feat(config): add webhook as kustomize component

Makefile

@@ -64,8 +64,9 @@ IMG_TAG ?= latest
 
 # ENABLE_METRICS: If set to true, includes Prometheus Service and ServiceMonitor resources.
 ENABLE_METRICS ?= false
-# ENABLE_TLS: If set to true (and ENABLE_METRICS is true), configures metrics to use HTTPS with CertManager.
 ENABLE_TLS ?= false
+# ENABLE_WEBHOOK: If set to true, includes validating webhook. Requires ENABLE_TLS=true.
+ENABLE_WEBHOOK ?= false
 
 # Default value for ignore-not-found flag in undeploy target
 ignore-not-found ?= true
@@ -235,21 +236,30 @@ endif
 # Temporary directory for building manifests
 BUILD_DIR := $(ROOT_DIR)/bin/build
 
-# Internal target to build manifests in a temporary directory to keep the source config clean.
-# This prevents 'kustomize edit' from modifying your local git state.
-# Features (Metrics, TLS) are enabled by adding Kustomize Components to the temporary copy.
-# TODO: we can do better for prometheus metrics ports that are added by manager_prometheus_metrics.yaml
+# Build manifests in a temp directory to keep source config clean.
+# Features are enabled by adding Kustomize Components.
 .PHONY: build-manifests-temp
 build-manifests-temp: manifests $(KUSTOMIZE)
 	@mkdir -p $(BUILD_DIR)
 	@rm -rf $(BUILD_DIR)/config
 	@cp -r config $(BUILD_DIR)/
 	@cd $(BUILD_DIR)/config/manager && $(KUSTOMIZE) edit set image controller=${IMG_PREFIX}:${IMG_TAG}
+	@# TLS: Add certmanager component for certificates
+	@if [ "$(ENABLE_TLS)" = "true" ]; then \
+		cd $(BUILD_DIR)/config/default && $(KUSTOMIZE) edit add component ../certmanager; \
+	fi
+	@# Webhook: Requires TLS for certificates
+	@if [ "$(ENABLE_WEBHOOK)" = "true" ]; then \
+		if [ "$(ENABLE_TLS)" != "true" ]; then \
+			echo "ERROR: ENABLE_WEBHOOK=true requires ENABLE_TLS=true"; exit 1; \
+		fi; \
+		cd $(BUILD_DIR)/config/default && $(KUSTOMIZE) edit add component ../webhook; \
+	fi
+	@# Metrics: Add prometheus, with TLS config if enabled
 	@if [ "$(ENABLE_METRICS)" = "true" ]; then \
 		cd $(BUILD_DIR)/config/default && $(KUSTOMIZE) edit add component ../prometheus; \
 		if [ "$(ENABLE_TLS)" = "true" ]; then \
-			cd $(BUILD_DIR)/config/default && $(KUSTOMIZE) edit add component ../certmanager && \
-			$(KUSTOMIZE) edit add component ../prometheus/tls; \
+			cd $(BUILD_DIR)/config/default && $(KUSTOMIZE) edit add component ../prometheus/tls; \
 		else \
 			cd $(BUILD_DIR)/config/prometheus && $(KUSTOMIZE) edit add patch --path manager_prometheus_metrics.yaml --kind Deployment --name controller-manager; \
 		fi; \
@@ -278,21 +288,52 @@ undeploy: build-manifests-temp ## Undeploy controller from the K8s cluster. Use
 
 .PHONY: deploy-with-metrics
 deploy-with-metrics: ENABLE_METRICS=true
-deploy-with-metrics: deploy ## Deploy with metrics enabled.
+deploy-with-metrics: deploy ## Deploy with metrics (HTTP).
 
