Revert moving webhook templates out of library chart (#805)

PhilippMatthes · web-flow · commit e239d66ecc8b · 2026-05-06T10:48:52.000+02:00
Commit 33cb060 moved webhook Kubernetes resources (Service, Certificate, ValidatingWebhookConfiguration) from the shared library chart into only the cortex-nova bundle, assuming non-nova bundles don't implement webhooks. In reality all bundles (manila, cinder, ironcore, pods) register pipeline validation webhooks in the Go code and need these resources deployed. Without them the manager crashes on startup trying to load TLS certs from /tmp/k8s-webhook-server/serving-certs/tls.crt. This reverts that commit to restore the webhook templates in the library chart and re-enables webhook/certmanager in all bundle values. Assisted-by: Claude Code:claude-opus-4-20250514 [Bash] [Read]
diff --git a/Tiltfile b/Tiltfile
@@ -60,25 +60,26 @@ helm_repo(
 )
 
 ########### Certmanager
-# Certmanager is required for the validating webhook in the cortex-nova bundle.
-def setup_certmanager():
-    cache_dir = '.tilt/cert-manager'
-    cert_manager_version = 'v1.19.3'
-    if not os.path.exists(cache_dir):
-        local('mkdir -p ' + cache_dir)
-    if not os.path.exists(cache_dir + '/cert-manager-' + cert_manager_version + '.yaml'):
-        url = 'https://github.com/cert-manager/cert-manager/releases/download/' + cert_manager_version + '/cert-manager.yaml'
-        local('curl -L ' + url + ' -o ' + cache_dir + '/cert-manager-' + cert_manager_version + '.yaml')
-    local('kubectl apply -f ' + cache_dir + '/cert-manager-' + cert_manager_version + '.yaml')
-    # Patch all three cert-manager deployments to add runAsUser for Docker Desktop compatibility
-    patch_json = '{"spec":{"template":{"spec":{"securityContext":{"runAsUser":1000}}}}}'
-    local('kubectl patch deployment cert-manager -n cert-manager --type=strategic -p \'' + patch_json + '\'')
-    local('kubectl patch deployment cert-manager-cainjector -n cert-manager --type=strategic -p \'' + patch_json + '\'')
-    local('kubectl patch deployment cert-manager-webhook -n cert-manager --type=strategic -p \'' + patch_json + '\'')
-    # Wait for all three deployments to be ready
-    local('kubectl wait --namespace cert-manager --for=condition=available deployment/cert-manager --timeout=120s')
-    local('kubectl wait --namespace cert-manager --for=condition=available deployment/cert-manager-cainjector --timeout=120s')
-    local('kubectl wait --namespace cert-manager --for=condition=available deployment/cert-manager-webhook --timeout=120s')
+# Certmanager is required for the validating webhooks in the cortex bundles, so
+# we need to deploy it before the bundles. If you don't need the webhooks locally,
+# you can disable them in the values.yaml and skip deploying certmanager.
+cache_dir = '.tilt/cert-manager'
+cert_manager_version = 'v1.19.3'
+if not os.path.exists(cache_dir):
+    local('mkdir -p ' + cache_dir)
+if not os.path.exists(cache_dir + '/cert-manager-' + cert_manager_version + '.yaml'):
+    url = 'https://github.com/cert-manager/cert-manager/releases/download/' + cert_manager_version + '/cert-manager.yaml'
+    local('curl -L ' + url + ' -o ' + cache_dir + '/cert-manager-' + cert_manager_version + '.yaml')
+local('kubectl apply -f ' + cache_dir + '/cert-manager-' + cert_manager_version + '.yaml')
+# Patch all three cert-manager deployments to add runAsUser for Docker Desktop compatibility
+patch_json = '{"spec":{"template":{"spec":{"securityContext":{"runAsUser":1000}}}}}'
+local('kubectl patch deployment cert-manager -n cert-manager --type=strategic -p \'' + patch_json + '\'')
+local('kubectl patch deployment cert-manager-cainjector -n cert-manager --type=strategic -p \'' + patch_json + '\'')
+local('kubectl patch deployment cert-manager-webhook -n cert-manager --type=strategic -p \'' + patch_json + '\'')
+# Wait for all three deployments to be ready
+local('kubectl wait --namespace cert-manager --for=condition=available deployment/cert-manager --timeout=120s')
+local('kubectl wait --namespace cert-manager --for=condition=available deployment/cert-manager-cainjector --timeout=120s')
+local('kubectl wait --namespace cert-manager --for=condition=available deployment/cert-manager-webhook --timeout=120s')
 
