From 3172bcd3b37301637e8fb9f8a51a132c29ec32d8 Mon Sep 17 00:00:00 2001
From: Jonathan Innis
Date: Wed, 25 Sep 2024 18:31:27 -0700
Subject: [PATCH] FORK: Give users the ability to disable namespace ownership of webhook configurations (#3095)

(cherry picked from commit c4843b746d24b1e091ebcc9d05b096e8ecbc2391)
---
 webhook/configmaps/configmaps.go | 17 ++++++++++-------
 webhook/configmaps/controller.go | 5 +++--
 .../defaulting/controller.go | 7 ++++---
 .../defaulting/defaulting.go | 17 ++++++++++-------
 .../validation/controller.go | 7 ++++---
 .../validation/reconcile_config.go | 19 +++++++++++--------
 webhook/webhook.go | 4 ++++
 7 files changed, 46 insertions(+), 30 deletions(-)

diff --git a/webhook/configmaps/configmaps.go b/webhook/configmaps/configmaps.go
index 5a4c4d8888..5cd1a5a46a 100644
--- a/webhook/configmaps/configmaps.go
+++ b/webhook/configmaps/configmaps.go
@@ -58,7 +58,8 @@ type reconciler struct {
 	vwhlister admissionlisters.ValidatingWebhookConfigurationLister
 	secretlister corelisters.SecretLister
 
-	secretName string
+	secretName string
+	disableNamespaceOwnership bool
 }
 
 var _ controller.Reconciler = (*reconciler)(nil)
@@ -136,13 +137,15 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b
 
 	webhook := configuredWebhook.DeepCopy()
 
-	// Set the owner to namespace.
-	ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
-	if err != nil {
-		return fmt.Errorf("failed to fetch namespace: %w", err)
+	if !ac.disableNamespaceOwnership {
+		// Set the owner to namespace.
+		ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
+		if err != nil {
+			return fmt.Errorf("failed to fetch namespace: %w", err)
+		}
+		nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+		webhook.OwnerReferences = []metav1.OwnerReference{nsRef}
 	}
-	nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
-	webhook.OwnerReferences = []metav1.OwnerReference{nsRef}
 
 	for i, wh := range webhook.Webhooks {
 		if wh.Name != webhook.Name {
diff --git a/webhook/configmaps/controller.go b/webhook/configmaps/controller.go
index c2d71eb039..e9512f2323 100644
--- a/webhook/configmaps/controller.go
+++ b/webhook/configmaps/controller.go
@@ -61,8 +61,9 @@ func NewAdmissionController(
 		key: key,
 		path: path,
 
-		constructors: make(map[string]reflect.Value),
-		secretName: options.SecretName,
+		constructors: make(map[string]reflect.Value),
+		secretName: options.SecretName,
+		disableNamespaceOwnership: options.DisableNamespaceOwnership,
 
 		client: client,
 		vwhlister: vwhInformer.Lister(),
diff --git a/webhook/resourcesemantics/defaulting/controller.go b/webhook/resourcesemantics/defaulting/controller.go
index ba50005d79..58694f4371 100644
--- a/webhook/resourcesemantics/defaulting/controller.go
+++ b/webhook/resourcesemantics/defaulting/controller.go
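Review bot: Setting `disableNamespaceOwnership` on an existing installation does not remove the owner reference an earlier reconcile already wrote: `webhook` is a DeepCopy of the object from the lister, and the `OwnerReferences` assignment is now simply skipped, so the ValidatingWebhookConfiguration stays owned by (and is still garbage-collected with) the system namespace after the flag is flipped. If the intent is that the configuration outlives the namespace, the new `if` needs an `else` branch that prunes a stale reference to `system.Namespace()`; if the intent is only to stop adding one, the option's documentation should say the flag affects freshly created configurations only. reconcileValidatingWebhook starts and ends outside the hunk.
```go
	if !ac.disableNamespaceOwnership {
		// … unchanged: fetch the system namespace and set it as controller owner …
	} else {
		// Ownership disabled: drop a ref to the system namespace left by an
		// earlier reconcile, so the configuration really does outlive the namespace.
		kept := webhook.OwnerReferences[:0]
		for _, ref := range webhook.OwnerReferences {
			if ref.Kind != "Namespace" || ref.Name != system.Namespace() {
				kept = append(kept, ref)
			}
		}
		webhook.OwnerReferences = kept
	}
```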
@@ -101,9 +101,10 @@ func newController(ctx context.Context, name string, optsFunc ...OptionFunc) *co
 		handlers: opts.types,
 		callbacks: opts.callbacks,
 
-		withContext: opts.wc,
-		disallowUnknownFields: opts.disallowUnknownFields,
-		secretName: wopts.SecretName,
+		withContext: opts.wc,
+		disallowUnknownFields: opts.disallowUnknownFields,
+		secretName: wopts.SecretName,
+		disableNamespaceOwnership: wopts.DisableNamespaceOwnership,
 
 		client: client,
 		mwhlister: mwhInformer.Lister(),
diff --git a/webhook/resourcesemantics/defaulting/defaulting.go b/webhook/resourcesemantics/defaulting/defaulting.go
index 90f9ec8c96..cfa7af29aa 100644
--- a/webhook/resourcesemantics/defaulting/defaulting.go
+++ b/webhook/resourcesemantics/defaulting/defaulting.go
@@ -69,8 +69,9 @@ type reconciler struct {
 	mwhlister admissionlisters.MutatingWebhookConfigurationLister
 	secretlister corelisters.SecretLister
 
-	disallowUnknownFields bool
-	secretName string
+	disallowUnknownFields bool
+	secretName string
+	disableNamespaceOwnership bool
 }
 
 // CallbackFunc is the function to be invoked.
@@ -216,12 +217,14 @@ func (ac *reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt
 
 	current := configuredWebhook.DeepCopy()
 
-	ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
-	if err != nil {
-		return fmt.Errorf("failed to fetch namespace: %w", err)
+	if !ac.disableNamespaceOwnership {
+		ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
+		if err != nil {
+			return fmt.Errorf("failed to fetch namespace: %w", err)
+		}
+		nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+		current.OwnerReferences = []metav1.OwnerReference{nsRef}
 	}
-	nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
-	current.OwnerReferences = []metav1.OwnerReference{nsRef}
 
 	for i, wh := range current.Webhooks {
 		if wh.Name != current.Name {
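Review bot: The guarded owner-reference block in reconcileMutatingWebhook is the third copy of the same logic in this patch (configmaps.go and validation/reconcile_config.go carry the other two), each reading `ac.disableNamespaceOwnership`, `ac.client` and `system.Namespace()`, so any future change to the ownership rule, such as pruning a stale reference, has to be made in three places. A single helper in the shared webhook package would reduce each reconciler to `if err := setNamespaceOwner(ctx, ac.client, ac.disableNamespaceOwnership, current); err != nil { return err }`; the client type below assumes `ac.client` is a kubernetes.Interface, which is not visible in the hunk. reconcileMutatingWebhook itself begins and ends outside the hunk.
```go
// setNamespaceOwner makes the system namespace the controlling owner of obj so
// the cluster-scoped configuration is garbage-collected with the namespace.
// It is a no-op when ownership is disabled.
func setNamespaceOwner(ctx context.Context, client kubernetes.Interface, disabled bool, obj metav1.Object) error {
	if disabled {
		return nil
	}
	ns, err := client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
	if err != nil {
		return fmt.Errorf("failed to fetch namespace: %w", err)
	}
	nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
	obj.SetOwnerReferences([]metav1.OwnerReference{nsRef})
	return nil
}
```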
diff --git a/webhook/resourcesemantics/validation/controller.go b/webhook/resourcesemantics/validation/controller.go
index eee6105b45..a0ee1c003e 100644
--- a/webhook/resourcesemantics/validation/controller.go
+++ b/webhook/resourcesemantics/validation/controller.go
@@ -87,9 +87,10 @@ func newController(ctx context.Context, name string, optsFunc ...OptionFunc) *co
 		handlers: opts.types,
 		callbacks: opts.callbacks,
 
-		withContext: opts.wc,
-		disallowUnknownFields: opts.DisallowUnknownFields(),
-		secretName: woptions.SecretName,
+		withContext: opts.wc,
+		disallowUnknownFields: opts.DisallowUnknownFields(),
+		secretName: woptions.SecretName,
+		disableNamespaceOwnership: woptions.DisableNamespaceOwnership,
 
 		client: client,
 		vwhlister: vwhInformer.Lister(),
diff --git a/webhook/resourcesemantics/validation/reconcile_config.go b/webhook/resourcesemantics/validation/reconcile_config.go
index dfc3619910..21b2e79ff2 100644
--- a/webhook/resourcesemantics/validation/reconcile_config.go
+++ b/webhook/resourcesemantics/validation/reconcile_config.go
@@ -60,8 +60,9 @@ type reconciler struct {
 	vwhlister admissionlisters.ValidatingWebhookConfigurationLister
 	secretlister corelisters.SecretLister
 
-	disallowUnknownFields bool
-	secretName string
+	disallowUnknownFields bool
+	secretName string
+	disableNamespaceOwnership bool
 }
 
 var _ controller.Reconciler = (*reconciler)(nil)
@@ -191,13 +192,15 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b
 
 	current := configuredWebhook.DeepCopy()
 
-	// Set the owner to namespace.
-	ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
-	if err != nil {
-		return fmt.Errorf("failed to fetch namespace: %w", err)
+	if !ac.disableNamespaceOwnership {
+		// Set the owner to namespace.
+		ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
+		if err != nil {
+			return fmt.Errorf("failed to fetch namespace: %w", err)
+		}
+		nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+		current.OwnerReferences = []metav1.OwnerReference{nsRef}
 	}
-	nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
-	current.OwnerReferences = []metav1.OwnerReference{nsRef}
 
 	for i, wh := range current.Webhooks {
 		if wh.Name != current.Name {
diff --git a/webhook/webhook.go b/webhook/webhook.go
index eff693e80d..190c609452 100644
--- a/webhook/webhook.go
+++ b/webhook/webhook.go
@@ -78,6 +78,10 @@ type Options struct {
 	// before shutting down.
 	GracePeriod time.Duration
 
+	// DisableNamespaceOwnership configures whether the webhook adds an owner reference for the SYSTEM_NAMESPACE
+	// Disabling this is useful when you expect the webhook configuration to be managed by something other than knative
+	DisableNamespaceOwnership bool
+
 	// ControllerOptions encapsulates options for creating a new controller,
 	// including throttling and stats behavior.
 	ControllerOptions *controller.ControllerOptions
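Review bot: The doc comment on the new `DisableNamespaceOwnership` field should state the trade-off the operator is accepting, because it is security-relevant: without the owner reference the cluster-scoped Mutating/ValidatingWebhookConfiguration is no longer garbage-collected when the system namespace goes away, so a configuration pointing at a service that no longer exists can be left behind, and its failure policy (not visible here) then decides between blocking admission cluster-wide and silently skipping defaulting or validation. It should also say that the flag only stops the reconcilers from setting the reference, since in the reconcile hunks of this patch an owner reference already present on the object is left as found, and name `system.Namespace()` as the source of the namespace rather than the bare SYSTEM_NAMESPACE token, which I take to be the environment variable behind it but cannot confirm from this hunk. Both existing sentences also lack a terminating period; I would close the comment with `// The reference is only ever added, never removed: a configuration that already carries one keeps it.`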