(fix) Admission Webhook names must be unique

Problem:
OLM currently creates all ValidatingWebhookConfigurations and
MutatingWebhookConfigurations using the name provided in the
WebhookDescription. This causes an issue when an operator that defines
an admission webhook in the CSV is installed in multiple namespaces,
causes the two operators to fight over the admission webhook.

Solution:
Generate a unique name for each webhook using the GenerateName field in
the Object Metadata.

Author: awgreene

pkg/controller/install/webhook.go

@@ -3,13 +3,13 @@ package install
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
 
 	log "github.com/sirupsen/logrus"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 )
@@ -69,80 +69,105 @@ func (i *StrategyDeploymentInstaller) createOrUpdateWebhook(caPEM []byte, desc v
 }
 
 func (i *StrategyDeploymentInstaller) createOrUpdateMutatingWebhook(ogNamespacelabelSelector *metav1.LabelSelector, caPEM []byte, desc v1alpha1.WebhookDescription) error {
-	webhooks := []admissionregistrationv1.MutatingWebhook{
-		desc.GetMutatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
+	webhookSelector := labels.SelectorFromSet(ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind)).String()
+	existingWebhooks, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		return err
+	}
+
+	var webhook *admissionregistrationv1.MutatingWebhookConfiguration
+	for _, item := range existingWebhooks.Items {
+		if strings.HasPrefix(item.Name, desc.Name) {
+			webhook = &item
+			break
+		}
 	}
-	existingHook, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Get(context.TODO(), desc.Name, metav1.GetOptions{})
-	if err == nil {
+
+	if webhook != nil {
 		// Check if the only owners are this CSV or in this CSV's replacement chain
-		if ownerutil.Adoptable(i.owner, existingHook.GetOwnerReferences()) {
-			ownerutil.AddNonBlockingOwner(existingHook, i.owner)
+		if ownerutil.AdoptableLabels(webhook.GetLabels(), false, i.owner) {
+			ownerutil.AddOwnerLabels(webhook, i.owner)
 		}
 
 		// Update the list of webhooks
-		existingHook.Webhooks = webhooks
+		webhook.Webhooks = []admissionregistrationv1.MutatingWebhook{
+			desc.GetMutatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
+		}
 
 		// Attempt an update
-		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Update(context.TODO(), existingHook, metav1.UpdateOptions{}); err != nil {
-			log.Warnf("could not update MutatingWebhookConfiguration %s", existingHook.GetName())
+		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Update(context.TODO(), webhook, metav1.UpdateOptions{}); err != nil {
+			log.Warnf("could not update MutatingWebhookConfiguration %s", webhook.GetName())
 			return err
 		}
-	} else if k8serrors.IsNotFound(err) {
-		hook := admissionregistrationv1.MutatingWebhookConfiguration{
-			ObjectMeta: metav1.ObjectMeta{Name: desc.Name,
-				Namespace: i.owner.GetNamespace(),
+	} else {
+		// Create a ValidatingWebhookConfiguration
+		hook := admissionregistrationv1.ValidatingWebhookConfiguration{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: desc.Name + "-",
+				Namespace:    i.owner.GetNamespace(),
+				Labels:       ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind),
+			},
+			Webhooks: []admissionregistrationv1.ValidatingWebhook{
+				desc.GetValidatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
 			},
-			Webhooks: webhooks,
 		}
-		// Add an owner
-		ownerutil.AddNonBlockingOwner(&hook, i.owner)
-		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Create(context.TODO(), &hook, metav1.CreateOptions{}); err != nil {
-			log.Errorf("Webhooks: Error creating mutating MutatingVebhookConfiguration: %v", err)
+
+		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.TODO(), &hook, metav1.CreateOptions{}); err != nil {
+			log.Errorf("Webhooks: Error creating ValidationWebhookConfiguration: %v", err)
 			return err
 		}
-	} else {
-		return err
 	}
-
 	return nil
 }
 
 func (i *StrategyDeploymentInstaller) createOrUpdateValidatingWebhook(ogNamespacelabelSelector *metav1.LabelSelector, caPEM []byte, desc v1alpha1.WebhookDescription) error {
-	webhooks := []admissionregistrationv1.ValidatingWebhook{
-		desc.GetValidatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
+	webhookSelector := labels.SelectorFromSet(ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind)).String()
+	existingWebhooks, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		return err
+	}
+
+	var webhook *admissionregistrationv1.ValidatingWebhookConfiguration
+	for _, item := range existingWebhooks.Items {
+		if strings.HasPrefix(item.Name, desc.Name) {
+			webhook = &item
+			break
+		}
 	}
-	existingHook, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.TODO(), desc.Name, metav1.GetOptions{})
-	if err == nil {
+
+	if webhook != nil {
 		// Check if the only owners are this CSV or in this CSV's replacement chain
-		if ownerutil.Adoptable(i.owner, existingHook.GetOwnerReferences()) {
-			ownerutil.AddNonBlockingOwner(existingHook, i.owner)
+		if ownerutil.AdoptableLabels(webhook.GetLabels(), false, i.owner) {
+			ownerutil.AddOwnerLabels(webhook, i.owner)
 		}
 
