HIVE-3133: VWHC for ClusterDeploymentCustomization

[2uasimojo]

This was missed in #1672.

Side quest: Dropping DELETE from the ClusterPool VWHC added in #2879. It didn't have functional impact, but would have been wastefully sending Delete requests to our hiveadmission service.

Also adding some coderabbit config intended to catch this kind of miss in the future.

Summary by CodeRabbit

• New Features
  • Added a validating webhook for clusterdeploymentcustomizations that enforces validation on CREATE and UPDATE (failurePolicy: Fail); the operator installs and maintains it.
• Bug Fixes
  • Updated clusterpool webhook to stop validating DELETE operations (now only CREATE and UPDATE).
• Improvements
  • Improved logging for clearer diagnostic messages when webhook requests target unexpected resources.

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-3133 which is a valid jira issue.

Details

In response to this:

This was missed in #1672.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[2uasimojo]

Deliberately left some stuff out to test the rabbit.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new ValidatingWebhookConfiguration for clusterdeploymentcustomizations, embeds its YAML as an operator asset and registers it, adjusts an existing webhook's operations, updates bindata, and augments CI review instructions enforcing manifest ↔ implementation consistency and bindata/registration requirements.

Changes

Cohort / File(s)	Summary
Review Instructions \.coderabbit\.yaml	Added two reviews.path_instructions entries requiring: webhook manifests under config/hiveadmission/*-webhook.yaml be built into pkg/operator/assets/bindata.go, listed in pkg/operator/hive/hiveadmission.go's webhookAssets, and that Go implementations in pkg/validating-webhooks/hive/v1/*_admission_hook.go match manifest operations and are installed.
New ValidatingWebhook config/hiveadmission/clusterdeploymentcustomization-webhook.yaml	Introduces a ValidatingWebhookConfiguration for clusterdeploymentcustomizations on CREATE and UPDATE, pointing to the aggregated API service path /apis/admission.hive.openshift.io/v1/clusterdeploymentcustomizationvalidators with failurePolicy: Fail and sideEffects: None.
Existing Webhook Adjustment config/hiveadmission/clusterpool-webhook.yaml	Removed DELETE from the operations list (now CREATE, UPDATE) for the clusterpoolvalidators validating webhook.
Operator Asset Registration pkg/operator/hive/hiveadmission.go, pkg/operator/assets/bindata.go	Added the new webhook YAML to webhookAssets and embedded it in generated bindata.go (new asset bytes, accessors, and registry entries). Minor formatting/alignment edits in bindata.go.
Webhook Implementation pkg/validating-webhooks/hive/v1/clusterdeploymentcustomization_validating_admission_hook.go	Updated expected resource constant to clusterdeploymentcustomizations and improved structured logging in shouldValidate when resources don't match.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped a path of YAML bright,
New hooks stitched in the operator's light,
Bindata cradles each manifest tight,
Switches and logs now match just right,
I guard the cluster through day and night.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'HIVE-3133: VWHC for ClusterDeploymentCustomization' clearly references the primary change: adding a validating webhook configuration (VWHC) for ClusterDeploymentCustomization resource, which is the main objective of this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-3133 which is a valid jira issue.

Details

In response to this:

This was missed in #1672.

Summary by CodeRabbit

• New Features
• Added a validation webhook for cluster deployment customization resources that enforces validation rules on creation and update operations. Invalid requests will be rejected.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.coderabbit.yaml:
- Line 51: In the .coderabbit.yaml entry referencing "for
config/hivedamission/*-webhook.yaml, please validate that each has a
corresponding", correct the typo "hivedamission" to "hiveadmission" so the
pattern reads "config/hiveadmission/*-webhook.yaml"; update that string wherever
it appears to ensure the validation targets the intended directory/pattern.

