Merge pull request #5099 from bryan-cox/fix-webhook-registration

Move webhook registration behind feature gate flag

api/v1beta1/azuremanagedcluster_webhook.go

@@ -18,13 +18,9 @@ package v1beta1
 
 import (
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/validation/field"
-	capifeature "sigs.k8s.io/cluster-api/feature"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-
-	"sigs.k8s.io/cluster-api-provider-azure/feature"
 )
 
 // SetupWebhookWithManager sets up and registers the webhook with the manager.
@@ -40,14 +36,6 @@ var _ webhook.Validator = &AzureManagedCluster{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *AzureManagedCluster) ValidateCreate() (admission.Warnings, error) {
-	// NOTE: AzureManagedCluster relies upon MachinePools, which is behind a feature gate flag.
-	// The webhook must prevent creating new objects in case the feature flag is disabled.
-	if !feature.Gates.Enabled(capifeature.MachinePool) {
-		return nil, field.Forbidden(
-			field.NewPath("spec"),
-			"can be set only if the Cluster API 'MachinePool' feature flag is enabled",
-		)
-	}
 	return nil, nil
 }
 

api/v1beta1/azuremanagedcluster_webhook_test.go

@@ -22,7 +22,6 @@ import (
 	. "github.com/onsi/gomega"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilfeature "k8s.io/component-base/featuregate/testing"
-	"k8s.io/utils/ptr"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	capifeature "sigs.k8s.io/cluster-api/feature"
 
@@ -142,12 +141,6 @@ func TestAzureManagedCluster_ValidateCreateFailure(t *testing.T) {
 		featureGateEnabled *bool
 		expectError        bool
 	}{
-		{
-			name:               "feature gate explicitly disabled",
-			amc:                getKnownValidAzureManagedCluster(),
-			featureGateEnabled: ptr.To(false),
-			expectError:        true,
-		},
 		{
 			name:               "feature gate implicitly enabled",
 			amc:                getKnownValidAzureManagedCluster(),

api/v1beta1/azuremanagedclustertemplate_webhook.go

@@ -18,13 +18,9 @@ package v1beta1
 
 import (
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/validation/field"
-	capifeature "sigs.k8s.io/cluster-api/feature"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-
-	"sigs.k8s.io/cluster-api-provider-azure/feature"
 )
 
 // SetupWebhookWithManager sets up and registers the webhook with the manager.
@@ -40,14 +36,6 @@ var _ webhook.Validator = &AzureManagedClusterTemplate{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *AzureManagedClusterTemplate) ValidateCreate() (admission.Warnings, error) {
-	// NOTE: AzureManagedClusterTemplate relies upon MachinePools, which is behind a feature gate flag.
-	// The webhook must prevent creating new objects in case the feature flag is disabled.
-	if !feature.Gates.Enabled(capifeature.MachinePool) {
-		return nil, field.Forbidden(
-			field.NewPath("spec"),
-			"cannot be set if the Cluster API 'MachinePool' feature flag is not enabled",
-		)
-	}
 	return nil, nil
 }
 

api/v1beta1/azuremanagedcontrolplane_webhook.go

@@ -31,12 +31,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/ptr"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
-	capifeature "sigs.k8s.io/cluster-api/feature"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
-	"sigs.k8s.io/cluster-api-provider-azure/feature"
 	"sigs.k8s.io/cluster-api-provider-azure/util/versions"
 	webhookutils "sigs.k8s.io/cluster-api-provider-azure/util/webhook"
 )
@@ -100,14 +98,6 @@ func (mw *azureManagedControlPlaneWebhook) ValidateCreate(_ context.Context, obj
 	if !ok {
 		return nil, apierrors.NewBadRequest("expected an AzureManagedControlPlane")
 	}
-	// NOTE: AzureManagedControlPlane relies upon MachinePools, which is behind a feature gate flag.
-	// The webhook must prevent creating new objects in case the feature flag is disabled.
-	if !feature.Gates.Enabled(capifeature.MachinePool) {
-		return nil, field.Forbidden(
-			field.NewPath("spec"),
-			"can be set only if the Cluster API 'MachinePool' feature flag is enabled",
-		)
-	}
 