 .PHONY: undeploy-with-metrics
 undeploy-with-metrics: ENABLE_METRICS=true
-undeploy-with-metrics: undeploy ## Undeploy with metrics enabled.
-
-.PHONY: deploy-with-metrics-tls-enabled
-deploy-with-metrics-tls-enabled: ENABLE_TLS=true
-deploy-with-metrics-tls-enabled: ENABLE_METRICS=true
-deploy-with-metrics-tls-enabled: deploy ## Deploy with metrics and TLS enabled.
-
-.PHONY: undeploy-with-metrics-tls-enabled
-undeploy-with-metrics-tls-enabled: ENABLE_TLS=true
-undeploy-with-metrics-tls-enabled: ENABLE_METRICS=true
-undeploy-with-metrics-tls-enabled: undeploy ## Undeploy with metrics and TLS enabled.
+undeploy-with-metrics: undeploy ## Undeploy with metrics.
+
+.PHONY: deploy-with-metrics-and-tls
+deploy-with-metrics-and-tls: ENABLE_METRICS=true
+deploy-with-metrics-and-tls: ENABLE_TLS=true
+deploy-with-metrics-and-tls: deploy ## Deploy with metrics and TLS.
+
+.PHONY: undeploy-with-metrics-and-tls
+undeploy-with-metrics-and-tls: ENABLE_METRICS=true
+undeploy-with-metrics-and-tls: ENABLE_TLS=true
+undeploy-with-metrics-and-tls: undeploy ## Undeploy with metrics and TLS.
+
+.PHONY: deploy-with-tls
+deploy-with-tls: ENABLE_TLS=true
+deploy-with-tls: deploy ## Deploy with TLS (cert-manager).
+
+.PHONY: undeploy-with-tls
+undeploy-with-tls: ENABLE_TLS=true
+undeploy-with-tls: undeploy ## Undeploy with TLS.
+
+.PHONY: deploy-with-webhook
+deploy-with-webhook: ENABLE_TLS=true
+deploy-with-webhook: ENABLE_WEBHOOK=true
+deploy-with-webhook: deploy ## Deploy with webhook (includes TLS).
+
+.PHONY: undeploy-with-webhook
+undeploy-with-webhook: ENABLE_TLS=true
+undeploy-with-webhook: ENABLE_WEBHOOK=true
+undeploy-with-webhook: undeploy ## Undeploy with webhook.
+
+# Deploy with all features: metrics, TLS, webhook.
+.PHONY: deploy-full
+deploy-full: ENABLE_METRICS=true
+deploy-full: ENABLE_TLS=true
+deploy-full: ENABLE_WEBHOOK=true
+deploy-full: deploy ## Deploy with all features: metrics, TLS, webhook.
+
+.PHONY: undeploy-full
+undeploy-full: ENABLE_METRICS=true
+undeploy-full: ENABLE_TLS=true
+undeploy-full: ENABLE_WEBHOOK=true
+undeploy-full: undeploy ## Undeploy with all features.
 
 ## --------------------------------------
 ## Testing

config/certmanager/certificate.yaml

@@ -8,17 +8,3 @@ metadata:
 spec:
   selfSigned: {}
 ---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: metrics-certs
-  namespace: system
-spec:
-  commonName: nrr-metrics
-  dnsNames:
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
-  issuerRef:
-    kind: Issuer
-    name: selfsigned-issuer
-  secretName: metrics-server-cert

config/manager/manager.yaml

@@ -74,7 +74,6 @@ spec:
         args:
           - --leader-elect
           - --health-probe-bind-address=:8081
-          - --enable-webhook=false
         image: controller:latest
         imagePullPolicy: IfNotPresent
         name: manager

config/prometheus/kustomization.yaml

@@ -1,22 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 resources:
-- monitor.yaml
 - metrics_service.yaml
 
