feat: prevent the creation of new Lumigo resources in namespaces that already have one

README.md

@@ -102,7 +102,7 @@ spec:
 In the logs of the Lumigo operator, you will see a message like the following:
 
 ```
-1.67534267851615e+09    DEBUG   controller-runtime.webhook.webhooks   wrote response   {"webhook": "/v1alpha1/mutate", "code": 200, "reason": "the resource has the 'lumigo.auto-trace' label set to 'false'; resource will not be mutated", "UID": "6d341941-c47b-4245-8814-1913cee6719f", "allowed": true}
+1.67534267851615e+09    DEBUG   controller-runtime.webhook.webhooks   wrote response   {"webhook": "/v1alpha1/inject", "code": 200, "reason": "the resource has the 'lumigo.auto-trace' label set to 'false'; resource will not be mutated", "UID": "6d341941-c47b-4245-8814-1913cee6719f", "allowed": true}
 ```
 
 ### Uninstall

charts/lumigo-operator/templates/injector-webhook-configuration.yaml → charts/lumigo-operator/templates/webhook-configurations.yaml

@@ -1,5 +1,5 @@
-{{- $altNames := list ( printf "%s.%s" (include "helm.fullname" .) .Release.Namespace ) ( printf "%s-service.%s.svc" (include "helm.fullname" .) .Release.Namespace ) ( printf "%s-injector-webhook-service.%s.svc" (include "helm.fullname" .) .Release.Namespace ) -}}
-{{- $ca := genCA "lumigo-injector-webhook-ca" 365 -}}
+{{- $altNames := list ( printf "%s.%s" (include "helm.fullname" .) .Release.Namespace ) ( printf "%s-service.%s.svc" (include "helm.fullname" .) .Release.Namespace ) ( printf "%s-webhooks-service.%s.svc" (include "helm.fullname" .) .Release.Namespace ) -}}
+{{- $ca := genCA "lumigo-webhooks-ca" 365 -}}
 {{- $cert := genSignedCert ( include "helm.name" . ) nil $altNames 365 $ca -}}
 apiVersion: v1
 kind: Secret
@@ -26,9 +26,9 @@ webhooks:
   clientConfig:
     caBundle: {{ default "" ( $ca.Cert | b64enc ) }}
     service:
-      name: '{{ include "helm.fullname" . }}-injector-webhook-service'
+      name: '{{ include "helm.fullname" . }}-webhooks-service'
       namespace: '{{ .Release.Namespace }}'
-      path: /v1alpha1/mutate
+      path: /v1alpha1/inject
   failurePolicy: Ignore
   name: lumigoinjector.kb.io
   rules:
@@ -54,4 +54,37 @@ webhooks:
     resources:
     - cronjobs
     - jobs
-  sideEffects: None
+  scope: "Namespaced"
+  sideEffects: None
+  timeoutSeconds: 5
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ include "helm.fullname" . }}-validator-webhook-configuration
+  labels:
+  {{- include "helm.labels" . | nindent 4 }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    caBundle: {{ default "" ( $ca.Cert | b64enc ) }}
+    service:
+      name: '{{ include "helm.fullname" . }}-webhooks-service'
+      namespace: '{{ .Release.Namespace }}'
+      path: /v1alpha1/validate
+  failurePolicy: Fail
+  name: lumigovalidator.kb.io
+  rules:
+  - apiGroups:
+    - operator.lumigo.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    resources:
+    - lumigoes
+  scope: "Namespaced"
+  sideEffects: None
+  timeoutSeconds: 5

charts/lumigo-operator/templates/injector-webhook-service.yaml → charts/lumigo-operator/templates/webhooks-service.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "helm.fullname" . }}-injector-webhook-service
+  name: {{ include "helm.fullname" . }}-webhooks-service
   labels:
-    app.kubernetes.io/component: injector
+    app.kubernetes.io/component: lumigo
     app.kubernetes.io/created-by: lumigo
     app.kubernetes.io/part-of: lumigo
   {{- include "helm.labels" . | nindent 4 }}

config/default/kustomization.yaml

@@ -16,7 +16,7 @@ bases:
 - ../crd
 - ../rbac
 - ../manager
-- ../webhook
+- ../webhooks
 - ../certmanager
 - ../telemetry-proxy
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.

