fix

Signed-off-by: SequeI <[email protected]>

Author: SequeI

.github/actions/kind-cluster/action.yml

@@ -125,10 +125,6 @@ runs:
     - name: Install Cert-Manager
       shell: bash
       run: |
-        CERT_MANAGER_VERSION="v1.13.2"
-          
-        kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.crds.yaml
-        kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml
-          
+        kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.19.1/cert-manager.yaml
         kubectl wait --for=condition=available deployment/cert-manager-webhook -n cert-manager --timeout=5m
         kubectl wait --for=condition=available deployment/cert-manager -n cert-manager --timeout=5m

internal/webhook/securesign_validator.go

@@ -13,13 +13,8 @@ import (
 	admission "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
-func (v *SecureSignValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+func (v *SecureSignValidator) validateNamespacePolicy(ctx context.Context, operandCR *rhtasv1alpha1.Securesign) (admission.Warnings, error) {
 	reqLog := logf.FromContext(ctx)
-	operandCR, ok := obj.(*rhtasv1alpha1.Securesign)
-	if !ok {
-		return nil, fmt.Errorf("expected SecureSign CR but got %T", obj)
-	}
-
 	targetNamespace := operandCR.GetNamespace()
 
 	if targetNamespace == "default" {
@@ -47,10 +42,23 @@ func (v *SecureSignValidator) ValidateCreate(ctx context.Context, obj runtime.Ob
 	return nil, nil
 }
 
+func (v *SecureSignValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	operandCR, ok := obj.(*rhtasv1alpha1.Securesign)
+	if !ok {
+		return nil, fmt.Errorf("expected SecureSign CR but got %T", obj)
+	}
+	return v.validateNamespacePolicy(ctx, operandCR)
+}
+
 func (v *SecureSignValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
-	return nil, nil
+	operandCR, ok := newObj.(*rhtasv1alpha1.Securesign)
+	if !ok {
+		return nil, fmt.Errorf("expected SecureSign CR but got %T", newObj)
+	}
+	return v.validateNamespacePolicy(ctx, operandCR)
 }
 
 func (v *SecureSignValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	// Allow all delete operations
 	return nil, nil
 }

test/e2e/custom_install/suite_test.go

@@ -25,11 +25,9 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	yamlutil "k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/utils/ptr"
-	k8sYaml "sigs.k8s.io/yaml"
 
 	runtimeCli "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -81,50 +79,8 @@ func installOperator(ctx context.Context, cli runtimeCli.Client, ns string, opts
 		Expect(cli.Create(ctx, o)).To(Succeed())
 	}
 
-	GinkgoWriter.Printf("Waiting for webhook-server-tls Secret to be ready...\n")
-	Eventually(func(ctx context.Context) error {
-		secret := &v1.Secret{}
-		return cli.Get(ctx, types.NamespacedName{Name: "webhook-server-tls", Namespace: ns}, secret)
-	}).WithContext(ctx).Should(Succeed(), "Failed to wait for webhook-server-tls Secret to be created by Cert-Manager.")
-
-	GinkgoWriter.Printf("Waiting for ValidatingWebhookConfiguration caBundle injection...\n")
-	Eventually(func(ctx context.Context) (bool, error) {
-		webhookConfig := &admissionv1.ValidatingWebhookConfiguration{}
-		err := cli.Get(ctx, types.NamespacedName{Name: "validation.securesigns.rhtas.redhat.com"}, webhookConfig)
-		if err != nil {
-			return false, err
-		}
-		if len(webhookConfig.Webhooks) > 0 && len(webhookConfig.Webhooks[0].ClientConfig.CABundle) > 0 {
-			return true, nil
-		}
-		return false, nil
-	}).WithContext(ctx).Should(BeTrue(), "Cert-Manager failed to inject CA bundle into Webhook Config.")
-
 	Expect(cli.Create(ctx, managerPod(ns, opts...))).To(Succeed())
 
-	GinkgoWriter.Printf("Waiting for manager Pod to appear...\n")
-	Eventually(func(ctx context.Context) error {
-		pod := &v1.Pod{}
-		return cli.Get(ctx, types.NamespacedName{Name: managerPodName, Namespace: ns}, pod)
-	}).WithContext(ctx).Should(Succeed(), "Manager Pod failed to appear in API server after creation.")
-
-	GinkgoWriter.Printf("Waiting for Service Endpoints to appear...\n")
-	Eventually(func(ctx context.Context) error {
-		endpoints := &v1.Endpoints{}
-		err := cli.Get(ctx, types.NamespacedName{Name: "controller-manager-webhook-service", Namespace: ns}, endpoints)
-
-		if err != nil {
-			return err
-		}
-
-		if len(endpoints.Subsets) == 0 || len(endpoints.Subsets[0].Addresses) == 0 {
-			return fmt.Errorf("webhook service has no ready endpoints yet")
-		}
-
-		return nil
-	}).WithContext(ctx).WithTimeout(1*time.Minute).Should(Succeed(),
-		"Webhook service failed to register a ready endpoint.")
-
 	time.Sleep(1 * time.Minute)
 
 }
@@ -341,7 +297,12 @@ func webhookInfra(ns string) []runtimeCli.Object {
 				service["namespace"] = ns
 
 				webhooks[0] = webhook
-				unstructured.SetNestedSlice(u.Object, webhooks, "webhooks")
+				err = unstructured.SetNestedSlice(u.Object, webhooks, "webhooks")
+
+				if err != nil {
+					Fail(fmt.Errorf("failed to set Namespace on ValidatingWebhookConfiguration resource: %w", err).Error())
+				}
+
 			}
 
 			if kind == "Certificate" {
@@ -361,14 +322,6 @@ func webhookInfra(ns string) []runtimeCli.Object {
 				}
 			}
 
-			finalYAML, err := k8sYaml.Marshal(u.Object)
-			if err != nil {
-				GinkgoWriter.Printf("Warning: Failed to marshal object %s/%s for debugging: %v\n", kind, u.GetName(), err)
-			} else {
-				GinkgoWriter.Printf("\n--- YAML DEBUG START: %s/%s ---\n%s\n--- YAML DEBUG END ---\n",
-					kind, u.GetName(), string(finalYAML))
-			}
-
 			objects = append(objects, u)
 		}
 	}