 		// Update the list of webhooks
-		existingHook.Webhooks = webhooks
+		webhook.Webhooks = []admissionregistrationv1.ValidatingWebhook{
+			desc.GetValidatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
+		}
 
 		// Attempt an update
-		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Update(context.TODO(), existingHook, metav1.UpdateOptions{}); err != nil {
-			log.Warnf("could not update ValidatingWebhookConfiguration %s", existingHook.GetName())
+		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Update(context.TODO(), webhook, metav1.UpdateOptions{}); err != nil {
+			log.Warnf("could not update ValidatingWebhookConfiguration %s", webhook.GetName())
 			return err
 		}
-	} else if k8serrors.IsNotFound(err) {
+	} else {
 		// Create a ValidatingWebhookConfiguration
 		hook := admissionregistrationv1.ValidatingWebhookConfiguration{
-			ObjectMeta: metav1.ObjectMeta{Name: desc.Name,
-				Namespace: i.owner.GetNamespace(),
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: desc.Name + "-",
+				Namespace:    i.owner.GetNamespace(),
+				Labels:       ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind),
+			},
+			Webhooks: []admissionregistrationv1.ValidatingWebhook{
+				desc.GetValidatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
 			},
-			Webhooks: webhooks,
 		}
 
-		// Add an owner
-		ownerutil.AddNonBlockingOwner(&hook, i.owner)
 		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.TODO(), &hook, metav1.CreateOptions{}); err != nil {
-			log.Errorf("Webhooks: Error create creating ValidationVebhookConfiguration: %v", err)
+			log.Errorf("Webhooks: Error creating ValidationWebhookConfiguration: %v", err)
 			return err
 		}
-	} else {
-		return err
 	}
 	return nil
 }

pkg/controller/operators/olm/apiservices.go

@@ -3,19 +3,22 @@ package olm
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	log "github.com/sirupsen/logrus"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/certs"
 	olmerrors "github.com/operator-framework/operator-lifecycle-manager/pkg/controller/errors"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/install"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
 )
 
 const (
@@ -271,22 +274,33 @@ func (a *Operator) getCaBundle(csv *v1alpha1.ClusterServiceVersion) ([]byte, err
 	}
 
 	for _, desc := range csv.Spec.WebhookDefinitions {
-		webhookName := desc.Name
-		if desc.Type == "ValidatingAdmissionWebhook" {
-			webhook, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.TODO(), webhookName, metav1.GetOptions{})
+		if desc.Type == v1alpha1.MutatingAdmissionWebhook {
+			ownerLabels := ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind)
+			ownerLabelStrings := labels.SelectorFromSet(ownerLabels).String()
+
+			existingHooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: ownerLabelStrings})
 			if err != nil {
-				return nil, fmt.Errorf("could not retrieve generated APIService: %v", err)
+				return nil, fmt.Errorf("could not retrieve generated MutatingWebhookConfiguration: %v", err)
 			}
-			if len(webhook.Webhooks[0].ClientConfig.CABundle) > 0 {
-				return webhook.Webhooks[0].ClientConfig.CABundle, nil
+
+			for _, item := range existingHooks.Items {
+				if strings.HasPrefix(item.Name, desc.Name) {
+					return item.Webhooks[0].ClientConfig.CABundle, nil
+				}
 			}
-		} else {
-			webhook, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Get(context.TODO(), webhookName, metav1.GetOptions{})
+		} else if desc.Type == v1alpha1.ValidatingAdmissionWebhook {
+			ownerLabels := ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind)
+			ownerLabelStrings := labels.SelectorFromSet(ownerLabels).String()
+
+			existingHooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: ownerLabelStrings})
 			if err != nil {
-				return nil, fmt.Errorf("could not retrieve generated APIService: %v", err)
+				return nil, fmt.Errorf("could not retrieve generated ValidatingWebhookConfiguration: %v", err)
 			}
-			if len(webhook.Webhooks[0].ClientConfig.CABundle) > 0 {
-				return webhook.Webhooks[0].ClientConfig.CABundle, nil
+
+			for _, item := range existingHooks.Items {
+				if strings.HasPrefix(item.Name, desc.Name) {
+					return item.Webhooks[0].ClientConfig.CABundle, nil
+				}
 			}
 		}
 	}

