VWC logic now moved to operator code for both OLM and Helm.

Signed-off-by: Aryan <[email protected]>

Author: aryangorwade

bundle/manifests/k8s-nim-operator.clusterserviceversion.yaml

@@ -1345,6 +1345,18 @@ spec:
               - watch
               - create
               - delete
+            - apiGroups:
+              - admissionregistration.k8s.io
+              resources:
+              - validatingwebhookconfigurations
+              verbs:
+              - get
+              - list
+              - watch
+              - create
+              - update
+              - patch
+              - delete
       deployments:
         - name: k8s-nim-operator
           spec:
@@ -1401,6 +1413,8 @@ spec:
                             fieldPath: metadata.namespace
                       - name: ENABLE_WEBHOOKS
                         value: "true"
+                      - name: OPERATOR_NAME_PREFIX
+                        value: "k8s-nim-operator"
                     image: 'ghcr.io/nvidia/k8s-nim-operator:main'
                     imagePullPolicy: Always
                     livenessProbe:
@@ -1414,6 +1428,10 @@ spec:
                       successThreshold: 1
                       timeoutSeconds: 1
                     name: manager
+                    volumeMounts:
+                      - name: cert
+                        mountPath: /tmp/k8s-webhook-server/serving-certs
+                        readOnly: true
                     readinessProbe:
                       failureThreshold: 3
                       httpGet:
@@ -1435,6 +1453,11 @@ spec:
                       allowPrivilegeEscalation: false
                     terminationMessagePath: /dev/termination-log
                     terminationMessagePolicy: File
+                volumes:
+                  - name: cert
+                    secret:
+                      secretName: k8s-nim-operator-webhook-server-cert
+                      defaultMode: 420
                 dnsPolicy: ClusterFirst
                 imagePullSecrets: []
                 restartPolicy: Always
@@ -1457,46 +1480,4 @@ spec:
     - type: MultiNamespace
       supported: false
     - type: AllNamespaces
-      supported: true
-  webhookdefinitions:
-  - type: ValidatingAdmissionWebhook
-    admissionReviewVersions:
-      - v1
-    containerPort: 9443
-    targetPort: 9443          
-    deploymentName: k8s-nim-operator
-    failurePolicy: Fail
-    generateName: vnimcache-v1alpha1.kb.io
-    rules:
-      - apiGroups:
-          - apps.nvidia.com
-        apiVersions:
-          - v1alpha1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - nimcaches
-    sideEffects: None
-    webhookPath: /validate-apps-nvidia-com-v1alpha1-nimcache
-  - type: ValidatingAdmissionWebhook
-    admissionReviewVersions:
-      - v1
-    containerPort: 9443  
-    targetPort: 9443 
-    deploymentName: k8s-nim-operator
-    failurePolicy: Fail
-    generateName: vnimservice-v1alpha1.kb.io
-    rules:
-      - apiGroups:
-          - apps.nvidia.com
-        apiVersions:
-          - v1alpha1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - nimservices
-    sideEffects: None
-    webhookPath: /validate-apps-nvidia-com-v1alpha1-nimservice
-
+      supported: true

bundle/manifests/k8s-nim-operator.webhookservice.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8s-nim-operator-webhook-service
+  labels:
+    app.kubernetes.io/name: k8s-nim-operator
+    app.kubernetes.io/instance: nim-operator
+    control-plane: controller-manager
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: k8s-nim-operator-webhook-server-cert
+spec:
+  selector:
+    app.kubernetes.io/name: k8s-nim-operator
+    app.kubernetes.io/instance: nim-operator
+    control-plane: controller-manager
+  ports:
+    - port: 443
+      targetPort: 9443
+      protocol: TCP

deployments/helm/k8s-nim-operator/templates/manager-rbac.yaml

@@ -582,8 +582,10 @@ rules:
   - get
   - list
   - watch
-  - patch
+  - create
   - update
+  - patch
+  - delete
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

internal/config/config.go

@@ -0,0 +1,7 @@
+package config
+
+import "github.com/NVIDIA/k8s-nim-operator/internal/k8sutil"
+
+var (
+	OrchestratorType   k8sutil.OrchestratorType
+)

