chore: delete webhook

.github/ISSUE_TEMPLATE/---release.md

@@ -65,7 +65,6 @@ These versions should be updated to match the new release. The example consts to
 
 - `DefaultDataPlaneTag`
 - `DefaultControlPlaneVersion`
-- `WebhookCertificateConfigBaseImage`
 
 ## GitHub PAT
 

.github/workflows/__release-workflow.yaml

@@ -124,13 +124,7 @@ jobs:
 
   test-integration-current-kubernetes:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-      matrix:
-        webhook-enabled:
-          - "true"
-          - "false"
-    name: "test-integration-current-kubernetes (WEBHOOK_ENABLED=${{ matrix.webhook-enabled }})"
+    name: "test-integration-current-kubernetes"
     steps:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -172,15 +166,14 @@ jobs:
         run: make test.integration
         env:
           KONG_LICENSE_DATA: ${{ steps.get-license.outputs.license || '' }} # The license is optional for OSS tests.
-          WEBHOOK_ENABLED: ${{ matrix.webhook-enabled }}
           KONG_TEST_KONNECT_ACCESS_TOKEN: ${{ secrets.konnect-pat }}
           KONG_TEST_KONNECT_SERVER_URL: us.api.konghq.tech
 
       - name: upload diagnostics
         if: always()
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: diagnostics-integration-webhook-enabled-${{ matrix.webhook-enabled }}
+          name: diagnostics-integration
           path: /tmp/ktf-diag*
           if-no-files-found: ignore
 

.github/workflows/tests.yaml

@@ -315,13 +315,7 @@ jobs:
 
   integration-tests:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-      matrix:
-        webhook-enabled:
-          - "true"
-          - "false"
-    name: "integration-tests (WEBHOOK_ENABLED=${{ matrix.webhook-enabled }})"
+    name: integration-tests
     steps:
     - name: checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -340,9 +334,8 @@ jobs:
       env:
         KONG_TEST_DISABLE_CERTMANAGER: "true"
         KONG_PLUGIN_IMAGE_REGISTRY_CREDENTIALS: ${{ secrets.KONG_PLUGIN_IMAGE_REGISTRY_CREDENTIALS }}
-        WEBHOOK_ENABLED: ${{ matrix.webhook-enabled }}
         KONG_CONTROLLER_OUT: stdout
-        GOTESTSUM_JUNITFILE: integration-tests-webhook-enabled-${{ matrix.webhook-enabled }}.xml
+        GOTESTSUM_JUNITFILE: integration-tests.xml
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         KONG_TEST_KONNECT_ACCESS_TOKEN: ${{ secrets.KONG_TEST_KONNECT_ACCESS_TOKEN }}
         KONG_TEST_KONNECT_SERVER_URL: us.api.konghq.tech
@@ -351,32 +344,26 @@ jobs:
       if: always()
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
-        name: diagnostics-integration-webhook-enabled-${{ matrix.webhook-enabled }}
+        name: diagnostics-integration
         path: /tmp/ktf-diag*
         if-no-files-found: ignore
 
     - name: collect test coverage
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
-        name: coverage-integration-webhook-enabled-${{ matrix.webhook-enabled }}
+        name: coverage-integration
         path: coverage.integration.out
 
     - name: collect test report
       if: ${{ always() }}
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
-        name: tests-report-integration-webhook-enabled-${{ matrix.webhook-enabled }}
-        path: integration-tests-webhook-enabled-${{ matrix.webhook-enabled }}.xml
+        name: tests-report-integration
+        path: integration-tests.xml
 
