(fix) Admission Webhook names must be unique

Problem:
OLM currently creates all ValidatingWebhookConfigurations and
MutatingWebhookConfigurations using the name provided in the
WebhookDescription. This causes an issue when an operator that defines
an admission webhook in the CSV is installed in multiple namespaces,
causes the two operators to fight over the admission webhook.

Solution:
Generate a unique name for each webhook using the GenerateName field in
the Object Metadata.

Author: awgreene

pkg/controller/install/webhook.go

@@ -9,7 +9,6 @@ import (
 
 	log "github.com/sirupsen/logrus"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 )
@@ -69,80 +68,108 @@ func (i *StrategyDeploymentInstaller) createOrUpdateWebhook(caPEM []byte, desc v
 }
 
 func (i *StrategyDeploymentInstaller) createOrUpdateMutatingWebhook(ogNamespacelabelSelector *metav1.LabelSelector, caPEM []byte, desc v1alpha1.WebhookDescription) error {
-	webhooks := []admissionregistrationv1.MutatingWebhook{
-		desc.GetMutatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
-	}
-	existingHook, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Get(context.TODO(), desc.Name, metav1.GetOptions{})
-	if err == nil {
-		// Check if the only owners are this CSV or in this CSV's replacement chain
-		if ownerutil.Adoptable(i.owner, existingHook.GetOwnerReferences()) {
-			ownerutil.AddNonBlockingOwner(existingHook, i.owner)
-		}
+	webhookLabels := ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind)
+	webhookLabels[WebhookDescKey] = desc.Name
+	webhookSelector := labels.SelectorFromSet(webhookLabels).String()
 
-		// Update the list of webhooks
-		existingHook.Webhooks = webhooks
+	existingWebhooks, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		return err
+	}
 
-		// Attempt an update
-		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Update(context.TODO(), existingHook, metav1.UpdateOptions{}); err != nil {
-			log.Warnf("could not update MutatingWebhookConfiguration %s", existingHook.GetName())
-			return err
-		}
-	} else if k8serrors.IsNotFound(err) {
+	if len(existingWebhooks.Items) == 0 {
+		// Create a ValidatingWebhookConfiguration
 		hook := admissionregistrationv1.MutatingWebhookConfiguration{
-			ObjectMeta: metav1.ObjectMeta{Name: desc.Name,
-				Namespace: i.owner.GetNamespace(),
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: desc.Name + "-",
+				Namespace:    i.owner.GetNamespace(),
+				Labels:       ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind),
+			},
+			Webhooks: []admissionregistrationv1.MutatingWebhook{
+				desc.GetMutatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
 			},
-			Webhooks: webhooks,
 		}
-		// Add an owner
-		ownerutil.AddNonBlockingOwner(&hook, i.owner)
+		addWebhookLabels(&hook, desc)
+
 		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Create(context.TODO(), &hook, metav1.CreateOptions{}); err != nil {
-			log.Errorf("Webhooks: Error creating mutating MutatingVebhookConfiguration: %v", err)
+			log.Errorf("Webhooks: Error creating ValidationWebhookConfiguration: %v", err)
 			return err
 		}
 	} else {
-		return err
-	}
+		for _, webhook := range existingWebhooks.Items {
+			// Update the list of webhooks
+			webhook.Webhooks = []admissionregistrationv1.MutatingWebhook{
+				desc.GetMutatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
+			}
+
+			// Attempt an update
+			if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Update(context.TODO(), &webhook, metav1.UpdateOptions{}); err != nil {
+				log.Warnf("could not update MutatingWebhookConfiguration %s", webhook.GetName())
+				return err
+			}
 
+		}
+	}
 	return nil
 }
 
 func (i *StrategyDeploymentInstaller) createOrUpdateValidatingWebhook(ogNamespacelabelSelector *metav1.LabelSelector, caPEM []byte, desc v1alpha1.WebhookDescription) error {
-	webhooks := []admissionregistrationv1.ValidatingWebhook{
-		desc.GetValidatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
-	}
-	existingHook, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.TODO(), desc.Name, metav1.GetOptions{})
-	if err == nil {
-		// Check if the only owners are this CSV or in this CSV's replacement chain
-		if ownerutil.Adoptable(i.owner, existingHook.GetOwnerReferences()) {
-			ownerutil.AddNonBlockingOwner(existingHook, i.owner)
-		}
+	webhookLabels := ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind)
+	webhookLabels[WebhookDescKey] = desc.Name
+	webhookSelector := labels.SelectorFromSet(webhookLabels).String()
 
-		// Update the list of webhooks
-		existingHook.Webhooks = webhooks
+	existingWebhooks, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		return err
+	}
 
