(fix) Admission Webhook names must be unique

Problem:
OLM currently creates all ValidatingWebhookConfigurations and
MutatingWebhookConfigurations using the name provided in the
WebhookDescription. This causes an issue when an operator that defines
an admission webhook in the CSV is installed in multiple namespaces,
causes the two operators to fight over the admission webhook.

Solution:
Generate a unique name for each webhook using the GenerateName field in
the Object Metadata.

Author: awgreene

pkg/controller/install/webhook.go

@@ -9,7 +9,6 @@ import (
 
 	log "github.com/sirupsen/logrus"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 )
@@ -69,80 +68,108 @@ func (i *StrategyDeploymentInstaller) createOrUpdateWebhook(caPEM []byte, desc v
 }
 
 func (i *StrategyDeploymentInstaller) createOrUpdateMutatingWebhook(ogNamespacelabelSelector *metav1.LabelSelector, caPEM []byte, desc v1alpha1.WebhookDescription) error {
-	webhooks := []admissionregistrationv1.MutatingWebhook{
-		desc.GetMutatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
-	}
-	existingHook, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Get(context.TODO(), desc.Name, metav1.GetOptions{})
-	if err == nil {
-		// Check if the only owners are this CSV or in this CSV's replacement chain
-		if ownerutil.Adoptable(i.owner, existingHook.GetOwnerReferences()) {
-			ownerutil.AddNonBlockingOwner(existingHook, i.owner)
-		}
+	webhookLabels := ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind)
+	webhookLabels[WebhookDescKey] = desc.Name
+	webhookSelector := labels.SelectorFromSet(webhookLabels).String()
 
-		// Update the list of webhooks
-		existingHook.Webhooks = webhooks
+	existingWebhooks, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		return err
+	}
 
-		// Attempt an update
-		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Update(context.TODO(), existingHook, metav1.UpdateOptions{}); err != nil {
-			log.Warnf("could not update MutatingWebhookConfiguration %s", existingHook.GetName())
-			return err
-		}
-	} else if k8serrors.IsNotFound(err) {
-		hook := admissionregistrationv1.MutatingWebhookConfiguration{
-			ObjectMeta: metav1.ObjectMeta{Name: desc.Name,
-				Namespace: i.owner.GetNamespace(),
+	if len(existingWebhooks.Items) == 0 {
+		// Create a MutatingWebhookConfiguration
+		webhook := admissionregistrationv1.MutatingWebhookConfiguration{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: desc.Name + "-",
+				Namespace:    i.owner.GetNamespace(),
+				Labels:       ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind),
+			},
+			Webhooks: []admissionregistrationv1.MutatingWebhook{
+				desc.GetMutatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
 			},
-			Webhooks: webhooks,
 		}
-		// Add an owner
-		ownerutil.AddNonBlockingOwner(&hook, i.owner)
-		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Create(context.TODO(), &hook, metav1.CreateOptions{}); err != nil {
-			log.Errorf("Webhooks: Error creating mutating MutatingVebhookConfiguration: %v", err)
+		addWebhookLabels(&webhook, desc)
+
+		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Create(context.TODO(), &webhook, metav1.CreateOptions{}); err != nil {
+			log.Errorf("Webhooks: Error creating MutatingWebhookConfiguration: %v", err)
 			return err
 		}
 	} else {
-		return err
-	}
+		for _, webhook := range existingWebhooks.Items {
+			// Update the list of webhooks
+			webhook.Webhooks = []admissionregistrationv1.MutatingWebhook{
+				desc.GetMutatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
+			}
 