   integration-tests-bluegreen:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-      matrix:
-        webhook-enabled:
-          - "true"
-          - "false"
-    name: "integration-tests-bluegreen (WEBHOOK_ENABLED=${{ matrix.webhook-enabled }})"
+    name: integration-tests-bluegreen
     steps:
     - name: checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -394,81 +381,30 @@ jobs:
       run: make test.integration_bluegreen
       env:
         KONG_TEST_DISABLE_CERTMANAGER: "true"
-        WEBHOOK_ENABLED: ${{ matrix.webhook-enabled }}
         KONG_CONTROLLER_OUT: stdout
-        GOTESTSUM_JUNITFILE: integration-tests-bluegreen-webhook-enabled-${{ matrix.webhook-enabled }}.xml
+        GOTESTSUM_JUNITFILE: integration-tests-bluegreen.xml
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     - name: upload diagnostics
       if: always()
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
-        name: diagnostics-integration-bluegreen-webhook-enabled-${{ matrix.webhook-enabled }}
+        name: diagnostics-integration-bluegreen
         path: /tmp/ktf-diag*
         if-no-files-found: ignore
 
     - name: collect test coverage
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
-        name: coverage-integration-bluegreen-webhook-enabled-${{ matrix.webhook-enabled }}
+        name: coverage-integration-bluegreen
         path: coverage.integration-bluegreen.out
 
     - name: collect test report
       if: always()
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
-        name: tests-report-integration-bluegreen-webhook-enabled-${{ matrix.webhook-enabled }}
-        path: integration-tests-bluegreen-webhook-enabled-${{ matrix.webhook-enabled }}.xml
-
-  # Test reconciling Gateway with provisioning DataPlane failures.
-  # This test introduces a wrong gateway that will have errors on validation all `DataPlane`s, so it should run isolated.
-  integration-tests-provision-fail:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-    name: integration-tests-provision-dataplane-fail
-    steps:
-    - name: checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-    - name: setup golang
-      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
-      with:
-        go-version-file: go.mod
-
-    - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2.1.11
-      with:
-        install: false
-
-    - name: run integration tests
-      run: make test.integration_provision_dataplane_fail
-      env:
-        KONG_TEST_DISABLE_CERTMANAGER: "true"
-        KONG_CONTROLLER_OUT: stdout
-        KONG_PLUGIN_IMAGE_REGISTRY_CREDENTIALS: ${{ secrets.KONG_PLUGIN_IMAGE_REGISTRY_CREDENTIALS }}
-        GOTESTSUM_JUNITFILE: integration-tests-provision-dataplane-fail.xml
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: upload diagnostics
-      if: always()
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-      with:
-        name: diagnostics-integration-provision-fail
-        path: /tmp/ktf-diag*
-        if-no-files-found: ignore
-
-    - name: collect test coverage
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-      with:
-        name: coverage-integration-tests-provision-fail
-        path: coverage.integration-provision-dataplane-fail.out
-
-    - name: collect test report
-      if: always()
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-      with:
-        name: tests-report-integration-tests-provision-fail
-        path: integration-tests-provision-dataplane-fail.xml
+        name: tests-report-integration-bluegreen
+        path: integration-tests-bluegreen.xml
 
   e2e-tests:
     runs-on: ubuntu-latest
@@ -498,7 +434,6 @@ jobs:
       env:
         KONG_TEST_DISABLE_CERTMANAGER: "true"
         KONG_TEST_GATEWAY_OPERATOR_IMAGE_LOAD: gateway-operator:e2e-${{ github.sha }}
-        WEBHOOK_ENABLED: "false"
         GOTESTSUM_JUNITFILE: "e2e-tests.xml"
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

Makefile

@@ -297,9 +297,8 @@ CONFIG_CRD_PATH = config/crd
 CONFIG_CRD_BASE_PATH = $(CONFIG_CRD_PATH)/bases
 
 .PHONY: manifests
-manifests: controller-gen manifests.versions manifests.crds ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
+manifests: controller-gen manifests.versions manifests.crds ## Generate ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) paths="$(CONTROLLER_GEN_PATHS)" rbac:roleName=manager-role output:rbac:dir=config/rbac/role
-	$(CONTROLLER_GEN) paths="$(CONTROLLER_GEN_PATHS)" webhook
 
 .PHONY: manifests.crds
 manifests.crds: controller-gen manifests.versions ## Generate CustomResourceDefinition objects.
@@ -400,7 +399,7 @@ test.crds-validation.pretty:
 	$(MAKE) _test.envtest GOTESTSUM_FORMAT=testname ENVTEST_TEST_PATHS=./test/crdsvalidation/...
 
