From 189b42aff5453f6343a36f914696b90929346864 Mon Sep 17 00:00:00 2001
From: Mikalai Radchuk <509198+m1kola@users.noreply.github.com>
Date: Wed, 24 Apr 2024 20:06:22 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Add=20`ValidatingAdmissionPolicy`?=
 =?UTF-8?q?=20to=20enforce=20package=20uniqueness=20across=20`ClusterExten?=
 =?UTF-8?q?sion`=20(#774)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Add `ValidatingAdmissionPolicy`

To enforce package uniqueness across `ClusterExtension`

Signed-off-by: Mikalai Radchuk

* Kustomize `ValidatingAdmissionPolicyBinding`

This is a workaround for kustomize issue where it does not prefix `ValidatingAdmissionPolicy`'s name in `ValidatingAdmissionPolicyBinding`'s field `spec.policyName`. This results in manifests which can still be applied to a cluster, but the policy will not be working due to broken policy binding.

These APIs are now stable in 1.30 so one might expect that Kustomize will eventually support these by default. If this happens - we will be able to remove this change.

Signed-off-by: Mikalai Radchuk

---------

Signed-off-by: Mikalai Radchuk
---
 config/admission/admission.yaml | 37 +++++++++++++++++++++++++++
 config/admission/kustomization.yaml | 5 ++++
 config/admission/kustomizeconfig.yaml | 9 +++++++
 config/default/kustomization.yaml | 1 +
 4 files changed, 52 insertions(+)
 create mode 100644 config/admission/admission.yaml
 create mode 100644 config/admission/kustomization.yaml
 create mode 100644 config/admission/kustomizeconfig.yaml
diff --git a/config/admission/admission.yaml b/config/admission/admission.yaml
new file mode 100644
index 000000000..8a795ae96
--- /dev/null
+++ b/config/admission/admission.yaml
@@ -0,0 +1,37 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "clusterextensions-package-uniqueness"
+spec:
+ failurePolicy: Fail
+ paramKind:
+ apiVersion: olm.operatorframework.io/v1alpha1
+ kind: ClusterExtension
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["olm.operatorframework.io"]
+ apiVersions: ["v1alpha1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["clusterextensions"]
+ matchConditions:
+ # Only apply the policy when the request operation is CREATE
+ # or when the package is being changed
+ - name: 'only-create-or-package-change'
+ expression: request.operation == 'CREATE' || oldObject.spec.packageName != object.spec.packageName
+ validations:
+ - expression: object.spec.packageName != params.spec.packageName
+ messageExpression: "'Package \"' + string(object.spec.packageName) + '\" is already installed via ClusterExtension \"' + string(params.metadata.name) + '\"'"
+ reason: Invalid
+
+---
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "clusterextensions-package-uniqueness-binding"
+spec:
+ policyName: "clusterextensions-package-uniqueness"
+ validationActions: [Deny]
+ paramRef:
+ parameterNotFoundAction: Allow
+ selector: {}
diff --git a/config/admission/kustomization.yaml b/config/admission/kustomization.yaml
new file mode 100644
index 000000000..4e1629d33
--- /dev/null
+++ b/config/admission/kustomization.yaml
@@ -0,0 +1,5 @@
+configurations:
+- kustomizeconfig.yaml
+
+resources:
+- admission.yaml
diff --git a/config/admission/kustomizeconfig.yaml b/config/admission/kustomizeconfig.yaml
new file mode 100644
index 000000000..55fc4088a
--- /dev/null
+++ b/config/admission/kustomizeconfig.yaml
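Review bot: The rule under `validations` is checked only at admission time, once per ClusterExtension that already exists when the request is admitted, so two CREATE requests for the same `packageName` that are admitted concurrently can both pass; the controller should still treat a duplicate package as an error rather than rely on this policy as the sole guard. Relatedly, `parameterNotFoundAction: Allow` in the binding makes the check fail open when no ClusterExtension exists, which is the intended base case but is not stated anywhere in the manifest. I would add above `validations:` the comment `# Best-effort guard: evaluated per existing ClusterExtension at admission time; concurrent requests can race, so the controller must still reject duplicate packages.`. The `admissionregistration.k8s.io/v1beta1` apiVersion also ties the manifest to clusters where that beta API is served, and the commit message says the API is stable in 1.30, so a comment recording the minimum supported server version next to `apiVersion` would save the next reader a lookup.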
@@ -0,0 +1,9 @@
+# This file is for teaching kustomize how to substitute name in ValidatingAdmissionPolicyBinding
+# This might become obsolete depending on the outcome of https://github.com/kubernetes-sigs/kustomize/issues/5674
+nameReference:
+- kind: ValidatingAdmissionPolicy
+ group: admissionregistration.k8s.io
+ fieldSpecs:
+ - kind: ValidatingAdmissionPolicyBinding
+ group: admissionregistration.k8s.io
+ path: spec/policyName
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 6e2a672dd..2719a8565 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -16,6 +16,7 @@ namePrefix: operator-controller-
 resources:
 - ../crd
+- ../admission
 - ../rbac
 - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in