fix(operator): support running with webhooks disabled

syscod3 · syscod3 · commit 0ac82881db8f · 2026-03-12T01:49:32.000Z
diff --git a/charts/imp/templates/operator/deployment.yaml b/charts/imp/templates/operator/deployment.yaml
@@ -1,3 +1,4 @@
+{{- $webhooksEnabled := and .Values.webhook.enabled .Values.webhook.certManager.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -44,10 +45,13 @@ spec:
         args:
           - --leader-elect
           - --health-probe-bind-address=:8081
+          - --enable-webhooks={{ $webhooksEnabled }}
         ports:
+        {{- if $webhooksEnabled }}
         - name: webhook
           containerPort: 9443
           protocol: TCP
+        {{- end }}
         - name: metrics
           containerPort: 8080
           protocol: TCP
@@ -73,13 +77,13 @@ spec:
           periodSeconds: 10
         resources:
           {{- toYaml .Values.operator.resources | nindent 10 }}
-        {{- if .Values.webhook.certManager.enabled }}
+        {{- if $webhooksEnabled }}
         volumeMounts:
         - name: webhook-tls
           mountPath: /tmp/k8s-webhook-server/serving-certs
           readOnly: true
         {{- end }}
-      {{- if .Values.webhook.certManager.enabled }}
+      {{- if $webhooksEnabled }}
       volumes:
       - name: webhook-tls
         secret:
diff --git a/charts/imp/templates/operator/service.yaml b/charts/imp/templates/operator/service.yaml
@@ -1,3 +1,4 @@
+{{- $webhooksEnabled := and .Values.webhook.enabled .Values.webhook.certManager.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -11,9 +12,11 @@ spec:
     {{- include "imp.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: operator
   ports:
+  {{- if $webhooksEnabled }}
   - name: webhook
     port: 9443
     targetPort: 9443
+  {{- end }}
   - name: metrics
     port: 8080
     targetPort: 8080
diff --git a/charts/imp/templates/webhook/certificate.yaml b/charts/imp/templates/webhook/certificate.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.webhook.certManager.enabled }}
+{{- if and .Values.webhook.enabled .Values.webhook.certManager.enabled }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
diff --git a/charts/imp/templates/webhook/issuer.yaml b/charts/imp/templates/webhook/issuer.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.webhook.certManager.enabled (not .Values.webhook.certManager.issuerRef.name) }}
+{{- if and .Values.webhook.enabled .Values.webhook.certManager.enabled (not .Values.webhook.certManager.issuerRef.name) }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
diff --git a/charts/imp/templates/webhook/mutatingwebhook.yaml b/charts/imp/templates/webhook/mutatingwebhook.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.webhook.certManager.enabled }}
+{{- if and .Values.webhook.enabled .Values.webhook.certManager.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
diff --git a/charts/imp/templates/webhook/validatingwebhook.yaml b/charts/imp/templates/webhook/validatingwebhook.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.webhook.certManager.enabled }}
+{{- if and .Values.webhook.enabled .Values.webhook.certManager.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
diff --git a/charts/imp/tests/operator-deployment_test.yaml b/charts/imp/tests/operator-deployment_test.yaml
@@ -56,3 +56,33 @@ tests:
             name: metrics
             port: 8080
             targetPort: 8080
+
+  - it: disables webhook mount and flag when certManager is disabled
+    template: templates/operator/deployment.yaml
+    set:
+      agent.env.kernelPath: /usr/local/bin/firecracker
+      webhook.certManager.enabled: false
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: webhook-tls
+      - notContains:
+          path: spec.template.spec.volumes
+          content:
+            name: webhook-tls
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --enable-webhooks=false
+
+  - it: omits webhook service port when certManager is disabled
+    template: templates/operator/service.yaml
+    set:
+      webhook.certManager.enabled: false
+    asserts:
+      - notContains:
+          path: spec.ports
+          content:
+            name: webhook
+            port: 9443
+            targetPort: 9443
diff --git a/charts/imp/values.yaml b/charts/imp/values.yaml
@@ -51,6 +51,8 @@ agent:
       path: /var/lib/imp/images
 
 webhook:
+  # When false, operator admission webhooks are disabled.
+  enabled: true
   certManager:
     enabled: true
     issuerRef: {}
diff --git a/cmd/operator/main.go b/cmd/operator/main.go
@@ -118,11 +118,13 @@ func (r *cniDetectRunnable) Start(ctx context.Context) error {
 func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
+	var enableWebhooks bool
 	var probeAddr string
 
