refactor snatch

Makefile

@@ -120,10 +120,10 @@ PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
 docker-buildx: ## Build and push docker image for the manager for cross-platform support
 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
 	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
-	- $(CONTAINER_TOOL) buildx create --name kyma-workloads-webhook-builder
-	$(CONTAINER_TOOL) buildx use kyma-workloads-webhook-builder
+	- $(CONTAINER_TOOL) buildx create --name kim-snatch-builder
+	$(CONTAINER_TOOL) buildx use kim-snatch-builder
 	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
-	- $(CONTAINER_TOOL) buildx rm kyma-workloads-webhook-builder
+	- $(CONTAINER_TOOL) buildx rm kim-snatch-builder
 	rm Dockerfile.cross
 
 .PHONY: build-installer

PROJECT

@@ -5,8 +5,8 @@
 domain: kyma-project.io
 layout:
 - go.kubebuilder.io/v4
-projectName: kyma-workloads-webhook
-repo: github.com/kyma-project/kyma-workloads-webhook
+projectName: kim-snatch-webhook
+repo: github.com/kyma-project/kim-snatch
 resources:
 - core: true
   group: core

cmd/main.go

@@ -31,9 +31,9 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/retry"
 
-	"github.com/kyma-project/kyma-workloads-webhook/internal/webhook/callback"
-	webhook "github.com/kyma-project/kyma-workloads-webhook/internal/webhook/server"
-	webhookcorev1 "github.com/kyma-project/kyma-workloads-webhook/internal/webhook/v1"
+	"github.com/kyma-project/kim-snatch/internal/webhook/callback"
+	webhook "github.com/kyma-project/kim-snatch/internal/webhook/server"
+	webhookcorev1 "github.com/kyma-project/kim-snatch/internal/webhook/v1"
 	admissionregistration "k8s.io/api/admissionregistration/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -153,7 +153,7 @@ func main() {
 				logger.Error(err, "unable to read certificate")
 				os.Exit(1)
 			}
-			logger.Info("certificate loaded", certificateAuthorityName, string(data))
+			logger.Info("certificate loaded")
 
 			updateCABundle := callback.BuildUpdateCABundle(
 				context.Background(),
@@ -217,8 +217,10 @@ func main() {
 
 	defaultPod := webhookcorev1.ApplyDefaults(kymaWorkerPoolName)
 	if len(nodeList.Items) == 0 {
-		logger.Error(err, "kyma worker pool does not exist, switching to fallback",
-			"workerPoolName", kymaWorkerPoolName)
+		errMsg := fmt.Sprintf("worker.gardener.cloud/pool=%s not exist, switching to fallback",
+			kymaWorkerPoolName)
+
+		logger.Error(errInvalidArgument, errMsg)
 		defaultPod = webhookcorev1.ApplyDefaultsFallback(kymaWorkerPoolName)
 	}
 

config/certmanager/issuer.yaml

@@ -2,7 +2,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: kyma
   namespace: kyma-system

config/default/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: kyma-system
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: snatch-
+namePrefix: kim-snatch-
 
 # Labels to add to all resources and selectors.
 #labels:
@@ -16,7 +16,6 @@ namePrefix: snatch-
 
 resources:
 #- ../crd
-- ../manager
 - ../rbac
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
@@ -34,6 +33,7 @@ resources:
 # Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will
 # be able to communicate with the Webhook Server.
 #- ../network-policy
+- ../manager
 
 # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager
 patches:
@@ -52,6 +52,18 @@ patches:
       value: --kyma-worker-pool-name=cpu-worker-0
   target:
     kind: Deployment
+- patch: |-
+    - op: add
+      path: /spec/template/spec/containers/0/args/-
+      value: --webhook-cfg-name=kim-snatch-mutating-webhook-configuration
+  target:
+    kind: Deployment
+- patch: |-
+    - op: replace
+      path: /spec/template/spec/containers/0/imagePullPolicy
+      value: IfNotPresent
+  target:
+    kind: Deployment
 
 replacements:
   - source:

config/default/manager_webhook_patch.yaml

@@ -4,7 +4,7 @@ metadata:
   name: controller-manager
   namespace: system
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
 spec:
   template:

config/default/metrics_service.yaml

@@ -3,7 +3,7 @@ kind: Service
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-service
   namespace: system
@@ -15,3 +15,4 @@ spec:
     targetPort: 8443
   selector:
     control-plane: controller-manager
+    app.kubernetes.io/component: kim-snatch

config/gardener/certmanager/certificate.yaml

@@ -2,15 +2,16 @@ apiVersion: cert.gardener.cloud/v1alpha1
 kind: Certificate
 metadata:
   labels:
-    app.kubernetes.io/created-by: kyma-workloads-webhook
-    app.kubernetes.io/part-of: kyma-workloads-webhook
+    app.kubernetes.io/created-by: kim-snatch
+    app.kubernetes.io/part-of: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: kyma
   namespace: system
 spec:
   commonName: snatch-webhook-service.kyma-system
   dnsNames:
-  - snatch-webhook-service.kyma-system.svc
+  - kim-snatch-webhook-service.kyma-system.svc
+  - kim-snatch-webhook-service.kyma-system.svc.cluster.local
   isCA: true
   issuerRef:
     name: kyma

