Refactor(webhook): remove AgentRuntimeOverrides from injection path#427
Open
r3v5 wants to merge 3 commits into
Open
Refactor(webhook): remove AgentRuntimeOverrides from injection path#427r3v5 wants to merge 3 commits into
r3v5 wants to merge 3 commits into
Conversation
…n path Remove the per-workload AgentRuntime CR override layer from the mutating webhook, aligning it with the controller's 2-layer config model (platform defaults + namespace ConfigMap). - Delete agentruntime_config.go (AgentRuntimeOverrides struct, ReadAgentRuntimeOverrides, extractOverrides) - Remove AllowedAudiences injection from per-agent ConfigMap - Remove AR branches from mTLS and authBridgeMode resolution chains - Simplify ResolveConfig from 3-param to 2-param signature - Remove injectAllowedAudiences helper function - Update constants.go comments to reflect 2-layer model - Remove slices and agentv1alpha1 imports from webhook injector This eliminates a List AgentRuntime API call on the webhook hot path (every pod CREATE), reducing webhook latency. No clusters use AR overrides today; the CRD describes AllowedAudiences as "transitional". Ref: RHAIENG-4936 Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Ian Miller <milleryan2003@gmail.com>
Update all webhook tests to match the 2-layer config model (platform + namespace only, no AgentRuntime CR overrides). - Remove newAgentRuntime and newAgentRuntimeWithMode test helpers - Remove agentv1alpha1 import and scheme registration from tests - Switch mode-selection tests from CR-based to namespace ConfigMap-based - Rename CRBeatsNamespaceConfigMap → NamespaceConfigMapWinsOverCR - Rename CRBeatsAnnotation → AnnotationWinsOverCR - Remove AllowedAudiences injection test cases - Update integration test to create namespace ConfigMap instead of AgentRuntime CR for envoy-sidecar mode selection - Simplify ResolveConfig tests to 2-param signature Ref: RHAIENG-4936 Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Ian Miller <milleryan2003@gmail.com>
Update pod_mutator_test.go to match production code changes from the AgentRuntimeOverrides removal. - Remove newAgentRuntime and newAgentRuntimeWithMode test helpers - Remove agentv1alpha1 import and scheme registration - Switch mode-selection tests from CR-based to namespace ConfigMap-based - Rename CRBeatsNamespaceConfigMap → NamespaceConfigMapWinsOverCR - Rename CRBeatsAnnotation → AnnotationWinsOverCR - Remove AllowedAudiences injection test cases - Remove allowedAudiences param from ensurePerAgentConfigMap calls Ref: RHAIENG-4936 Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Ian Miller <milleryan2003@gmail.com>
r3v5
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
List AgentRuntimeAPI call on the webhook hot path (every pod CREATE)ResolveConfigfrom 3-param to 2-param, deleteagentruntime_config.goentirelyChanges
Deleted:
agentruntime_config.go—AgentRuntimeOverridesstruct,ReadAgentRuntimeOverrides(),extractOverrides()agentruntime_config_test.go— all AR config testsModified:
pod_mutator.go— removed AR override call, AllowedAudiences injection, AR branches from mTLS/mode resolutionresolved_config.go— simplifiedResolveConfigto 2-layer (platform + namespace)constants.go— updated comments to reflect 2-layer modelcontainer_builder.go— updatedResolveConfigcall signaturepod_mutator_test.go— switched from CR-based to namespace ConfigMap-based mode selectionresolved_config_test.go— removed AR-specific testsauthbridge_webhook_test.go— updated integration test to use namespace ConfigMapMotivation
The controller already uses a 2-layer model (cluster + namespace). This aligns the webhook to the same model. No clusters use AR overrides today. The CRD describes
AllowedAudiencesas "transitional" (ref).Test plan
go build ./...— clean compilationgo test ./...— all unit/integration tests pass (excluding e2e which needs Kind)grep -r "AgentRuntimeOverrides" internal/webhook/— zero references remainauthbridge-proxyinjectedmode: envoy-sidecar→envoy-proxyinjectedauthBridgeMode: waypointignored → pod mutated with default proxy-sidecarRef: RHAIENG-4936
🤖 Generated with Claude Code