internal/webhook/apps/v1alpha1/configuration.go

@@ -0,0 +1,150 @@
+package v1alpha1
+
+import (
+	"context"
+	"encoding/json"
+
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/NVIDIA/k8s-nim-operator/internal/config"
+	"github.com/NVIDIA/k8s-nim-operator/internal/k8sutil"
+)
+
+// EnsureValidatingWebhook creates or updates the ValidatingWebhookConfiguration
+// that used to be templated by Helm.  It is a best-effort reconciliation and
+// returns an error only when we cannot make the desired state match the spec.
+func EnsureValidatingWebhook(
+	ctx context.Context,
+	apiReader client.Reader,
+	writer client.Client,
+	namespace string,
+	fullNamePrefix string,
+) error {
+	// Desired validatingwebhookconfiguration spec.
+	desired := buildConfigurationSpec(namespace, fullNamePrefix)
+
+	// Check if there is already a spec.
+	existing := &admissionv1.ValidatingWebhookConfiguration{}
+	err := apiReader.Get(ctx, types.NamespacedName{Name: desired.Name}, existing)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+
+	if errors.IsNotFound(err) {
+		return writer.Create(ctx, desired)
+	}
+
+	// Deep-compare; update only if something differs.
+	cur, _ := json.Marshal(existing.Webhooks)
+	want, _ := json.Marshal(desired.Webhooks)
+
+	if string(cur) == string(want) {
+		return nil
+	}
+
+	existing.Webhooks = desired.Webhooks
+	existing.Annotations = desired.Annotations
+	return writer.Update(ctx, existing)
+}
+
+// buildDesired reproduces the spec that used to be in Helm.
+func buildConfigurationSpec(namespace, namePrefix string) *admissionv1.ValidatingWebhookConfiguration {
+	pathCache := "/validate-apps-nvidia-com-v1alpha1-nimcache"
+	pathService := "/validate-apps-nvidia-com-v1alpha1-nimservice"
+
+	// Use appropriate annotations/labels as per deployment mode.
+	var annotations map[string]string
+	var labels map[string]string
+	var clientconfignimcache admissionv1.WebhookClientConfig
+	var clientconfignimservice admissionv1.WebhookClientConfig
+
+	clientconfignimcache = admissionv1.WebhookClientConfig{
+		Service: &admissionv1.ServiceReference{
+			Namespace: namespace,
+			Name:      namePrefix + "-webhook-service",
+			Path:      &pathCache,
+		},
+	}
+	clientconfignimservice = admissionv1.WebhookClientConfig{
+		Service: &admissionv1.ServiceReference{
+			Namespace: namespace,
+			Name:      namePrefix + "-webhook-service",
+			Path:      &pathService,
+		},
+	}
+
+	// Deployment specific values.
+	if config.OrchestratorType == k8sutil.K8s {
+		annotations = map[string]string{"cert-manager.io/inject-ca-from": namespace + "/" + namePrefix + "-serving-cert"}
+		labels = map[string]string{
+			"app.kubernetes.io/name":       "k8s-nim-operator",
+			"app.kubernetes.io/managed-by": "helm",
+		}
+	} else {
+		annotations = map[string]string{"service.beta.openshift.io/inject-cabundle": "true"}
+		labels = map[string]string{
+			"app.kubernetes.io/name":       "k8s-nim-operator",
+			"app.kubernetes.io/managed-by": "openshift",
+		}
+	}
+
+	return &admissionv1.ValidatingWebhookConfiguration{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        namePrefix + "-validating-webhook-configuration",
+			Annotations: annotations,
+			Labels:      labels,
+		},
+		Webhooks: []admissionv1.ValidatingWebhook{
+			{
+				Name:                    "vnimcache-v1alpha1.kb.io",
+				AdmissionReviewVersions: []string{"v1"},
+				ClientConfig:            clientconfignimcache,
+				FailurePolicy: func() *admissionv1.FailurePolicyType {
+					fp := admissionv1.Fail
+					return &fp
+				}(),
+				SideEffects: func() *admissionv1.SideEffectClass {
+					s := admissionv1.SideEffectClassNone
+					return &s
+				}(),
+				Rules: []admissionv1.RuleWithOperations{{
+					Operations: []admissionv1.OperationType{
+						admissionv1.Create, admissionv1.Update,
+					},
+					Rule: admissionv1.Rule{
+						APIGroups:   []string{"apps.nvidia.com"},
+						APIVersions: []string{"v1alpha1"},
+						Resources:   []string{"nimcaches"},
+					},
+				}},
+			},
+			{
+				Name:                    "vnimservice-v1alpha1.kb.io",
+				AdmissionReviewVersions: []string{"v1"},
+				ClientConfig:            clientconfignimservice,
+				FailurePolicy: func() *admissionv1.FailurePolicyType {
+					fp := admissionv1.Fail
+					return &fp
+				}(),
+				SideEffects: func() *admissionv1.SideEffectClass {
+					s := admissionv1.SideEffectClassNone
+					return &s
+				}(),
+				Rules: []admissionv1.RuleWithOperations{{
+					Operations: []admissionv1.OperationType{
+						admissionv1.Create, admissionv1.Update,
+					},
+					Rule: admissionv1.Rule{
+						APIGroups:   []string{"apps.nvidia.com"},
+						APIVersions: []string{"v1alpha1"},
+						Resources:   []string{"nimservices"},
+					},
+				}},
+			},
+		},
+	}
+}