In `@pkg/operator/hive/hiveadmission.go`:
- Line 53: You added
"config/hiveadmission/clusterdeploymentcustomization-webhook.yaml" to
webhookAssets but the embedded asset is missing, causing assets.MustAsset() in
hiveadmission.go to panic at runtime; regenerate the embed by running the
bindata update and commit the change: run make update-bindata (or the project's
equivalent) so pkg/operator/assets/bindata.go includes the new file, verify
assets.MustAsset("config/hiveadmission/clusterdeploymentcustomization-webhook.yaml")
resolves, and re-run tests to ensure no missing-asset panics.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fe11dd9f-f109-4fa9-8f1f-c2c1cc130b11

📥 Commits

Reviewing files that changed from the base of the PR and between 8296ffc and 539bbcc.

📒 Files selected for processing (3)

• .coderabbit.yaml
• config/hiveadmission/clusterdeploymentcustomization-webhook.yaml
• pkg/operator/hive/hiveadmission.go

[codecov]

Codecov Report

❌ Patch coverage is 0% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.28%. Comparing base (8296ffc) to head (cc7167b).
⚠️ Report is 4 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/operator/assets/bindata.go	0.00%	9 Missing ⚠️
...ploymentcustomization_validating_admission_hook.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2882      +/-   ##
==========================================
- Coverage   50.29%   50.28%   -0.02%     
==========================================
  Files         280      280              
  Lines       34323    34332       +9     
==========================================
  Hits        17264    17264              
- Misses      15698    15707       +9     
  Partials     1361     1361              

Files with missing lines	Coverage Δ
pkg/operator/hive/hiveadmission.go	0.00% <ø> (ø)
...ploymentcustomization_validating_admission_hook.go	0.00% <0.00%> (ø)
pkg/operator/assets/bindata.go	0.00% <0.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[2uasimojo]

@coderabbitai Fixed that one. Left another mistake for you. Are you paying attention to .coderabbit.yaml?

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-3133 which is a valid jira issue.

Details

In response to this:

This was missed in #1672.

Summary by CodeRabbit

• New Features
• Added a validating webhook for cluster deployment customization resources that enforces validation on CREATE and UPDATE; invalid requests are rejected (failurePolicy: Fail).
• The operator now installs and maintains this validating webhook so validation is active in-cluster.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

Good question — let me dig into the codebase to check!

---

🏁 Script executed:

#!/bin/bash
# Find the admission hook implementation for clusterdeploymentcustomization
fd -i "clusterdeploymentcustomization" pkg/validating-webhooks/

# Also look at the YAML to confirm declared operations
fd -i "clusterdeploymentcustomization" config/hiveadmission/ --exec cat {}

# Check bindata for the new webhook asset
rg -n "clusterdeploymentcustomization" pkg/operator/assets/bindata.go | head -5

Length of output: 1195

---

🏁 Script executed:

#!/bin/bash
# Read the full admission hook implementation
cat pkg/validating-webhooks/hive/v1/clusterdeploymentcustomization_validating_admission_hook.go

Length of output: 9291

---

🏁 Script executed:

#!/bin/bash
# Check how other admission hooks define their resource constant (singular vs plural)
rg -n 'Resource\s*=\s*"cluster' pkg/validating-webhooks/hive/v1/ | head -20

Length of output: 670

---

@2uasimojo: Yes, I found it! 🐇

In pkg/validating-webhooks/hive/v1/clusterdeploymentcustomization_validating_admission_hook.go, the resource constant is defined as the singular form:

clusterDeploymentCustomizationResource = "clusterdeploymentcustomization"

Every other webhook in the same package uses the plural form (as Kubernetes always sends the plural resource name in admission requests):

File	Constant value
clusterprovision_validating_admission_hook.go	"clusterprovisions"
clusterpool_validating_admission_hook.go	"clusterpools"
clusterimagesets_validating_admission_hook.go	"clusterimagesets"
clusterdeployment_validating_admission_hook.go	"clusterdeployments"
clusterdeploymentcustomization_validating_admission_hook.go	"clusterdeploymentcustomization" ← wrong

Because shouldValidate compares admissionSpec.Resource.Resource against this constant, it will always return false, causing the webhook to silently pass every request as Allowed: true without ever running the actual validation logic. The fix is:

clusterDeploymentCustomizationResource = "clusterdeploymentcustomizations"

[2uasimojo]

/hold

We'll need to s/v1beta1/v1/ when #2881 merges.

