Migrate webhook deploy

api/v1/inline_types.go

@@ -198,6 +198,18 @@ func (r ResourceRequirements) GetOrDefault() corev1.ResourceRequirements {
 	return corev1.ResourceRequirements(r)
 }
 
+func (r ResourceRequirements) GetOrDefaultWebhook() corev1.ResourceRequirements {
+	requestsDefaulter := map_defaulter.NewMapDefaulter((*map[corev1.ResourceName]resource.Quantity)(&r.Requests))
+	requestsDefaulter.SetIfEmpty(corev1.ResourceMemory, resource.MustParse("512Mi"))
+	requestsDefaulter.SetIfEmpty(corev1.ResourceCPU, resource.MustParse("0.5"))
+
+	limitsDefaulter := map_defaulter.NewMapDefaulter((*map[corev1.ResourceName]resource.Quantity)(&r.Limits))
+	limitsDefaulter.SetIfEmpty(corev1.ResourceMemory, resource.MustParse("1Gi"))
+	limitsDefaulter.SetIfEmpty(corev1.ResourceCPU, resource.MustParse("1.0"))
+
+	return corev1.ResourceRequirements(r)
+}
+
 type AgentPodSpec struct {
 	// agent.pod.annotations are additional annotations to be added to the agent pods.
 	// +kubebuilder:validation:Optional
@@ -266,6 +278,25 @@ type ImageSpec struct {
 	PullPolicy corev1.PullPolicy `json:"pullPolicy,omitempty"`
 }
 
+type Instrumentation struct {
+	// Name is the name of the instrumentation image of the webhook.
+	// +kubebuilder:validation:Required
+	Image string `json:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ImagePullPolicy string `json:"imagePullPolicy,IfNotPresent"`
+	// +kubebuilder:validation:Optional
+	ImagePullCredentials string `json:"imagePullCredentials,omitempty"`
+}
+
+type ImagePullCredentials struct {
+	// +kubebuilder:validation:Optional
+	Registry string `json:"registry,omitempty"`
+	// +kubebuilder:validation:Optional
+	Username string `json:"username,omitempty"`
+	// +kubebuilder:validation:Optional
+	Password string `json:"password,omitempty"`
+}
+
 type ExtendedImageSpec struct {
 	// +kubebuilder:validation:Required
 	ImageSpec `json:",inline"`
@@ -292,6 +323,29 @@ type HostSpec struct {
 	Repository string `json:"repository,omitempty"`
 }
 
+// AutotraceWebhookSpec defines the desired state of the AutotraceMutatingWebhook
+type AutotraceWebhookSpec struct {
+	// +kubebuilder:validation:Type=boolean
+	// +kubebuilder:validation:default=false
+	Enabled bool `json:"enabled"`
+	// Name of the AutoTraceWebhook. If not set and `create` is true, the default name is generated.
+	// +kubebuilder:default="instana-autotrace-webhook"
+	Name string `json:"name"`
+	// Specify the number of replicas for the AutotraceMutatingWebhook.
+	// +kubebuilder:validation:Optional
+	Replicas int `json:"replicas,omitempty"`
+	// +kubebuilder:validation:Optional
+	PullSecret string `json:"pullSecret,omitempty"`
+	// +kubebuilder:validation:Optional
+	ImageSpec ImageSpec `json:"image,omitempty"`
+	// +kubebuilder:validation:Optional
+	Instrumentation Instrumentation `json:"instrumentation,omitempty"`
+	// +kubebuilder:validation:Optional
+	// Autotrace Autotrace `json:"autotrace,omitempty"` //TODO
+	// Override Agent resource requirements to e.g. give the Agent container more memory.
+	ResourceRequirements `json:",inline"`
+}
+
 type ServiceMeshSpec struct {
 	// +kubebuilder:validation:Optional
 	Enabled bool `json:"enabled,omitempty"`

api/v1/instanaagent_types.go

@@ -82,6 +82,9 @@ type InstanaAgentSpec struct {
 
 	// +kubebuilder:validation:Optional
 	ServiceMesh ServiceMeshSpec `json:"serviceMesh,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	AutotraceWebhook AutotraceWebhookSpec `json:"autotraceWebhook,omitempty"`
 }
 