 ########### Dependency CRDs
 # Make sure the local cluster is running if you are running into startup issues here.
@@ -194,7 +195,6 @@ k8s_yaml(helm('./helm/bundles/cortex-crds', name='cortex-crds', set=crd_extra_va
 
 if 'nova' in ACTIVE_DEPLOYMENTS:
     print("Activating Cortex Nova bundle")
-    setup_certmanager()
     k8s_yaml(helm('./helm/bundles/cortex-nova', name='cortex-nova', values=tilt_values, set=env_set_overrides))
     k8s_resource('cortex-nova-postgresql-v18', labels=['Cortex-Nova'], port_forwards=[
         port_forward(8000, 5432),
diff --git a/helm/bundles/cortex-cinder/values.yaml b/helm/bundles/cortex-cinder/values.yaml
@@ -105,6 +105,9 @@ cortex: &cortex
 cortex-scheduling-controllers:
   <<: *cortex
   namePrefix: cortex-cinder-scheduling
+  # Enable webhook that will validate CRDs for the scheduling controllers.
+  webhook: {enable: true}
+  certmanager: {enable: true} # Needed for the webhook TLS certificates.
   conf:
     <<: *cortexConf
     leaderElectionID: cortex-cinder-scheduling
diff --git a/helm/bundles/cortex-ironcore/values.yaml b/helm/bundles/cortex-ironcore/values.yaml
@@ -24,6 +24,9 @@ cortex:
   crd: {enable: false}
   # Use this to unambiguate multiple cortex deployments in the same cluster.
   namePrefix: cortex-ironcore
+  # Enable webhook that will validate CRDs for the scheduling controllers.
+  webhook: {enable: true}
+  certmanager: {enable: true} # Needed for the webhook TLS certificates.
   conf:
     # The operator will only touch CRs with this scheduling domain name.
     schedulingDomain: machines
diff --git a/helm/bundles/cortex-manila/values.yaml b/helm/bundles/cortex-manila/values.yaml
@@ -105,6 +105,9 @@ cortex: &cortex
 cortex-scheduling-controllers:
   <<: *cortex
   namePrefix: cortex-manila-scheduling
+  # Enable webhook that will validate CRDs for the scheduling controllers.
+  webhook: {enable: true}
+  certmanager: {enable: true} # Needed for the webhook TLS certificates.
   conf:
     <<: *cortexConf
     leaderElectionID: cortex-manila-scheduling
diff --git a/helm/bundles/cortex-nova/templates/webhook.yaml b/helm/bundles/cortex-nova/templates/webhook.yaml
diff --git a/helm/bundles/cortex-nova/values.yaml b/helm/bundles/cortex-nova/values.yaml
@@ -114,9 +114,9 @@ cortex: &cortex
 cortex-scheduling-controllers:
   <<: *cortex
   namePrefix: cortex-nova-scheduling
-  # Enable webhook port, args, and cert volume mounts on the manager container.
+  # Enable webhook that will validate CRDs for the scheduling controllers.
   webhook: {enable: true}
-  certmanager: {enable: true}
+  certmanager: {enable: true} # Needed for the webhook TLS certificates.
   conf:
     <<: *cortexConf
     leaderElectionID: cortex-nova-scheduling
diff --git a/helm/bundles/cortex-pods/values.yaml b/helm/bundles/cortex-pods/values.yaml
@@ -24,6 +24,9 @@ cortex:
   crd: { enable: false }
   # Use this to unambiguate multiple cortex deployments in the same cluster.
   namePrefix: cortex-pods
+  # Enable webhook that will validate CRDs for the scheduling controllers.
+  webhook: {enable: true}
+  certmanager: {enable: true} # Needed for the webhook TLS certificates.
   conf:
     # The operator will only touch CRs with this scheduling domain name.
     schedulingDomain: pods
diff --git a/helm/library/cortex/templates/certmanager/certificate.yaml b/helm/library/cortex/templates/certmanager/certificate.yaml
