Configuring OLM Deployment for Validating Admission Webhooks (for NIMService and NIMCache) + bundle.Dockerfile version bug fix #606

Merged: shivamerla merged 1 commit into NVIDIA:main from aryangorwade:validating-webhook-nimservice-nimcache-olm on Aug 11, 2025


@aryangorwade
Collaborator

Summary

Updates bundle/manifests/k8s-nim-operator.clusterserviceversion.yaml with webhookdefinitions and adds ENABLE_WEBHOOKS as a secret in the CSV's env.

Updates deployments/container/bundle.Dockerfile to remove version number to fix building bundle errors.

COPY bundle/manifests            /manifests/
COPY bundle/metadata             /metadata/

Verification

Verified that webhook secret exists:

> kubectl -n nim-operator get secrets

NAME                            TYPE                DATA   AGE
k8s-nim-operator-service-cert   kubernetes.io/tls   3      8m18s 

> kubectl -n nim-operator get secret k8s-nim-operator-service-cert -o yaml | \
yq '{
  "name": .metadata.name,
  "tlsKey": (.data."tls.key" != null),
  "tlsCrt": (.data."tls.crt" != null)
}'

name: k8s-nim-operator-service-cert
tlsKey: true
tlsCrt: true

And that the secret is mounted in the operator at:

> kubectl -n nim-operator describe pod k8s-nim-operator-589b95d5c5-bwgzc

Containers:
  <other content> 
  manager
    Mounts:
      /apiserver.local.config/certificates from apiservice-cert (rw)
      /tmp/k8s-webhook-server/serving-certs from webhook-cert (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-hkrks (ro)
Volumes:
  apiservice-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  k8s-nim-operator-service-cert
    Optional:    false
  webhook-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  k8s-nim-operator-service-cert
    Optional:    false

Updated specs document: https://docs.google.com/document/d/11pir7oqXmDNUB_BrfCnbj7wa8VNbsos43a-jif01C98/edit?tab=t.tl2rv9t8yoz1#heading=h.7f4p8ydi9p3v
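
The verification steps in the description above can be scripted. This is an added example, not part of the pull request or the operator's code; it assumes the Secret and Pod objects have already been fetched as JSON and parsed into dicts, and the sample objects at the bottom are constructed.

```python
# Added example: names below are taken from the PR description's output.
SECRET_NAME = "k8s-nim-operator-service-cert"
CERT_DIR = "/tmp/k8s-webhook-server/serving-certs"
CONTAINER = "manager"


def check_webhook_cert(secret, pod):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append("secret type is not kubernetes.io/tls")
    data = secret.get("data") or {}
    for key in ("tls.crt", "tls.key"):
        if not data.get(key):
            problems.append(f"secret is missing {key}")

    spec = pod.get("spec", {})
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    manager = next((c for c in spec.get("containers", [])
                    if c.get("name") == CONTAINER), None)
    if manager is None:
        return problems + [f"no container named {CONTAINER}"]
    mount = next((m for m in manager.get("volumeMounts", [])
                  if m.get("mountPath") == CERT_DIR), None)
    if mount is None:
        return problems + [f"nothing mounted at {CERT_DIR}"]
    source = volumes.get(mount["name"], {}).get("secret")
    if source is None:
        problems.append(f"volume {mount['name']} is not backed by a Secret")
    elif source.get("secretName") != SECRET_NAME:
        problems.append(f"volume {mount['name']} uses {source.get('secretName')}")
    elif source.get("optional"):
        # An optional Secret volume lets the pod start with no certificate files.
        problems.append("secret volume is marked optional")
    return problems


# Constructed sample objects, trimmed to the fields the checks read.
SAMPLE_SECRET = {"type": "kubernetes.io/tls",
                 "data": {"tls.crt": "Y29uc3RydWN0ZWQ=", "tls.key": "Y29uc3RydWN0ZWQ="}}
SAMPLE_POD = {"spec": {
    "containers": [{"name": CONTAINER, "volumeMounts": [
        {"name": "webhook-cert", "mountPath": CERT_DIR}]}],
    "volumes": [{"name": "webhook-cert",
                 "secret": {"secretName": SECRET_NAME, "optional": False}}]}}

if __name__ == "__main__":
    print(check_webhook_cert(SAMPLE_SECRET, SAMPLE_POD) or "all checks passed")
```

For a live cluster, pass in the parsed output of `kubectl -n nim-operator get secret k8s-nim-operator-service-cert -o json` and of `kubectl -n nim-operator get pod <pod-name> -o json`.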

@copy-pr-bot

copy-pr-bot bot commented Aug 8, 2025

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@aryangorwade force-pushed the validating-webhook-nimservice-nimcache-olm branch 2 times, most recently from 51374ce to 3aee01b, August 11, 2025 17:55
Signed-off-by: Aryan <gorwadearyan@gmail.com>
@aryangorwade force-pushed the validating-webhook-nimservice-nimcache-olm branch from d0acf83 to 7b824f8, August 11, 2025 17:58
@shivamerla
Collaborator

Thanks @aryangorwade, I see that you have tested and enabled webhooks by default on OCP. This is good. We can re-evaluate this during the release.

@shivamerla merged commit 9aa6b15 into NVIDIA:main, Aug 11, 2025
9 checks passed
@aryangorwade deleted the validating-webhook-nimservice-nimcache-olm branch, August 15, 2025 21:04