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metrics endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager.")
+	flag.BoolVar(&enableWebhooks, "enable-webhooks", true, "Enable admission webhooks.")
 
 	opts := zap.Options{Development: true}
 	opts.BindFlags(flag.CommandLine)
@@ -218,26 +220,30 @@ func main() {
 		os.Exit(1)
 	}
 
-	if err = builder.WebhookManagedBy(mgr, &impv1alpha1.ImpVM{}).
-		WithDefaulter(&webhookv1alpha1.ImpVMWebhook{}).
-		WithValidator(&webhookv1alpha1.ImpVMWebhook{}).
-		Complete(); err != nil {
-		setupLog.Error(err, "unable to register webhook", "webhook", "ImpVM")
-		os.Exit(1)
-	}
+	if enableWebhooks {
+		if err = builder.WebhookManagedBy(mgr, &impv1alpha1.ImpVM{}).
+			WithDefaulter(&webhookv1alpha1.ImpVMWebhook{}).
+			WithValidator(&webhookv1alpha1.ImpVMWebhook{}).
+			Complete(); err != nil {
+			setupLog.Error(err, "unable to register webhook", "webhook", "ImpVM")
+			os.Exit(1)
+		}
 
-	if err = builder.WebhookManagedBy(mgr, &impv1alpha1.ImpVMClass{}).
-		WithValidator(&webhookv1alpha1.ImpVMClassWebhook{}).
-		Complete(); err != nil {
-		setupLog.Error(err, "unable to register webhook", "webhook", "ImpVMClass")
-		os.Exit(1)
-	}
+		if err = builder.WebhookManagedBy(mgr, &impv1alpha1.ImpVMClass{}).
+			WithValidator(&webhookv1alpha1.ImpVMClassWebhook{}).
+			Complete(); err != nil {
+			setupLog.Error(err, "unable to register webhook", "webhook", "ImpVMClass")
+			os.Exit(1)
+		}
 
-	if err = builder.WebhookManagedBy(mgr, &impv1alpha1.ImpVMTemplate{}).
-		WithValidator(&webhookv1alpha1.ImpVMTemplateWebhook{}).
-		Complete(); err != nil {
-		setupLog.Error(err, "unable to register webhook", "webhook", "ImpVMTemplate")
-		os.Exit(1)
+		if err = builder.WebhookManagedBy(mgr, &impv1alpha1.ImpVMTemplate{}).
+			WithValidator(&webhookv1alpha1.ImpVMTemplateWebhook{}).
+			Complete(); err != nil {
+			setupLog.Error(err, "unable to register webhook", "webhook", "ImpVMTemplate")
+			os.Exit(1)
+		}
+	} else {
+		setupLog.Info("admission webhooks disabled")
 	}
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-{{- if .Values.webhook.certManager.enabled }}`
	`1`	`+{{- if and .Values.webhook.enabled .Values.webhook.certManager.enabled }}`
`2`	`2`	`apiVersion: cert-manager.io/v1`
`3`	`3`	`kind: Certificate`
`4`	`4`	`metadata:`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-{{- if and .Values.webhook.certManager.enabled (not .Values.webhook.certManager.issuerRef.name) }}`
	`1`	`+{{- if and .Values.webhook.enabled .Values.webhook.certManager.enabled (not .Values.webhook.certManager.issuerRef.name) }}`
`2`	`2`	`apiVersion: cert-manager.io/v1`
`3`	`3`	`kind: Issuer`
`4`	`4`	`metadata:`