Add fallback for misconfigured worker pool name case

Makefile

@@ -120,10 +120,10 @@ PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
 docker-buildx: ## Build and push docker image for the manager for cross-platform support
 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
 	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
-	- $(CONTAINER_TOOL) buildx create --name kyma-workloads-webhook-builder
-	$(CONTAINER_TOOL) buildx use kyma-workloads-webhook-builder
+	- $(CONTAINER_TOOL) buildx create --name kim-snatch-builder
+	$(CONTAINER_TOOL) buildx use kim-snatch-builder
 	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
-	- $(CONTAINER_TOOL) buildx rm kyma-workloads-webhook-builder
+	- $(CONTAINER_TOOL) buildx rm kim-snatch-builder
 	rm Dockerfile.cross
 
 .PHONY: build-installer

PROJECT

@@ -5,8 +5,8 @@
 domain: kyma-project.io
 layout:
 - go.kubebuilder.io/v4
-projectName: kyma-workloads-webhook
-repo: github.com/kyma-project/kyma-workloads-webhook
+projectName: kim-snatch-webhook
+repo: github.com/kyma-project/kim-snatch
 resources:
 - core: true
   group: core

cmd/main.go

@@ -26,13 +26,14 @@ import (
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 
+	corev1 "k8s.io/api/core/v1"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/retry"
 
-	"github.com/kyma-project/kyma-workloads-webhook/internal/webhook/callback"
-	webhook "github.com/kyma-project/kyma-workloads-webhook/internal/webhook/server"
-	webhookcorev1 "github.com/kyma-project/kyma-workloads-webhook/internal/webhook/v1"
+	"github.com/kyma-project/kim-snatch/internal/webhook/callback"
+	webhook "github.com/kyma-project/kim-snatch/internal/webhook/server"
+	webhookcorev1 "github.com/kyma-project/kim-snatch/internal/webhook/v1"
 	admissionregistration "k8s.io/api/admissionregistration/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -152,7 +153,7 @@ func main() {
 				logger.Error(err, "unable to read certificate")
 				os.Exit(1)
 			}
-			logger.Info("certificate loaded", certificateAuthorityName, string(data))
+			logger.Info("certificate loaded")
 
 			updateCABundle := callback.BuildUpdateCABundle(
 				context.Background(),
@@ -206,12 +207,26 @@ func main() {
 		os.Exit(1)
 	}
 
-	// nolint:goconst
-	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
-		if err = webhookcorev1.SetupPodWebhookWithManager(mgr, kymaWorkerPoolName); err != nil {
-			logger.Error(err, "unable to create webhook", "webhook", "Pod")
-			os.Exit(1)
-		}
+	var nodeList corev1.NodeList
+	if err := rtClient.List(context.TODO(), &nodeList, client.MatchingLabels{
+		"worker.gardener.cloud/pool": kymaWorkerPoolName,
+	}); err != nil {
+		logger.Error(err, "unable to fetch node list")
+		os.Exit(1)
+	}
+
+	defaultPod := webhookcorev1.ApplyDefaults(kymaWorkerPoolName)
+	if len(nodeList.Items) == 0 {
+		errMsg := fmt.Sprintf("worker.gardener.cloud/pool=%s not exist, switching to fallback",
+			kymaWorkerPoolName)
+
+		logger.Error(errInvalidArgument, errMsg)
+		defaultPod = webhookcorev1.ApplyDefaultsFallback(kymaWorkerPoolName)
+	}
+
+	if err = webhookcorev1.SetupPodWebhookWithManager(mgr, defaultPod); err != nil {
+		logger.Error(err, "unable to create webhook", "webhook", "Pod")
+		os.Exit(1)
 	}
 	// +kubebuilder:scaffold:builder
 
@@ -230,9 +245,3 @@ func main() {
 		os.Exit(1)
 	}
 }
-
-type MainOpts struct{}
-
-func Main(opts MainOpts) error {
-	panic("not implemented yet")
-}

config/certmanager/issuer.yaml

@@ -2,7 +2,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: kyma
   namespace: kyma-system

config/default/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: kyma-system
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: snatch-
+namePrefix: kim-snatch-
 
 # Labels to add to all resources and selectors.
 #labels:
@@ -16,7 +16,6 @@ namePrefix: snatch-
 
 resources:
 #- ../crd
-- ../manager
 - ../rbac
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
@@ -34,6 +33,7 @@ resources:
 # Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will
 # be able to communicate with the Webhook Server.
 #- ../network-policy
+- ../manager
 
 # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager
 patches:
@@ -46,11 +46,23 @@ patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 - path: manager_webhook_patch.yaml
+- patch: |-
+    - op: add
+      path: /spec/template/spec/containers/0/args/-
+      value: --kyma-worker-pool-name=cpu-worker-0
+  target:
+    kind: Deployment
+- patch: |-
+    - op: replace
+      path: /spec/template/spec/containers/0/imagePullPolicy
+      value: IfNotPresent
+  target:
+    kind: Deployment
 
 replacements:
   - source:
-      kind: Namespace
-      fieldPath: metadata.name
+      kind: Deployment
+      fieldPath: metadata.namespace
     targets:
       - select:
           name: kyma

config/default/manager_webhook_patch.yaml

@@ -4,7 +4,7 @@ metadata:
   name: controller-manager
   namespace: system
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
 spec:
   template:

