NVIDIA · enoodle · Nov 5, 2025 · Oct 30, 2025 · Nov 5, 2025
diff --git a/pkg/operator/operands/admission/admission.go b/pkg/operator/operands/admission/admission.go
@@ -15,40 +15,44 @@ import (
 type Admission struct {
 	namespace        string
 	lastDesiredState []client.Object
+	BaseResourceName string
 }
 
 type resourceForKAIConfig func(ctx context.Context, runtimeClient client.Reader, kaiConfig *kaiv1.Config) ([]client.Object, error)
 
-func (b *Admission) DesiredState(
+func (a *Admission) DesiredState(
 	ctx context.Context, runtimeClient client.Reader,
 	kaiConfig *kaiv1.Config,
 ) ([]client.Object, error) {
-	b.namespace = kaiConfig.Spec.Namespace
+	a.namespace = kaiConfig.Spec.Namespace
+	if a.BaseResourceName == "" {
+		a.BaseResourceName = defaultResourceName
+	}
 
 	if kaiConfig.Spec.Admission == nil || kaiConfig.Spec.Admission.Service.Enabled == nil ||
 		!*kaiConfig.Spec.Admission.Service.Enabled {
-		b.lastDesiredState = []client.Object{}
+		a.lastDesiredState = []client.Object{}
 		return nil, nil
 	}
 
-	err, secret, webhookName := upsertKAIAdmissionCertSecret(ctx, runtimeClient, kaiConfig)
+	err, secret, webhookName := a.upsertKAIAdmissionCertSecret(ctx, runtimeClient, kaiConfig)
 	if err != nil {
 		return nil, err
 	}
 
 	objects := []client.Object{secret}
 	for _, resourceFunc := range []resourceForKAIConfig{
-		deploymentForKAIConfig,
-		serviceAccountForKAIConfig,
-		serviceForKAIConfig,
+		a.deploymentForKAIConfig,
+		a.serviceAccountForKAIConfig,
+		a.serviceForKAIConfig,
 		func(_ context.Context, _ client.Reader, _ *kaiv1.Config) ([]client.Object, error) {
 			return []client.Object{secret}, nil
 		},
 		func(ctx context.Context, runtimeClient client.Reader, kaiConfig *kaiv1.Config) ([]client.Object, error) {
-			return mutatingWCForKAIConfig(ctx, runtimeClient, kaiConfig, secret, webhookName)
+			return a.mutatingWCForKAIConfig(ctx, runtimeClient, kaiConfig, secret, webhookName)
 		},
 		func(ctx context.Context, runtimeClient client.Reader, kaiConfig *kaiv1.Config) ([]client.Object, error) {
-			return validatingWCForKAIConfig(ctx, runtimeClient, kaiConfig, secret, webhookName)
+			return a.validatingWCForKAIConfig(ctx, runtimeClient, kaiConfig, secret, webhookName)
 		},
 	} {
 		newResources, err := resourceFunc(ctx, runtimeClient, kaiConfig)
@@ -58,22 +62,22 @@ func (b *Admission) DesiredState(
 		objects = append(objects, newResources...)
 	}
 
-	b.lastDesiredState = objects
+	a.lastDesiredState = objects
 	return objects, nil
 }
 
-func (b *Admission) IsDeployed(ctx context.Context, readerClient client.Reader) (bool, error) {
-	return common.AllObjectsExists(ctx, readerClient, b.lastDesiredState)
+func (a *Admission) IsDeployed(ctx context.Context, readerClient client.Reader) (bool, error) {
+	return common.AllObjectsExists(ctx, readerClient, a.lastDesiredState)
 }
 
-func (b *Admission) IsAvailable(ctx context.Context, readerClient client.Reader) (bool, error) {
-	return common.AllControllersAvailable(ctx, readerClient, b.lastDesiredState)
+func (a *Admission) IsAvailable(ctx context.Context, readerClient client.Reader) (bool, error) {
+	return common.AllControllersAvailable(ctx, readerClient, a.lastDesiredState)
 }
 
