Bug 2086198

Summary: Cluster CAPI Operator creates unnecessary defaulting webhooks
Product: OpenShift Container Platform
Reporter: Mike Fedosin <mfedosin>
Component: Cloud Compute
Assignee: Mike Fedosin <mfedosin>
Cloud Compute sub component: Other Providers
QA Contact: Milind Yadav <miyadav>
Status: CLOSED ERRATA
Docs Contact:
Severity: low
Priority: medium
CC: ademicev
Version: 4.11
Target Milestone: ---
Target Release: 4.11.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-08-10 11:12:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Mike Fedosin 2022-05-14 16:17:52 UTC
Description of problem:

Cluster CAPI Operator creates unnecessary defaulting webhooks based on the data from upstream cluster API providers. These webhooks are not used in OpenShift and they cause machine creation to fail.


Version-Release number of selected component (if applicable):
4.11

How reproducible:
Always

Steps to Reproduce:
1. Run ./hack/assets.sh
2. Check generated files in "assets" folder.
3. Ensure that MutatingWebhookConfiguration manifests do not have default webhooks for "cluster" objects (for instance, default.cluster.cluster.x-k8s.io).

Actual results:
Unnecessary webhooks are there.

Expected results:
There are no "cluster" related webhooks.

Additional info:
---
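
Step 3 can be run as a repeatable check. The script below is an added example, not part of the bug report or of cluster-capi-operator. It assumes YAML manifests with `webhooks:` as a top-level key and treats a webhook named `default.<kind containing "cluster">.<group>` as cluster-related; the function names and the sample manifest are constructed.

```bash
# Added example (not cluster-capi-operator code): list defaulting webhooks for "cluster"
# kinds in MutatingWebhookConfiguration manifests. ASSUMPTION: "cluster-related" means a
# webhook named default.<kind containing "cluster">.<group>.
# Prints "<file>: <webhook name>" per match; returns 1 when anything matched.
find_cluster_defaulting_webhooks() {
  local hits
  hits=$(find "$1" -type f -name '*.yaml' | sort | while IFS= read -r f; do
    awk -v file="$f" '
      function emit(  i) {   # a document ended: report only if it was the right kind
        if (kind == "MutatingWebhookConfiguration") for (i = 1; i <= n; i++) print file ": " names[i]
        kind = ""; n = 0; in_hooks = 0; dash = -1
      }
      BEGIN { dash = -1 }
      /^---/ { emit(); next }
      /^kind:/ { kind = $2 }
      /^[A-Za-z]/ { in_hooks = ($1 == "webhooks:"); next }
      !in_hooks { next }
      {
        match($0, /[^ ]/); indent = RSTART - 1; line = $0
        if (dash < 0) { if ($1 != "-") next; dash = indent }   # column of the "-" opening each entry
        entry = (indent == dash + 2) || (indent == dash && $1 == "-")
        sub(/^ *(- +)?/, "", line)
        # Entry-level name: only, so clientConfig.service.name is never reported.
        if (entry && line ~ /^name: *default\.[^.]*cluster[^.]*\./) {
          sub(/^name: */, "", line); names[++n] = line
        }
      }
      END { emit() }
    ' "$f"
  done)
  [ -z "$hits" ] || { printf '%s\n' "$hits"; return 1; }
}

# Constructed sample: only default.cluster.cluster.x-k8s.io is quoted in the bug report.
write_sample_manifest() {
  cat > "$1/sample.yaml" <<'EOF'
kind: MutatingWebhookConfiguration
webhooks:
- clientConfig:
    service:
      name: default.cluster.decoy-service
  name: default.cluster.cluster.x-k8s.io
- name: default.machine.cluster.x-k8s.io
EOF
}

demo_dir=$(mktemp -d); write_sample_manifest "$demo_dir"
find_cluster_defaulting_webhooks "$demo_dir" || echo "cluster defaulting webhooks found"
rm -rf "$demo_dir"
```

After `./hack/assets.sh`, point `find_cluster_defaulting_webhooks` at the "assets" folder; a non-zero exit status means such webhooks are still being generated.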

Comment 3 Milind Yadav 2022-05-19 08:04:44 UTC
Validated, looks good to me, hence moving to VERIFIED.

Latest nightly containing the fix (7 webhooks) - 4.11.0-0.nightly-2022-05-18-171831
[miyadav@miyadav aws]$ oc get mutatingwebhookconfigurations --kubeconfig kc -n openshift-cluster-api
NAME                                  WEBHOOKS   AGE
capa-mutating-webhook-configuration   7          108m
capi-mutating-webhook-configuration   5          109m
machine-api                           2          163m
pod-identity-webhook                  1          159m

Old nightly without fix (12 webhooks) - 4.11.0-0.nightly-2022-05-11-054135
[miyadav@miyadav aws]$ oc edit featuregate cluster --kubeconfig kc2 
featuregate.config.openshift.io/cluster edited
[miyadav@miyadav aws]$ oc get mutatingwebhookconfigurations --kubeconfig kc2 -n openshift-cluster-api
NAME                                  WEBHOOKS   AGE
capa-mutating-webhook-configuration   12         7m58s
capi-mutating-webhook-configuration   8          8m31s
machine-api                           2          79m
pod-identity-webhook                  1          75m

Comment 4 Milind Yadav 2022-05-19 08:14:23 UTC
Sorry, moving back to ON-QA, wanted to get results reviewed. Do you think any extra webhooks are still present?

Comment 5 Mike Fedosin 2022-05-19 11:55:59 UTC
@ademicev confirmed that all unnecessary webhooks are gone. We keep only mandatory ones now.

Comment 7 Milind Yadav 2022-05-24 05:16:06 UTC
Did a validation again on the latest build, with featureSet: TechPreviewNoUpgrade


[miyadav@miyadav ~]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-05-20-213928   True        False         51m     Cluster version is 4.11.0-0.nightly-2022-05-20-213928
[miyadav@miyadav ~]$ oc project openshift-cluster-api
Now using project "openshift-cluster-api" on server "https://api.miyadav-2405.qe.devcluster.openshift.com:6443".
[miyadav@miyadav ~]$ oc get pods 
NAME                                                READY   STATUS    RESTARTS   AGE
capi-operator-controller-manager-5d59ddcbff-6mqjr   2/2     Running   0          49s
cluster-capi-operator-6984b66c5-n4p7t               1/1     Running   0          49s
[miyadav@miyadav ~]$ oc get mutatingwebhookconfigurations  -n openshift-cluster-api
NAME                   WEBHOOKS   AGE
machine-api            2          68m
pod-identity-webhook   1          62m
[miyadav@miyadav ~]$ oc get mutatingwebhookconfigurations  -n openshift-cluster-api
NAME                   WEBHOOKS   AGE
machine-api            2          68m
pod-identity-webhook   1          63m
[miyadav@miyadav ~]$ 

Here I do not see any mutating webhooks related to capa. Please review.

Comment 9 Milind Yadav 2022-06-24 10:53:49 UTC
As Mike suggested on Slack, good to move to VERIFIED. Please feel free to add more info, in case you want to document for later use.

Comment 10 Mike Fedosin 2022-06-24 17:05:23 UTC
Yes, the issue is fixed now - we don't create unnecessary defaulting webhooks anymore.

Comment 11 errata-xmlrpc 2022-08-10 11:12:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069

Comment 12 Red Hat Bugzilla 2023-09-15 01:54:50 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days