feat: Admission Controller in OpenShift (#637)

- Add 'openshift' kustomize dir under config/manifests
- Add Admission Controller yamls to CSV
- Fix Mellanox CRD finalizers permission
- Add Env variable to skip validations if needed

api/v1alpha1/hostdevicenetwork_webhook.go

@@ -44,20 +44,35 @@ var _ webhook.Validator = &HostDeviceNetwork{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
 func (w *HostDeviceNetwork) ValidateCreate() error {
+	if skipValidations {
+		nicClusterPolicyLog.Info("skipping CR validation")
+		return nil
+	}
+
 	hostDeviceNetworkLog.Info("validate create", "name", w.Name)
 
 	return w.validateHostDeviceNetwork()
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (w *HostDeviceNetwork) ValidateUpdate(_ runtime.Object) error {
+	if skipValidations {
+		nicClusterPolicyLog.Info("skipping CR validation")
+		return nil
+	}
+
 	hostDeviceNetworkLog.Info("validate update", "name", w.Name)
 
 	return w.validateHostDeviceNetwork()
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
 func (w *HostDeviceNetwork) ValidateDelete() error {
+	if skipValidations {
+		nicClusterPolicyLog.Info("skipping CR validation")
+		return nil
+	}
+
 	hostDeviceNetworkLog.Info("validate delete", "name", w.Name)
 
 	// Validation for delete call is not required

api/v1alpha1/nicclusterpolicy_webhook.go

@@ -39,6 +39,8 @@ var nicClusterPolicyLog = logf.Log.WithName("nicclusterpolicy-resource")
 
 var schemaValidators *schemaValidator
 
+var skipValidations = false
+
 func (w *NicClusterPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	nicClusterPolicyLog.Info("Nic cluster policy webhook admission controller")
 	InitSchemaValidator("./webhook-schemas")
@@ -54,18 +56,33 @@ var _ webhook.Validator = &NicClusterPolicy{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
 func (w *NicClusterPolicy) ValidateCreate() error {
+	if skipValidations {
+		nicClusterPolicyLog.Info("skipping CR validation")
+		return nil
+	}
+
 	nicClusterPolicyLog.Info("validate create", "name", w.Name)
 	return w.validateNicClusterPolicy()
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (w *NicClusterPolicy) ValidateUpdate(_ runtime.Object) error {
+	if skipValidations {
+		nicClusterPolicyLog.Info("skipping CR validation")
+		return nil
+	}
+
 	nicClusterPolicyLog.Info("validate update", "name", w.Name)
 	return w.validateNicClusterPolicy()
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
 func (w *NicClusterPolicy) ValidateDelete() error {
+	if skipValidations {
+		nicClusterPolicyLog.Info("skipping CR validation")
+		return nil
+	}
+
 	nicClusterPolicyLog.Info("validate delete", "name", w.Name)
 
 	// Validation for delete call is not required
@@ -362,3 +379,8 @@ func InitSchemaValidator(schemaPath string) {
 	}
 	schemaValidators = sv
 }
+
+// DisableValidations will disable all CRs admission validations
+func DisableValidations() {
+	skipValidations = true
+}

bundle/manifests/nvidia-network-operator-webhook-service_v1_service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.alpha.openshift.io/serving-cert-secret-name: webhook-server-cert
+  creationTimestamp: null
+  labels:
+    control-plane: nvidia-network-operator-controller
+  name: nvidia-network-operator-webhook-service
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    control-plane: nvidia-network-operator-controller
+status:
+  loadBalancer: {}