-func (b *Admission) Name() string {
+func (a *Admission) Name() string {
 	return "KAIAdmission"
 }
 
-func (b *Admission) Monitor(ctx context.Context, runtimeReader client.Reader, kaiConfig *kaiv1.Config) error {
+func (a *Admission) Monitor(ctx context.Context, runtimeReader client.Reader, kaiConfig *kaiv1.Config) error {
 	return nil
 }
diff --git a/pkg/operator/operands/admission/admission_test.go b/pkg/operator/operands/admission/admission_test.go
@@ -86,8 +86,8 @@ var _ = Describe("Admission", func() {
 				Expect(validatingWebhook.Webhooks).To(HaveLen(1))
 				Expect(validatingWebhook.Webhooks[0].ClientConfig.CABundle).To(Equal(secret.Data[certKey]))
 
-				Expect(mutatingWebhook.Webhooks[0].ClientConfig.Service.Name).To(Equal(mainResourceName))
-				Expect(validatingWebhook.Webhooks[0].ClientConfig.Service.Name).To(Equal(mainResourceName))
+				Expect(mutatingWebhook.Webhooks[0].ClientConfig.Service.Name).To(Equal(defaultResourceName))
+				Expect(validatingWebhook.Webhooks[0].ClientConfig.Service.Name).To(Equal(defaultResourceName))
 			})
 
 			It("should preserve existing deployment labels", func() {
@@ -106,7 +106,7 @@ var _ = Describe("Admission", func() {
 
 			It("should configure service with correct selector", func() {
 				service := getService(objects)
-				Expect(service.Spec.Selector).To(HaveKeyWithValue("app", mainResourceName))
+				Expect(service.Spec.Selector).To(HaveKeyWithValue("app", defaultResourceName))
 			})
 		})
 	})

diff --git a/pkg/operator/operands/admission/resources.go b/pkg/operator/operands/admission/resources.go
@@ -25,18 +25,18 @@ import (
 )
 
 const (
-	mainResourceName              = "admission"
+	defaultResourceName           = "admission"
 	kaiAdmissionWebhookSecretName = "kai-admission-webhook-tls-secret"
 	certKey                       = "tls.crt"
 	keyKey                        = "tls.key"
 )
 
-func deploymentForKAIConfig(
+func (a *Admission) deploymentForKAIConfig(
 	ctx context.Context, runtimeClient client.Reader, kaiConfig *kaiv1.Config,
 ) ([]client.Object, error) {
 
 	config := kaiConfig.Spec.Admission
-	deployment, err := common.DeploymentForKAIConfig(ctx, runtimeClient, kaiConfig, config.Service, mainResourceName)
+	deployment, err := common.DeploymentForKAIConfig(ctx, runtimeClient, kaiConfig, config.Service, a.BaseResourceName)
 	if err != nil {
 		return nil, err
 	}
@@ -85,10 +85,10 @@ func deploymentForKAIConfig(
 	return []client.Object{deployment}, nil
 }
 
-func serviceAccountForKAIConfig(
+func (a *Admission) serviceAccountForKAIConfig(
 	ctx context.Context, runtimeClient client.Reader, kaiConfig *kaiv1.Config,
 ) ([]client.Object, error) {
-	sa, err := common.ObjectForKAIConfig(ctx, runtimeClient, &v1.ServiceAccount{}, mainResourceName,
+	sa, err := common.ObjectForKAIConfig(ctx, runtimeClient, &v1.ServiceAccount{}, a.BaseResourceName,
 		kaiConfig.Spec.Namespace)
 	if err != nil {
 		return nil, err
@@ -100,10 +100,10 @@ func serviceAccountForKAIConfig(
 	return []client.Object{sa}, err
 }
 
