fix: proxy-webhook selector matches operator pods

bowling233 · bowling233 · commit e524931ca172 · 2026-06-11T19:02:57.000Z
Both the `tekton-operator` and `tekton-operator-proxy-webhook`
Deployments label their Pods with `name: tekton-operator`. The
`tekton-operator-proxy-webhook` Service uses this same label as
its only selector, so it inadvertently load-balances traffic
across both Deployments. Because `tekton-operator` pods do not
serve on port 8443, ~50% of admission webhook requests fail:

  failed calling webhook "proxy.operator.tekton.dev":
  Post ".../tekton-operator-proxy-webhook.../defaulting":
  dial tcp &lt;ClusterIP&gt;:443: connect: connection refused

Because MutatingWebhookConfiguration has `failurePolicy: Fail`,
each such failure immediately rejects TaskRun Pod creation.

Rename the proxy-webhook Deployment's selector matchLabels and
pod template label from `name: tekton-operator` to
`name: tekton-operator-proxy-webhook`, and update the Service
selector to match. The `app: tekton-operator` label is left
unchanged. Applies to both Kubernetes and OpenShift manifests.

Adding a set-based (NotIn) expression to the Service selector
instead was not viable as Kubernetes Services only support
equality-based (matchLabels) selectors.
diff --git a/cmd/kubernetes/operator/kodata/webhook/webhook.yaml b/cmd/kubernetes/operator/kodata/webhook/webhook.yaml
@@ -92,11 +92,11 @@ spec:
   replicas: 1
   selector:
     matchLabels:
-      name: tekton-operator
+      name: tekton-operator-proxy-webhook
   template:
     metadata:
       labels:
-        name: tekton-operator
+        name: tekton-operator-proxy-webhook
         app: tekton-operator
     spec:
       serviceAccountName: tekton-operators-proxy-webhook
@@ -152,7 +152,7 @@ spec:
       port: 443
       targetPort: 8443
   selector:
-    name: tekton-operator
+    name: tekton-operator-proxy-webhook
 
 ---
 
diff --git a/cmd/openshift/operator/kodata/webhook/webhook.yaml b/cmd/openshift/operator/kodata/webhook/webhook.yaml
@@ -99,11 +99,11 @@ spec:
   replicas: 1
   selector:
     matchLabels:
-      name: tekton-operator
+      name: tekton-operator-proxy-webhook
   template:
     metadata:
       labels:
-        name: tekton-operator
+        name: tekton-operator-proxy-webhook
         app: tekton-operator
     spec:
       securityContext:
@@ -160,7 +160,7 @@ spec:
       port: 443
       targetPort: 8443
   selector:
-    name: tekton-operator
+    name: tekton-operator-proxy-webhook
 
 ---
 