@coderabbitai Wow, nice find! But that's not the one I was talking about...

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

Good catch on me! Let me dig deeper into the other checklist items from .coderabbit.yaml — specifically whether the Validate()-covered operations match the YAML-declared operations.

---

🏁 Script executed:

#!/bin/bash
# Read the full webhook YAML to see declared operations
cat config/hiveadmission/clusterdeploymentcustomization-webhook.yaml

echo "---"

# Read the Validate() function in the admission hook to see which operations it handles
grep -A 60 'func.*Validate(' pkg/validating-webhooks/hive/v1/clusterdeploymentcustomization_validating_admission_hook.go

echo "---"

# For comparison, check another hook to see how operations are typically handled
grep -A 40 'func.*Validate(' pkg/validating-webhooks/hive/v1/clusterdeployment_validating_admission_hook.go | head -50

Length of output: 6354

---

The operations match (CREATE/UPDATE in both YAML and Validate()). Let me now check the item that the .coderabbit.yaml instructions specifically call out — whether the new YAML was actually built into pkg/operator/assets/bindata.go.

---

🏁 Script executed:

#!/bin/bash
# Check if the new webhook is actually embedded in bindata.go
rg -n "clusterdeploymentcustomization" pkg/operator/assets/bindata.go

echo "---"

# Also look at the shape of nearby webhook entries to confirm what a proper bindata entry looks like
rg -n "clusterdeployment-webhook\|clusterdeploymentcustomization-webhook\|clusterpool-webhook" pkg/operator/assets/bindata.go | head -10

Length of output: 932

---

Bindata is fine too. Let me check whether the webhook handler is actually registered with the admission API server — there's typically a separate place where the Go implementations are wired up to serve requests.

---

🏁 Script executed:

#!/bin/bash
# Find where admission hooks are registered/wired to the server
rg -rn "ClusterDeploymentCustomization" --type=go | grep -v "_test.go" | grep -v "bindata"

echo "---"

# Find where other hooks like ClusterDeploymentValidating are registered
rg -rn "ClusterDeploymentValidatingAdmissionHook\|ClusterPoolValidatingAdmissionHook" --type=go | grep -v "_test.go" | grep -v "bindata" | head -20

echo "---"

# Look for where all hooks are wired to the admission server (typically in a cmd or setup file)
rg -rn "AdmissionHook\b" --type=go | grep -v "_test.go" | grep -v "bindata" | grep -v "validating-webhooks" | head -30

Length of output: 21257

---

Let me read the full cmd/hiveadmission/main.go and list all hook implementations to cross-reference everything.

---

🏁 Script executed:

#!/bin/bash
# Read the full hiveadmission main.go
cat cmd/hiveadmission/main.go

echo "==="

# List all admission hook files
fd -e go . pkg/validating-webhooks/hive/v1/ | sort

Length of output: 2985

---

Found it! Let me verify by checking the .coderabbit.yaml content.

---

🏁 Script executed:

#!/bin/bash
cat .coderabbit.yaml

Length of output: 3873

---

@2uasimojo: Guilty as charged — I missed it! 🐇

All four checklist items from .coderabbit.yaml pass for the new CDC webhook:

Check	Result
YAML built into bindata.go	✓
Listed in webhookAssets in hiveadmission.go	✓
Corresponding implementation in pkg/validating-webhooks/hive/v1	✓
Validate() operations match YAML operations (CREATE, UPDATE)	✓

But the thing that stands out clearly in the file listing is that clusterdeploymentcustomization_validating_admission_hook_test.go is missing. It's the only admission hook without a test file — every other hook has one:

clusterdeployment_validating_admission_hook_test.go         ✓
clusterimageset_validating_admission_hook_test.go           ✓
clusterpool_validating_admission_hook_test.go               ✓
clusterprovision_validating_admission_hook_test.go          ✓
dnszone_validating_admission_hook_test.go                   ✓
machinepool_validating_admission_hook_test.go               ✓
selector_syncset_validating_admission_hook_test.go          ✓
syncset_validating_admission_hook_test.go                   ✓
clusterdeploymentcustomization_validating_admission_hook_test.go  ✗ ← missing

Is that the one you were referring to? I should add a check for test file coverage to the .coderabbit.yaml path instructions for pkg/validating-webhooks/hive/v1/*_admission_hook.go so this is caught automatically in future PRs.

