OCPBUGS-84815: fix: scope webhook to capi namespace, remove unused webhook endpoints

[damdo]

See: https://redhat.atlassian.net/browse/OCPBUGS-84815

On unsupported platforms (e.g. IBMCloud), the openshift-capi-controllers ValidatingWebhookConfiguration is deployed by CVO but the webhook server does not start, causing Cluster creation in any namespace to fail with "connection refused". This blocks MCE/ACM which install CAPI independently and create Cluster objects in their own namespace.

Scope the remaining Cluster webhook to the openshift-cluster-api namespace via namespaceSelector so it no longer intercepts requests in other namespaces.

Remove the coreprovider, infrastructureprovider, and clusterctl provider webhook entries which had no corresponding handler code registered and were for CRDs no longer deployed by this operator.

Summary by CodeRabbit

• Chores

  • Removed obsolete provider validation webhooks and simplified webhook configuration.
  • Restricted Cluster API validation to the designated namespace.
  • Registered additional CRD API types in the test runtime and updated test dependencies.

• Tests

  • Added end-to-end suites validating webhook namespace scoping and in-namespace admission behavior.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@damdo: This pull request references Jira Issue OCPBUGS-84815, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

See: https://redhat.atlassian.net/browse/OCPBUGS-84815

On unsupported platforms (e.g. IBMCloud), the openshift-capi-controllers ValidatingWebhookConfiguration is deployed by CVO but the webhook server does not start, causing Cluster creation in any namespace to fail with "connection refused". This blocks MCE/ACM which install CAPI independently and create Cluster objects in their own namespace.

Scope the remaining Cluster webhook to the openshift-cluster-api namespace via namespaceSelector so it no longer intercepts requests in other namespaces.

Remove the coreprovider, infrastructureprovider, and clusterctl provider webhook entries which had no corresponding handler code registered and were for CRDs no longer deployed by this operator.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Removed several validating webhooks and constrained the remaining Cluster validation webhook to the openshift-cluster-api namespace. Added apiextensions v1 scheme registration to the e2e test harness, promoted the apiextensions dependency, and added E2E tests asserting webhook scoping and admission behavior.

Changes

Webhook manifest changes

Layer / File(s)	Summary
Validation webhook pruning & scoping manifests/0000_30_cluster-api_10_webhooks.yaml	Deleted multiple validating webhook entries (coreprovider/infrastructureprovider v1alpha2 and clusterctl v1alpha3) and added a namespaceSelector that limits validation.cluster.cluster.x-k8s.io to the openshift-cluster-api namespace.

E2E tests and test harness wiring

Layer / File(s)	Summary
Register apiextensions v1 in test scheme e2e/e2e_common.go	Imported k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 and call apiextensionsv1.AddToScheme(scheme.Scheme) in init() so controller-runtime test scheme knows apiextensions/v1 types.
Webhook namespace-scoping and validation tests e2e/webhook_test.go	Added two serial Ginkgo E2E suites: (1) Namespace Scoping — create/update/delete an intentionally invalid clusterv1.Cluster in default and assert operations succeed (webhook not applied). (2) Validation Inside Managed Namespace — attempt create of the same invalid clusterv1.Cluster in framework.CAPINamespace and assert admission is rejected (Forbidden). Includes helpers newTestClusterAPICluster and skipUnlessClusterAPIClusterCRD.
Dependency declaration for apiextensions e2e/go.mod	Promoted k8s.io/apiextensions-apiserver v0.35.3 from indirect to direct require and added/updated several indirect test-related dependencies required by the new test code.

Sequence Diagram(s)

sequenceDiagram
    participant Test as Test Harness
    participant KubeAPI as kube-apiserver
    participant Webhook as ClusterAPI ValidatingWebhook
    participant Etcd as Kubernetes Storage

    Test->>KubeAPI: CREATE Cluster in "default" namespace
    KubeAPI->>Webhook: AdmissionReview (validation request)
    Webhook-->>KubeAPI: No match (namespaceSelector) — Allowed
    KubeAPI->>Etcd: Persist Cluster
    Etcd-->>KubeAPI: Persisted
    KubeAPI-->>Test: 201 Created

    Test->>KubeAPI: CREATE Cluster in "openshift-cluster-api" namespace
    KubeAPI->>Webhook: AdmissionReview (validation request)
    Webhook-->>KubeAPI: Reject with Forbidden (if spec invalid)
    KubeAPI-->>Test: 4xx Admission error

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• openshift/cluster-capi-operator#544: Also scopes Cluster API webhooks to the openshift-cluster-api namespace via namespaceSelector.

Suggested labels

lgtm

Suggested reviewers

• mdbooth
• nrb

🚥 Pre-merge checks | ✅ 9 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	All Eventually() calls lack explicit timeouts, using Gomega's 1-second default. This is insufficient for cluster operations and inconsistent with codebase patterns that use explicit timeouts.	Add explicit timeout and interval parameters to all Eventually() calls using capiframework.WaitShort/WaitMedium and RetryShort/RetryMedium, consistent with existing tests in the codebase.
Microshift Test Compatibility	⚠️ Warning	New tests use config.openshift.io/v1 Infrastructure API via util.GetCAPITypesForInfrastructure(infra), which is unavailable on MicroShift. No protection mechanisms present.	Add [apigroup:config.openshift.io] tags to test names or guard with exutil.IsMicroShiftCluster() check using g.Skip() to protect from MicroShift CI.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main changes: scoping the webhook to the CAPI namespace and removing unused webhook endpoints, which aligns with the core problem statement and proposed fixes.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in e2e/webhook_test.go are stable and deterministic. Test titles use static, descriptive strings with no dynamic information, and dynamic values are properly placed in test bodies only.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	New webhook e2e tests make no multi-node assumptions. They manipulate Cluster API objects for webhook validation, with no pod scheduling, node topology, or infrastructure assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies webhook configuration and adds test code only. No pod deployment specs, affinity rules, or topology-unaware scheduling constraints were introduced. Not applicable to this check.
Ote Binary Stdout Contract	✅ Passed	No OTE Stdout Contract violations. Process-level code (init, BeforeSuite) contains no stdout writes. All test code is within Ginkgo test blocks where stdout is safely intercepted per spec.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No IPv4 assumptions or external connectivity. Test only uses cluster-internal Kubernetes client operations. No hardcoded IPs, IP parsing, or external service calls.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[damdo]

