Adding validating admission webhooks for NIMService/NIMCache with Helm deployment updates

[aryangorwade]

Adds validating admission webhooks (ValidateCreate and ValidateUpdate) with cert-manager TLS integration for both NIMService and NIMCache CRDs and wires them into the Helm chart so they are deployed automatically with the operator.

Webhook and Helm deployment follows the style of https://github.com/Mellanox/network-operator.

Specification document: https://docs.google.com/document/d/11pir7oqXmDNUB_BrfCnbj7wa8VNbsos43a-jif01C98/edit?usp=sharing

Key Changes

1. Webhook Implementations (each file has a helper file)

   • internal/webhook/apps/v1alpha1/nimservice_webhook.go
   • internal/webhook/apps/v1alpha1/nimcache_webhook.go
     Each file defines:
   • Detailed validation logic in ValidateCreate and ValidateUpdate.
   • A no-op ValidateDelete stub (required by admission.CustomValidator, but never invoked because the webhook is registered for create and update only).

2. Controller Wiring

   • SetupNIMServiceWebhookWithManager and SetupNIMCacheWebhookWithManager register the validators with the controller-runtime manager.
   • main.go now invokes both Setup*WebhookWithManager helpers so the webhooks start with the operator.

3. Generated Manifests

   • Running make manifests now produces the corresponding ValidatingWebhookConfiguration YAML under config/webhook/.
   • Each rule includes verbs=create;update; deletion is intentionally excluded.
   • Paths follow the required pattern (e.g., /validate-apps-nvidia-com-v1alpha1-nimservice).

4. Helm Chart Updates (TLS + Webhook Packaging)

• Align the NIM Operator chart (deployments/helm/k8s-nim-operator/) with the Network Operator’s admission-controller pattern.
• New template: templates/admission_controller.yaml
  • Generates the webhook Service, ValidatingWebhookConfiguration, and TLS assets.
  • Supports two modes, driven by values:
    • useCertManager: true – create Issuer and Certificate resources for self-signed certs.
    • useCertManager: false – load a user-supplied Secret containing caCrt, tlsCrt, tlsKey.
  • Entire block gated by operator.admissionController.enabled.
• values.yaml additions

  operator:
    admissionController:
      enabled: true          # enable webhooks by default
      useCertManager: true   # toggle between cert-manager or custom certs
      # certificate:
      #   caCrt: |-
      #   tlsCrt: |-
      #   tlsKey: |-

• deployment.yaml tweaks
  • Conditionally expose webhook port 9443.
  • Mount the webhook-server-cert secret at /tmp/k8s-webhook-server/serving-certs.
  • Add ENABLE_WEBHOOKS=true env var when admissionController.enabled is set.
• Static Kubebuilder manifests in config/certmanager and config/webhook remain for local dev (make manifests && make deploy).

5. RBAC Adjustments

   • ClusterRole/Role expanded to allow:
     • Reading secrets for TLS
     • Reading/writing validatingwebhookconfigurations to enable certificate patching

6. Testing & CI

   • Manual testing with a variety of YAMLS for every specification in the document has been done

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[visheshtanksale]

• Fix the linter error.
• Take latest updates from main and rebase your changes on top of it.
• Its generally a good practice to start PR with a single commit.

[aryangorwade]

Addressed all concerns-edited code to pass linting tests as well. Linting caught NIMCache.Spec.Storage.HostPath being deprecated, so it was removed from the code.

[aryangorwade]

All concerns addressed.

There are these lines in config/manager/kustomization.yaml:

images: 
- name: controller
    newName: localhost:5000/k8s-nim-operator
    newTag: dev

Also, in deployments/helm/k8s-nim-operator/values.yaml:

image: 
    repository: localhost:5000/k8s-nim-operator
    tag: dev

These were changed for local development and testing. Should they be changed back to their original values of

images: 
- name: controller
     newName: nvcr.io/nvidia/cloud-native/nim-operator
     newTag: v1.0.0

image: 
    repository: ghcr.io/nvidia/k8s-nim-operator
    tag: main

Additionally, Kustomization files were changed. Does anything need to be done about those changes?

[shivamerla]

All concerns addressed.

There are these lines in config/manager/kustomization.yaml:

images: 
- name: controller
    newName: localhost:5000/k8s-nim-operator
    newTag: dev

Also, in deployments/helm/k8s-nim-operator/values.yaml:

image: 
    repository: localhost:5000/k8s-nim-operator
    tag: dev

These were changed for local development and testing. Should they be changed back to their original values of

images: 
- name: controller
     newName: nvcr.io/nvidia/cloud-native/nim-operator
     newTag: v1.0.0

image: 
    repository: ghcr.io/nvidia/k8s-nim-operator
    tag: main

Additionally, Kustomization files were changed. Does anything need to be done about those changes?

Yes, we should change these to original values.

[aryangorwade]

Addressed these concerns @shivamerla, please review

[aryangorwade]

Code coverage is 64%. Should I aim for 100%?

ok  	github.com/NVIDIA/k8s-nim-operator/internal/webhook/apps/v1alpha1	0.043s	coverage: 64.0% of statements

[varunrsekar]

LGTM! Thanks for the change!

Reg the DCO check failure, please sign-off on all your commits