-patches:
-# Bind metrics to port 8080 for HTTP. 
-# This matches the Service and ServiceMonitor configuration in this directory.
-# - path: manager_prometheus_metrics.yaml
-#   target:
-#     kind: Deployment
-#     name: controller-manager
-
-# By default, metrics are disabled in the manager (default : "0").
-# This component adds the Service and ServiceMonitor for Prometheus,
-# and applies the patch to bind the manager to port :8080(it is done in Makefile for now).
-
-# Patches for TLS are in the 'tls' component which will:
-# 1. Overlay the HTTPS args (:8443) and security flags
-# 2. Add ServiceMonitor TLS config
-# 3. Mount CertManager secrets

config/prometheus/metrics_service.yaml

@@ -5,7 +5,7 @@ metadata:
     control-plane: controller-manager
     app.kubernetes.io/name: nrrcontroller
     app.kubernetes.io/managed-by: kustomize
-  name: controller-manager-metrics-service
+  name: metrics-service
   namespace: system
 spec:
   ports:

config/prometheus/tls/certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: metrics-certs
+  namespace: system
+spec:
+  dnsNames:
+  - nrr-metrics-service.nrr-system.svc
+  - nrr-metrics-service.nrr-system.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: metrics-server-cert

config/prometheus/tls/kustomization.yaml

@@ -1,15 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
+resources:
+- certificate.yaml
+
 patches:
 # Enable HTTPS args in Deployment
 - path: manager_prometheus_metrics_tls.yaml
   target:
     kind: Deployment
-# Configure ServiceMonitor for TLS
-- path: monitor_tls_patch.yaml
-  target:
-    kind: ServiceMonitor
 # Mount CertManager secrets in Deployment
 - path: cert_metrics_manager_patch.yaml
   target:
@@ -18,63 +17,3 @@ patches:
 - path: metrics_service_tls_patch.yaml
   target:
     kind: Service
-
-replacements:
-  - source:
-      kind: Service
-      version: v1
-      name: controller-manager-metrics-service
-      fieldPath: metadata.name
-    targets:
-      - select:
-          kind: Certificate
-          group: cert-manager.io
-          version: v1
-          name: metrics-certs
-        fieldPaths:
-          - spec.dnsNames.0
-          - spec.dnsNames.1
-        options:
-          delimiter: '.'
-          index: 0
-          create: true
-      - select:
-          kind: ServiceMonitor
-          group: monitoring.coreos.com
-          version: v1
-          name: controller-manager-metrics-monitor
-        fieldPaths:
-          - spec.endpoints.0.tlsConfig.serverName
-        options:
-          delimiter: '.'
-          index: 0
-          create: true
-  - source:
-      kind: Service
-      version: v1
-      name: controller-manager-metrics-service
-      fieldPath: metadata.namespace
-    targets:
-      - select:
-          kind: Certificate
-          group: cert-manager.io
-          version: v1
-          name: metrics-certs
-        fieldPaths:
-          - spec.dnsNames.0
-          - spec.dnsNames.1
-        options:
-          delimiter: '.'
-          index: 1
-          create: true
-      - select:
-          kind: ServiceMonitor
-          group: monitoring.coreos.com
-          version: v1
-          name: controller-manager-metrics-monitor
-        fieldPaths:
-          - spec.endpoints.0.tlsConfig.serverName
-        options:
-          delimiter: '.'
-          index: 1
-          create: true

config/prometheus/tls/metrics_service_tls_patch.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: controller-manager-metrics-service
+  name: metrics-service
   namespace: system
 spec:
   ports:

config/webhook/certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: serving-cert
+  namespace: system
+spec:
+  dnsNames:
+  - nrr-webhook-service.nrr-system.svc
+  - nrr-webhook-service.nrr-system.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: webhook-server-certs

config/webhook/kustomization.yaml

@@ -1,9 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
 resources:
 - manifests.yaml
 - service.yaml
+- certificate.yaml
 
 configurations:
 - kustomizeconfig.yaml
 
-patchesStrategicMerge:
-- webhook_patch.yaml
+patches:
+- path: webhook_patch.yaml
+  target:
+    kind: ValidatingWebhookConfiguration
+- path: manager_webhook_patch.yaml
+  target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: controller-manager
+    namespace: system