Webhooks deployed and managed by the API Connect Operator
The API Connect Operator deploys and manages various Kubernetes API webhooks in the cluster to assist in management of its custom resources.
The webhooks included admission controllers and conversion webhooks.
Defaulting webhook
- Purpose
The defaulting webhook is a type of Mutating Admission Webhook which runs against Custom Resources (CRs) at
CREATE
orUPDATE
time to populate default values in the CR'sspec
. - Creation
Currently the defaulting webhook runtime is part of the API Connect Operator runtime, that is it exists within the API Connect Operator pod and container. When the operator boots, it creates
MutatingWebhookConfiguration
resources for each CRD (listed below). ThisMutatingWebhookConfiguration
is a cluster-scope resource, but the configuration within will be specific to the namespace and operator instance which created it. If more than one instance of the API Connect Operator is deployed across a cluster (in different namespaces) there will be a set of webhook configurations for each API Connect Operator instance and namespace.The name for the
MutatingWebhookConfiguration
resource for each CRD will take the following form:<namespace>.<crd-name>.defaulter[.<component>].apiconnect.ibm.com
The following CustomResourceDefinitions utilize a defaulting webhook:
AnalyticsCluster ApiconnectCluster GatewayCluster ManagementCluster ManagementDBUpgrade ManagementRestore PortalCluster
- Lifecycle
While the defaulting webhook runtime itself lives within the API Connect Operator pod, the
MutatingWebhookConfiguration
is a cluster-scope resource and is stand-alone. When it is created, anownerReference
is set on it that references the API Connect Operator'sClusterRole
. Thus, the lifecycle of theMutatingWebhookConfiguration
resources will be linked with theClusterRole
, which is linked with the installation of the operator itself.When the operator is uninstalled, the
MutatingWebhookConfiguration
resources for that operator instance are also removed. - Example
The below output shows the defaulting webhook configurations created for an operator deployed in the
apiconnect-operator
namespace. One can be seen for each CRD.$ oc get mutatingwebhookconfiguration NAME WEBHOOKS AGE apiconnect-operator.analyticsclusters.defaulter.analytics.apiconnect.ibm.com 1 4d4h apiconnect-operator.apiconnectclusters.defaulter.apiconnect.ibm.com 1 4d4h apiconnect-operator.gatewayclusters.defaulter.gateway.apiconnect.ibm.com 1 4d4h apiconnect-operator.managementclusters.defaulter.management.apiconnect.ibm.com 1 4d4h apiconnect-operator.managementdbupgrades.defaulter.management.apiconnect.ibm.com 1 4d4h apiconnect-operator.managementrestores.defaulter.management.apiconnect.ibm.com 1 4d4h apiconnect-operator.portalclusters.defaulter.portal.apiconnect.ibm.com 1 4d4h
Validating webhook
- Purpose
The validating webhook is a type of ValidatingAdmissionWebhook which runs against Custom Resources (CRs) at
CREATE
orUPDATE
time to validate the CR contains a configuration which will yield an operable cluster. The CustomResourceDefinitions use OpenAPI schema validation for basic property checks (such as integer bounds and non-empty strings), but more complex validation of the configuration is done via the webhook. - Creation
Currently the validating webhook runtime is part of the API Connect Operator runtime, i.e. it exists within the API Connect Operator pod and container. When the operator boots, it creates
ValidatingWebhookConfiguration
resources for each CRD (listed below). ThisValidatingWebhookConfiguration
is a cluster-scope resource, but the configuration within will be specific to the namespace and operator instance which created it. If more than one instance of the API Connect Operator is deployed across a cluster (in different namespaces) there will be a set of webhook configurations for each API Connect Operator instance and namespace.The name for the
ValidatingWebhookConfiguration
resource for each CRD will take the following form:<namespace>.<crd-name>.validator[.<component>].apiconnect.ibm.com
The following CustomResourceDefinitions utilize a validating webhook:
AnalyticsCluster ApiconnectCluster GatewayCluster ManagementCluster ManagementDBUpgrade ManagementRestore PortalCluster
- Lifecycle
While the validating webhook runtime itself lives within the API Connect Operator pod, the
ValidatingWebhookConfiguration
is a cluster-scope resource and is stand-alone. When it is created, anownerReference
is set on it that references the API Connect Operator'sClusterRole
. Thus, the lifecycle of theValidatingWebhookConfiguration
resources will be linked with theClusterRole
, which is linked with the installation of the operator itself.When the operator is uninstalled, the
ValidatingWebhookConfiguration
resources for that operator instance are also removed. - Example
The below output shows the validating webhook configurations created for an operator deployed in the
apiconnect-operator
namespace. One can be seen for each CRD.validatingwebhookconfiguration NAME WEBHOOKS AGE apiconnect-operator.analyticsclusters.validator.analytics.apiconnect.ibm.com 1 4d4h apiconnect-operator.apiconnectclusters.validator.apiconnect.ibm.com 1 4d4h apiconnect-operator.gatewayclusters.validator.gateway.apiconnect.ibm.com 1 4d4h apiconnect-operator.managementclusters.validator.management.apiconnect.ibm.com 1 4d4h apiconnect-operator.managementdbupgrades.validator.management.apiconnect.ibm.com 1 4d4h apiconnect-operator.managementrestores.validator.management.apiconnect.ibm.com 1 4d4h apiconnect-operator.portalclusters.validator.portal.apiconnect.ibm.com 1 4d4h