From cdab88e7230c4db7ce16472b227c1c6927c1aca2 Mon Sep 17 00:00:00 2001
From: Dmitry Kartsev
Date: Mon, 11 Dec 2023 10:42:00 +0200
Subject: [PATCH] wip on admission
---
 Makefile | 2 +
 charts/cnvrg-all-in-one/Chart.lock | 6 +
 charts/cnvrg-all-in-one/Chart.yaml | 4 +
 .../charts/domainpool-0.1.1.tgz | Bin 0 -> 513 bytes
 .../cnvrg-all-in-one/templates/operator.yml | 17 +-
 charts/cnvrg-all-in-one/values.yaml | 3 +
 cmd/copctl/cmd/admission.go | 61 +++++
 cmd/copctl/cmd/install.go | 250 ------------------
 controllers/app/utils.go | 10 +
 go.mod | 2 +-
 hack/scripts/certs-gen.sh | 89 +++++++
 .../scripts/webhook_deployment/adwebhook.yaml | 17 ++
 hack/scripts/webhook_deployment/ca.crt | 19 ++
 hack/scripts/webhook_deployment/ca.key | 28 ++
 hack/scripts/webhook_deployment/ca.srl | 1 +
 hack/scripts/webhook_deployment/conf | 8 +
 hack/scripts/webhook_deployment/server.crt | 20 ++
 hack/scripts/webhook_deployment/server.csr | 17 ++
 hack/scripts/webhook_deployment/server.key | 28 ++
 pkg/admission/aicloud.go | 45 ++++
 20 files changed, 375 insertions(+), 252 deletions(-)
 create mode 100644 charts/cnvrg-all-in-one/Chart.lock
 create mode 100644 charts/cnvrg-all-in-one/charts/domainpool-0.1.1.tgz
 create mode 100644 cmd/copctl/cmd/admission.go
 delete mode 100644 cmd/copctl/cmd/install.go
 create mode 100755 hack/scripts/certs-gen.sh
 create mode 100644 hack/scripts/webhook_deployment/adwebhook.yaml
 create mode 100644 hack/scripts/webhook_deployment/ca.crt
 create mode 100644 hack/scripts/webhook_deployment/ca.key
 create mode 100644 hack/scripts/webhook_deployment/ca.srl
 create mode 100644 hack/scripts/webhook_deployment/conf
 create mode 100644 hack/scripts/webhook_deployment/server.crt
 create mode 100644 hack/scripts/webhook_deployment/server.csr
 create mode 100644 hack/scripts/webhook_deployment/server.key
 create mode 100644 pkg/admission/aicloud.go
diff --git a/Makefile b/Makefile
index 96a22c57..702054c9 100644
--- a/Makefile
+++ b/Makefile
@@ -22,6 +22,8 @@ test: generate fmt vet manifests
 rm -f ./controllers/test-report.html ./controllers/junit.xml
 CNVRG_OPERATOR_MAX_CONCURRENT_RECONCILES=1 go test ./controllers/ -v -timeout 40m
+docker:
+ docker buildx build --platform=linux/amd64 --load -t test .
 test-report:
 docker run -v $$(pwd)/controllers:/tmp cnvrg/xunit-viewer xunit-viewer -r /tmp/junit.xml -o /tmp/test-report.html
diff --git a/charts/cnvrg-all-in-one/Chart.lock b/charts/cnvrg-all-in-one/Chart.lock
new file mode 100644
index 00000000..296066bd
--- /dev/null
+++ b/charts/cnvrg-all-in-one/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: domainpool
+ repository: https://catalog.stg.intelcloud.cnvrg.io/stage
+ version: 0.1.1
+digest: sha256:ea1793042e1ae78dda8970a565225d3fd8b8dec84714a70f150f589a58f9e08a
+generated: "2023-12-06T11:51:02.366403+02:00"
diff --git a/charts/cnvrg-all-in-one/Chart.yaml b/charts/cnvrg-all-in-one/Chart.yaml
index e81b278c..8e3d4f6a 100644
--- a/charts/cnvrg-all-in-one/Chart.yaml
+++ b/charts/cnvrg-all-in-one/Chart.yaml
@@ -4,3 +4,7 @@ description: A cnvrg.io AI:OS chart for K8s
 name: cnvrg-all-in-one
 type: application
 version: 5.0.0
+dependencies:
+ - name: domainpool
+ version: 0.1.1
+ repository: https://catalog.stg.intelcloud.cnvrg.io/stage
\ No newline at end of file
diff --git a/charts/cnvrg-all-in-one/charts/domainpool-0.1.1.tgz b/charts/cnvrg-all-in-one/charts/domainpool-0.1.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7057fbb5944f41f0e683563cf4f6bd99a1d3c570 GIT binary patch literal 513 zcmV+c0{;CUiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI%5YTPgo^;usrGe;r@$On{xbChL@G3m7EBu6x`HF1TbBxzei6 zkJRU}Ti}N=8orWlVC)&FjfGF&V5d!AL8sBz#x|_Qh6-33j15a=$t8R1tFK6sB=Y}& zx+nJ^0^mjer-o@Uh(T_^&7-yA#B*6L 0 { - if val, ok := status["status"].(string); ok { - if val == "READY" { - zap.S().Infof("domain claim %s is ready yet", dcName) - return - } - - } - - } - } - zap.S().Infof("domain claim %s not ready yet", dcName) - time.Sleep(5 * time.Second) - } -} - -func domainClaimData(dc *unstructured.Unstructured) map[string]string { - - return map[string]string{ - "domainRefName": dc.Object["spec"].(map[string]interface{})["domainRef"].(map[string]interface{})["name"].(string), - "commonName": dc.Object["spec"].(map[string]interface{})["domainRef"].(map[string]interface{})["commonName"].(string), - } - -} - -func createDomainClaim(name, ns, domainPool string) { - zap.S().Info("creating domain claim") - if _, err := dynamicSet().Resource(domainClaimGVR()). - Namespace(ns). - Create(context.Background(), domainClaimSpec(name, domainPool), metav1.CreateOptions{}); err != nil { - zap.Error(err) - } - -} - -func getDomainClaim(dcName, dcNamespace string) *unstructured.Unstructured { - u, err := dynamicSet(). - Resource(domainClaimGVR()). - Namespace(dcNamespace). 
- Get(context.Background(), dcName, metav1.GetOptions{}) - if errors.IsNotFound(err) { - zap.S().Info("domain name not exists") - return nil - } else if err != nil { - zap.S().Error(err) - return nil - } - return u -} - -func domainClaimGVR() schema.GroupVersionResource { - return schema.GroupVersionResource{Group: "metacloud.cnvrg.io", Version: "v1alpha1", Resource: "domainclaims"} -} - -func cnvrgAppGVR() schema.GroupVersionResource { - return schema.GroupVersionResource{Group: "mlops.cnvrg.io", Version: "v1", Resource: "cnvrgapps"} -} - -func domainClaimSpec(name, domainPool string) *unstructured.Unstructured { - return &unstructured.Unstructured{ - Object: map[string]interface{}{ - "apiVersion": domainClaimGVR().GroupVersion().String(), - "kind": "DomainClaim", - "metadata": map[string]interface{}{ - "name": name, - }, - "spec": map[string]interface{}{ - "secretName": name, - "domainRef": map[string]interface{}{ - "domainPool": domainPool, - }, - }, - }, - } -} - -func dynamicSet() *dynamic.DynamicClient { - rc, err := config.GetConfig() - if err != nil { - zap.S().Fatal(err) - } - - dynamicset, err := dynamic.NewForConfig(rc) - if err != nil { - zap.S().Fatal(err) - } - - return dynamicset -} - -func applyCnvrgSpec(cap *mlopsv1.CnvrgApp) { - ucap, err := runtime.DefaultUnstructuredConverter.ToUnstructured(cap) - if err != nil { - zap.S().Error(err) - return - } - - if _, err := dynamicSet(). - Resource(cnvrgAppGVR()). - Namespace(cap.Namespace). 
- Create( - context.Background(), - &unstructured.Unstructured{Object: ucap}, - metav1.CreateOptions{}, - ); err != nil { - zap.S().Error(err) - } -} - -func cnvrgAppDeploySpec(clusterDomain, regUser, regPass, certSecret, ns string) *mlopsv1.CnvrgApp { - cnvrgApp := &mlopsv1.CnvrgApp{ - TypeMeta: metav1.TypeMeta{ - Kind: "CnvrgApp", - APIVersion: "mlops.cnvrg.io/v1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "cnvrg-app", - Namespace: ns, - }, - Spec: mlopsv1.DefaultCnvrgAppSpec(), - } - cnvrgApp.Spec.ClusterDomain = clusterDomain - cnvrgApp.Spec.ControlPlane.Image = "app:v4.7.52-DEV-15824-cnvrg-agnostic-infra-38" - cnvrgApp.Spec.ControlPlane.CnvrgScheduler.Enabled = false - cnvrgApp.Spec.ControlPlane.BaseConfig.FeatureFlags = map[string]string{ - "CNVRG_ENABLE_MOUNT_FOLDERS": "false", - "CNVRG_MOUNT_HOST_FOLDERS": "false", - "CNVRG_PROMETHEUS_METRICS": "true", - } - cnvrgApp.Spec.Registry.User = regUser - cnvrgApp.Spec.Registry.Password = regPass - cnvrgApp.Spec.Networking.Ingress.IstioIngressSelectorValue = "cluster-gateway" - cnvrgApp.Spec.Networking.HTTPS.Enabled = true - cnvrgApp.Spec.Networking.HTTPS.CertSecret = certSecret - - cnvrgApp.Spec.ControlPlane.WebApp.Enabled = true - cnvrgApp.Spec.ControlPlane.Sidekiq.Enabled = true - cnvrgApp.Spec.ControlPlane.Searchkiq.Enabled = true - cnvrgApp.Spec.ControlPlane.Systemkiq.Enabled = true - cnvrgApp.Spec.ControlPlane.Hyper.Enabled = true - cnvrgApp.Spec.ControlPlane.Nomex.Enabled = true - cnvrgApp.Spec.Dbs.Pg.Enabled = true - cnvrgApp.Spec.Dbs.Minio.Enabled = true - cnvrgApp.Spec.Dbs.Es.Enabled = true - cnvrgApp.Spec.Dbs.Redis.Enabled = true - cnvrgApp.Spec.Dbs.Prom.Enabled = true - cnvrgApp.Spec.Dbs.Prom.Grafana.Enabled = true - - return cnvrgApp -} diff --git a/controllers/app/utils.go b/controllers/app/utils.go index 1c2f2d59..a7f0d712 100644 --- a/controllers/app/utils.go +++ b/controllers/app/utils.go 
@@ -21,6 +21,10 @@ import (
 var log logr.Logger
+func discoverAICloudHost(clientset client.Client) () {
+
+}
+
 func discoverOcpDefaultRouteHost(clientset client.Client) (ocpDefaultRouteHost string, err error) {
 routeCfg := &unstructured.Unstructured{}
 routeCfg.SetGroupVersionKind(desired.Kinds["OcpIngressCfgGVK"])
@@ -97,6 +101,11 @@ func CalculateAndApplyAppDefaults(app *mlopsv1.CnvrgApp, defaultSpec *mlopsv1.Cn
 }
 }
+ if app.Spec.Networking.Ingress.Type == mlopsv1.AICloudIngress {
+
+ }
+
+ // discover defaults for OpenShift Route Ingress
 if app.Spec.Networking.Ingress.Type == mlopsv1.OpenShiftIngress {
 if app.Spec.ClusterDomain == "" && clientset != nil {
 clusterDomain, err := discoverOcpDefaultRouteHost(clientset)
@@ -123,6 +132,7 @@ func CalculateAndApplyAppDefaults(app *mlopsv1.CnvrgApp, defaultSpec *mlopsv1.Cn
 }
 }
+ // configure defaults for SSO
 if app.Spec.SSO.Enabled {
 scheme := "http"
 if app.Spec.Networking.HTTPS.Enabled {
diff --git a/go.mod b/go.mod
index eba2b517..34c65c8e 100644
--- a/go.mod
+++ b/go.mod
@@ -16,6 +16,7 @@ require (
 k8s.io/api v0.27.4
 k8s.io/apimachinery v0.27.4
 k8s.io/client-go v0.27.4
+ k8s.io/klog/v2 v2.90.1
 sigs.k8s.io/controller-runtime v0.15.1
 )
@@ -82,7 +83,6 @@ require (
 gopkg.in/yaml.v3 v3.0.1 // indirect
 k8s.io/apiextensions-apiserver v0.27.2 // indirect
 k8s.io/component-base v0.27.2 // indirect
- k8s.io/klog/v2 v2.90.1 // indirect
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
 k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
diff --git a/hack/scripts/certs-gen.sh b/hack/scripts/certs-gen.sh
new file mode 100755
index 00000000..56d94b59
--- /dev/null
+++ b/hack/scripts/certs-gen.sh
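Review bot: `discoverAICloudHost` is added with an empty body and an empty result list `()`, and the new `AICloudIngress` branch in `CalculateAndApplyAppDefaults` (second hunk of this file) is likewise empty, so nothing is wired for AI Cloud ingress yet while gofmt will strip the `()`. If this is deliberate scaffolding, mark both with a TODO so the no-op is visible to readers, e.g. `// TODO(admission): resolve the AI Cloud ingress host; stub until the admission webhook lands`, and drop the empty result list. `mlopsv1.AICloudIngress` is not defined anywhere in this diff; if the api package does not already declare it, the controllers package will not compile. `CalculateAndApplyAppDefaults` starts and ends outside the hunk.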
@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+
+WORK_DIR="$(pwd)/webhook_deployment"
+COMMON_NAME=$1
+EXPIRATION_DAYS=36500
+
+echo "${WORK_DIR}"
+echo "${COMMON_NAME}"
+
+init () {
+ if [ -d "$WORK_DIR" ]; then
+ rm -fr "${WORK_DIR}"
+ fi
+ mkdir "${WORK_DIR}"
+ cd "${WORK_DIR}" || exit
+ cat << EOF > conf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+EOF
+}
+
+create_ca () {
+ openssl genrsa -out ca.key 2048
+ openssl req -x509 -new -nodes -key ca.key -days ${EXPIRATION_DAYS} -out ca.crt -subj "/CN=admission_ca"
+}
+
+create_server_crts () {
+ openssl genrsa -out server.key 2048
+ openssl req -new -key server.key -out server.csr -subj "/CN=${COMMON_NAME}" -config conf
+ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days ${EXPIRATION_DAYS} -extensions v3_req -extfile conf
+}
+
+print_base64_certs (){
+ echo -e "base64 encoded ca.crt\n"
+ base64 -i "${WORK_DIR}"/ca.crt
+ echo -e "\n"
+ echo -e "base64 encoded server.crt\n"
+ base64 -i "${WORK_DIR}"/server.crt
+ echo -e "\n"
+ echo -e "base64 encoded server.key\n"
+ base64 -i "${WORK_DIR}"/server.key
+ echo -e "\n"
+}
+
+print_k8s_webhook_def(){
+export SERVICE_NAME=${COMMON_NAME}
+export BASE64_CA_BUNDLE=$(base64 -i "${WORK_DIR}/ca.crt")
+cat < "${WORK_DIR}/adwebhook.yaml"
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: uac
+ labels:
+ app: uac
+webhooks:
+ - name: ${SERVICE_NAME}
+ clientConfig:
+ url: https://${SERVICE_NAME}:8080/
+ caBundle: ${BASE64_CA_BUNDLE}
+ rules:
+ - operations: [ "CREATE"]
+ apiGroups: ["*"]
+ apiVersions: ["*"]
+ resources: ["oauthaccesstokens"]
+ failurePolicy: Ignore
+EOF
+cat /tmp/adwebhook.yaml
+echo "############### create webhook cmd ##################"
+echo "# oc create -f 
./webhook_deployment/adwebhook.yaml #"
+echo "#####################################################"
+}
+
+if [ "$#" -ne 1 ]; then
+ echo "Missing certificate common name (CN). Example usage: ./create-certs.sh uac.bnhp-system.svc.cluster.local"
+ exit 1
+fi
+
+
+init
+create_ca
+create_server_crts
+print_base64_certs
+print_k8s_webhook_def
\ No newline at end of file
diff --git a/hack/scripts/webhook_deployment/adwebhook.yaml b/hack/scripts/webhook_deployment/adwebhook.yaml
new file mode 100644
index 00000000..842176ee
--- /dev/null
+++ b/hack/scripts/webhook_deployment/adwebhook.yaml
@@ -0,0 +1,17 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: uac
+ labels:
+ app: uac
+webhooks:
+ - name: foo.bar.test.local
+ clientConfig:
+ url: https://foo.bar.test.local:8080/
+ caBundle: 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
+ rules:
+ - operations: [ "CREATE"]
+ apiGroups: ["*"]
+ apiVersions: ["*"]
+ resources: ["oauthaccesstokens"]
+ failurePolicy: Ignore
diff --git a/hack/scripts/webhook_deployment/ca.crt b/hack/scripts/webhook_deployment/ca.crt
new file mode 100644
index 00000000..1adf5db1
--- /dev/null
+++ b/hack/scripts/webhook_deployment/ca.crt
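Review bot: The script writes `ca.key` and `server.key` unencrypted into `hack/scripts/webhook_deployment` beside the script, and this commit checks that directory in, including both private keys (the `ca.key` and `server.key` sections below) and a CA valid for 36500 days; those keys should be dropped from the repository, the CA regenerated, and the output directory excluded (`webhook_deployment/` in `.gitignore`) or created with `mktemp -d`. Adding `umask 077` before the `openssl genrsa` calls would also keep the generated key files from being readable by other local users. Two smaller defects: `cat /tmp/adwebhook.yaml` in `print_k8s_webhook_def` reads a path the function never writes (the file goes to `${WORK_DIR}/adwebhook.yaml`), and the usage message names `./create-certs.sh` rather than this script. The emitted `ValidatingWebhookConfiguration` uses `admissionregistration.k8s.io/v1beta1`, which was removed in Kubernetes 1.22, together with `failurePolicy: Ignore`, so an unreachable webhook fails open; `admissionregistration.k8s.io/v1` with `failurePolicy: Fail` is the safer default if the webhook is meant to enforce anything.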
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDETCCAfmgAwIBAgIUE8tPt7tFdS+w3FFUcMQmOyM1grEwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMYWRtaXNzaW9uX2NhMCAXDTIzMTIxMTA4MjYwNloYDzIx +MjMxMTE3MDgyNjA2WjAXMRUwEwYDVQQDDAxhZG1pc3Npb25fY2EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtloSeH53nFRaUPwoH4VEdhNSfAFxkpuPS +OICDaKmg6QuKk5uwTf2VcALsZp7nPmpbmEAVcS3ROaIQcjojrSdM/N7SQAemVu/X +1F+KOUpUYZ87wYYogCASIg4CYQzIIO41ROV9CKBWFmgqklFe+EOdj519o0N18I6n +6btFoY3N/ICFcbaL+n5N3Al3XNYCQW819cK6e9H7KAPEBZBhFCM7CGKRmqqSVyPx +LHnDd+oz55meWu3zY/wrkGCVVzeHsgoQ8PM8q7xxb0EDwWDv0CCPYoVvCMQWOcXF +H42TH8k6tyj7o8xTqDVm3AsF3YpnWtRuEqSQPEFn+xjSsUS4Q2djAgMBAAGjUzBR +MB0GA1UdDgQWBBREXMXteWATo69Yp56YZlDue7Sx2jAfBgNVHSMEGDAWgBREXMXt +eWATo69Yp56YZlDue7Sx2jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4IBAQB/QsK3ENsAkPAlCfof+KcKcHB8r+5y4Ti5ixiyrrDCNJbWXzRnZVIKGemR +bxhXUOLYi74JAgPWSoEzAdciOtSc++5oOfl7Pm9oo7h5JypVnPvkqdKaBeOlBzrQ +dBQMkOex04SgR67tyNME/8QDYe+nBxnEd77uezSMebfVmxFoDZc7RYCKKiNxO4bx +i4Gt+3oWnictffaupI3qIPdKprC+IJ70K/P+fLmqiMC/ACp1KkvQHVlfovZkEWt/ +Gd7KjQ83hoNX43ZQ55GAd9oXTaopSGzAea8SOaHV5lGgKTd4BgZnaHb/U4muGnGy +PnHm2FkrMfK6hnWwYVuO2V4dxvbD +-----END CERTIFICATE----- diff --git a/hack/scripts/webhook_deployment/ca.key b/hack/scripts/webhook_deployment/ca.key new file mode 100644 index 00000000..2ee0d96c --- /dev/null +++ b/hack/scripts/webhook_deployment/ca.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQCtloSeH53nFRaU +PwoH4VEdhNSfAFxkpuPSOICDaKmg6QuKk5uwTf2VcALsZp7nPmpbmEAVcS3ROaIQ +cjojrSdM/N7SQAemVu/X1F+KOUpUYZ87wYYogCASIg4CYQzIIO41ROV9CKBWFmgq +klFe+EOdj519o0N18I6n6btFoY3N/ICFcbaL+n5N3Al3XNYCQW819cK6e9H7KAPE +BZBhFCM7CGKRmqqSVyPxLHnDd+oz55meWu3zY/wrkGCVVzeHsgoQ8PM8q7xxb0ED +wWDv0CCPYoVvCMQWOcXFH42TH8k6tyj7o8xTqDVm3AsF3YpnWtRuEqSQPEFn+xjS +sUS4Q2djAgMBAAECgf8TiAL/x6UuuZpyKfONPVf+9LXski6FOvQDHP9Yvqs1+tY1 +xvas2hmdhL+uEVhKMho/5inrjZ5oCANbGSYYeV2I7XBnkMGkoi6oQSEw7EFJzfTq +kjpfJ7Jd0mDXaUCSDFolQBAi5Y07F1V0li6GhpUVCYiTDzVg/xnWW3uxMwdi86RA +o7yK08WveHejg1NnIHbjZhbi4m9wstCwjhKTD2WwZmzlg2HW9788NbLg41Km9H45 +UHM7pEiAORWYWqFqgWnwCXUJjC5kXYpXhXgrg+MPhEtXJpJJQcnAi8wKHAYPbYIP +375txs31gzCy3DNMz/XcLKwLYywR4cGdWpGyjLECgYEA8Q4L5gFtuFG+9eXsd151 +4FWIefO/I7GgFDAqKcSuwavyTeRR1bjdooMKSbKLFy8T/rZJJX58qEN1UQUR3/19 +r3lTSiYKqGmgKdSavKxJDasnF79WtBjmS53PHbOr2p7D2L/RCYdugqQyAiWyTlZB +IeMsIsAJkNHTXSCD+Zz1ibMCgYEAuFmn/UtiXuSCgU39ugCRz0YcVeSHlrpVjp2D +F8qNbv5vrZKWiREZe8Mkg4U89Hkt5Q238M28Sre/sGIP8XHPd04/iYPxP9hx/Dmd +Zw4lYmYmf8Oy2IVS0TWKJ9GZoDQ+QBha9W6H/7Aydw9ACDc+BjcCPKF+PZ8kcrHH +MSXXc5ECgYEAjOFmttAS7exorJHp94GvZqLWll+MUDIZmnLj0XFvqSTzAe70nPHk +JnxrYNMGU1BiYTTr3wvjkvuJ7wYFgmFGOW2w7d75z5+byZbFsIsITwK+YDSlWbBL +t9nNGFDPmX+8ekrwwp7ySUvpJjQd14a1njaErvKJJKhc3UqJlzLSld0CgYBNshO4 +EF58Seiq4JjwHK9XYWAt3yw6HXxTqBUJIOgtAHVG/UIOsLNB0wP/nlcLXks2f2qn +xb3266yRhTLc+q+Kw+LJbV9vHiUkPZAWUAL3jr/pFyy4TrCR1fPNRmxt9bbKwrkL +ObN90t/iB/5fuBCfA+4gaZvQEtOEt2KRVzaP0QKBgH1Pqqw6dgLa2xngPuuihf1J +EMToVcPyaUtCenmUlsNlldsT3GFYcTHgqCKXztYorcWnrkuN9UvjojD/R+zNk0ad +9Sa2TExhMLCUr67Zs7eSoSA44TmpCWoWUC1O+TozhPOwX7ZbIlYRy/IcVvbC+eSx +e4/upDY8off//1M4W/Z9 +-----END PRIVATE KEY----- diff --git a/hack/scripts/webhook_deployment/ca.srl b/hack/scripts/webhook_deployment/ca.srl new file mode 100644 index 00000000..551f8707 --- /dev/null +++ b/hack/scripts/webhook_deployment/ca.srl @@ -0,0 +1 @@ +4B4F2A14E7EEA9F2765B6FEB92DED69977FDE9BF 
diff --git a/hack/scripts/webhook_deployment/conf b/hack/scripts/webhook_deployment/conf new file mode 100644 index 00000000..9dba6fae --- /dev/null +++ b/hack/scripts/webhook_deployment/conf @@ -0,0 +1,8 @@ +[req] +req_extensions = v3_req +distinguished_name = req_distinguished_name +[req_distinguished_name] +[v3_req] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, serverAuth diff --git a/hack/scripts/webhook_deployment/server.crt b/hack/scripts/webhook_deployment/server.crt new file mode 100644 index 00000000..e72a396e --- /dev/null +++ b/hack/scripts/webhook_deployment/server.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPTCCAiWgAwIBAgIUS08qFOfuqfJ2W2/rkt7WmXf96b8wDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMYWRtaXNzaW9uX2NhMCAXDTIzMTIxMTA4MjYwNloYDzIx +MjMxMTE3MDgyNjA2WjAdMRswGQYDVQQDDBJmb28uYmFyLnRlc3QubG9jYWwwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVAcSSodV0lkzG34JB7PvIyFS5 +ny0s0axjGqn26YtHOOJ9qV9EmiW8QcCXIVhQg5qs7VEgDidkH5SPXR/7ej7bSA7F +U0EN0IFf6B2G8dUwq12T0lPPfHJHWC+580/+Ia7NoHJzt01Su5nkTKpHbsg8ImJ9 +C+ATJvF5tSf/V42SZQ8dU7O9VqVl8w7urvZl0S7CTd9XW+esfvXRNICXVChnw+sb +dpO26TMZ68/hT6SPpurl7t0NMV+nK5GyR2tecztmrCuEAD11GQj1jhQveW7FhLEq +A3NcddxPeqaUQGqwMAqhaBWV8PxwNCZfPAwf7s90WUHfmmU8udjeDFE08NnVAgMB +AAGjeTB3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUF +BwMCBggrBgEFBQcDATAdBgNVHQ4EFgQULAvB35V5jBhZLccgs7o4oIOlqI8wHwYD +VR0jBBgwFoAURFzF7XlgE6OvWKeemGZQ7nu0sdowDQYJKoZIhvcNAQELBQADggEB +AGQU7GknUDSnMqSlZkgUuFrEXRUwDEYLsJHOG3JWWHNFKU/uCL/ImpHqCVtdLsFk +0yrj1A02nI9Z6OLqsKLB9L9Kfz8/B8hZrEl1yVF8Gx/kr4FcR5wDmpWIjiOrgqHa +kqvPZIjjGnDKTfNepUSNC1oGjVIk6H4TeXOjQoZZqiFA9CYAChhSzCgf4itmp/Dj +K6rkFLywPwj860dVwrCWLk3W8wIQpmEuNkM5e+/Dm2iFAFLzf0aL3z+4Xttu/cZj +emDpzpYMuMzJHjpiN+gNG+2qaBcWVVTyyeadTF9pacLp243/ixSeEZvt+Ri6RVOE +d+Y0ZJUzlwA4xaerJbeRsJU= +-----END CERTIFICATE----- 
diff --git a/hack/scripts/webhook_deployment/server.csr b/hack/scripts/webhook_deployment/server.csr new file mode 100644 index 00000000..85879317 --- /dev/null +++ b/hack/scripts/webhook_deployment/server.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqjCCAZICAQAwHTEbMBkGA1UEAwwSZm9vLmJhci50ZXN0LmxvY2FsMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QHEkqHVdJZMxt+CQez7yMhUuZ8t +LNGsYxqp9umLRzjifalfRJolvEHAlyFYUIOarO1RIA4nZB+Uj10f+3o+20gOxVNB +DdCBX+gdhvHVMKtdk9JTz3xyR1gvufNP/iGuzaByc7dNUruZ5EyqR27IPCJifQvg +EybxebUn/1eNkmUPHVOzvValZfMO7q72ZdEuwk3fV1vnrH710TSAl1QoZ8PrG3aT +tukzGevP4U+kj6bq5e7dDTFfpyuRskdrXnM7ZqwrhAA9dRkI9Y4UL3luxYSxKgNz +XHXcT3qmlEBqsDAKoWgVlfD8cDQmXzwMH+7PdFlB35plPLnY3gxRNPDZ1QIDAQAB +oEgwRgYJKoZIhvcNAQkOMTkwNzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNV +HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAAv7 +v0cw7046vyY0UsiRE/6P2dwA3dg+WvN9U3er5X/34M0pebdyxsGDKvHIsqTLj8Ku +rL2cJSnAQXziLfsbTkI32vZ4zGRr3I+FQGnE8yqjuWD1fLM5WP16/8kid3Li2DZk +6Vvq2H9qcoXevpqMdg1ia3jA5SNyDRGY9IqG8m0adxysG6tGeSysEpMlabtWdqNV +CVCwPHKEa+9jRAK8oOsB24EN5pQXxonDXX+Co6846jcZyUE+ZOcGM3c16xsroFnV +HbiXg35EW0mH9ywsvjouf6mfiOqjqSzcMaj6s3WfNPhaXWEyF2GBdKTKZilAwxtO +re2e6FwEkMq9b1APnU8= +-----END CERTIFICATE REQUEST----- diff --git a/hack/scripts/webhook_deployment/server.key b/hack/scripts/webhook_deployment/server.key new file mode 100644 index 00000000..944883d8 --- /dev/null +++ b/hack/scripts/webhook_deployment/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDVAcSSodV0lkzG +34JB7PvIyFS5ny0s0axjGqn26YtHOOJ9qV9EmiW8QcCXIVhQg5qs7VEgDidkH5SP +XR/7ej7bSA7FU0EN0IFf6B2G8dUwq12T0lPPfHJHWC+580/+Ia7NoHJzt01Su5nk +TKpHbsg8ImJ9C+ATJvF5tSf/V42SZQ8dU7O9VqVl8w7urvZl0S7CTd9XW+esfvXR +NICXVChnw+sbdpO26TMZ68/hT6SPpurl7t0NMV+nK5GyR2tecztmrCuEAD11GQj1 +jhQveW7FhLEqA3NcddxPeqaUQGqwMAqhaBWV8PxwNCZfPAwf7s90WUHfmmU8udje +DFE08NnVAgMBAAECggEAEBHXUumnKSnKpolHsjIPB8WHUM6vsY0q+HoTPwe9BHVH +7wuHXq1Tcfmy7iPrnf1jvq6Tu3ud4KmaQ1uW9VmyYsgzpxLiGkjz7bic+6iEeSzA +fU21mXZtx7ChPyHaU9WWMrirUcwPJxH0qPrYsNVsgU7lx8HM2J0MRC6U0yh3i4b1 +hxSPvXYnqnVTjNbJBehWzs8QwGUqdGFJOsjR+n4ceAnmNOghBHFV7M1Lrbw8SNmV +awdnzMN9QN6Gkpww6/vWce/e1PXeEeQJVqTQpLEgcdfsrd7Hl8sVrNfuRRKYV4q0 +1njtl5BZlqly8Xsl4p0hesNym8NIJ1tA5BFjg2gwYQKBgQDvuqgnscORMJYTHL1D +4FA1XyxeeYJKgHLaffIiEjrCXPK/4RYOEcRPSoNLw83k+Sqo2WchrAPjyTqAyoYS +iWus2vQPyn7HEgQO2ypHg7gGqd7P2KcKE1y4+CEjDrbH9sWUUfM9M3ZwCzfk08ac +66Dhu/E0Va2h7ziaSHdDnaysdQKBgQDjds6OzRkB35gwyuyDiVr7/owLhz5rUjHY +wwfsxlwg7LpzqV7HS4Zx+HttwkD2A6ooXI+pqbqGPiEk76M8oV5C+brJa59PfSjF +GYO+gmxXqETceW0B/7vFsVVJvOukPp+a18xYeB/ngk1mCdepsvoOtT0mKTKTdA7R +FaOSiitL4QKBgEZtCntm0LI1mNESj1OCcW3MgOdcQPeMFrGzcE+sFVEGJ1ZRVL5b +X9V/aWT3p+QNgwfJnm+Y7ieb9TDizlJhxp0oUazV6zqmQ0TuA9SwkH58pvVei2v9 +Vi8MzgdTikTibRbuoEupc7Dkys3RnTZ6TnAiW3DpfrHk6jcA9PCLQLAFAoGBALJR +ZDL8xFr8n4G4w1uG5YXhkoZDGwLlZ+BnXKIZCwZgrvaXU47nPVnBk3mDLIvwaYfE +sHcwcOJmeHNNTentE0lsHytiLH0TQE/r5aUG98psRreUlYlYoyqjD5qD+TNESLkJ +7c95NIG4W9bfZmtJvNCk8nAlIdoIxMjSru3lVXXhAoGACnsECBQZb8QyLHxOeBCC +xura8F8XtDSyDxSO1rxw5AyZXWpS7nlwfykWtC5TC8TlJ10YnclzIshFcgSG+tk3 +/x8K0cXVhNEgj9ZWptusaxplO5IPrcJywYP2zYwoiezFusdNVQOm23x7LBszDWwA +F9mv/VUP0Js1nLgBOeeXkro= +-----END PRIVATE KEY----- diff --git a/pkg/admission/aicloud.go b/pkg/admission/aicloud.go new file mode 100644 index 00000000..030c8532 --- /dev/null +++ b/pkg/admission/aicloud.go 
@@ -0,0 +1,45 @@
+package admission
+
+import (
+ "fmt"
+ "io"
+ v1 "k8s.io/api/admission/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/serializer"
+ "k8s.io/klog/v2"
+ "net/http"
+)
+
+var (
+ runtimeScheme = runtime.NewScheme()
+ codecs = serializer.NewCodecFactory(runtimeScheme)
+ deserializer = codecs.UniversalDeserializer()
+)
+
+func MutateCnvrtAppClusterDomainHandler(w http.ResponseWriter, r *http.Request) {
+ var body []byte
+ if r.Body != nil {
+ if data, err := io.ReadAll(r.Body); err == nil {
+ body = data
+ }
+ }
+
+ // verify the content type is accurate
+ contentType := r.Header.Get("Content-Type")
+ if contentType != "application/json" {
+ klog.Errorf("contentType=%s, expect application/json", contentType)
+ return
+ }
+
+ klog.V(2).Info(fmt.Sprintf("handling request: %s", body))
+ ar := &v1.AdmissionReview{}
+ obj, gvk, err := deserializer.Decode(body, nil, ar)
+ if err != nil {
+ msg := fmt.Sprintf("Request could not be decoded: %v", err)
+ klog.Error(msg)
+ http.Error(w, msg, http.StatusBadRequest)
+ return
+ }
+ fmt.Println(obj)
+ fmt.Println(gvk)
+}
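Review bot: When the Content-Type check fails the handler logs and returns without writing anything, so the API server gets an empty 200 instead of an error, and the same silent path is taken when `io.ReadAll` fails, because that error is dropped and `body` stays nil until `Decode` rejects it. The body is also read with no size bound and then logged in full at `klog.V(2)`; an AdmissionReview carries the complete object under review, which for kinds such as Secrets puts credentials into the log, so log only the request UID and kind or move this to a higher verbosity. `fmt.Println(obj)` and `fmt.Println(gvk)` write to stdout and the handler never encodes an `AdmissionReview` response — presumably WIP per the subject, but worth a `// TODO` so the no-response path is not shipped. The rewritten prefix below bounds the read with `http.MaxBytesReader` (the 1 MiB limit is a constructed example) and answers both failure paths with an HTTP error.

```go
func MutateCnvrtAppClusterDomainHandler(w http.ResponseWriter, r *http.Request) {
	// Bound the request size so a misbehaving client cannot exhaust memory;
	// AdmissionReview payloads from the API server are small.
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
	if err != nil {
		klog.Errorf("reading admission request body: %v", err)
		http.Error(w, "could not read request body", http.StatusBadRequest)
		return
	}

	// Reject anything that is not JSON before attempting to decode it.
	contentType := r.Header.Get("Content-Type")
	if contentType != "application/json" {
		klog.Errorf("contentType=%s, expect application/json", contentType)
		http.Error(w, "expected Content-Type application/json", http.StatusUnsupportedMediaType)
		return
	}
	// … unchanged: AdmissionReview decoding …
```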