fix: add group annotation to WebhookConfiguration and filter watch requests

internal/constants/constants.go

@@ -52,6 +52,8 @@ const (
 	WebhookConfigurationPolicyScopeLabelKey          = "kubewardenPolicyScope"
 	WebhookConfigurationPolicyNameAnnotationKey      = "kubewardenPolicyName"
 	WebhookConfigurationPolicyNamespaceAnnotationKey = "kubewardenPolicyNamespace"
+	WebhookConfigurationPolicyGroupAnnotationKey     = "kubewardenPolicyGroup"
+	True                                             = "true"
 
 	// Scope.
 	NamespacePolicyScope = "namespace"

internal/controller/admissionpolicy_controller.go

@@ -102,5 +102,5 @@ func (r *AdmissionPolicyReconciler) findAdmissionPoliciesForPod(ctx context.Cont
 }
 
 func (r *AdmissionPolicyReconciler) findAdmissionPolicyForWebhookConfiguration(_ context.Context, webhookConfiguration client.Object) []reconcile.Request {
-	return findPolicyForWebhookConfiguration(webhookConfiguration, r.Log)
+	return findPolicyForWebhookConfiguration(webhookConfiguration, false, r.Log)
 }

internal/controller/admissionpolicygroup_controller.go

@@ -98,5 +98,5 @@ func (r *AdmissionPolicyGroupReconciler) findAdmissionPoliciesForPod(ctx context
 }
 
 func (r *AdmissionPolicyGroupReconciler) findAdmissionPolicyForWebhookConfiguration(_ context.Context, webhookConfiguration client.Object) []reconcile.Request {
-	return findPolicyForWebhookConfiguration(webhookConfiguration, r.Log)
+	return findPolicyForWebhookConfiguration(webhookConfiguration, true, r.Log)
 }

internal/controller/admissionpolicygroup_controller_test.go

@@ -84,6 +84,7 @@ var _ = Describe("AdmissionPolicyGroup controller", Label("real-cluster"), func(
 
 				Expect(validatingWebhookConfiguration.Labels[constants.PartOfLabelKey]).To(Equal(constants.PartOfLabelValue))
 				Expect(validatingWebhookConfiguration.Labels[constants.WebhookConfigurationPolicyScopeLabelKey]).To(Equal(constants.NamespacePolicyScope))
+				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyGroupAnnotationKey]).To(Equal(constants.True))
 				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNameAnnotationKey]).To(Equal(policyName))
 				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNamespaceAnnotationKey]).To(Equal(policyNamespace))
 				Expect(validatingWebhookConfiguration.Webhooks).To(HaveLen(1))
@@ -114,6 +115,7 @@ var _ = Describe("AdmissionPolicyGroup controller", Label("real-cluster"), func(
 			By("changing the ValidatingWebhookConfiguration")
 			delete(validatingWebhookConfiguration.Labels, constants.PartOfLabelKey)
 			validatingWebhookConfiguration.Labels[constants.WebhookConfigurationPolicyScopeLabelKey] = newName("scope")
+			validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyGroupAnnotationKey] = "false"
 			delete(validatingWebhookConfiguration.Annotations, constants.WebhookConfigurationPolicyNameAnnotationKey)
 			validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNamespaceAnnotationKey] = newName("namespace")
 			validatingWebhookConfiguration.Webhooks[0].ClientConfig.Service.Name = newName("service")

internal/controller/clusteradmissionpolicy_controller.go

@@ -101,5 +101,5 @@ func (r *ClusterAdmissionPolicyReconciler) findClusterAdmissionPoliciesForPod(ct
 }
 
 func (r *ClusterAdmissionPolicyReconciler) findClusterAdmissionPolicyForWebhookConfiguration(_ context.Context, webhookConfiguration client.Object) []reconcile.Request {
-	return findClusterPolicyForWebhookConfiguration(webhookConfiguration, r.Log)
+	return findClusterPolicyForWebhookConfiguration(webhookConfiguration, false, r.Log)
 }

internal/controller/clusteradmissionpolicygroup_controller.go

@@ -97,5 +97,5 @@ func (r *ClusterAdmissionPolicyGroupReconciler) findClusterAdmissionPoliciesForP
 }
 
 func (r *ClusterAdmissionPolicyGroupReconciler) findClusterAdmissionPolicyForWebhookConfiguration(_ context.Context, webhookConfiguration client.Object) []reconcile.Request {
-	return findClusterPolicyForWebhookConfiguration(webhookConfiguration, r.Log)
+	return findClusterPolicyForWebhookConfiguration(webhookConfiguration, true, r.Log)
 }

internal/controller/clusteradmissionpolicygroup_controller_test.go

@@ -72,6 +72,7 @@ var _ = Describe("ClusterAdmissionPolicyGroup controller", Label("real-cluster")
 
