Remove "all" namespace from managed namespaces

[naemono]

Don't append the 'all' namespaces when storage class validation is enabled, as it causes 'unknown namespace' errors in controller-runtime, and cluster-scoped resources are handled properly now in ctrl-runtime. This will supersede #5058, as it's a much simpler implementation to solve the same issue as the below PR better handles these types of situations in controller-runtime:

kubernetes-sigs/controller-runtime#1418

Tested with validation of storage class enabled, and successfully resized volumes from 100GB -> 200GB.

Known Issues

Validating webhooks for things such as ES PV resizing are created "unscoped"

- admissionReviewVersions:
  - v1beta1
  clientConfig:
    service:
      name: elastic-operator-webhook
      namespace: elastic-system
      path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch
      port: 443
  failurePolicy: Ignore
  matchPolicy: Exact
  name: elastic-es-validation-v1.k8s.elastic.co
  namespaceSelector: {}
  objectSelector: {}
  rules:
  - apiGroups:
    - elasticsearch.k8s.elastic.co
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - elasticsearches
    scope: '*'    <--- Here

https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/

The scope field specifies if only cluster-scoped resources ("Cluster") or namespace-scoped resources ("Namespaced") will match this rule. "∗" means that there are no scope restrictions.

This means that the webhook[s] get resources across the whole cluster, in namespaces that they do not manage, which generates the dreaded

"unable to get: elastic/testing-es-masters because of unknown namespace for the cache"

There seems to be 2 approaches to handles this situation:

1. Pass along managedNamespaces slice to webhook, and if the crud operation is outside of it's managed namespaces, allow it, which brings up the question: "How are the same webhook, with different names, all cluster scoped, and with the same rules (when having the operator installed twice in a cluster, and validating ES objects) handled? Do all have to validate, or just one?" (validated all webhooks with appropriate rules receive the request, and any can allow/deny)
2. Work to get these webhooks Namespaced (which by looking at the operator framework docs, It wasn't clear how exactly to do this)

[barkbay]

This means that the webhook[s] get resources across the whole cluster, in namespaces that they do not manage, which generates the dreaded

I don't think it makes a lot of sense to deploy several "restricted" operators and expect one of them to validate resources at the cluster level. Using a single service to validate/mutate resources is a limitation of K8S itself.

Pass along managedNamespaces slice to webhook, and if the crud operation is outside of it's managed namespaces

👍 we could do that as a best effort. I'm not familiar with the scope field, I'm not sure to understand how it works.

[naemono]

👍 we could do that as a best effort. I'm not familiar with the scope field, I'm not sure to understand how it works.

The scope field of the webhook configuration allows a webhook to be namespace-scoped, instead of cluster scoped, which would be the right setting if we're managing a set of namespaces, but seems to indicate that the webhook would only work for the namespace that it's within.... I'll test this a bit more and update with my findings...

[pebrc]

As I understand the scope field it only helps restricting a rule in a webhook to match only on namespaced API resources or cluster scoped API resources, it does not help with what we are trying to do here which is untangle overlapping webhook instances.

The only mechanism the webhook API has to restrict responsibility to a namespace or multiple namespaces is the namespaceSelector property but that AFAIK relies on the namespaces being labeled with something we can select on which is not the case by default.

So maybe it would make sense to implement the little managedNamespaces hack @naemono suggested. Another option could be to have a different client for the webhook that is not namespace restricted but that might be a problem from a memory footprint perspective as I would assume we would then cache everything twice. We could also think about having a webhook only mode where one instance of the operator would just run the webhook and other instances would be namespace restricted and do the orchestration work.

[naemono]

Ok, I clearly made a mistake when rebasing this branch... going to try to fix this.... ignore this for now.

[naemono]

run full pr build

[naemono]

@pebrc, @barkbay I've updated this PR to include a change where the webhooks also know what namespaces are being managed, and ignore requests from namespaces that they don't manage. Let me know if this works. Thanks.

[pebrc]

I think we need to cover the other webhooks as well see my comments. Also something is wrong with GH web UI today I have a hard time leaving review comments that are not markup garbage, I hope I got them all fixed up now.

[naemono]

run full pr build

[naemono]

I noticed the ci tests failing yesterday, and thought I resolved them all, but something is now failing in the e2e test. I'm investigating.

[pebrc]

I think it's almost there but the upgrade validation is not working correctly.

[pebrc]

Suggested change

	err = v.decoder.DecodeRaw(req.Object, oldObj)
	err = v.decoder.DecodeRaw(req.OldObject, oldObj)

This is currently a NOOP validation comparing the new object with itself. This tells me that we are missing a unit test or if that's too complicated an e2e test to validate the webhook is actually validating what it is supposed to.

[naemono]

I've fixed this in the latest commit. I will add a unit, or e2e test to ensure properly functionality next. I misread the documentation for decoder.Decode, which state If you want decode the OldObject in the AdmissionRequest, use DecodeRaw....

I'll update when this test has been added.

[naemono]

Unit test added.

[pebrc]

LGTM!

[pebrc]

I would be in favour of using keys in these structs instead of positional initialisation.

[naemono]

No problem, and done. I'll merge this after ensuring all of the checks pass again.