Add ValidatingAdmissionPolicy

To enforce package uniqueness across `ClusterExtension`

Signed-off-by: Mikalai Radchuk <mradchuk@redhat.com>

config/admission/admission.yaml

@@ -0,0 +1,37 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "clusterextensions-package-uniqueness.olm.operatorframework.io"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: olm.operatorframework.io/v1alpha1
+    kind: ClusterExtension
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["olm.operatorframework.io"]
+      apiVersions: ["v1alpha1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["clusterextensions"]
+  matchConditions:
+    # only apply the policy when the request operation is CREATE, or when on an UPDATE
+    # the package is being changed
+    - name: 'only-create-or-package-change'
+      expression: request.operation == 'CREATE' || oldObject.spec.packageName != object.spec.packageName
+  validations:
+    - expression: object.spec.packageName != params.spec.packageName
+      messageExpression: "'Package \"' + string(object.spec.packageName) + '\" is already installed via ClusterExtension \"' +  string(params.metadata.name) + '\"'"
+      reason: Invalid
+
+---
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "clusterextensions-package-uniqueness-binding.olm.operatorframework.io"
+spec:
+  policyName: "clusterextensions-package-uniqueness.olm.operatorframework.io"
+  validationActions: [Deny]
+  paramRef:
+    parameterNotFoundAction: Allow
+    selector: {}

config/admission/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- admission.yaml

config/default/kustomization.yaml

@@ -16,6 +16,7 @@ namePrefix: operator-controller-
 
 resources:
 - ../crd
+- ../admission
 - ../rbac
 - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in