 .PHONY: _test.integration
-_test.integration: webhook-certs-dir gotestsum
+_test.integration: gotestsum
 	GOFLAGS=$(GOFLAGS) \
 		GOTESTSUM_FORMAT=$(GOTESTSUM_FORMAT) \
 		$(GOTESTSUM) -- $(GOTESTFLAGS) \
@@ -413,7 +412,7 @@ _test.integration: webhook-certs-dir gotestsum
 .PHONY: test.integration
 test.integration:
 	@$(MAKE) _test.integration \
-		GOTESTFLAGS="-skip='BlueGreen|TestGatewayProvisionDataPlaneFail' $(GOTESTFLAGS)" \
+		GOTESTFLAGS="-skip='BlueGreen' $(GOTESTFLAGS)" \
 		COVERPROFILE="coverage.integration.out"
 
 .PHONY: test.integration_bluegreen
@@ -423,13 +422,6 @@ test.integration_bluegreen:
 		GOTESTFLAGS="-run='BlueGreen|TestDataPlane' $(GOTESTFLAGS)" \
 		COVERPROFILE="coverage.integration-bluegreen.out" \
 
-.PHONY: test.integration_provision_dataplane_fail
-test.integration_provision_dataplane_fail:
-	@$(MAKE) _test.integration \
-		WEBHOOK_ENABLED=true \
-		GOTESTFLAGS="-run=TestGatewayProvisionDataPlaneFail $(GOTESTFLAGS)" \
-		COVERPROFILE="coverage.integration.out"
-
 .PHONY: _test.e2e
 _test.e2e: gotestsum
 		GOTESTSUM_FORMAT=$(GOTESTSUM_FORMAT) \
@@ -521,22 +513,18 @@ ifndef ignore-not-found
   ignore-not-found = false
 endif
 
-.PHONY: webhook-certs-dir
-webhook-certs-dir:
-	@mkdir -p /tmp/k8s-webhook-server/serving-certs/
-
 .PHONY: _ensure-kong-system-namespace
 _ensure-kong-system-namespace:
 	@kubectl create ns kong-system 2>/dev/null || true
 
 # Run a controller from your host.
 .PHONY: run
-run: webhook-certs-dir manifests generate install.all _ensure-kong-system-namespace install.rbacs
+run: manifests generate install.all _ensure-kong-system-namespace install.rbacs
 	@$(MAKE) _run
 
 # Run a controller from your host and make it impersonate the controller-manager service account from kong-system namespace.
 .PHONY: run.with_impersonate
-run.with_impersonate: webhook-certs-dir manifests generate install.all _ensure-kong-system-namespace install.rbacs
+run.with_impersonate: manifests generate install.all _ensure-kong-system-namespace install.rbacs
 	@$(MAKE) _run.with-impersonate
 
 KUBECONFIG ?= $(HOME)/.kube/config
@@ -588,7 +576,7 @@ run.skaffold:
 		$(MAKE) _skaffold
 
 .PHONY: debug
-debug: webhook-certs-dir manifests generate install.all _ensure-kong-system-namespace
+debug: manifests generate install.all _ensure-kong-system-namespace
 	GATEWAY_OPERATOR_DEVELOPMENT_MODE=true dlv debug ./cmd/main.go -- \
 		--no-leader-election \
 		-cluster-ca-secret-namespace kong-system \

config/debug/manager_debug.yaml

@@ -33,7 +33,6 @@ spec:
             - -zap-log-level=debug
             - -enable-controller-kongplugininstallation
             - -enable-controller-konnect
-            - -enable-validating-webhook
           name: manager
           env:
             - name: GATEWAY_OPERATOR_DEVELOPMENT_MODE