+			// Attempt an update
+			if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Update(context.TODO(), &webhook, metav1.UpdateOptions{}); err != nil {
+				log.Warnf("could not update MutatingWebhookConfiguration %s", webhook.GetName())
+				return err
+			}
+
+		}
+	}
 	return nil
 }
 
 func (i *StrategyDeploymentInstaller) createOrUpdateValidatingWebhook(ogNamespacelabelSelector *metav1.LabelSelector, caPEM []byte, desc v1alpha1.WebhookDescription) error {
-	webhooks := []admissionregistrationv1.ValidatingWebhook{
-		desc.GetValidatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
-	}
-	existingHook, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.TODO(), desc.Name, metav1.GetOptions{})
-	if err == nil {
-		// Check if the only owners are this CSV or in this CSV's replacement chain
-		if ownerutil.Adoptable(i.owner, existingHook.GetOwnerReferences()) {
-			ownerutil.AddNonBlockingOwner(existingHook, i.owner)
-		}
+	webhookLabels := ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind)
+	webhookLabels[WebhookDescKey] = desc.Name
+	webhookSelector := labels.SelectorFromSet(webhookLabels).String()
 
-		// Update the list of webhooks
-		existingHook.Webhooks = webhooks
+	existingWebhooks, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		return err
+	}
 
-		// Attempt an update
-		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Update(context.TODO(), existingHook, metav1.UpdateOptions{}); err != nil {
-			log.Warnf("could not update ValidatingWebhookConfiguration %s", existingHook.GetName())
-			return err
-		}
-	} else if k8serrors.IsNotFound(err) {
+	if len(existingWebhooks.Items) == 0 {
 		// Create a ValidatingWebhookConfiguration
-		hook := admissionregistrationv1.ValidatingWebhookConfiguration{
-			ObjectMeta: metav1.ObjectMeta{Name: desc.Name,
-				Namespace: i.owner.GetNamespace(),
+		webhook := admissionregistrationv1.ValidatingWebhookConfiguration{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: desc.Name + "-",
+				Namespace:    i.owner.GetNamespace(),
+				Labels:       ownerutil.OwnerLabel(i.owner, i.owner.GetObjectKind().GroupVersionKind().Kind),
+			},
+			Webhooks: []admissionregistrationv1.ValidatingWebhook{
+				desc.GetValidatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
 			},
-			Webhooks: webhooks,
 		}
+		addWebhookLabels(&webhook, desc)
 
-		// Add an owner
-		ownerutil.AddNonBlockingOwner(&hook, i.owner)
-		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.TODO(), &hook, metav1.CreateOptions{}); err != nil {
-			log.Errorf("Webhooks: Error create creating ValidationVebhookConfiguration: %v", err)
+		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.TODO(), &webhook, metav1.CreateOptions{}); err != nil {
+			log.Errorf("Webhooks: Error creating ValidatingWebhookConfiguration: %v", err)
 			return err
 		}
 	} else {
-		return err
+		for _, webhook := range existingWebhooks.Items {
+
+			// Update the list of webhooks
+			webhook.Webhooks = []admissionregistrationv1.ValidatingWebhook{
+				desc.GetValidatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
+			}
+
+			// Attempt an update
+			if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Update(context.TODO(), &webhook, metav1.UpdateOptions{}); err != nil {
+				log.Warnf("could not update ValidatingWebhookConfiguration %s", webhook.GetName())
+				return err
+			}
+
+		}
+	}
+	return nil
+}
+
+const WebhookDescKey = "webhookDescriptionName"
+
+// addWebhookLabels adds webhook labels to an object
+func addWebhookLabels(object metav1.Object, webhookDesc v1alpha1.WebhookDescription) error {
+	labels := object.GetLabels()
+	if labels == nil {
+		labels = map[string]string{}
 	}
+	labels[WebhookDescKey] = webhookDesc.Name
+	object.SetLabels(labels)
+
 	return nil
 }

pkg/controller/operators/olm/apiservices.go

@@ -10,12 +10,14 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/certs"
 	olmerrors "github.com/operator-framework/operator-lifecycle-manager/pkg/controller/errors"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/install"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
 )
 
 const (
@@ -255,10 +257,8 @@ func (a *Operator) areAPIServicesAvailable(csv *v1alpha1.ClusterServiceVersion)
 	return true, nil
 }
 