 				Expect(validatingWebhookConfiguration.Labels[constants.PartOfLabelKey]).To(Equal(constants.PartOfLabelValue))
 				Expect(validatingWebhookConfiguration.Labels[constants.WebhookConfigurationPolicyScopeLabelKey]).To(Equal(constants.ClusterPolicyScope))
+				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyGroupAnnotationKey]).To(Equal(constants.True))
 				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNameAnnotationKey]).To(Equal(policyName))
 				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNamespaceAnnotationKey]).To(BeEmpty())
 				Expect(validatingWebhookConfiguration.Webhooks).To(HaveLen(1))
@@ -108,6 +109,7 @@ var _ = Describe("ClusterAdmissionPolicyGroup controller", Label("real-cluster")
 
 			delete(validatingWebhookConfiguration.Labels, constants.PartOfLabelKey)
 			validatingWebhookConfiguration.Labels[constants.WebhookConfigurationPolicyScopeLabelKey] = newName("scope")
+			validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyGroupAnnotationKey] = "false"
 			delete(validatingWebhookConfiguration.Annotations, constants.WebhookConfigurationPolicyNameAnnotationKey)
 			validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNamespaceAnnotationKey] = newName("namespace")
 			validatingWebhookConfiguration.Webhooks[0].ClientConfig.Service.Name = newName("service")

internal/controller/policy_subreconciler.go

@@ -349,12 +349,12 @@ func findClusterPoliciesForPod(ctx context.Context, k8sClient client.Client, obj
 	return findClusterPoliciesForConfigMap(&configMap)
 }
 
-func findClusterPolicyForWebhookConfiguration(webhookConfiguration client.Object, log logr.Logger) []reconcile.Request {
-	// Pre v1.16.0
-	_, kubwardenLabelExists := webhookConfiguration.GetLabels()["kubewarden"]
-	// From v1.16.0 on we are using the recommended label "app.kubernetes.io/part-of"
-	partOfLabel := webhookConfiguration.GetLabels()["app.kubernetes.io/part-of"]
-	if !kubwardenLabelExists && partOfLabel != "kubewarden" {
+func findClusterPolicyForWebhookConfiguration(webhookConfiguration client.Object, isGroup bool, log logr.Logger) []reconcile.Request {
+	if !hasKubewardenLabel(webhookConfiguration.GetLabels()) {
+		return []reconcile.Request{}
+	}
+
+	if isGroup && !hasGroupAnnotation(webhookConfiguration.GetAnnotations()) {
 		return []reconcile.Request{}
 	}
 
@@ -386,12 +386,12 @@ func findClusterPolicyForWebhookConfiguration(webhookConfiguration client.Object
 	}
 }
 
-func findPolicyForWebhookConfiguration(webhookConfiguration client.Object, log logr.Logger) []reconcile.Request {
-	// Pre v1.16.0
-	_, kubwardenLabelExists := webhookConfiguration.GetLabels()["kubewarden"]
-	// From v1.16.0 on we are using the recommended label "app.kubernetes.io/part-of"
-	partOfLabel := webhookConfiguration.GetLabels()[constants.PartOfLabelKey]
-	if !kubwardenLabelExists && partOfLabel != constants.PartOfLabelValue {
+func findPolicyForWebhookConfiguration(webhookConfiguration client.Object, isGroup bool, log logr.Logger) []reconcile.Request {
+	if !hasKubewardenLabel(webhookConfiguration.GetLabels()) {
+		return []reconcile.Request{}
+	}
+
+	if isGroup && !hasGroupAnnotation(webhookConfiguration.GetAnnotations()) {
 		return []reconcile.Request{}
 	}
 
@@ -428,6 +428,19 @@ func findPolicyForWebhookConfiguration(webhookConfiguration client.Object, log l
 	}
 }
 
+func hasKubewardenLabel(labels map[string]string) bool {
+	// Pre v1.16.0
+	kubewardenLabel := labels["kubewarden"]
+	// From v1.16.0 on we are using the recommended label "app.kubernetes.io/part-of"
+	partOfLabel := labels[constants.PartOfLabelKey]
+
+	return kubewardenLabel == constants.True || partOfLabel == constants.PartOfLabelValue
+}
+
+func hasGroupAnnotation(annotations map[string]string) bool {
+	return annotations[constants.WebhookConfigurationPolicyGroupAnnotationKey] == constants.True
+}
+
 func getPolicyMapFromConfigMap(configMap *corev1.ConfigMap) (policyConfigEntryMap, error) {
 	policyMap := policyConfigEntryMap{}
 	if policies, ok := configMap.Data[constants.PolicyServerConfigPoliciesEntry]; ok {

internal/controller/policy_subreconciler_webhook.go

@@ -18,7 +18,6 @@ import (
 
 //+kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=create;delete;list;patch;watch
 
-//nolint:dupl // This function is similar to the other reconcileMutatingWebhookConfiguration
 func (r *policySubReconciler) reconcileValidatingWebhookConfiguration(
 	ctx context.Context,
 	policy policiesv1.Policy,
@@ -60,6 +59,9 @@ func (r *policySubReconciler) reconcileValidatingWebhookConfiguration(
 			constants.WebhookConfigurationPolicyNameAnnotationKey:      policy.GetName(),
 			constants.WebhookConfigurationPolicyNamespaceAnnotationKey: policy.GetNamespace(),
 		}
+		if _, ok := policy.(policiesv1.PolicyGroup); ok {
+			webhook.Annotations[constants.WebhookConfigurationPolicyGroupAnnotationKey] = constants.True
+		}
 		webhook.Webhooks = []admissionregistrationv1.ValidatingWebhook{
 			{
 				Name: policy.GetUniqueName() + ".kubewarden.admission",
@@ -108,7 +110,6 @@ func (r *policySubReconciler) reconcileValidatingWebhookConfigurationDeletion(ct
 
 //+kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=create;delete;list;patch;watch
 
-//nolint:dupl // This function is similar to the other reconcileValidatingWebhookConfiguration
 func (r *policySubReconciler) reconcileMutatingWebhookConfiguration(
 	ctx context.Context,
 	policy policiesv1.Policy,