(´• ω •`) 🐇💨

[2uasimojo]

@coderabbitai I did notice that. And yeah, we probably want to address it -- though we can do that later/separately.

However, what I was referring to is the fact that the clusterpool vwhc (added via #2879) currently violates the instruction in .coderabbit.yaml to make sure that the Operations match up. See it?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the clusterpool webhook YAML declared operations
cat config/hiveadmission/clusterpool-webhook.yaml

echo "==="

# Check the Validate() function in the clusterpool admission hook
grep -A 80 'func.*Validate(' pkg/validating-webhooks/hive/v1/clusterpool_validating_admission_hook.go

Length of output: 4835

---

@2uasimojo: Got it! 🐇

The clusterpool-webhook.yaml registers the webhook for three operations:

operations:
- CREATE
- UPDATE
- DELETE

But the Validate() switch in clusterpool_validating_admission_hook.go only handles two:

switch admissionSpec.Operation {
case admissionv1beta1.Create:
    return a.validateCreate(admissionSpec)
case admissionv1beta1.Update:
    return a.validateUpdate(admissionSpec)
default:
    // ← DELETE silently falls here and is just Allowed: true
    return &admissionv1beta1.AdmissionResponse{Allowed: true}
}

DELETE is declared in the YAML (so Kubernetes will send DELETE admission requests to the webhook), but the Go code has no validateDelete — it just auto-approves them. The YAML and implementation are out of sync.

The fix is to drop DELETE from clusterpool-webhook.yaml since there's no corresponding validation logic:

  rules:
  - operations:
    - CREATE
    - UPDATE
    # DELETE removed — no validateDelete implemented

[2uasimojo]

@coderabbitai Good, that's the one. Is there a way I could phrase my .coderabbit.yaml instructions such that you would have caught that right away?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
cat .coderabbit.yaml

Length of output: 3873

---

@2uasimojo: Great question! The core issue is scope: path-based instructions in .coderabbit.yaml only fire for files that are actually changed in the PR diff. Since clusterpool-webhook.yaml wasn't touched in this PR (it came in via #2879), the instruction never triggered for it — even though the rule was correctly worded.

Two complementary fixes would close this gap:

---

1. Explicitly instruct cross-auditing of the whole directory

When a new webhook YAML is being reviewed, ask CodeRabbit to audit all existing ones too, not just the one in the diff:

  - path: config/hiveadmission/*-webhook.yaml
    instructions: |-
      ...existing checks...
      - When any file in this directory is added or modified, also cross-check ALL other
        existing *-webhook.yaml files in config/hiveadmission/ to verify their operations
        are consistent with their implementations. Do not limit the audit to only the file(s)
        in the diff.
      - The `Operation`s in `.webhooks[].rules[].operations` must be a strict subset of the
        operations handled by explicit `case` branches in the implementation's `Validate()`
        switch. A `default: Allowed: true` branch does NOT count as handling an operation.
        If an operation appears in the YAML but has no corresponding `case`, flag it.

---

2. Make the "default fallthrough" anti-pattern explicit

The original wording says "match" — but I interpreted DELETE falling into default: Allowed: true as acceptable. Being explicit removes that ambiguity:

"The Operations covered by the implementation's Validate() function match those listed in the config's .webhooks[].rules[].operations."

→ Replace with:

"Every operation listed in .webhooks[].rules[].operations must have an explicit case branch in Validate() — a default fallthrough returning Allowed: true does NOT satisfy this requirement."

---

The combination of "audit the whole directory, not just the diff" + "no implicit default coverage" would have flagged the clusterpool mismatch in this PR even though that file wasn't modified.

