HIVE-3133: VWHC for ClusterDeploymentCustomization

This was missed in #1672.

Side quest: Dropping `DELETE` from the ClusterPool VWHC added in #2879.
It didn't have functional impact, but would have been wastefully sending
Delete requests to our hiveadmission service.

Also adding some coderabbit config intended to catch this kind of miss
in the future.

Author: 2uasimojo

.coderabbit.yaml

@@ -32,3 +32,29 @@ reviews:
       of these files entirely, as reviewing code changes in kubernetes would be wildly out of scope.
       The one exception to this is `vendor/github.com/openshift/hive/**`, which should be a direct copy
       of the `apis` folder found in the root of the repo, referenced by the CRD generation guidance above.
+  - path: config/hiveadmission/*-webhook.yaml
+    instructions: |-
+      These are configuration files for admission webhooks for hive CRs. Files named *-webhook.yaml
+      contain ValidatingWebhookConfiguration (or, hypothetically, MutatingWebhookConfiguration -- but
+      we don't have any of those at this time) manifests. Please validate:
+      - They have been built into pkg/operator/assets/bindata.go (today our `verify` CI job should
+        also check this).
+      - They are all in the `webhookAssets` list in pkg/operator/hive/hiveadmission.go -- else they
+        will not be deployed!
+      - Each has a corresponding implementation in pkg/validating-webhooks/hive/v1.
+      - When any file in this directory is added or modified, also cross-check ALL other
+        existing *-webhook.yaml files in config/hiveadmission/ to verify their operations
+        are consistent with their implementations. Do not limit the audit to only the file(s)
+        in the diff.
+      - The `Operation`s in `.webhooks[].rules[].operations` must exactly match the
+        operations handled by explicit `case` branches in the implementation's `Validate()`
+        switch. A `default: Allowed: true` branch does NOT count as handling an operation.
+        If an operation appears in the YAML but has no corresponding `case`, flag it; and
+        vice versa.
+  - path: pkg/validating-webhooks/hive/v1/*_admission_hook.go
+    instructions: |-
+      These are implementations for validating (or, hypothetically, mutating -- but we don't have any
+      of those at this time) webhooks handled by our hiveadmission service. Mirroring the above checks
+      for config/hiveadmission/*-webhook.yaml, please validate that each has a corresponding
+      ValidatingWebhookConfiguration (or MutatingWebhookConfiguration) manifest under config/hiveadmission/,
+      built into bindata, with matching `Operation`s, and is listed for installation in hiveadmission.go.

config/hiveadmission/clusterdeploymentcustomization-webhook.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: clusterdeploymentcustomizationvalidators.admission.hive.openshift.io
+webhooks:
+- name: clusterdeploymentcustomizationvalidators.admission.hive.openshift.io
+  admissionReviewVersions:
+  - v1beta1
+  clientConfig:
+    service:
+      # reach the webhook via the registered aggregated API
+      namespace: default
+      name: kubernetes
+      path: /apis/admission.hive.openshift.io/v1/clusterdeploymentcustomizationvalidators
+  rules:
+  - operations:
+    - CREATE
+    - UPDATE
+    apiGroups:
+    - hive.openshift.io
+    apiVersions:
+    - v1
+    resources:
+    - clusterdeploymentcustomizations
+  failurePolicy: Fail
+  sideEffects: None

config/hiveadmission/clusterpool-webhook.yaml

@@ -17,7 +17,6 @@ webhooks:
   - operations:
     - CREATE
     - UPDATE
-    - DELETE
     apiGroups:
     - hive.openshift.io
     apiVersions:

pkg/operator/assets/bindata.go

@@ -50,6 +50,7 @@ const (
 
 var webhookAssets = []string{
 	"config/hiveadmission/clusterdeployment-webhook.yaml",
+	"config/hiveadmission/clusterdeploymentcustomization-webhook.yaml",
 	"config/hiveadmission/clusterimageset-webhook.yaml",
 	"config/hiveadmission/clusterpool-webhook.yaml",
 	"config/hiveadmission/clusterprovision-webhook.yaml",

pkg/operator/hive/hiveadmission.go

@@ -19,7 +19,7 @@ import (
 const (
 	clusterDeploymentCustomizationGroup    = "hive.openshift.io"
 	clusterDeploymentCustomizationVersion  = "v1"
-	clusterDeploymentCustomizationResource = "clusterdeploymentcustomization"
+	clusterDeploymentCustomizationResource = "clusterdeploymentcustomizations"
 
 	clusterDeploymentCustomizationAdmissionGroup   = "admission.hive.openshift.io"
 	clusterDeploymentCustomizationAdmissionVersion = "v1"
@@ -124,7 +124,7 @@ func (a *ClusterDeploymentCustomizationValidatingAdmissionHook) shouldValidate(a
 	}
 
 	if admissionSpec.Resource.Resource != clusterDeploymentCustomizationResource {
-		contextLogger.Info("Returning False, it's our group and version, but not the right resource")
+		contextLogger.WithField("resource", admissionSpec.Resource.Resource).Info("Returning False, it's our group and version, but not the right resource")
 		return false
 	}