-func serviceForKAIConfig(
+func (a *Admission) serviceForKAIConfig(
 	ctx context.Context, runtimeClient client.Reader, kaiConfig *kaiv1.Config,
 ) ([]client.Object, error) {
-	serviceObj, err := common.ObjectForKAIConfig(ctx, runtimeClient, &v1.Service{}, mainResourceName,
+	serviceObj, err := common.ObjectForKAIConfig(ctx, runtimeClient, &v1.Service{}, a.BaseResourceName,
 		kaiConfig.Spec.Namespace)
 	if err != nil {
 		return nil, err
@@ -131,7 +131,7 @@ func serviceForKAIConfig(
 		},
 	}
 	service.Spec.Selector = map[string]string{
-		"app": mainResourceName,
+		"app": a.BaseResourceName,
 	}
 
 	service.Spec.SessionAffinity = v1.ServiceAffinityNone
@@ -180,18 +180,18 @@ func buildWebhookSelectors(kaiConfig *kaiv1.Config) (namespaceSelector *metav1.L
 	return namespaceSelector, objectSelector
 }
 
-func buildWebhookClientConfig(kaiConfig *kaiv1.Config, secret *v1.Secret, webhookPath string) admissionv1.WebhookClientConfig {
+func (a *Admission) buildWebhookClientConfig(kaiConfig *kaiv1.Config, secret *v1.Secret, webhookPath string) admissionv1.WebhookClientConfig {
 	return admissionv1.WebhookClientConfig{
 		Service: &admissionv1.ServiceReference{
 			Namespace: kaiConfig.Spec.Namespace,
-			Name:      mainResourceName,
+			Name:      a.BaseResourceName,
 			Path:      ptr.To(webhookPath),
 		},
 		CABundle: secret.Data[certKey],
 	}
 }
 
-func mutatingWCForKAIConfig(
+func (a *Admission) mutatingWCForKAIConfig(
 	ctx context.Context, runtimeClient client.Reader, kaiConfig *kaiv1.Config,
 	secret *v1.Secret, webhookName string,
 ) ([]client.Object, error) {
@@ -206,10 +206,10 @@ func mutatingWCForKAIConfig(
 	if mutatingWebhookConfiguration.Labels == nil {
 		mutatingWebhookConfiguration.Labels = map[string]string{}
 	}
-	mutatingWebhookConfiguration.Labels["app"] = mainResourceName
+	mutatingWebhookConfiguration.Labels["app"] = a.BaseResourceName
 
 	namespaceSelector, objectSelector := buildWebhookSelectors(kaiConfig)
-	clientConfig := buildWebhookClientConfig(kaiConfig, secret, "/mutate--v1-pod")
+	clientConfig := a.buildWebhookClientConfig(kaiConfig, secret, "/mutate--v1-pod")
 
 	mutatingWebhookConfiguration.Webhooks = []admissionv1.MutatingWebhook{
 		{
@@ -238,7 +238,7 @@ func mutatingWCForKAIConfig(
 	return []client.Object{mutatingWebhookConfiguration}, nil
 }
 
-func validatingWCForKAIConfig(
+func (a *Admission) validatingWCForKAIConfig(
 	ctx context.Context, runtimeClient client.Reader, kaiConfig *kaiv1.Config,
 	secret *v1.Secret, webhookName string,
 ) ([]client.Object, error) {
@@ -254,10 +254,10 @@ func validatingWCForKAIConfig(
 	if validatingWebhookConfiguration.Labels == nil {
 		validatingWebhookConfiguration.Labels = map[string]string{}
 	}
-	validatingWebhookConfiguration.Labels["app"] = mainResourceName
+	validatingWebhookConfiguration.Labels["app"] = a.BaseResourceName
 
 	namespaceSelector, objectSelector := buildWebhookSelectors(kaiConfig)
-	clientConfig := buildWebhookClientConfig(kaiConfig, secret, "/validate--v1-pod")
+	clientConfig := a.buildWebhookClientConfig(kaiConfig, secret, "/validate--v1-pod")
 
 	validatingWebhookConfiguration.Webhooks = []admissionv1.ValidatingWebhook{
 		{
@@ -285,7 +285,7 @@ func validatingWCForKAIConfig(
 	return []client.Object{validatingWebhookConfiguration}, nil
 }
 
