complete coverage

Author: taskbot

cmd/thv-operator/api/v1alpha1/virtualmcpcompositetooldefinition_webhook.go

@@ -1,13 +1,49 @@
 package v1alpha1
 
 import (
+	"context"
 	"fmt"
 	"regexp"
 	"text/template"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
+// SetupWebhookWithManager registers the webhook with the manager
+func (r *VirtualMCPCompositeToolDefinition) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+//nolint:lll // kubebuilder webhook marker cannot be split
+// +kubebuilder:webhook:path=/validate-toolhive-stacklok-dev-v1alpha1-virtualmcpcompositetooldefinition,mutating=false,failurePolicy=fail,sideEffects=None,groups=toolhive.stacklok.dev,resources=virtualmcpcompositetooldefinitions,verbs=create;update,versions=v1alpha1,name=vvirtualmcpcompositetooldefinition.kb.io,admissionReviewVersions=v1
+
+var _ webhook.CustomValidator = &VirtualMCPCompositeToolDefinition{}
+
+// ValidateCreate implements webhook.CustomValidator
+func (r *VirtualMCPCompositeToolDefinition) ValidateCreate(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	return nil, r.Validate()
+}
+
+// ValidateUpdate implements webhook.CustomValidator
+//
+//nolint:lll // function signature cannot be shortened
+func (r *VirtualMCPCompositeToolDefinition) ValidateUpdate(_ context.Context, _ runtime.Object, _ runtime.Object) (admission.Warnings, error) {
+	return nil, r.Validate()
+}
+
+// ValidateDelete implements webhook.CustomValidator
+func (*VirtualMCPCompositeToolDefinition) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	// No validation needed on delete
+	return nil, nil
+}
+
 // Validate performs validation for VirtualMCPCompositeToolDefinition
-// This method can be called by the controller during reconciliation
+// This method can be called by the controller during reconciliation or by the webhook
 func (r *VirtualMCPCompositeToolDefinition) Validate() error {
 	var errors []string
 

cmd/thv-operator/api/v1alpha1/virtualmcpserver_webhook.go

@@ -1,11 +1,45 @@
 package v1alpha1
 
 import (
+	"context"
 	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
+// SetupWebhookWithManager registers the webhook with the manager
+func (r *VirtualMCPServer) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+//nolint:lll // kubebuilder webhook marker cannot be split
+// +kubebuilder:webhook:path=/validate-toolhive-stacklok-dev-v1alpha1-virtualmcpserver,mutating=false,failurePolicy=fail,sideEffects=None,groups=toolhive.stacklok.dev,resources=virtualmcpservers,verbs=create;update,versions=v1alpha1,name=vvirtualmcpserver.kb.io,admissionReviewVersions=v1
+
+var _ webhook.CustomValidator = &VirtualMCPServer{}
+
+// ValidateCreate implements webhook.CustomValidator
+func (r *VirtualMCPServer) ValidateCreate(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	return nil, r.Validate()
+}
+
+// ValidateUpdate implements webhook.CustomValidator
+func (r *VirtualMCPServer) ValidateUpdate(_ context.Context, _ runtime.Object, _ runtime.Object) (admission.Warnings, error) {
+	return nil, r.Validate()
+}
+
+// ValidateDelete implements webhook.CustomValidator
+func (*VirtualMCPServer) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	// No validation needed on delete
+	return nil, nil
+}
+
 // Validate performs validation for VirtualMCPServer
-// This method can be called by the controller during reconciliation
+// This method can be called by the controller during reconciliation or by the webhook
 func (r *VirtualMCPServer) Validate() error {
 	// Validate GroupRef is set (required field)
 	if r.Spec.GroupRef.Name == "" {

cmd/thv-operator/main.go

@@ -5,6 +5,7 @@ package main
 import (
 	"context"
 	"flag"
+	"fmt"
 	"os"
 	"strings"
 
@@ -72,12 +73,44 @@ func main() {
 	}
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), options)
-
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
 		os.Exit(1)
 	}
 
+	if err := setupControllersAndWebhooks(mgr); err != nil {
+		setupLog.Error(err, "unable to setup controllers and webhooks")
+		os.Exit(1)
+	}
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	podNamespace, _ := os.LookupEnv("POD_NAMESPACE")
+	// Set up telemetry service - only runs when elected as leader
+	telemetryService := telemetry.NewService(mgr.GetClient(), podNamespace)
+	if err := mgr.Add(&telemetry.LeaderTelemetryRunnable{
+		TelemetryService: telemetryService,
+	}); err != nil {
+		setupLog.Error(err, "unable to add telemetry runnable")
+		os.Exit(1)
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}
+
+// setupControllersAndWebhooks sets up all controllers and webhooks with the manager
+func setupControllersAndWebhooks(mgr ctrl.Manager) error {
 	// Set up field indexing for MCPServer.Spec.GroupRef
 	if err := mgr.GetFieldIndexer().IndexField(
 		context.Background(),
@@ -91,8 +124,7 @@ func main() {
 			return []string{mcpServer.Spec.GroupRef}
 		},
 	); err != nil {
-		setupLog.Error(err, "unable to create field index for spec.groupRef")
-		os.Exit(1)
+		return fmt.Errorf("unable to create field index for spec.groupRef: %w", err)
 	}
 
 	// Create a shared platform detector for all controllers
@@ -105,80 +137,61 @@ func main() {
 		ImageValidation:  validation.ImageValidationAlwaysAllow,
 	}
 
-	if err = rec.SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "MCPServer")
-		os.Exit(1)
+	if err := rec.SetupWithManager(mgr); err != nil {
+		return fmt.Errorf("unable to create controller MCPServer: %w", err)
 	}
 