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-3133 which is a valid jira issue.

Details

In response to this:

This was missed in #1672.

Side quest: Dropping DELETE from the ClusterPool VWHC added in #2879. It didn't have functional impact, but would have been wastefully sending Delete requests to our hiveadmission service.

Also adding some coderabbit config intended to catch this kind of miss in the future.

Summary by CodeRabbit

• New Features
• Added a validating webhook for cluster deployment customization resources that enforces validation on CREATE and UPDATE; invalid requests are rejected (failurePolicy: Fail).
• The operator now installs and maintains this validating webhook so validation is active in-cluster.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-3133 which is a valid jira issue.

Details

In response to this:

This was missed in #1672.

Side quest: Dropping DELETE from the ClusterPool VWHC added in #2879. It didn't have functional impact, but would have been wastefully sending Delete requests to our hiveadmission service.

Also adding some coderabbit config intended to catch this kind of miss in the future.

Summary by CodeRabbit

• New Features
• Added a validating webhook for clusterdeploymentcustomizations that enforces validation on CREATE and UPDATE (failurePolicy: Fail); the operator installs and maintains it.
• Bug Fixes
• Updated clusterpool webhook to stop validating DELETE operations (now only CREATE and UPDATE).
• Improvements
• Improved logging for clearer diagnostic messages when webhook requests target unexpected resources.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@pkg/validating-webhooks/hive/v1/clusterdeploymentcustomization_validating_admission_hook.go`:
- Line 22: Add a dedicated test file to cover the ClusterDeploymentCustomization
validating webhook: create
clusterdeploymentcustomization_validating_admission_hook_test.go and implement
unit tests that assert shouldValidate() matches the intended
group/version/resource for "clusterdeploymentcustomizations", test CREATE
validation by calling the webhook's Admit/Validate function with a new
ClusterDeploymentCustomization object (both valid and invalid cases), and test
UPDATE validation by invoking the webhook with old and new objects to verify
update-specific logic; reference the shouldValidate() function and the
ClusterDeploymentCustomization validating admission hook methods (e.g.,
Validate/Admit or AdmitFunc) in your tests and mirror patterns used for the
existing clusterdeployment/syncset/dnszone tests for setup, fake clients, and
expected error assertions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 41fca1fb-ea5e-47ae-a3ee-90ce2e1a6bc3

📥 Commits

Reviewing files that changed from the base of the PR and between f633e20 and cc7167b.

📒 Files selected for processing (6)

• .coderabbit.yaml
• config/hiveadmission/clusterdeploymentcustomization-webhook.yaml
• config/hiveadmission/clusterpool-webhook.yaml
• pkg/operator/assets/bindata.go
• pkg/operator/hive/hiveadmission.go
• pkg/validating-webhooks/hive/v1/clusterdeploymentcustomization_validating_admission_hook.go

💤 Files with no reviewable changes (1)

• config/hiveadmission/clusterpool-webhook.yaml

✅ Files skipped from review due to trivial changes (2)

• pkg/operator/hive/hiveadmission.go
• config/hiveadmission/clusterdeploymentcustomization-webhook.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• .coderabbit.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Find ClusterDeploymentCustomization validating hook tests"
fd 'clusterdeploymentcustomization.*_test\.go$' pkg || true

echo
echo "2) Find test coverage for this hook/resource/operations"
rg -nP --type=go '(ClusterDeploymentCustomizationValidatingAdmissionHook|clusterdeploymentcustomizations|admissionv1beta1\.(Create|Update))' pkg -g '*_test.go' || true

Repository: openshift/hive

Length of output: 31435

---

🏁 Script executed:

cat -n pkg/validating-webhooks/hive/v1/clusterdeploymentcustomization_validating_admission_hook.go | head -80

Repository: openshift/hive

Length of output: 4442

---

🏁 Script executed:

find config -name '*clusterdeploymentcustomization*' -o -name '*webhook*' | grep -i customization || echo "No webhook config found for customization"