-// updateDeploymentSpecsWithApiServiceData transforms an install strategy to include information about apiservices
-// it is used in generating hashes for deployment specs to know when something in the spec has changed,
-// but duplicates a lot of installAPIServiceRequirements and should be refactored.
-func (a *Operator) getCaBundle(csv *v1alpha1.ClusterServiceVersion) ([]byte, error) {
+// getCABundle returns the CA associated with a deployment
+func (a *Operator) getCABundle(csv *v1alpha1.ClusterServiceVersion) ([]byte, error) {
 	for _, desc := range csv.GetOwnedAPIServiceDescriptions() {
 		apiServiceName := desc.GetName()
 		apiService, err := a.lister.APIRegistrationV1().APIServiceLister().Get(apiServiceName)
@@ -271,22 +271,27 @@ func (a *Operator) getCaBundle(csv *v1alpha1.ClusterServiceVersion) ([]byte, err
 	}
 
 	for _, desc := range csv.Spec.WebhookDefinitions {
-		webhookName := desc.Name
-		if desc.Type == "ValidatingAdmissionWebhook" {
-			webhook, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.TODO(), webhookName, metav1.GetOptions{})
+		webhookLabels := ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind)
+		webhookLabels[install.WebhookDescKey] = desc.Name
+		webhookSelector := labels.SelectorFromSet(webhookLabels).String()
+		if desc.Type == v1alpha1.MutatingAdmissionWebhook {
+			existingWebhooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
 			if err != nil {
-				return nil, fmt.Errorf("could not retrieve generated APIService: %v", err)
+				return nil, fmt.Errorf("could not retrieve generated MutatingWebhookConfiguration: %v", err)
 			}
-			if len(webhook.Webhooks[0].ClientConfig.CABundle) > 0 {
-				return webhook.Webhooks[0].ClientConfig.CABundle, nil
+
+			if len(existingWebhooks.Items) > 0 {
+				return existingWebhooks.Items[0].Webhooks[0].ClientConfig.CABundle, nil
 			}
-		} else {
-			webhook, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Get(context.TODO(), webhookName, metav1.GetOptions{})
+
+		} else if desc.Type == v1alpha1.ValidatingAdmissionWebhook {
+			existingWebhooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
 			if err != nil {
-				return nil, fmt.Errorf("could not retrieve generated APIService: %v", err)
+				return nil, fmt.Errorf("could not retrieve generated ValidatingWebhookConfiguration: %v", err)
 			}
-			if len(webhook.Webhooks[0].ClientConfig.CABundle) > 0 {
-				return webhook.Webhooks[0].ClientConfig.CABundle, nil
+
+			if len(existingWebhooks.Items) > 0 {
+				return existingWebhooks.Items[0].Webhooks[0].ClientConfig.CABundle, nil
 			}
 		}
 	}
@@ -313,7 +318,7 @@ func (a *Operator) updateDeploymentSpecsWithApiServiceData(csv *v1alpha1.Cluster
 		depSpecs[sddSpec.Name] = sddSpec.Spec
 	}
 
-	caBundle, err := a.getCaBundle(csv)
+	caBundle, err := a.getCABundle(csv)
 	if err != nil {
 		return nil, fmt.Errorf("could not retrieve caBundle: %v", err)
 	}

