fix(webhook): scope v1alpha1 DNSRecord webhook to v1alpha1 requests

golgoth31 · claude · golgoth31 · commit e21d0f715116 · 2026-06-18T20:09:26.000+02:00
The vdnsrecord-v1alpha1 validating webhook had no matchPolicy, so it
defaulted to Equivalent: the apiserver converted v1alpha2 DNSRecord
writes to v1alpha1 and routed them through this webhook too. Since the
v2-&gt;v1 conversion stamps every record with the v1alpha2-spec annotation
the validator keys on, it rejected the DNS controller's own v1alpha2
auto-record updates ("... cannot be modified via v1alpha1"), looping the
DNS reconcile.

Set matchPolicy=Exact so the webhook only fires for genuine v1alpha1
requests, leaving v1alpha2 controller writes untouched. A v1alpha1-native
edit of a v2-backed record is still blocked (intended — it preserves the
controller-SA reservation on origin=auto and the v2-only data). Reworded
the message/var since it applies to any v2-backed record, not only manual.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -98,6 +98,7 @@ webhooks:
       namespace: system
       path: /validate-sreportal-io-v1alpha1-dnsrecord
   failurePolicy: Fail
+  matchPolicy: Exact
   name: vdnsrecord-v1alpha1.kb.io
   rules:
   - apiGroups:
diff --git a/helm/templates/validating-webhook-configuration.yaml b/helm/templates/validating-webhook-configuration.yaml
@@ -55,6 +55,7 @@ webhooks:
       namespace: '{{ .Release.Namespace }}'
       path: /validate-sreportal-io-v1alpha1-dnsrecord
   failurePolicy: Fail
+  matchPolicy: Exact
   name: vdnsrecord-v1alpha1.kb.io
   rules:
   - apiGroups:
diff --git a/internal/webhook/v1alpha1/dnsrecord_webhook.go b/internal/webhook/v1alpha1/dnsrecord_webhook.go
@@ -35,11 +35,16 @@ func SetupDNSRecordWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
-// +kubebuilder:webhook:path=/validate-sreportal-io-v1alpha1-dnsrecord,mutating=false,failurePolicy=fail,sideEffects=None,groups=sreportal.io,resources=dnsrecords,verbs=update,versions=v1alpha1,name=vdnsrecord-v1alpha1.kb.io,admissionReviewVersions=v1
+// matchPolicy=Exact so this webhook only fires for genuine v1alpha1 requests.
+// With the default (Equivalent), the apiserver converts v1alpha2 writes to
+// v1alpha1 and routes them here too — which wrongly blocks the DNS controller's
+// own v1alpha2 record updates (conversion stamps every record with the
+// v1alpha2-spec annotation this validator keys on).
+// +kubebuilder:webhook:path=/validate-sreportal-io-v1alpha1-dnsrecord,mutating=false,failurePolicy=fail,matchPolicy=Exact,sideEffects=None,groups=sreportal.io,resources=dnsrecords,verbs=update,versions=v1alpha1,name=vdnsrecord-v1alpha1.kb.io,admissionReviewVersions=v1
 
-// DNSRecordValidator rejects updates that would silently clobber the manual
-// entries stored in the v1alpha2 spec annotation when a client edits through
-// the v1alpha1 surface.
+// DNSRecordValidator rejects updates that would silently clobber the v1alpha2-only
+// data (origin, entries) stored in the spec annotation when a client edits a
+// v1alpha2-backed record through the v1alpha1 surface.
 type DNSRecordValidator struct{}
 
 func (v *DNSRecordValidator) ValidateCreate(_ context.Context, _ *sreportalv1alpha1.DNSRecord) (admission.Warnings, error) {
@@ -50,10 +55,10 @@ func (v *DNSRecordValidator) ValidateUpdate(_ context.Context, oldObj, _ *srepor
 	if oldObj == nil {
 		return nil, nil
 	}
-	if _, manual := oldObj.Annotations[annotationV1Alpha2DNSRecordSpec]; !manual {
+	if _, backedByV2 := oldObj.Annotations[annotationV1Alpha2DNSRecordSpec]; !backedByV2 {
 		return nil, nil
 	}
-	return nil, fmt.Errorf("manual DNSRecord cannot be modified via v1alpha1; use sreportal.io/v1alpha2")
+	return nil, fmt.Errorf("DNSRecord backed by v1alpha2 cannot be modified via v1alpha1; use sreportal.io/v1alpha2")
 }
 
 func (v *DNSRecordValidator) ValidateDelete(_ context.Context, _ *sreportalv1alpha1.DNSRecord) (admission.Warnings, error) {
diff --git a/internal/webhook/v1alpha1/dnsrecord_webhook_test.go b/internal/webhook/v1alpha1/dnsrecord_webhook_test.go
@@ -45,7 +45,7 @@ var _ = Describe("DNSRecord v1alpha1 Webhook", func() {
 
 			warnings, err := validator.ValidateUpdate(context.Background(), old, newObj)
 			Expect(err).To(HaveOccurred())
-			Expect(err.Error()).To(ContainSubstring("manual DNSRecord cannot be modified via v1alpha1"))
+			Expect(err.Error()).To(ContainSubstring("DNSRecord backed by v1alpha2 cannot be modified via v1alpha1"))
 			Expect(warnings).To(BeEmpty())
 		})
 