pkg/controller/operators/olm/operator.go

@@ -11,6 +11,7 @@ import (
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubestate"
 	"github.com/sirupsen/logrus"
 	log "github.com/sirupsen/logrus"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	extinf "k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions"
@@ -632,6 +633,44 @@ func (a *Operator) syncGCObject(obj interface{}) (syncError error) {
 			break
 		}
 		logger.Debugf("Deleted cluster role binding %v due to no owning CSV", metaObj.GetName())
+	case *admissionregistrationv1.MutatingWebhookConfiguration:
+		if name, ns, ok := ownerutil.GetOwnerByKindLabel(metaObj, v1alpha1.ClusterServiceVersionKind); ok {
+			_, err := a.lister.OperatorsV1alpha1().ClusterServiceVersionLister().ClusterServiceVersions(ns).Get(name)
+			if err == nil {
+				logger.Debugf("CSV still present, must wait until it is deleted (owners=%v)", name)
+				syncError = fmt.Errorf("cleanup must wait")
+				return
+			} else if !k8serrors.IsNotFound(err) {
+				logger.Infof("error CSV retrieval error")
+				syncError = err
+				return
+			}
+		}
+
+		if err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(context.TODO(), metaObj.GetName(), metav1.DeleteOptions{}); err != nil {
+			logger.WithError(err).Warn("cannot delete MutatingWebhookConfiguration")
+			break
+		}
+		logger.Debugf("Deleted MutatingWebhookConfiguration %v due to no owning CSV", metaObj.GetName())
+	case *admissionregistrationv1.ValidatingWebhookConfiguration:
+		if name, ns, ok := ownerutil.GetOwnerByKindLabel(metaObj, v1alpha1.ClusterServiceVersionKind); ok {
+			_, err := a.lister.OperatorsV1alpha1().ClusterServiceVersionLister().ClusterServiceVersions(ns).Get(name)
+			if err == nil {
+				logger.Debugf("CSV still present, must wait until it is deleted (owners=%v)", name)
+				syncError = fmt.Errorf("cleanup must wait")
+				return
+			} else if !k8serrors.IsNotFound(err) {
+				logger.Infof("Error CSV retrieval error")
+				syncError = err
+				return
+			}
+		}
+
+		if err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(context.TODO(), metaObj.GetName(), metav1.DeleteOptions{}); err != nil {
+			logger.WithError(err).Warn("cannot delete ValidatingWebhookConfiguration")
+			break
+		}
+		logger.Debugf("Deleted ValidatingWebhookConfiguration %v due to no owning CSV", metaObj.GetName())
 	}
 
 	return
@@ -920,6 +959,25 @@ func (a *Operator) handleClusterServiceVersionDeletion(obj interface{}) {
 		syncError := a.objGCQueueSet.RequeueEvent("", kubestate.NewResourceEvent(kubestate.ResourceUpdated, cr))
 		logger.Debugf("handleCSVdeletion - requeued update event for %v, res=%v", cr, syncError)
 	}
+
+	webhookSelector := labels.SelectorFromSet(ownerutil.OwnerLabel(clusterServiceVersion, v1alpha1.ClusterServiceVersionKind)).String()
+	mWebhooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		logger.WithError(err).Warn("cannot list MutatingWebhookConfigurations")
+	}
+	for _, webhook := range mWebhooks.Items {
+		syncError := a.objGCQueueSet.RequeueEvent("", kubestate.NewResourceEvent(kubestate.ResourceUpdated, &webhook))
+		logger.Debugf("handleCSVdeletion - requeued update event for %v, res=%v", webhook, syncError)
+	}
+
+	vWebhooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		logger.WithError(err).Warn("cannot list MutatingWebhookConfigurations")
+	}
+	for _, webhook := range vWebhooks.Items {
+		syncError := a.objGCQueueSet.RequeueEvent("", kubestate.NewResourceEvent(kubestate.ResourceUpdated, &webhook))
+		logger.Debugf("handleCSVdeletion - requeued update event for %v, res=%v", webhook, syncError)
+	}
 }
 
 func (a *Operator) removeDanglingChildCSVs(csv *v1alpha1.ClusterServiceVersion) error {