config/default/kustomization.yaml

@@ -11,4 +11,3 @@ resources:
 
 patches:
 - path: manager_metrics_access_filter_rbac_patch.yaml
-- path: manager_webhook_certificates_patch.yaml

config/rbac/role/role.yaml

@@ -46,7 +46,6 @@ rules:
   resources:
   - secrets
   verbs:
-  - create
   - delete
   - get
   - list
@@ -101,14 +100,6 @@ rules:
   - list
   - patch
   - watch
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - create
-  - delete
-  - get
 - apiGroups:
   - configuration.konghq.com
   resources:
@@ -462,12 +453,3 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - rolebindings
-  - roles
-  verbs:
-  - create
-  - delete
-  - get

modules/cli/cli.go

@@ -62,9 +62,12 @@ func New(m metadata.Info) *CLI {
 	flagSet.UintVar(&cfg.KonnectMaxConcurrentReconciles, "konnect-controller-max-concurrent-reconciles", consts.DefaultKonnectMaxConcurrentReconciles, "Maximum number of concurrent reconciles for Konnect entities.")
 
 	// webhook and validation options
-	flagSet.BoolVar(&cfg.ValidatingWebhookEnabled, "enable-validating-webhook", false, "Enable the validating webhook.")
-	flagSet.StringVar(&cfg.WebhookCertificateConfigBaseImage, "webhook-certificate-config-base-image", consts.WebhookCertificateConfigBaseImage, "The base image for the certgen Jobs.")
-	flagSet.StringVar(&cfg.WebhookCertificateConfigShellImage, "webhook-certificate-config-shell-image", consts.WebhookCertificateConfigShellImage, "The shell image for the certgen Jobs.")
+	var validatingWebhookEnabled bool
+	flagSet.BoolVar(&validatingWebhookEnabled, "enable-validating-webhook", false, "Enable the validating webhook. DEPRECATED: This flag is no-op and will be removed in a future release.")
+	var validatingWebhookConfigBaseImage string
+	flagSet.StringVar(&validatingWebhookConfigBaseImage, "webhook-certificate-config-base-image", consts.WebhookCertificateConfigBaseImage, "The base image for the certgen Jobs. DEPRECATED: This flag is no-op and will be removed in a future release.")
+	var validatingWebhookConfigShellImage string
+	flagSet.StringVar(&validatingWebhookConfigShellImage, "webhook-certificate-config-shell-image", consts.WebhookCertificateConfigShellImage, "The shell image for the certgen Jobs. DEPRECATED: This flag is no-op and will be removed in a future release.")
 
 	flagSet.BoolVar(&deferCfg.Version, "version", false, "Print version information.")
 
@@ -150,11 +153,7 @@ func (c *CLI) Parse(arguments []string) manager.Config {
 		developmentModeEnabled = true
 	}
 
-	webhookCertDir := manager.DefaultConfig().WebhookCertDir
 	// TODO: clean env handling https://github.com/Kong/gateway-operator-archive/issues/19
-	if certDir := os.Getenv("WEBHOOK_CERT_DIR"); certDir != "" {
-		webhookCertDir = certDir
-	}
 
 	// Flags take precedence over environment variables,
 	// so we bind env vars first then parse aruments to override the values from flags.
@@ -220,9 +219,7 @@ func (c *CLI) Parse(arguments []string) manager.Config {
 	c.cfg.LeaderElection = leaderElection
 	c.cfg.ControllerNamespace = controllerNamespace
 	c.cfg.ClusterCASecretNamespace = clusterCASecretNamespace
-	c.cfg.WebhookCertDir = webhookCertDir
 	c.cfg.LoggerOpts = logging.SetupLogEncoder(c.cfg.DevelopmentMode || c.loggerOpts.Development, c.loggerOpts)
-	c.cfg.WebhookPort = manager.DefaultConfig().WebhookPort
 	c.cfg.LeaderElectionNamespace = controllerNamespace
 	c.cfg.AnonymousReports = anonymousReportsEnabled