improved appwrapper webhook configuration

Define mock appwrapper webhooks to enable reasonable error
messages for users when AppWrappers are disabled by configuration.

Author: dgrove-oss

main.go

@@ -144,8 +144,9 @@ func main() {
 			MTLSEnabled:              ptr.To(true),
 		},
 		AppWrapper: &config.AppWrapperConfiguration{
-			Enabled: ptr.To(false),
-			Config:  awconfig.NewAppWrapperConfig(),
+			Enabled:            ptr.To(false),
+			ExternalController: ptr.To(false),
+			Config:             awconfig.NewAppWrapperConfig(),
 		},
 	}
 
@@ -236,14 +237,20 @@ func waitForRayClusterAPIandSetupController(ctx context.Context, mgr ctrl.Manage
 func setupAppWrapperComponents(ctx context.Context, cancel context.CancelFunc, mgr ctrl.Manager,
 	cfg *config.CodeFlareOperatorConfiguration, certsReady chan struct{}) error {
 	if cfg.AppWrapper == nil || !ptr.Deref(cfg.AppWrapper.Enabled, false) {
-		setupLog.Info("AppWrappers are disabled by operator configuration")
+		setupLog.Info("Embedded AppWrapper controller is disabled by config")
+		externalController := cfg.AppWrapper != nil && ptr.Deref(cfg.AppWrapper.ExternalController, false)
+		go func() {
+			<-certsReady
+			setupLog.Info("Setting up mock AppWrapper webhooks", "externalController", externalController)
+			exitOnError(controllers.SetupMockAppWrapperWebhooks(mgr, externalController), "unable to setup AppWrapper webhooks")
+		}()
 		return nil
 	}
 
 	// AppWrapper webhook doesn't depend on WorkloadAPI availablity but does need certsReady
 	go func() {
 		<-certsReady
-		setupLog.Info("Setting up AppWrapper webhook")
+		setupLog.Info("Setting up AppWrapper webhooks")
 		exitOnError(awctrl.SetupWebhooks(mgr, cfg.AppWrapper.Config), "unable to setup AppWrapper webhooks")
 	}()
 

pkg/config/config.go

@@ -38,6 +38,8 @@ type CodeFlareOperatorConfiguration struct {
 type AppWrapperConfiguration struct {
 	// Enabled controls whether or not the AppWrapper Controller is enabled
 	Enabled *bool `json:"enabled,omitempty"`
+	// ExternalController indicates that an AppWrapper Controller external to the Codeflare Operator is deployed
+	ExternalController *bool `json:"externalController,omitempty"`
 	// AppWrapper contains the AppWrapper controller configuration
 	Config *awconfig.AppWrapperConfig `json:"config,omitempty"`
 }

pkg/controllers/appwrapper_controller.go

@@ -40,11 +40,3 @@ package controllers
 // +kubebuilder:rbac:groups=kueue.x-k8s.io,resources=workloads/finalizers,verbs=update
 // +kubebuilder:rbac:groups=kueue.x-k8s.io,resources=resourceflavors,verbs=get;list;watch
 // +kubebuilder:rbac:groups=kueue.x-k8s.io,resources=workloadpriorityclasses,verbs=get;list;watch
-
-// webhook configuration
-//+kubebuilder:webhook:path=/mutate-workload-codeflare-dev-v1beta2-appwrapper,mutating=true,failurePolicy=fail,sideEffects=None,groups=workload.codeflare.dev,resources=appwrappers,verbs=create,versions=v1beta2,name=mappwrapper.kb.io,admissionReviewVersions=v1
-//+kubebuilder:webhook:path=/validate-workload-codeflare-dev-v1beta2-appwrapper,mutating=false,failurePolicy=fail,sideEffects=None,groups=workload.codeflare.dev,resources=appwrappers,verbs=create;update,versions=v1beta2,name=vappwrapper.kb.io,admissionReviewVersions=v1
-
-// permissions needed by Webhook to enable SubjectAccessReview
-//+kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create
-//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=list

pkg/controllers/appwrapper_webhook.go

@@ -0,0 +1,74 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+	"context"
+	"fmt"
+
+	awv1beta2 "github.com/project-codeflare/appwrapper/api/v1beta2"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// webhook configuration
+//+kubebuilder:webhook:path=/mutate-workload-codeflare-dev-v1beta2-appwrapper,mutating=true,failurePolicy=fail,sideEffects=None,groups=workload.codeflare.dev,resources=appwrappers,verbs=create,versions=v1beta2,name=mappwrapper.kb.io,admissionReviewVersions=v1
+//+kubebuilder:webhook:path=/validate-workload-codeflare-dev-v1beta2-appwrapper,mutating=false,failurePolicy=fail,sideEffects=None,groups=workload.codeflare.dev,resources=appwrappers,verbs=create;update,versions=v1beta2,name=vappwrapper.kb.io,admissionReviewVersions=v1
+
+// permissions needed by the "real" Webhook in the appwrapper project to enable SubjectAccessReview
+//+kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create
+//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=list
+
+type appwrapperWebhook struct {
+	externalController bool
+}
+
+var _ webhook.CustomDefaulter = &appwrapperWebhook{}
+
+func (w *appwrapperWebhook) Default(ctx context.Context, obj runtime.Object) error {
+	return nil
+}
+
+var _ webhook.CustomValidator = &appwrapperWebhook{}
+
+func (w *appwrapperWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	if w.externalController {
+		return nil, nil
+	} else {
+		return nil, fmt.Errorf("AppWrappers disabled by CodeFlare operator configuration")
+	}
+}
+
+func (w *appwrapperWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (w *appwrapperWebhook) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func SetupMockAppWrapperWebhooks(mgr ctrl.Manager, externalController bool) error {
+	wh := &appwrapperWebhook{externalController: externalController}
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(&awv1beta2.AppWrapper{}).
+		WithDefaulter(wh).
+		WithValidator(wh).
+		Complete()
+}