config/webhook/kustomization.yaml → config/webhooks/kustomization.yaml

@@ -1,6 +1,6 @@
 resources:
 - manifests.yaml
-- service.yaml
+- services.yaml
 
 configurations:
 - kustomizeconfig.yaml

config/webhooks/manifests.yaml

@@ -0,0 +1,74 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: injector-webhook-configuration
+webhooks:
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: webhooks-service
+      namespace: system
+      path: /v1alpha1/inject
+  failurePolicy: Ignore
+  admissionReviewVersions:
+  - v1
+  - v1beta1
+  name: lumigoinjector.kb.io
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - daemonsets
+    - deployments
+    - replicasets
+    - statefulsets
+  - apiGroups:
+    - batch
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - cronjobs
+    - jobs
+  scope: "Namespaced"
+  sideEffects: None
+  timeoutSeconds: 5
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: validator-webhook-configuration
+webhooks:
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: webhooks-service
+      namespace: system
+      path: /v1alpha1/validate
+  failurePolicy: Fail
+  admissionReviewVersions:
+  - v1
+  - v1beta1
+  name: lumigovalidator.kb.io
+  rules:
+  - apiGroups:
+    - operator.lumigo.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    resources:
+    - lumigoes
+  scope: "Namespaced"
+  sideEffects: None
+  timeoutSeconds: 5

config/webhook/service.yaml → config/webhooks/services.yaml

@@ -1,15 +1,15 @@
-
+---
 apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app.kubernetes.io/name: injector-webhook-service
-    app.kubernetes.io/instance: injector-webhook-service
-    app.kubernetes.io/component: injector
+    app.kubernetes.io/name: webhooks-service
+    app.kubernetes.io/instance: webhooks-service
+    app.kubernetes.io/component: lumigo
     app.kubernetes.io/created-by: lumigo
     app.kubernetes.io/part-of: lumigo
     app.kubernetes.io/managed-by: kustomize
-  name: injector-webhook-service
+  name: webhooks-service
   namespace: system
 spec:
   ports:

main.go

@@ -34,6 +34,7 @@ import (
 	operatorv1alpha1 "github.com/lumigo-io/lumigo-kubernetes-operator/api/v1alpha1"
 	"github.com/lumigo-io/lumigo-kubernetes-operator/controllers"
 	"github.com/lumigo-io/lumigo-kubernetes-operator/webhooks/injector"
+	"github.com/lumigo-io/lumigo-kubernetes-operator/webhooks/validator"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -123,15 +124,24 @@ func main() {
 		os.Exit(1)
 	}
 
-	if err = (&injector.LumigoWebhookHandler{
+	if err = (&injector.LumigoInjectorWebhookHandler{
 		LumigoOperatorVersion:        lumigoOperatorVersion,
 		LumigoInjectorImage:          lumigoInjectorImage,
 		TelemetryProxyOtlpServiceUrl: telemetryProxyOtlpService,
 		Log:                          logger,
 	}).SetupWebhookWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create webhook", "webhook", "Lumigo")
+		setupLog.Error(err, "unable to create injector webhook", "webhook", "lumigo-injector")
 		os.Exit(1)
 	}
+
+	if err = (&validator.LumigoValidatorWebhookHandler{
+		LumigoOperatorVersion: lumigoOperatorVersion,
+		Log:                   logger,
+	}).SetupWebhookWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create validator-webhook", "webhook", "lumigo-validator")
+		os.Exit(1)
+	}
+
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

webhooks/injector/injector_webhook.go

@@ -44,7 +44,7 @@ var (
 	decoder = scheme.Codecs.UniversalDecoder()
 )
 
-type LumigoWebhookHandler struct {
+type LumigoInjectorWebhookHandler struct {
 	client                       client.Client
 	decoder                      *admission.Decoder
 	LumigoOperatorVersion        string
@@ -53,7 +53,7 @@ type LumigoWebhookHandler struct {
 	Log                          logr.Logger
 }
 
-func (h *LumigoWebhookHandler) SetupWebhookWithManager(mgr ctrl.Manager) error {
+func (h *LumigoInjectorWebhookHandler) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	webhook := &admission.Webhook{
 		Handler: h,
 	}
@@ -62,24 +62,24 @@ func (h *LumigoWebhookHandler) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	if err != nil {
 		return err
 	}
-	mgr.GetWebhookServer().Register("/v1alpha1/mutate", handler)
+	mgr.GetWebhookServer().Register("/v1alpha1/inject", handler)
 
 	return nil
 }
 
 // The client is automatically injected by the Webhook machinery
-func (h *LumigoWebhookHandler) InjectClient(c client.Client) error {
+func (h *LumigoInjectorWebhookHandler) InjectClient(c client.Client) error {
 	h.client = c
 	return nil
 }
 
 // The decoder is automatically injected by the Webhook machinery
-func (h *LumigoWebhookHandler) InjectDecoder(d *admission.Decoder) error {
+func (h *LumigoInjectorWebhookHandler) InjectDecoder(d *admission.Decoder) error {
 	h.decoder = d
 	return nil
 }
 
-func (h *LumigoWebhookHandler) Handle(ctx context.Context, request admission.Request) admission.Response {
+func (h *LumigoInjectorWebhookHandler) Handle(ctx context.Context, request admission.Request) admission.Response {
 	log := logf.Log.WithName("lumigo-injector-webhook").WithValues("resource_gvk", request.Kind)
 
 	if request.Operation == admissionv1.Delete {