-		// Attempt an update
-		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Update(context.TODO(), existingHook, metav1.UpdateOptions{}); err != nil {
-			log.Warnf("could not update ValidatingWebhookConfiguration %s", existingHook.GetName())
-			return err
-		}
-	} else if k8serrors.IsNotFound(err) {
+	if len(existingWebhooks.Items) == 0 {
 		// Create a ValidatingWebhookConfiguration
 		hook := admissionregistrationv1.ValidatingWebhookConfiguration{
-			ObjectMeta: metav1.ObjectMeta{Name: desc.Name,
-				Namespace: i.owner.GetNamespace(),
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: desc.Name + "-",
+				Namespace:    i.owner.GetNamespace(),
+				Labels:       ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind),
+			},
+			Webhooks: []admissionregistrationv1.ValidatingWebhook{
+				desc.GetValidatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
 			},
-			Webhooks: webhooks,
 		}
+		addWebhookLabels(&hook, desc)
 
-		// Add an owner
-		ownerutil.AddNonBlockingOwner(&hook, i.owner)
 		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.TODO(), &hook, metav1.CreateOptions{}); err != nil {
-			log.Errorf("Webhooks: Error create creating ValidationVebhookConfiguration: %v", err)
+			log.Errorf("Webhooks: Error creating ValidatingWebhookConfiguration: %v", err)
 			return err
 		}
 	} else {
-		return err
+		for _, webhook := range existingWebhooks.Items {
+
+			// Update the list of webhooks
+			webhook.Webhooks = []admissionregistrationv1.ValidatingWebhook{
+				desc.GetValidatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
+			}
+
+			// Attempt an update
+			if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Update(context.TODO(), &webhook, metav1.UpdateOptions{}); err != nil {
+				log.Warnf("could not update ValidatingWebhookConfiguration %s", webhook.GetName())
+				return err
+			}
+
+		}
 	}
 	return nil
 }
+
+const WebhookDescKey = "webhookDescriptionName"
+
+// addWebhookLabels adds webhook labels to an object
+func addWebhookLabels(object metav1.Object, webhookDesc v1alpha1.WebhookDescription) error {
+	labels := object.GetLabels()
+	if labels == nil {
+		labels = map[string]string{}
+	}
+	labels[WebhookDescKey] = webhookDesc.Name
+	object.SetLabels(labels)
+
+	return nil
+}

pkg/controller/operators/olm/apiservices.go

@@ -3,19 +3,22 @@ package olm
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	log "github.com/sirupsen/logrus"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/certs"
 	olmerrors "github.com/operator-framework/operator-lifecycle-manager/pkg/controller/errors"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/install"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
 )
 
 const (
@@ -271,22 +274,33 @@ func (a *Operator) getCaBundle(csv *v1alpha1.ClusterServiceVersion) ([]byte, err
 	}
 
 	for _, desc := range csv.Spec.WebhookDefinitions {
-		webhookName := desc.Name
-		if desc.Type == "ValidatingAdmissionWebhook" {
-			webhook, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.TODO(), webhookName, metav1.GetOptions{})
+		if desc.Type == v1alpha1.MutatingAdmissionWebhook {
+			ownerLabels := ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind)
+			ownerLabelStrings := labels.SelectorFromSet(ownerLabels).String()
+
+			existingHooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: ownerLabelStrings})
 			if err != nil {
-				return nil, fmt.Errorf("could not retrieve generated APIService: %v", err)
+				return nil, fmt.Errorf("could not retrieve generated MutatingWebhookConfiguration: %v", err)
 			}
-			if len(webhook.Webhooks[0].ClientConfig.CABundle) > 0 {
-				return webhook.Webhooks[0].ClientConfig.CABundle, nil
+
+			for _, item := range existingHooks.Items {
+				if strings.HasPrefix(item.Name, desc.Name) {
+					return item.Webhooks[0].ClientConfig.CABundle, nil
+				}
 			}
-		} else {
-			webhook, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Get(context.TODO(), webhookName, metav1.GetOptions{})
+		} else if desc.Type == v1alpha1.ValidatingAdmissionWebhook {
+			ownerLabels := ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind)
+			ownerLabelStrings := labels.SelectorFromSet(ownerLabels).String()
+
+			existingHooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: ownerLabelStrings})
 			if err != nil {
-				return nil, fmt.Errorf("could not retrieve generated APIService: %v", err)
+				return nil, fmt.Errorf("could not retrieve generated ValidatingWebhookConfiguration: %v", err)
 			}
-			if len(webhook.Webhooks[0].ClientConfig.CABundle) > 0 {
-				return webhook.Webhooks[0].ClientConfig.CABundle, nil
+
+			for _, item := range existingHooks.Items {
+				if strings.HasPrefix(item.Name, desc.Name) {
+					return item.Webhooks[0].ClientConfig.CABundle, nil
+				}
 			}
 		}
 	}