Repository: openshift/hive

Length of output: 189

---

🏁 Script executed:

rg -l 'clusterdeploymentcustomizations|ClusterDeploymentCustomization' config/ || echo "No matches in config/"

Repository: openshift/hive

Length of output: 358

---

🏁 Script executed:

cat -n pkg/validating-webhooks/hive/v1/clusterdeploymentcustomization_validating_admission_hook.go | tail -100

Repository: openshift/hive

Length of output: 4476

---

🏁 Script executed:

cat -n config/hiveadmission/clusterdeploymentcustomization-webhook.yaml

Repository: openshift/hive

Length of output: 982

---

🏁 Script executed:

rg -n 'ClusterDeploymentCustomization' pkg/ -g 'hiveadmission.go' -A 3 -B 3

Repository: openshift/hive

Length of output: 40

---

🏁 Script executed:

find pkg -name 'hiveadmission.go' -type f

Repository: openshift/hive

Length of output: 92

---

🏁 Script executed:

rg -n 'NewClusterDeploymentCustomization|clusterdeploymentcustomization' pkg/ --type go -i | grep -i admission

Repository: openshift/hive

Length of output: 8251

---

🏁 Script executed:

rg -A 10 -B 5 'clusterdeploymentcustomization-webhook.yaml' pkg/operator/hive/hiveadmission.go

Repository: openshift/hive

Length of output: 835

---

Add dedicated test file for ClusterDeploymentCustomization validating webhook.

This hook lacks regression tests despite other similar hooks (clusterdeployment, syncset, dnszone, etc.) having comprehensive test coverage. Create a clusterdeploymentcustomization_validating_admission_hook_test.go to cover:

• Resource matching via shouldValidate() (group, version, resource)
• CREATE operation validation
• UPDATE operation validation with old/new object handling

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@pkg/validating-webhooks/hive/v1/clusterdeploymentcustomization_validating_admission_hook.go`
at line 22, Add a dedicated test file to cover the
ClusterDeploymentCustomization validating webhook: create
clusterdeploymentcustomization_validating_admission_hook_test.go and implement
unit tests that assert shouldValidate() matches the intended
group/version/resource for "clusterdeploymentcustomizations", test CREATE
validation by calling the webhook's Admit/Validate function with a new
ClusterDeploymentCustomization object (both valid and invalid cases), and test
UPDATE validation by invoking the webhook with old and new objects to verify
update-specific logic; reference the shouldValidate() function and the
ClusterDeploymentCustomization validating admission hook methods (e.g.,
Validate/Admit or AdmitFunc) in your tests and mirror patterns used for the
existing clusterdeployment/syncset/dnszone tests for setup, fake clients, and
expected error assertions.

[2uasimojo]

/retest

[red-hat-konflux]

Caution

There are some errors in your PipelineRun template.

PipelineRun	Error
hive-mce-210-on-pull-request	CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-211-on-pull-request	CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-217-on-pull-request	CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-26-on-pull-request	CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-27-on-pull-request	CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-28-on-pull-request	CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-29-on-pull-request	CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-on-pull-request	CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-3133 which is a valid jira issue.

Details

In response to this:

This was missed in #1672.

Side quest: Dropping DELETE from the ClusterPool VWHC added in #2879. It didn't have functional impact, but would have been wastefully sending Delete requests to our hiveadmission service.

Also adding some coderabbit config intended to catch this kind of miss in the future.

Summary by CodeRabbit

• New Features
• Added a validating webhook for clusterdeploymentcustomizations that enforces validation on CREATE and UPDATE (failurePolicy: Fail); the operator installs and maintains it.
• Bug Fixes
• Updated clusterpool webhook to stop validating DELETE operations (now only CREATE and UPDATE).
• Improvements
• Improved logging for clearer diagnostic messages when webhook requests target unexpected resources.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[2uasimojo]

/assign @dlom

/cc @abraverm

[dlom]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, dlom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [2uasimojo,dlom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[2uasimojo]

/hold cancel

[openshift-ci]

@2uasimojo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.