-func upsertKAIAdmissionCertSecret(ctx context.Context, runtimeClient client.Reader, kaiConfig *kaiv1.Config) (
+func (a *Admission) upsertKAIAdmissionCertSecret(ctx context.Context, runtimeClient client.Reader, kaiConfig *kaiv1.Config) (
 	error, *v1.Secret, string) {
 	secretObj, err := common.ObjectForKAIConfig(ctx, runtimeClient, &v1.Secret{},
 		kaiAdmissionWebhookSecretName, kaiConfig.Spec.Namespace)
@@ -298,7 +298,7 @@ func upsertKAIAdmissionCertSecret(ctx context.Context, runtimeClient client.Read
 		Kind:       "Secret",
 		APIVersion: "v1",
 	}
-	webhookName := calculateServiceUrl(mainResourceName, kaiConfig.Spec.Namespace)
+	webhookName := calculateServiceUrl(a.BaseResourceName, kaiConfig.Spec.Namespace)
 	if err = updateSelfSigned(secret, webhookName); err != nil {
 		return err, nil, ""
 	}

diff --git a/pkg/operator/operands/admission/resources_test.go b/pkg/operator/operands/admission/resources_test.go
@@ -205,19 +205,17 @@ func TestDeploymentForKAIConfig(t *testing.T) {
 			client := fake.NewClientBuilder().Build()
 
 			tt.config.Spec.SetDefaultsWhereNeeded()
-			objects, err := deploymentForKAIConfig(ctx, client, tt.config)
+			a := &Admission{BaseResourceName: defaultResourceName}
+			objects, err := a.deploymentForKAIConfig(ctx, client, tt.config)
 			require.NoError(t, err)
 			require.Len(t, objects, 1)
 
-			deployment := objects[0]
-			assert.Equal(t, "admission", deployment.GetName())
-			assert.Equal(t, constants.DefaultKAINamespace, deployment.GetNamespace())
+			deploymentObj := objects[0]
+			assert.Equal(t, "admission", deploymentObj.GetName())
+			assert.Equal(t, constants.DefaultKAINamespace, deploymentObj.GetNamespace())
 
-			// Type assert to access Spec
-			deploymentObj, ok := deployment.(*appsv1.Deployment)
-			require.True(t, ok, "deployment should be of type *appsv1.Deployment")
-
-			container := deploymentObj.Spec.Template.Spec.Containers[0]
+			deployment := deploymentObj.(*appsv1.Deployment)
+			container := deployment.Spec.Template.Spec.Containers[0]
 			args := container.Args
 
 			// Check expected args
@@ -322,11 +320,13 @@ func TestMutatingWCForKAIConfig(t *testing.T) {
 
 			tt.config.Spec.SetDefaultsWhereNeeded()
 
+			a := &Admission{BaseResourceName: defaultResourceName}
+
 			// Create a secret first since the function now requires it
-			err, secret, webhookName := upsertKAIAdmissionCertSecret(ctx, client, tt.config)
+			err, secret, webhookName := a.upsertKAIAdmissionCertSecret(ctx, client, tt.config)
 			require.NoError(t, err)
 
-			objects, err := mutatingWCForKAIConfig(ctx, client, tt.config, secret, webhookName)
+			objects, err := a.mutatingWCForKAIConfig(ctx, client, tt.config, secret, webhookName)
 			require.NoError(t, err)
 			require.Len(t, objects, 1) // webhook only (secret is created separately now)
 
