }}/{{ api_certificate_name }}
+{% else %}
+ service.beta.openshift.io/inject-cabundle: "true"
+{% endif %}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ api_service_name }}
+ namespace: {{ app_namespace }}
+ path: /secret-mutate
+ port: 443
+ failurePolicy: Fail
+ matchPolicy: Equivalent
+ name: ca-mutatur.forklift.konveyor
+ namespaceSelector: {}
+ objectSelector:
+ matchExpressions:
+ - key: createdForProviderType
+ operator: Exists
+ rules:
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - secrets
+ scope: Namespaced
+ sideEffects: None
+ timeoutSeconds: 30
diff --git a/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-forklift-api.yml.j2 b/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-forklift-api.yml.j2
index 7a3659a13..1fb07014c 100644
--- a/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-forklift-api.yml.j2
+++ b/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-forklift-api.yml.j2
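Review bot: The `objectSelector` in mutatingwebhookconfiguration-secrets.yml.j2 keys on `createdForProviderType`, while the validating secrets webhook in this commit keys on `createdForResourceType`. A Secret carrying only one of the two labels therefore reaches only one of the two handlers. If that is intended, a comment above the selector such as `# mutate only provider secrets; validation is selected by createdForResourceType` would record it; if not, the keys should be aligned. Separately, `ca-mutatur.forklift.konveyor` looks like a misspelling carried over from the old file, and since this configuration object is new it could be corrected here if nothing else refers to the webhook name.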
@@ -1,89 +1,8 @@ +# Do not add webhooks to this file +# This configuration has been deprecated --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: {{ api_deployment_name }} namespace: "" - annotations: -{% if k8s_cluster|bool %} - cert-manager.io/inject-ca-from: {{ app_namespace }}/{{ api_certificate_name }} -{% else %} - service.beta.openshift.io/inject-cabundle: "true" -{% endif %} -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: {{ api_service_name }} - namespace: {{ app_namespace }} - path: /secret-validate - port: 443 - failurePolicy: Fail - matchPolicy: Equivalent - name: secrets.forklift.konveyor - namespaceSelector: {} - objectSelector: - matchExpressions: - - key: createdForResourceType - operator: Exists - rules: - - apiGroups: - - '' - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - secrets - scope: Namespaced - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: {{ api_service_name }} - namespace: {{ app_namespace }} - path: /plan-validate - port: 443 - failurePolicy: Fail - matchPolicy: Equivalent - name: plans.forklift.konveyor - namespaceSelector: {} - objectSelector: {} - rules: - - apiGroups: - - forklift.konveyor.io - resources: - - plans - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: {{ api_service_name }} - namespace: {{ app_namespace }} - path: /provider-validate - port: 443 - failurePolicy: Fail - matchPolicy: Equivalent - name: providers.forklift.konveyor - namespaceSelector: {} - objectSelector: {} - rules: - - apiGroups: - - forklift.konveyor.io - resources: - - providers - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - sideEffects: None 
diff --git a/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-plans.yml.j2 b/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-plans.yml.j2
new file mode 100644
index 000000000..569493681
--- /dev/null
+++ b/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-plans.yml.j2
@@ -0,0 +1,37 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ api_deployment_name }}-plans
+ namespace: ""
+ annotations:
+{% if k8s_cluster|bool %}
+ cert-manager.io/inject-ca-from: {{ app_namespace }}/{{ api_certificate_name }}
+{% else %}
+ service.beta.openshift.io/inject-cabundle: "true"
+{% endif %}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ api_service_name }}
+ namespace: {{ app_namespace }}
+ path: /plan-validate
+ port: 443
+ failurePolicy: Fail
+ matchPolicy: Equivalent
+ name: plans.forklift.konveyor
+ namespaceSelector: {}
+ objectSelector: {}
+ rules:
+ - apiGroups:
+ - forklift.konveyor.io
+ resources:
+ - plans
+ apiVersions:
+ - v1beta1
+ operations:
+ - CREATE
+ - UPDATE
+ sideEffects: None
diff --git a/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-providers.yml.j2 b/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-providers.yml.j2
new file mode 100644
index 000000000..351e0da49
--- /dev/null
+++ b/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-providers.yml.j2
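Review bot: The validating webhook in validatingwebhookconfiguration-plans.yml.j2 sets no `timeoutSeconds`, so the `admissionregistration.k8s.io/v1` default of 10 seconds applies, while the mutating webhooks for the same service set `timeoutSeconds: 30`. With `failurePolicy: Fail` the timeout decides how long a Plan write blocks before it is rejected, so it is worth stating explicitly rather than leaving to the default. Adding a `timeoutSeconds:` line after `sideEffects: None` with whichever value is intended would make the two sides visibly consistent. The providers and secrets validating templates omit it as well.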
@@ -0,0 +1,37 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ api_deployment_name }}-providers
+ namespace: ""
+ annotations:
+{% if k8s_cluster|bool %}
+ cert-manager.io/inject-ca-from: {{ app_namespace }}/{{ api_certificate_name }}
+{% else %}
+ service.beta.openshift.io/inject-cabundle: "true"
+{% endif %}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ api_service_name }}
+ namespace: {{ app_namespace }}
+ path: /provider-validate
+ port: 443
+ failurePolicy: Fail
+ matchPolicy: Equivalent
+ name: providers.forklift.konveyor
+ namespaceSelector: {}
+ objectSelector: {}
+ rules:
+ - apiGroups:
+ - forklift.konveyor.io
+ resources:
+ - providers
+ apiVersions:
+ - v1beta1
+ operations:
+ - CREATE
+ - UPDATE
+ sideEffects: None
diff --git a/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-secrets.yml.j2 b/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-secrets.yml.j2
new file mode 100644
index 000000000..8f24080b0
--- /dev/null
+++ b/operator/roles/forkliftcontroller/templates/api/validatingwebhookconfiguration-secrets.yml.j2
@@ -0,0 +1,41 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ api_deployment_name }}-secrets
+ namespace: ""
+ annotations:
+{% if k8s_cluster|bool %}
+ cert-manager.io/inject-ca-from: {{ app_namespace }}/{{ api_certificate_name }}
+{% else %}
+ service.beta.openshift.io/inject-cabundle: "true"
+{% endif %}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ api_service_name }}
+ namespace: {{ app_namespace }}
+ path: /secret-validate
+ port: 443
+ failurePolicy: Fail
+ matchPolicy: Equivalent
+ name: secrets.forklift.konveyor
+ namespaceSelector: {}
+ objectSelector:
+ matchExpressions:
+ - key: createdForResourceType
+ operator: Exists
+ rules:
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - secrets
+ scope: Namespaced
+ sideEffects: None
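Review bot: The `objectSelector` on `createdForResourceType` makes validation opt-in: a Secret created or updated without that label is never sent to `/secret-validate`, so whatever consumes these Secrets cannot assume the webhook has checked them. A comment above the selector should record this, for example `# opt-in by label: unlabelled Secrets bypass this webhook, so consumers must re-validate`. In the other direction, `namespaceSelector: {}` combined with `failurePolicy: Fail` means that a labelled Secret in any namespace cannot be written while the API service is unavailable. If only certain namespaces are meant to hold such Secrets, narrowing the namespace selector would limit that exposure.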