@@ -33,4 +33,23 @@ spec:
     name: {{ .Values.namePrefix }}-selfsigned-issuer
   secretName: metrics-server-cert
 {{- end }}
+{{- if .Values.webhook.enable }}
+---
+# Certificate for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+  name: {{ .Values.namePrefix }}-webhook-cert
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames:
+    - {{ .Values.namePrefix }}-webhook-service.{{ .Release.Namespace }}.svc
+    - {{ .Values.namePrefix }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: {{ .Values.namePrefix }}-selfsigned-issuer
+  secretName: {{ .Values.namePrefix }}-webhook-server-cert
+{{- end }}
 {{- end }}
diff --git a/helm/library/cortex/templates/webhook/validating-webhook-configuration.yaml b/helm/library/cortex/templates/webhook/validating-webhook-configuration.yaml
@@ -0,0 +1,48 @@
+{{- if .Values.webhook.enable }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ .Values.namePrefix }}-validating-webhook-configuration
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+  {{- if .Values.certmanager.enable }}
+  annotations:
+    "cert-manager.io/inject-ca-from": {{ .Release.Namespace }}/{{ .Values.namePrefix }}-webhook-cert
+  {{- end }}
+webhooks:
+  # This webhook validates the creation and update of cortex pipelines.
+  - name: {{ .Values.namePrefix }}-validate-v1alpha1-pipeline.cortex.cloud
+    admissionReviewVersions: [v1]
+    clientConfig:
+      # If we want to talk to the cortex webhook in another kubernetes cluster,
+      # we can template this out to use the ingress url provided by cortex. E.g.:
+      # url: "https://<my ingress url>/validate-cortex-cloud-v1alpha1-pipeline" for cross-cluster
+      service:
+        name: {{ .Values.namePrefix }}-webhook-service
+        namespace: {{ .Release.Namespace }}
+        # This path is managed by controller-runtime. It will route to the
+        # correct validating webhook handler based on the path.
+        path: /validate-cortex-cloud-v1alpha1-pipeline
+      {{- if not .Values.certmanager.enable }}
+      {{- if .Values.webhook.caBundle }}
+      caBundle: {{ .Values.webhook.caBundle }}
+      {{- end }}
+      {{- end }}
+    timeoutSeconds: 10
+    failurePolicy: Ignore
+    rules:
+      - apiGroups:
+          - cortex.cloud
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - pipelines
+    sideEffects: None
+    {{- if .Values.webhook.namespaceSelector }}
+    namespaceSelector:
+      {{- toYaml .Values.webhook.namespaceSelector | nindent 6 }}
+    {{- end }}
+{{- end }}
diff --git a/helm/library/cortex/templates/webhook/webhook-service.yaml b/helm/library/cortex/templates/webhook/webhook-service.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.webhook.enable }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.namePrefix }}-webhook-service
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: 9443
+  selector:
+    {{- include "chart.selectorLabels" . | nindent 4 }}
+    control-plane: controller-manager
+{{- end }}
diff --git a/helm/library/cortex/values.yaml b/helm/library/cortex/values.yaml
@@ -90,7 +90,8 @@ prometheus:
 certmanager:
   enable: false
 
-# [WEBHOOK]: To enable webhook args, ports, and cert volume mounts on the manager
+# [WEBHOOK]: To enable validating webhook for Pipeline resources set true
+# Note: When enabled, cert-manager is typically also required for TLS certificates
 webhook:
   enable: false
 