 	return nil, m.Validate(mw.Client)
 }

api/v1beta1/azuremanagedcontrolplane_webhook_test.go

@@ -1657,12 +1657,6 @@ func TestAzureManagedControlPlane_ValidateCreateFailure(t *testing.T) {
 		featureGateEnabled *bool
 		expectError        bool
 	}{
-		{
-			name:               "feature gate explicitly disabled",
-			amcp:               getKnownValidAzureManagedControlPlane(),
-			featureGateEnabled: ptr.To(false),
-			expectError:        true,
-		},
 		{
 			name:               "feature gate implicitly enabled",
 			amcp:               getKnownValidAzureManagedControlPlane(),

api/v1beta1/azuremanagedcontrolplanetemplate_webhook.go

@@ -23,12 +23,10 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
-	capifeature "sigs.k8s.io/cluster-api/feature"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
-	"sigs.k8s.io/cluster-api-provider-azure/feature"
 	"sigs.k8s.io/cluster-api-provider-azure/util/versions"
 	webhookutils "sigs.k8s.io/cluster-api-provider-azure/util/webhook"
 )
@@ -66,14 +64,6 @@ func (mcpw *azureManagedControlPlaneTemplateWebhook) ValidateCreate(_ context.Co
 	if !ok {
 		return nil, apierrors.NewBadRequest("expected an AzureManagedControlPlaneTemplate")
 	}
-	// NOTE: AzureManagedControlPlaneTemplate relies upon MachinePools, which is behind a feature gate flag.
-	// The webhook must prevent creating new objects in case the feature flag is disabled.
-	if !feature.Gates.Enabled(capifeature.MachinePool) {
-		return nil, field.Forbidden(
-			field.NewPath("spec"),
-			"can be set only if the Cluster API 'MachinePool' feature flag is enabled",
-		)
-	}
 
 	return nil, mcp.validateManagedControlPlaneTemplate(mcpw.Client)
 }

api/v1beta1/azuremanagedmachinepool_webhook.go

@@ -32,12 +32,10 @@ import (
 	"k8s.io/utils/ptr"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	clusterctlv1alpha3 "sigs.k8s.io/cluster-api/cmd/clusterctl/api/v1alpha3"
-	capifeature "sigs.k8s.io/cluster-api/feature"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
-	"sigs.k8s.io/cluster-api-provider-azure/feature"
 	azureutil "sigs.k8s.io/cluster-api-provider-azure/util/azure"
 	webhookutils "sigs.k8s.io/cluster-api-provider-azure/util/webhook"
 )
@@ -91,14 +89,6 @@ func (mw *azureManagedMachinePoolWebhook) ValidateCreate(_ context.Context, obj
 	if !ok {
 		return nil, apierrors.NewBadRequest("expected an AzureManagedMachinePool")
 	}
-	// NOTE: AzureManagedMachinePool relies upon MachinePools, which is behind a feature gate flag.
-	// The webhook must prevent creating new objects in case the feature flag is disabled.
-	if !feature.Gates.Enabled(capifeature.MachinePool) {
-		return nil, field.Forbidden(
-			field.NewPath("spec"),
-			"can be set only if the Cluster API 'MachinePool' feature flag is enabled",
-		)
-	}
 
 	var errs []error
 

api/v1beta1/azuremanagedmachinepool_webhook_test.go

@@ -1311,12 +1311,6 @@ func TestAzureManagedMachinePool_ValidateCreateFailure(t *testing.T) {
 		featureGateEnabled *bool
 		expectError        bool
 	}{
-		{
-			name:               "feature gate explicitly disabled",
-			ammp:               getKnownValidAzureManagedMachinePool(),
-			featureGateEnabled: ptr.To(false),
-			expectError:        true,
-		},
 		{
 			name:               "feature gate implicitly enabled",
 			ammp:               getKnownValidAzureManagedMachinePool(),

api/v1beta1/azuremanagedmachinepooltemplate_webhook.go

@@ -25,12 +25,10 @@ import (
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/ptr"
-	capifeature "sigs.k8s.io/cluster-api/feature"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
-	"sigs.k8s.io/cluster-api-provider-azure/feature"
 	webhookutils "sigs.k8s.io/cluster-api-provider-azure/util/webhook"
 )
 