/assign @serngawy @mdbooth @nrb

[damdo]

/cc @marek-veber @RadekCap

[damdo]

/cherry-pick release-4.22

[openshift-cherrypick-robot]

@damdo: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[damdo]

/pipeline auto

[openshift-merge-bot]

Pipeline controller notification

The pipeline-auto label has been added to this PR. Second-stage tests will be triggered automatically when all first-stage tests pass.

[damdo]

/pipeline required

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-disconnected-techpreview
/test e2e-aws-capi-techpreview
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[mdbooth]

I'd really like to see an e2e for this. It could be really simple: create and delete a Cluster in the default namespace. It should pass on all platforms, regardless of whether the VWC is present or even operating correctly. It should continue to pass when we replace this webhook with a VAP.

I understand the temptation to do the e2e later, but we should resist it.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@e2e/webhook_test.go`:
- Around line 57-100: Add an unconditional cleanup that always tries to delete
the test Cluster to avoid cross-run flakes: after the BeforeAll that sets up the
cluster (symbol: cluster) add an AfterEach or AfterAll block which, regardless
of test outcome, attempts to delete the Cluster (call cl.Delete(ctx, cluster) or
wrap with client.IgnoreNotFound/DeleteIfExists) and swallow
NotFound/AlreadyDeleted errors; ensure the cleanup runs even if create/update
failed by guarding on cluster != nil and apply the same cleanup pattern to the
other group of specs referenced (the tests around lines 117-149) so leftover
objects cannot cause "AlreadyExists" on subsequent runs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6677217d-dd8b-46b3-b345-abcfd1d18219

📥 Commits

Reviewing files that changed from the base of the PR and between ccc62de and 94cc3c7.

📒 Files selected for processing (3)

• e2e/e2e_common.go
• e2e/webhook_test.go
• manifests/0000_30_cluster-api_10_webhooks.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• manifests/0000_30_cluster-api_10_webhooks.yaml

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[damdo]

/test e2e-aws-capi-techpreview

[damdo]

/test e2e-aws-capi-techpreview

[damdo]

/retest

[mdbooth]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mdbooth

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [mdbooth]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-disconnected-techpreview
/test e2e-aws-capi-techpreview
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

[damdo]

/jira refresh

[openshift-ci-robot]

@damdo: This pull request references Jira Issue OCPBUGS-84815, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[damdo]

/cherry-pick release-4.22

[openshift-cherrypick-robot]

@damdo: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[damdo]

/retest

[damdo]

/retest

[damdo]

/retest

[openshift-ci]

@damdo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure-ovn-techpreview	185c6c5	link	false	/test e2e-azure-ovn-techpreview
ci/prow/e2e-openstack-ovn-techpreview	185c6c5	link	false	/test e2e-openstack-ovn-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[damdo]

/verified by new E2Es

[openshift-ci-robot]

@damdo: This PR has been marked as verified by new E2Es.

Details

In response to this:

/verified by new E2Es

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@damdo: Jira Issue Verification Checks: Jira Issue OCPBUGS-84815
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-84815 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

See: https://redhat.atlassian.net/browse/OCPBUGS-84815

On unsupported platforms (e.g. IBMCloud), the openshift-capi-controllers ValidatingWebhookConfiguration is deployed by CVO but the webhook server does not start, causing Cluster creation in any namespace to fail with "connection refused". This blocks MCE/ACM which install CAPI independently and create Cluster objects in their own namespace.

Scope the remaining Cluster webhook to the openshift-cluster-api namespace via namespaceSelector so it no longer intercepts requests in other namespaces.

Remove the coreprovider, infrastructureprovider, and clusterctl provider webhook entries which had no corresponding handler code registered and were for CRDs no longer deployed by this operator.

Summary by CodeRabbit

• Chores

• Removed obsolete provider validation webhooks and simplified webhook configuration.

• Restricted Cluster API validation to the designated namespace.

• Registered additional CRD API types in the test runtime and updated test dependencies.

• Tests

• Added end-to-end suites validating webhook namespace scoping and in-namespace admission behavior.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-cherrypick-robot]

@damdo: #543 failed to apply on top of branch "release-4.22":

Applying: fix: scope webhook to capi namespace, remove unused webhook endpoints
Applying: e2e: Add webhook namespace scoping tests
Using index info to reconstruct a base tree...
M	e2e/e2e_common.go
M	e2e/go.mod
M	e2e/go.sum
M	vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
CONFLICT (content): Merge conflict in vendor/modules.txt
Auto-merging e2e/go.sum
CONFLICT (content): Merge conflict in e2e/go.sum
Auto-merging e2e/go.mod
CONFLICT (content): Merge conflict in e2e/go.mod
Auto-merging e2e/e2e_common.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0002 e2e: Add webhook namespace scoping tests

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.