 // +k8s:openapi-gen=true
@@ -173,6 +176,15 @@ func (in *InstanaAgent) Default() {
 	optional.ValueOrDefault(&in.Spec.K8sSensor.ImageSpec.Tag, "latest")
 	optional.ValueOrDefault(&in.Spec.K8sSensor.ImageSpec.PullPolicy, corev1.PullAlways)
 	optional.ValueOrDefault(&in.Spec.K8sSensor.DeploymentSpec.Replicas, 3)
+	optional.ValueOrDefault(&in.Spec.AutotraceWebhook.Enabled, false)
+	optional.ValueOrDefault(&in.Spec.AutotraceWebhook.Instrumentation.Image, "icr.io/instana/instrumentation:latest")
+	optional.ValueOrDefault(&in.Spec.AutotraceWebhook.Instrumentation.ImagePullPolicy, "IfNotPresent")
+	optional.ValueOrDefault(&in.Spec.AutotraceWebhook.Replicas, 1)
+	optional.ValueOrDefault(&in.Spec.AutotraceWebhook.ImageSpec.Name, "containers.instana.io/instana/release/agent/instana-autotrace-webhook")
+	optional.ValueOrDefault(&in.Spec.AutotraceWebhook.ImageSpec.Tag, "latest")
+	optional.ValueOrDefault(&in.Spec.AutotraceWebhook.ImageSpec.PullPolicy, corev1.PullAlways)
+	optional.ValueOrDefault(&in.Spec.AutotraceWebhook.Name, "instana-autotrace-webhook")
+
 }
 
 // +kubebuilder:object:root=true

api/v1/instanaagent_types_test.go

@@ -1,3 +1,8 @@
+/*
+ * (c) Copyright IBM Corp. 2025
+ * (c) Copyright Instana Inc. 2025
+ */
+
 package v1
 
 import (
@@ -51,6 +56,20 @@ func TestInstanaAgent_Default(t *testing.T) {
 				Replicas: 2,
 			},
 		},
+		AutotraceWebhook: AutotraceWebhookSpec{
+			Name:    "instana-autotrace-webhook",
+			Enabled: false,
+			Instrumentation: Instrumentation{
+				Image:           "icr.io/instana/instrumentation:latest",
+				ImagePullPolicy: "IfNotPresent",
+			},
+			Replicas: 1,
+			ImageSpec: ImageSpec{
+				Name:       "containers.instana.io/instana/release/agent/instana-autotrace-webhook",
+				Tag:        "latest",
+				PullPolicy: corev1.PullAlways,
+			},
+		},
 	}
 
 	tests := []struct {
@@ -100,6 +119,20 @@ func TestInstanaAgent_Default(t *testing.T) {
 						Replicas: 3,
 					},
 				},
+				AutotraceWebhook: AutotraceWebhookSpec{
+					Name:    "instana-autotrace-webhook",
+					Enabled: false,
+					Instrumentation: Instrumentation{
+						Image:           "icr.io/instana/instrumentation:latest",
+						ImagePullPolicy: "IfNotPresent",
+					},
+					Replicas: 1,
+					ImageSpec: ImageSpec{
+						Name:       "containers.instana.io/instana/release/agent/instana-autotrace-webhook",
+						Tag:        "latest",
+						PullPolicy: corev1.PullAlways,
+					},
+				},
 			},
 		},
 		{

ci/pr-pipeline.yml

@@ -314,7 +314,7 @@ jobs:
     plan:
       - get: pipeline-source
         trigger: true
-        passed: [self-update, build-e2e-operator-base-image]
+        passed: [self-update]
       - get: agent-operator-version
         trigger: true
       - load_var: agent-operator-version

config/manifests/bases/instana-agent-operator.clusterserviceversion.yaml

@@ -236,6 +236,7 @@ spec:
           - get
           - list
           - watch
+          - create
         - apiGroups:
           - ""
           resources:

config/rbac/role.yaml

@@ -9,6 +9,30 @@ rules:
   - /version
   verbs:
   - get
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - apiextensions.k8s.io
   resources:
@@ -72,7 +96,6 @@ rules:
   - configmaps
   - endpoints
   - events
-  - namespaces
   - nodes
   - nodes/metrics
   - nodes/stats

config/samples/instana_v1_extended_instanaagent.yaml

@@ -227,3 +227,18 @@ spec:
           memory: 3072Mi
           # kubernetes.deployment.pod.limits.cpu sets the CPU units allocation limits for the agent pods.
           cpu: 4
+
+  # zones:
+  # # Configure use of zones to use tolerations as the basis to associate a specific daemonset per tainted node pool
+  # - name: pool-01
+  #   tolerations:
+  #   - key: "pool"
+  #     operator: "Equal"
+  #     value: "pool-01"
+  #     effect: "NoExecute"
+  # - name: pool-02
+  #   tolerations:
+  #   - key: "pool"
+  #     operator: "Equal"
+  #     value: "pool-02"
+  #     effect: "NoExecute"

controllers/apply.go

@@ -19,6 +19,7 @@ package controllers
 
 import (
 	"context"
+	"fmt"
 