pkg/controller/operators/olm/operator.go

@@ -11,6 +11,7 @@ import (
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubestate"
 	"github.com/sirupsen/logrus"
 	log "github.com/sirupsen/logrus"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	extinf "k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions"
@@ -632,6 +633,44 @@ func (a *Operator) syncGCObject(obj interface{}) (syncError error) {
 			break
 		}
 		logger.Debugf("Deleted cluster role binding %v due to no owning CSV", metaObj.GetName())
+	case *admissionregistrationv1.MutatingWebhookConfiguration:
+		if name, ns, ok := ownerutil.GetOwnerByKindLabel(metaObj, v1alpha1.ClusterServiceVersionKind); ok {
+			_, err := a.lister.OperatorsV1alpha1().ClusterServiceVersionLister().ClusterServiceVersions(ns).Get(name)
+			if err == nil {
+				logger.Debugf("CSV still present, must wait until it is deleted (owners=%v)", name)
+				syncError = fmt.Errorf("cleanup must wait")
+				return
+			} else if !k8serrors.IsNotFound(err) {
+				logger.Infof("error CSV retrieval error")
+				syncError = err
+				return
+			}
+		}
+
+		if err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(context.TODO(), metaObj.GetName(), metav1.DeleteOptions{}); err != nil {
+			logger.WithError(err).Warn("cannot delete MutatingWebhookConfiguration")
+			break
+		}
+		logger.Debugf("Deleted MutatingWebhookConfiguration %v due to no owning CSV", metaObj.GetName())
+	case *admissionregistrationv1.ValidatingWebhookConfiguration:
+		if name, ns, ok := ownerutil.GetOwnerByKindLabel(metaObj, v1alpha1.ClusterServiceVersionKind); ok {
+			_, err := a.lister.OperatorsV1alpha1().ClusterServiceVersionLister().ClusterServiceVersions(ns).Get(name)
+			if err == nil {
+				logger.Debugf("CSV still present, must wait until it is deleted (owners=%v)", name)
+				syncError = fmt.Errorf("cleanup must wait")
+				return
+			} else if !k8serrors.IsNotFound(err) {
+				logger.Infof("Error CSV retrieval error")
+				syncError = err
+				return
+			}
+		}
+
+		if err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(context.TODO(), metaObj.GetName(), metav1.DeleteOptions{}); err != nil {
+			logger.WithError(err).Warn("cannot delete ValidatingWebhookConfiguration")
+			break
+		}
+		logger.Debugf("Deleted ValidatingWebhookConfiguration %v due to no owning CSV", metaObj.GetName())
 	}
 
 	return
@@ -920,6 +959,25 @@ func (a *Operator) handleClusterServiceVersionDeletion(obj interface{}) {
 		syncError := a.objGCQueueSet.RequeueEvent("", kubestate.NewResourceEvent(kubestate.ResourceUpdated, cr))
 		logger.Debugf("handleCSVdeletion - requeued update event for %v, res=%v", cr, syncError)
 	}
+
+	webhookSelector := labels.SelectorFromSet(ownerutil.OwnerLabel(clusterServiceVersion, v1alpha1.ClusterServiceVersionKind)).String()
+	mWebhooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		logger.WithError(err).Warn("cannot list MutatingWebhookConfigurations")
+	}
+	for _, webhook := range mWebhooks.Items {
+		syncError := a.objGCQueueSet.RequeueEvent("", kubestate.NewResourceEvent(kubestate.ResourceUpdated, &webhook))
+		logger.Debugf("handleCSVdeletion - requeued update event for %v, res=%v", webhook, syncError)
+	}
+
+	vWebhooks, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		logger.WithError(err).Warn("cannot list ValidatingWebhookConfigurations")
+	}
+	for _, webhook := range vWebhooks.Items {
+		syncError := a.objGCQueueSet.RequeueEvent("", kubestate.NewResourceEvent(kubestate.ResourceUpdated, &webhook))
+		logger.Debugf("handleCSVdeletion - requeued update event for %v, res=%v", webhook, syncError)
+	}
 }
 
 func (a *Operator) removeDanglingChildCSVs(csv *v1alpha1.ClusterServiceVersion) error {
@@ -1381,8 +1439,16 @@ func (a *Operator) transitionCSVState(in v1alpha1.ClusterServiceVersion) (out *v
 			return
 		}
 
-		// Check if Webhooks have valid rules
+		// Create a map to track unique names
+		webhookNames := map[string]struct{}{}
+		// Check if Webhooks have valid rules and unique names
 		for _, desc := range out.Spec.WebhookDefinitions {
+			_, present := webhookNames[desc.Name]
+			if present {
+				out.SetPhaseWithEventIfChanged(v1alpha1.CSVPhaseFailed, v1alpha1.CSVReasonUnsupportedWebhookRules, "CSV contains repeated WebhookDescription name", now, a.recorder)
+				return
+			}
+			webhookNames[desc.Name] = struct{}{}
 			if syncError = install.ValidWebhookRules(desc.Rules); syncError != nil {
 				out.SetPhaseWithEventIfChanged(v1alpha1.CSVPhaseFailed, v1alpha1.CSVReasonUnsupportedWebhookRules, syncError.Error(), now, a.recorder)
 				return