 	// Register MCPToolConfig controller
-	if err = (&controllers.ToolConfigReconciler{
+	if err := (&controllers.ToolConfigReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
 	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "MCPToolConfig")
-		os.Exit(1)
+		return fmt.Errorf("unable to create controller MCPToolConfig: %w", err)
 	}
 
 	// Register MCPExternalAuthConfig controller
-	if err = (&controllers.MCPExternalAuthConfigReconciler{
+	if err := (&controllers.MCPExternalAuthConfigReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
 	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "MCPExternalAuthConfig")
-		os.Exit(1)
+		return fmt.Errorf("unable to create controller MCPExternalAuthConfig: %w", err)
 	}
 
 	// Register MCPRemoteProxy controller
-	if err = (&controllers.MCPRemoteProxyReconciler{
+	if err := (&controllers.MCPRemoteProxyReconciler{
 		Client:           mgr.GetClient(),
 		Scheme:           mgr.GetScheme(),
 		PlatformDetector: ctrlutil.NewSharedPlatformDetector(),
 	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "MCPRemoteProxy")
-		os.Exit(1)
+		return fmt.Errorf("unable to create controller MCPRemoteProxy: %w", err)
 	}
 
 	// Only register MCPRegistry controller if feature flag is enabled
 	rec.ImageValidation = validation.ImageValidationRegistryEnforcing
 
-	if err = (controllers.NewMCPRegistryReconciler(mgr.GetClient(), mgr.GetScheme())).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "MCPRegistry")
-		os.Exit(1)
+	if err := (controllers.NewMCPRegistryReconciler(mgr.GetClient(), mgr.GetScheme())).SetupWithManager(mgr); err != nil {
+		return fmt.Errorf("unable to create controller MCPRegistry: %w", err)
 	}
 
 	// Set up MCPGroup controller
-	if err = (&controllers.MCPGroupReconciler{
+	if err := (&controllers.MCPGroupReconciler{
 		Client: mgr.GetClient(),
 	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "MCPGroup")
-		os.Exit(1)
+		return fmt.Errorf("unable to create controller MCPGroup: %w", err)
 	}
-	//+kubebuilder:scaffold:builder
 
-	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
-		setupLog.Error(err, "unable to set up health check")
-		os.Exit(1)
-	}
-	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
-		setupLog.Error(err, "unable to set up ready check")
-		os.Exit(1)
+	// Set up VirtualMCPServer webhook
+	if err := (&mcpv1alpha1.VirtualMCPServer{}).SetupWebhookWithManager(mgr); err != nil {
+		return fmt.Errorf("unable to create webhook VirtualMCPServer: %w", err)
 	}
 
-	podNamespace, _ := os.LookupEnv("POD_NAMESPACE")
-	// Set up telemetry service - only runs when elected as leader
-	telemetryService := telemetry.NewService(mgr.GetClient(), podNamespace)
-	if err := mgr.Add(&telemetry.LeaderTelemetryRunnable{
-		TelemetryService: telemetryService,
-	}); err != nil {
-		setupLog.Error(err, "unable to add telemetry runnable")
-		os.Exit(1)
+	// Set up VirtualMCPCompositeToolDefinition webhook
+	if err := (&mcpv1alpha1.VirtualMCPCompositeToolDefinition{}).SetupWebhookWithManager(mgr); err != nil {
+		return fmt.Errorf("unable to create webhook VirtualMCPCompositeToolDefinition: %w", err)
 	}
+	//+kubebuilder:scaffold:builder
 
-	setupLog.Info("starting manager")
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
-		setupLog.Error(err, "problem running manager")
-		os.Exit(1)
-	}
+	return nil
 }
 
 // getDefaultNamespaces returns a map of namespaces to cache.Config for the operator to watch.

config/webhook/manifests.yaml

@@ -4,6 +4,26 @@ kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration
 webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-toolhive-stacklok-dev-v1alpha1-virtualmcpcompositetooldefinition
+  failurePolicy: Fail
+  name: vvirtualmcpcompositetooldefinition.kb.io
+  rules:
+  - apiGroups:
+    - toolhive.stacklok.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - virtualmcpcompositetooldefinitions
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:

deploy/charts/operator/templates/validating-webhook.yaml

@@ -0,0 +1,53 @@
+{{- if .Values.webhook.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ include "operator.fullname" . }}-validating-webhook-configuration
+  labels:
+    {{- include "operator.labels" . | nindent 4 }}
+  {{- if .Values.webhook.certManager.enabled }}
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "operator.fullname" . }}-serving-cert
+  {{- end }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ include "operator.fullname" . }}-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-toolhive-stacklok-dev-v1alpha1-virtualmcpserver
+  failurePolicy: Fail
+  name: vvirtualmcpserver.kb.io
+  rules:
+  - apiGroups:
+    - toolhive.stacklok.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - virtualmcpservers
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ include "operator.fullname" . }}-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-toolhive-stacklok-dev-v1alpha1-virtualmcpcompositetooldefinition
+  failurePolicy: Fail
+  name: vvirtualmcpcompositetooldefinition.kb.io
+  rules:
+  - apiGroups:
+    - toolhive.stacklok.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - virtualmcpcompositetooldefinitions
+  sideEffects: None
+{{- end }}

deploy/charts/operator/values.yaml

@@ -188,6 +188,15 @@ operator:
   # -- Affinity settings for the operator pod
   affinity: {}
 
+# -- Webhook configuration for admission control
+webhook:
+  # -- Enable webhook admission control
+  enabled: false
+  # -- Cert-manager integration for webhook certificates
+  certManager:
+    # -- Use cert-manager to generate webhook certificates
+    enabled: false
+
 # -- All values for the registry API deployment and associated resources
 registryAPI:
   # -- Container image for the registry API