pkg/controller/operators/olm/operator.go

@@ -11,6 +11,7 @@ import (
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubestate"
 	"github.com/sirupsen/logrus"
 	log "github.com/sirupsen/logrus"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	extinf "k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions"
@@ -632,6 +633,44 @@ func (a *Operator) syncGCObject(obj interface{}) (syncError error) {
 			break
 		}
 		logger.Debugf("Deleted cluster role binding %v due to no owning CSV", metaObj.GetName())
+	case *admissionregistrationv1.MutatingWebhookConfiguration:
+		if name, ns, ok := ownerutil.GetOwnerByKindLabel(metaObj, v1alpha1.ClusterServiceVersionKind); ok {
+			_, err := a.lister.OperatorsV1alpha1().ClusterServiceVersionLister().ClusterServiceVersions(ns).Get(name)
+			if err == nil {
+				logger.Debugf("CSV still present, must wait until it is deleted (owners=%v)", name)
+				syncError = fmt.Errorf("cleanup must wait")
+				return
+			} else if !k8serrors.IsNotFound(err) {
+				logger.Infof("error CSV retrieval error")
+				syncError = err
+				return
+			}
+		}
+
+		if err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(context.TODO(), metaObj.GetName(), metav1.DeleteOptions{}); err != nil {
+			logger.WithError(err).Warn("cannot delete MutatingWebhookConfiguration")
+			break
+		}
+		logger.Debugf("Deleted MutatingWebhookConfiguration %v due to no owning CSV", metaObj.GetName())
+	case *admissionregistrationv1.ValidatingWebhookConfiguration:
+		if name, ns, ok := ownerutil.GetOwnerByKindLabel(metaObj, v1alpha1.ClusterServiceVersionKind); ok {
+			_, err := a.lister.OperatorsV1alpha1().ClusterServiceVersionLister().ClusterServiceVersions(ns).Get(name)
+			if err == nil {
+				logger.Debugf("CSV still present, must wait until it is deleted (owners=%v)", name)
+				syncError = fmt.Errorf("cleanup must wait")
+				return
+			} else if !k8serrors.IsNotFound(err) {
+				logger.Infof("Error CSV retrieval error")
+				syncError = err
+				return
+			}
+		}
+
+		if err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(context.TODO(), metaObj.GetName(), metav1.DeleteOptions{}); err != nil {
+			logger.WithError(err).Warn("cannot delete ValidatingWebhookConfiguration")
+			break
+		}
+		logger.Debugf("Deleted ValidatingWebhookConfiguration %v due to no owning CSV", metaObj.GetName())
 	}
 
 	return
@@ -920,6 +959,25 @@ func (a *Operator) handleClusterServiceVersionDeletion(obj interface{}) {
 		syncError := a.objGCQueueSet.RequeueEvent("", kubestate.NewResourceEvent(kubestate.ResourceUpdated, cr))
 		logger.Debugf("handleCSVdeletion - requeued update event for %v, res=%v", cr, syncError)
 	}
+
+	webhookSelector := labels.SelectorFromSet(ownerutil.OwnerLabel(clusterServiceVersion, v1alpha1.ClusterServiceVersionKind)).String()
+	mWebhooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		logger.WithError(err).Warn("cannot list MutatingWebhookConfigurations")
+	}
+	for _, webhook := range mWebhooks.Items {
+		syncError := a.objGCQueueSet.RequeueEvent("", kubestate.NewResourceEvent(kubestate.ResourceUpdated, &webhook))
+		logger.Debugf("handleCSVdeletion - requeued update event for %v, res=%v", webhook, syncError)
+	}
+
+	vWebhooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		logger.WithError(err).Warn("cannot list MutatingWebhookConfigurations")
+	}
+	for _, webhook := range vWebhooks.Items {
+		syncError := a.objGCQueueSet.RequeueEvent("", kubestate.NewResourceEvent(kubestate.ResourceUpdated, &webhook))
+		logger.Debugf("handleCSVdeletion - requeued update event for %v, res=%v", webhook, syncError)
+	}
 }
 
 func (a *Operator) removeDanglingChildCSVs(csv *v1alpha1.ClusterServiceVersion) error {
@@ -1381,8 +1439,16 @@ func (a *Operator) transitionCSVState(in v1alpha1.ClusterServiceVersion) (out *v
 			return
 		}
 
-		// Check if Webhooks have valid rules
+		// Create a map to track unique names
+		unqiueWebhookNames := map[string]struct{}{}
+		// Check if Webhooks have valid rules and unique names
 		for _, desc := range out.Spec.WebhookDefinitions {
+			_, present := unqiueWebhookNames[desc.Name]
+			if present {
+				out.SetPhaseWithEventIfChanged(v1alpha1.CSVPhaseFailed, v1alpha1.CSVReasonUnsupportedWebhookRules, "CSV contains repeated WebhookDescription name", now, a.recorder)
+				return
+			}
+			unqiueWebhookNames[desc.Name] = struct{}{}
 			if syncError = install.ValidWebhookRules(desc.Rules); syncError != nil {
 				out.SetPhaseWithEventIfChanged(v1alpha1.CSVPhaseFailed, v1alpha1.CSVReasonUnsupportedWebhookRules, syncError.Error(), now, a.recorder)
 				return