@@ -79,13 +77,6 @@ func (mpw *azureManagedMachinePoolTemplateWebhook) ValidateCreate(_ context.Cont
 		return nil, apierrors.NewBadRequest("expected an AzureManagedMachinePoolTemplate")
 	}
 
-	if !feature.Gates.Enabled(capifeature.MachinePool) {
-		return nil, field.Forbidden(
-			field.NewPath("spec"),
-			"can be set only if the Cluster API 'MachinePool' feature flag is enabled",
-		)
-	}
-
 	var errs []error
 
 	errs = append(errs, validateMaxPods(

exp/api/v1beta1/azuremachinepool_webhook.go

@@ -29,13 +29,11 @@ import (
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/validation/field"
-	capifeature "sigs.k8s.io/cluster-api/feature"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
-	"sigs.k8s.io/cluster-api-provider-azure/feature"
 	azureutil "sigs.k8s.io/cluster-api-provider-azure/util/azure"
 )
 
@@ -73,14 +71,7 @@ func (ampw *azureMachinePoolWebhook) ValidateCreate(_ context.Context, obj runti
 	if !ok {
 		return nil, apierrors.NewBadRequest("expected an AzureMachinePool")
 	}
-	// NOTE: AzureMachinePool is behind MachinePool feature gate flag; the webhook
-	// must prevent creating new objects in case the feature flag is disabled.
-	if !feature.Gates.Enabled(capifeature.MachinePool) {
-		return nil, field.Forbidden(
-			field.NewPath("spec"),
-			"can be set only if the MachinePool feature flag is enabled",
-		)
-	}
+
 	return nil, amp.Validate(nil, ampw.Client)
 }
 

exp/api/v1beta1/azuremachinepool_webhook_test.go

@@ -706,12 +706,6 @@ func TestAzureMachinePool_ValidateCreateFailure(t *testing.T) {
 		featureGateEnabled *bool
 		expectError        bool
 	}{
-		{
-			name:               "feature gate explicitly disabled",
-			amp:                getKnownValidAzureMachinePool(),
-			featureGateEnabled: ptr.To(false),
-			expectError:        true,
-		},
 		{
 			name:               "feature gate implicitly enabled",
 			amp:                getKnownValidAzureMachinePool(),

exp/api/v1beta1/azuremachinepoolmachine_webhook.go

@@ -19,13 +19,9 @@ package v1beta1
 import (
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/validation/field"
-	capifeature "sigs.k8s.io/cluster-api/feature"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-
-	"sigs.k8s.io/cluster-api-provider-azure/feature"
 )
 
 // SetupWebhookWithManager sets up and registers the webhook with the manager.
@@ -46,15 +42,6 @@ func (ampm *AzureMachinePoolMachine) ValidateCreate() (admission.Warnings, error
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
 func (ampm *AzureMachinePoolMachine) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
-	// NOTE: AzureMachinePoolMachine is behind MachinePool feature gate flag; the webhook
-	// must prevent creating new objects new case the feature flag is disabled.
-	if !feature.Gates.Enabled(capifeature.MachinePool) {
-		return nil, field.Forbidden(
-			field.NewPath("spec"),
-			"can be set only if the MachinePool feature flag is enabled",
-		)
-	}
-
 	oldMachine, ok := old.(*AzureMachinePoolMachine)
 	if !ok {
 		return nil, errors.New("expected and AzureMachinePoolMachine")