config/gardener/certmanager/issuer.yaml

@@ -2,7 +2,7 @@ apiVersion: cert.gardener.cloud/v1alpha1
 kind: Issuer
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: kyma
   namespace: system

config/k3d/kustomization.yaml

@@ -12,13 +12,25 @@ patches:
       value: --kyma-worker-pool-name=snatch-test
   target:
     kind: Deployment
+- patch: |-
+    - op: replace
+      path: /spec/template/spec/containers/0/imagePullPolicy
+      value: Never
+  target:
+    kind: Deployment
+- patch: |-
+    - op: add
+      path: /spec/template/spec/containers/0/args/-
+      value: --webhook-cfg-name=snatch-mutating-webhook-configuration
+  target:
+    kind: Deployment
 
 resources:
-- ../manager
 - ../rbac
 - ../webhook
 - metrics_service.yaml
 - ../certmanager
+- ../manager
 
 sortOptions:
   order: fifo

config/k3d/manager_webhook_patch.yaml

@@ -4,7 +4,7 @@ metadata:
   name: controller-manager
   namespace: system
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
 spec:
   template:

config/k3d/metrics_service.yaml

@@ -3,7 +3,7 @@ kind: Service
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-service
   namespace: system

config/manager/kustomization.yaml

@@ -4,8 +4,8 @@ resources:
 - manager.yaml
 images:
 - name: controller
-  newName: snatch
-  newTag: local
+  newName: ttl.sh/snatch7
+  newTag: 1h
 - name: controller-admission
   newName: IMG=admission-testme
   newTag: latest

config/manager/manager.yaml

@@ -5,8 +5,9 @@ metadata:
   namespace: system
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch-webhook
     app.kubernetes.io/managed-by: kustomize
+    sidecar.istio.io/inject: "false"
 spec:
   selector:
     matchLabels:
@@ -18,6 +19,8 @@ spec:
         kubectl.kubernetes.io/default-container: manager
       labels:
         control-plane: controller-manager
+        app.kubernetes.io/component: kim-snatch
+        sidecar.istio.io/inject: "false"
     spec:
       # TODO(user): Uncomment the following code to configure the nodeAffinity expression
       # according to the platforms which are supported by your solution.
@@ -53,7 +56,6 @@ spec:
         - /manager
         args:
           - --health-probe-bind-address=:8081
-          - --webhook-cfg-name=snatch-mutating-webhook-configuration
         image: controller:latest
         # TODO(dev): Remove this
         imagePullPolicy: Never

config/network-policy/allow-metrics-traffic.yaml

@@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: allow-metrics-traffic
   namespace: system

config/network-policy/allow-webhook-traffic.yaml

@@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: allow-webhook-traffic
   namespace: system

config/prometheus/monitor.yaml

@@ -4,7 +4,7 @@ kind: ServiceMonitor
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-monitor
   namespace: system

config/rbac/leader_election_role.yaml

@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: leader-election-role
 rules:

config/rbac/leader_election_role_binding.yaml

@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: leader-election-rolebinding
 roleRef:

config/rbac/role_binding.yaml

@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: manager-rolebinding
 roleRef:

config/rbac/service_account.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: controller-manager
   namespace: system

config/webhook/kustomization.yaml

@@ -11,6 +11,6 @@ patches:
         path: /webhooks/0/namespaceSelector
         value:
           matchLabels:
-              kyma-project.io/managed-by: kyma
+            operator.kyma-project.io/managed-by: kyma
     target:
       kind: MutatingWebhookConfiguration

config/webhook/manifests.yaml

@@ -12,15 +12,16 @@ webhooks:
       namespace: system
       path: /mutate--v1-pod
   failurePolicy: Ignore
+  matchPolicy: Exact
   name: mpod-v1.kb.io
+  reinvocationPolicy: Never
   rules:
   - apiGroups:
     - ""
     apiVersions:
     - v1
     operations:
     - CREATE
-    - UPDATE
     resources:
     - pods
   sideEffects: None

config/webhook/service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: webhook-service
     app.kubernetes.io/managed-by: kustomize
   name: webhook-service
   namespace: system
@@ -13,3 +13,4 @@ spec:
       targetPort: 9443
   selector:
     control-plane: controller-manager
+    app.kubernetes.io/component: kim-snatch

go.mod

@@ -1,4 +1,4 @@
-module github.com/kyma-project/kyma-workloads-webhook
+module github.com/kyma-project/kim-snatch
 
 go 1.23.0
 

internal/webhook/callback/callback_test.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/kyma-project/kyma-workloads-webhook/internal/webhook/callback"
+	"github.com/kyma-project/kim-snatch/internal/webhook/callback"
 	"github.com/stretchr/testify/assert"
 	admissionregistration "k8s.io/api/admissionregistration/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

internal/webhook/server/server.go

@@ -29,9 +29,9 @@ import (
 	"sync"
 	"time"
 
-	"github.com/kyma-project/kyma-workloads-webhook/internal/httpserver"
-	logf "github.com/kyma-project/kyma-workloads-webhook/internal/log"
-	"github.com/kyma-project/kyma-workloads-webhook/internal/metrics"
+	"github.com/kyma-project/kim-snatch/internal/httpserver"
+	logf "github.com/kyma-project/kim-snatch/internal/log"
+	"github.com/kyma-project/kim-snatch/internal/metrics"
 	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"