VWC logic now moved to operator code for both OLM and Helm.

Signed-off-by: Aryan <[email protected]>

Author: aryangorwade

bundle/manifests/k8s-nim-operator.clusterserviceversion.yaml

@@ -1345,6 +1345,18 @@ spec:
               - watch
               - create
               - delete
+            - apiGroups:
+              - admissionregistration.k8s.io
+              resources:
+              - validatingwebhookconfigurations
+              verbs:
+              - get
+              - list
+              - watch
+              - create
+              - update
+              - patch
+              - delete
             - apiGroups:
               - gateway.networking.k8s.io
               resources:
@@ -1357,6 +1369,7 @@ spec:
               - patch
               - update
               - watch
+              - admissionregistration.k8s.io
       deployments:
         - name: k8s-nim-operator
           spec:
@@ -1413,6 +1426,8 @@ spec:
                             fieldPath: metadata.namespace
                       - name: ENABLE_WEBHOOKS
                         value: "true"
+                      - name: OPERATOR_NAME_PREFIX
+                        value: "k8s-nim-operator"
                     image: 'ghcr.io/nvidia/k8s-nim-operator:main'
                     imagePullPolicy: Always
                     livenessProbe:
@@ -1426,6 +1441,10 @@ spec:
                       successThreshold: 1
                       timeoutSeconds: 1
                     name: manager
+                    volumeMounts:
+                      - name: cert
+                        mountPath: /tmp/k8s-webhook-server/serving-certs
+                        readOnly: true
                     readinessProbe:
                       failureThreshold: 3
                       httpGet:
@@ -1447,6 +1466,11 @@ spec:
                       allowPrivilegeEscalation: false
                     terminationMessagePath: /dev/termination-log
                     terminationMessagePolicy: File
+                volumes:
+                  - name: cert
+                    secret:
+                      secretName: k8s-nim-operator-webhook-server-cert
+                      defaultMode: 420
                 dnsPolicy: ClusterFirst
                 imagePullSecrets: []
                 restartPolicy: Always
@@ -1469,46 +1493,4 @@ spec:
     - type: MultiNamespace
       supported: false
     - type: AllNamespaces
-      supported: true
-  webhookdefinitions:
-  - type: ValidatingAdmissionWebhook
-    admissionReviewVersions:
-      - v1
-    containerPort: 9443
-    targetPort: 9443          
-    deploymentName: k8s-nim-operator
-    failurePolicy: Fail
-    generateName: vnimcache-v1alpha1.kb.io
-    rules:
-      - apiGroups:
-          - apps.nvidia.com
-        apiVersions:
-          - v1alpha1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - nimcaches
-    sideEffects: None
-    webhookPath: /validate-apps-nvidia-com-v1alpha1-nimcache
-  - type: ValidatingAdmissionWebhook
-    admissionReviewVersions:
-      - v1
-    containerPort: 9443  
-    targetPort: 9443 
-    deploymentName: k8s-nim-operator
-    failurePolicy: Fail
-    generateName: vnimservice-v1alpha1.kb.io
-    rules:
-      - apiGroups:
-          - apps.nvidia.com
-        apiVersions:
-          - v1alpha1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - nimservices
-    sideEffects: None
-    webhookPath: /validate-apps-nvidia-com-v1alpha1-nimservice
-
+      supported: true

bundle/manifests/k8s-nim-operator.webhookservice.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8s-nim-operator-webhook-service
+  labels:
+    app.kubernetes.io/name: k8s-nim-operator
+    app.kubernetes.io/instance: nim-operator
+    control-plane: controller-manager
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: k8s-nim-operator-webhook-server-cert
+spec:
+  selector:
+    app.kubernetes.io/name: k8s-nim-operator
+    app.kubernetes.io/instance: nim-operator
+    control-plane: controller-manager
+  ports:
+    - port: 443
+      targetPort: 9443
+      protocol: TCP

cmd/main.go

@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"crypto/tls"
 	"flag"
 	"os"
@@ -34,6 +35,7 @@ import (
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	ctrl "sigs.k8s.io/controller-runtime"
+	crclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
@@ -45,7 +47,9 @@ import (
 