 	instanav1 "github.com/instana/instana-agent-operator/api/v1"
 	agentdaemonset "github.com/instana/instana-agent-operator/pkg/k8s/object/builders/agent/daemonset"
@@ -28,6 +29,12 @@ import (
 	tlssecret "github.com/instana/instana-agent-operator/pkg/k8s/object/builders/agent/secrets/tls-secret"
 	"github.com/instana/instana-agent-operator/pkg/k8s/object/builders/agent/service"
 	agentserviceaccount "github.com/instana/instana-agent-operator/pkg/k8s/object/builders/agent/serviceaccount"
+	webhookdeployment "github.com/instana/instana-agent-operator/pkg/k8s/object/builders/autotrace-mutating-webhook/deployment"
+	webhookrbac "github.com/instana/instana-agent-operator/pkg/k8s/object/builders/autotrace-mutating-webhook/rbac"
+	webhooksecrets "github.com/instana/instana-agent-operator/pkg/k8s/object/builders/autotrace-mutating-webhook/secrets"
+	webhookservice "github.com/instana/instana-agent-operator/pkg/k8s/object/builders/autotrace-mutating-webhook/service"
+	webhooksa "github.com/instana/instana-agent-operator/pkg/k8s/object/builders/autotrace-mutating-webhook/serviceaccount"
+	webhookconfig "github.com/instana/instana-agent-operator/pkg/k8s/object/builders/autotrace-mutating-webhook/webhookconfig"
 	backends "github.com/instana/instana-agent-operator/pkg/k8s/object/builders/common/backends"
 	"github.com/instana/instana-agent-operator/pkg/k8s/object/builders/common/builder"
 	k8ssensorconfigmap "github.com/instana/instana-agent-operator/pkg/k8s/object/builders/k8s-sensor/configmap"
@@ -109,11 +116,40 @@ func (r *InstanaAgentReconciler) applyResources(
 
 	builders = append(builders, getK8sSensorDeployments(agent, isOpenShift, statusManager, k8SensorBackends)...)
 
+	if agent.Spec.AutotraceWebhook.Enabled {
+		var webhookCertBuilder, webhookWebhookConfigBuilder builder.ObjectBuilder
+		caCertPem, serverCertPem, serverKeyPem, err := webhooksecrets.GenerateCerts()
+		if err == nil {
+			webhookCertBuilder = webhooksecrets.NewCertBuilder(agent, isOpenShift, caCertPem, serverCertPem, serverKeyPem)
+			webhookWebhookConfigBuilder = webhookconfig.NewWebhookConfigBuilder(agent, isOpenShift, caCertPem)
+		}
+
+		webhookBuilder := webhookdeployment.NewWebhookBuilder(agent, isOpenShift, statusManager)
+		// webhookNsBuilder := webhookns.NewNamespaceBuilder(agent)
+		webhookServiceBuilder := webhookservice.NewServiceBuilder(agent)
+		webhookSaBuilder := webhooksa.NewServiceAccountBuilder(agent)
+		webhookClusterRoleBuilder := webhookrbac.NewClusterRoleBuilder(agent)
+		webhookClusterRoleBindingBuilder := webhookrbac.NewClusterRoleBindingBuilder(agent)
+		webhookWebhookPullSecret := webhooksecrets.NewDownloadSecretBuilder(agent)
+		builders = append(
+			builders,
+			webhookBuilder,
+			// webhookNsBuilder,
+			webhookServiceBuilder,
+			webhookSaBuilder,
+			webhookClusterRoleBuilder,
+			webhookClusterRoleBindingBuilder,
+			webhookCertBuilder,
+			webhookWebhookConfigBuilder,
+			webhookWebhookPullSecret,
+		)
+	}
+
 	if err := operatorUtils.ApplyAll(builders...); err != nil {
 		log.Error(err, "failed to apply kubernetes resources for agent")
 		return reconcileFailure(err)
 	}
 
-	log.V(1).Info("successfully applied kubernetes resources for agent")
+	fmt.Println("successfully applied kubernetes resources for agent")
 	return reconcileContinue()
 }

controllers/instanaagent_controller.go

@@ -160,7 +160,7 @@ func (r *InstanaAgentReconciler) reconcile(
 // adding role property required to manage instana-agent-k8sensor ClusterRole
 // +kubebuilder:rbac:urls=/version;/healthz,verbs=get
 // +kubebuilder:rbac:groups=extensions,resources=deployments;replicasets;ingresses,verbs=get;list;watch
-// +kubebuilder:rbac:groups=core,resources=configmaps;events;services;endpoints;namespaces;nodes;pods;pods/log;replicationcontrollers;resourcequotas;persistentvolumes;persistentvolumeclaims;nodes/metrics;nodes/stats,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=configmaps;events;services;endpoints;nodes;pods;pods/log;replicationcontrollers;resourcequotas;persistentvolumes;persistentvolumeclaims;nodes/metrics;nodes/stats,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=daemonsets;deployments;replicasets;statefulsets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=batch,resources=cronjobs;jobs,verbs=get;list;watch
 // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch
@@ -169,6 +169,10 @@ func (r *InstanaAgentReconciler) reconcile(
 // +kubebuilder:rbac:groups=security.openshift.io,resourceNames=privileged,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups=policy,resourceNames=instana-agent-k8sensor,resources=podsecuritypolicies,verbs=use
 
+//adding role property required to manager instana-autotrace-webhook
+// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
+
 func (r *InstanaAgentReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 	res ctrl.Result,
 	reconcileErr error,