config/default/metrics_service.yaml

@@ -3,7 +3,7 @@ kind: Service
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-service
   namespace: system
@@ -15,3 +15,4 @@ spec:
     targetPort: 8443
   selector:
     control-plane: controller-manager
+    app.kubernetes.io/component: kim-snatch

config/gardener/certmanager/certificate.yaml

@@ -2,15 +2,16 @@ apiVersion: cert.gardener.cloud/v1alpha1
 kind: Certificate
 metadata:
   labels:
-    app.kubernetes.io/created-by: kyma-workloads-webhook
-    app.kubernetes.io/part-of: kyma-workloads-webhook
+    app.kubernetes.io/created-by: kim-snatch
+    app.kubernetes.io/part-of: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: kyma
   namespace: system
 spec:
   commonName: snatch-webhook-service.kyma-system
   dnsNames:
   - snatch-webhook-service.kyma-system.svc
+  - snatch-webhook-service.kyma-system.svc.cluster.local
   isCA: true
   issuerRef:
     name: kyma

config/gardener/certmanager/issuer.yaml

@@ -2,7 +2,7 @@ apiVersion: cert.gardener.cloud/v1alpha1
 kind: Issuer
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: kyma
   namespace: system

config/k3d/kustomization.yaml

@@ -12,13 +12,19 @@ patches:
       value: --kyma-worker-pool-name=snatch-test
   target:
     kind: Deployment
+- patch: |-
+    - op: replace
+      path: /spec/template/spec/containers/0/imagePullPolicy
+      value: Never
+  target:
+    kind: Deployment
 
 resources:
-- ../manager
 - ../rbac
 - ../webhook
 - metrics_service.yaml
 - ../certmanager
+- ../manager
 
 sortOptions:
   order: fifo

config/k3d/manager_webhook_patch.yaml

@@ -4,7 +4,7 @@ metadata:
   name: controller-manager
   namespace: system
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
 spec:
   template:

config/k3d/metrics_service.yaml

@@ -3,7 +3,7 @@ kind: Service
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-service
   namespace: system

config/manager/manager.yaml

@@ -5,8 +5,9 @@ metadata:
   namespace: system
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch-webhook
     app.kubernetes.io/managed-by: kustomize
+    sidecar.istio.io/inject: "false"
 spec:
   selector:
     matchLabels:
@@ -18,6 +19,8 @@ spec:
         kubectl.kubernetes.io/default-container: manager
       labels:
         control-plane: controller-manager
+        app.kubernetes.io/component: kim-snatch
+        sidecar.istio.io/inject: "false"
     spec:
       # TODO(user): Uncomment the following code to configure the nodeAffinity expression
       # according to the platforms which are supported by your solution.

config/network-policy/allow-metrics-traffic.yaml

@@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: allow-metrics-traffic
   namespace: system

config/network-policy/allow-webhook-traffic.yaml

@@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: allow-webhook-traffic
   namespace: system

config/prometheus/monitor.yaml

@@ -4,7 +4,7 @@ kind: ServiceMonitor
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-monitor
   namespace: system

config/rbac/leader_election_role.yaml

@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: leader-election-role
 rules:

config/rbac/leader_election_role_binding.yaml

@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: leader-election-rolebinding
 roleRef:

config/rbac/role.yaml

@@ -4,6 +4,12 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
 - apiGroups:
   - admissionregistration.k8s.io
   resources:

config/rbac/role_binding.yaml

@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: manager-rolebinding
 roleRef:

config/rbac/service_account.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: kim-snatch
     app.kubernetes.io/managed-by: kustomize
   name: controller-manager
   namespace: system

config/webhook/kustomization.yaml

@@ -11,6 +11,6 @@ patches:
         path: /webhooks/0/namespaceSelector
         value:
           matchLabels:
-              managed-by: kyma
+            operator.kyma-project.io/managed-by: kyma
     target:
       kind: MutatingWebhookConfiguration

config/webhook/manifests.yaml

@@ -12,15 +12,16 @@ webhooks:
       namespace: system
       path: /mutate--v1-pod
   failurePolicy: Ignore
+  matchPolicy: Exact
   name: mpod-v1.kb.io
+  reinvocationPolicy: IfNeeded
   rules:
   - apiGroups:
     - ""
     apiVersions:
     - v1
     operations:
     - CREATE
-    - UPDATE
     resources:
     - pods
   sideEffects: None

config/webhook/service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app.kubernetes.io/name: kyma-workloads-webhook
+    app.kubernetes.io/name: webhook-service
     app.kubernetes.io/managed-by: kustomize
   name: webhook-service
   namespace: system
@@ -13,3 +13,4 @@ spec:
       targetPort: 9443
   selector:
     control-plane: controller-manager
+    app.kubernetes.io/component: kim-snatch

go.mod

@@ -1,4 +1,4 @@
-module github.com/kyma-project/kyma-workloads-webhook
+module github.com/kyma-project/kim-snatch
 
 go 1.23.0
 

internal/webhook/callback/callback_test.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/kyma-project/kyma-workloads-webhook/internal/webhook/callback"
+	"github.com/kyma-project/kim-snatch/internal/webhook/callback"
 	"github.com/stretchr/testify/assert"
 	admissionregistration "k8s.io/api/admissionregistration/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"