 	appsv1alpha1 "github.com/NVIDIA/k8s-nim-operator/api/apps/v1alpha1"
 	"github.com/NVIDIA/k8s-nim-operator/internal/conditions"
+	"github.com/NVIDIA/k8s-nim-operator/internal/config"
 	"github.com/NVIDIA/k8s-nim-operator/internal/controller"
+	"github.com/NVIDIA/k8s-nim-operator/internal/k8sutil"
 	"github.com/NVIDIA/k8s-nim-operator/internal/render"
 	webhookappsv1alpha1 "github.com/NVIDIA/k8s-nim-operator/internal/webhook/apps/v1alpha1"
 	// +kubebuilder:scaffold:imports
@@ -264,17 +268,38 @@ func main() {
 
 	// nolint:goconst
 	// Parse ENABLE_WEBHOOKS environment variable once as a boolean.
-	var enableWebhooks bool
 	if val, ok := os.LookupEnv("ENABLE_WEBHOOKS"); ok {
 		var err error
-		enableWebhooks, err = strconv.ParseBool(val)
+		enableWebhooks, err := strconv.ParseBool(val)
 		if err != nil {
 			setupLog.Error(err, "invalid value for ENABLE_WEBHOOKS, expected boolean")
 			os.Exit(1)
 		}
+		config.EnableWebhooks = enableWebhooks
+	}
+	if val, ok := os.LookupEnv("OPERATOR_NAME_PREFIX"); ok {
+		config.OperatorNamePrefix = val
+	}
+	if val, ok := os.LookupEnv("OPERATOR_NAMESPACE"); ok {
+		config.OperatorNamespace = val
 	}
 
-	if enableWebhooks {
+	cfg := ctrl.GetConfigOrDie()
+	liveClient, err := crclient.New(cfg, crclient.Options{Scheme: scheme})
+	if err != nil {
+		setupLog.Error(err, "unable to construct live client")
+		os.Exit(1)
+	}
+	ctx := context.Background()
+	orch, err := k8sutil.GetOrchestratorType(ctx, liveClient) // uses direct REST calls
+	if err != nil {
+		setupLog.Error(err, "failed to detect orchestrator type")
+		os.Exit(1)
+	}
+	config.OrchestratorType = orch
+	setupLog.Info("detected orchestrator", "type", orch)
+
+	if config.EnableWebhooks {
 		if err := webhookappsv1alpha1.SetupNIMCacheWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "NIMCache")
 			os.Exit(1)
@@ -284,6 +309,17 @@ func main() {
 			setupLog.Error(err, "unable to create webhook", "webhook", "NIMService")
 			os.Exit(1)
 		}
+		// Set up cluster-level ValidatingWebhookConfiguration.
+		if err := webhookappsv1alpha1.EnsureValidatingWebhook(
+			context.TODO(),
+			mgr.GetAPIReader(),
+			mgr.GetClient(),
+			config.OperatorNamespace,
+			config.OperatorNamePrefix,
+		); err != nil {
+			setupLog.Error(err, "unable to ensure ValidatingWebhookConfiguration")
+			os.Exit(1)
+		}
 	}
 	// +kubebuilder:scaffold:builder
 

deployments/helm/k8s-nim-operator/templates/deployment.yaml

@@ -51,6 +51,8 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          - name: OPERATOR_NAME_PREFIX
+            value: {{ include "k8s-nim-operator.fullname" . }}
           - name: ENABLE_WEBHOOKS
             value: "{{ .Values.operator.admissionController.enabled }}"
         livenessProbe:

deployments/helm/k8s-nim-operator/templates/manager-rbac.yaml

@@ -582,8 +582,10 @@ rules:
   - get
   - list
   - watch
-  - patch
+  - create
   - update
+  - patch
+  - delete
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
@@ -596,7 +598,6 @@ rules:
   - patch
   - update
   - watch
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

internal/config/config.go

@@ -0,0 +1,10 @@
+package config
+
+import "github.com/NVIDIA/k8s-nim-operator/internal/k8sutil"
+
+var (
+	EnableWebhooks     bool
+	OperatorNamePrefix string
+	OperatorNamespace  string
+	OrchestratorType   k8sutil.OrchestratorType
+)