@@ -452,12 +452,13 @@ func TestValidatingWCForKAIConfig(t *testing.T) {
 			client := fake.NewClientBuilder().Build()
 
 			tt.config.Spec.SetDefaultsWhereNeeded()
+			a := &Admission{BaseResourceName: defaultResourceName}
 
 			// Create a secret first since the function now requires it
-			err, secret, webhookName := upsertKAIAdmissionCertSecret(ctx, client, tt.config)
+			err, secret, webhookName := a.upsertKAIAdmissionCertSecret(ctx, client, tt.config)
 			require.NoError(t, err)
 
-			objects, err := validatingWCForKAIConfig(ctx, client, tt.config, secret, webhookName)
+			objects, err := a.validatingWCForKAIConfig(ctx, client, tt.config, secret, webhookName)
 			require.NoError(t, err)
 			require.Len(t, objects, 1) // webhook only (secret is created separately now)
 
@@ -498,7 +499,8 @@ func TestServiceAccountForKAIConfig(t *testing.T) {
 		},
 	}
 
-	objects, err := serviceAccountForKAIConfig(ctx, client, config)
+	a := &Admission{BaseResourceName: defaultResourceName}
+	objects, err := a.serviceAccountForKAIConfig(ctx, client, config)
 	require.NoError(t, err)
 	require.Len(t, objects, 1)
 
@@ -525,7 +527,8 @@ func TestServiceForKAIConfig(t *testing.T) {
 		},
 	}
 
-	objects, err := serviceForKAIConfig(ctx, client, config)
+	a := &Admission{BaseResourceName: defaultResourceName}
+	objects, err := a.serviceForKAIConfig(ctx, client, config)
 	require.NoError(t, err)
 	require.Len(t, objects, 1)
 

diff --git a/pkg/operator/operands/binder/binder.go b/pkg/operator/operands/binder/binder.go
@@ -14,6 +14,7 @@ import (
 type Binder struct {
 	namespace        string
 	lastDesiredState []client.Object
+	BaseResourceName string
 }
 
 type resourceForKAIConfig func(ctx context.Context, runtimeClient client.Reader, kaiConfig *kaiv1.Config) ([]client.Object, error)
@@ -23,6 +24,9 @@ func (b *Binder) DesiredState(
 	kaiConfig *kaiv1.Config,
 ) ([]client.Object, error) {
 	b.namespace = kaiConfig.Spec.Namespace
+	if b.BaseResourceName == "" {
+		b.BaseResourceName = defaultResourceName
+	}
 
 	if kaiConfig.Spec.Binder == nil || kaiConfig.Spec.Binder.Service.Enabled == nil || !*kaiConfig.Spec.Binder.Service.Enabled {
 		b.lastDesiredState = []client.Object{}
@@ -31,9 +35,9 @@ func (b *Binder) DesiredState(
 
 	objects := []client.Object{}
 	for _, resourceFunc := range []resourceForKAIConfig{
-		deploymentForKAIConfig,
-		serviceAccountForKAIConfig,
-		serviceForKAIConfig,
+		b.deploymentForKAIConfig,
+		b.serviceAccountForKAIConfig,
+		b.serviceForKAIConfig,
 		resourceReservationServiceAccount,
 	} {
 		newResources, err := resourceFunc(ctx, runtimeClient, kaiConfig)

diff --git a/pkg/operator/operands/binder/binder_test.go b/pkg/operator/operands/binder/binder_test.go
@@ -66,7 +66,7 @@ var _ = Describe("Binder", func() {
 				Expect(deploymentT).NotTo(BeNil())
 				deployment := *deploymentT
 				Expect(deployment).NotTo(BeNil())
-				Expect(deployment.Name).To(Equal(mainResourceName))
+				Expect(deployment.Name).To(Equal(defaultResourceName))
 			})
 
 			It("the deployment should keep labels from existing deployment", func(ctx context.Context) {