Skip to content

[dmt] add webhook configuration annotations lint rule#412

Open
diyliv wants to merge 13 commits into
mainfrom
feature/webhook-config-annotations-lint
Open

[dmt] add webhook configuration annotations lint rule#412
diyliv wants to merge 13 commits into
mainfrom
feature/webhook-config-annotations-lint

Conversation

@diyliv

@diyliv diyliv commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Summary

  • WebhookConfiguration annotations rule (webhook_configuration.go): checks that every ValidatingWebhookConfiguration / MutatingWebhookConfiguration resource has at least one of the annotations werf.io/weight or werf.io/deploy-dependency. If neither annotation is present — error.
  • Resource discovery: iterates GetStorage(), filters by kind ValidatingWebhookConfiguration or MutatingWebhookConfiguration. Non-webhook resources are skipped.
  • Annotation check: accesses object.Unstructured.GetAnnotations() directly on the unstructured object. Presence of either werf.io/weight or werf.io/deploy-dependency satisfies the rule.
  • Error context: each error is tied to the specific object via errorList.WithObjectID() and the source file via errorList.WithFilePath().
  • Config wiring: added WebhookConfigurationRule RuleConfig + WebhookConfiguration KindRuleExcludeList to runtime config (pkg/config.go), YAML config (pkg/config/linters_settings.go), and global overrides (pkg/config/global/global.go). Level mapping in mapTemplatesRules() and exclusion mapping in mapTemplatesExclusionsAndSettings() (internal/module/module.go).
  • Registration: NewWebhookConfigurationRule(...).ValidateWebhookConfigurationAnnotations(...) call added to the Run() method of the templates linter (templates.go).
  • Tests: 8 test scenarios covering both annotations present, only weight, only deploy-dependency, neither annotation, MutatingWebhookConfiguration, skipping non-webhook kinds, excluded resource, excluded resource not affecting others.

Context

Without werf.io/weight or werf.io/deploy-dependency annotations, webhook configurations may deploy in an undefined order or without proper dependency ordering. These annotations control werf's deploy sequencing: werf.io/weight sets explicit ordering priority, while werf.io/deploy-dependency declares a dependency on another resource. The rule ensures that every webhook configuration explicitly declares its place in the deploy order.

Example

ValidatingWebhookConfiguration without annotations:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: my-webhook
webhooks:
  - name: check.example.com
    ...

Result: error — ValidatingWebhookConfiguration "my-webhook" must have either "werf.io/weight" or "werf.io/deploy-dependency" annotation.

Fixed version:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: my-webhook
  annotations:
    werf.io/weight: "10"
webhooks:
  - name: check.example.com
    ...

Excluding resources

Per-resource exclusion via KindRuleExclude (kind + name). Disable the rule entirely by setting impact to ignored.

linters-settings:
  templates:
    rules:
      webhook-configuration-annotations:
        impact: error                      # error (default) | warn | ignored
    exclude-rules:
      webhook-configuration-annotations:
        - kind: ValidatingWebhookConfiguration
          name: istio-sidecar-injector     # managed externally, no werf annotations
        - kind: MutatingWebhookConfiguration
          name: cert-manager-webhook       # managed by cert-manager operator

@diyliv
add webhook configuration annotations lint rule
d8cea88 
Check that ValidatingWebhookConfiguration and
MutatingWebhookConfiguration resources have either werf.io/weight or
werf.io/deploy-dependency annotation for proper deploy ordering.

Signed-off-by: diyliv <onlogn081@gmail.com>
@diyliv diyliv force-pushed the feature/webhook-config-annotations-lint branch from 016450e to d8cea88 Compare June 26, 2026 10:28
@diyliv diyliv changed the title add webhook configuration annotations lint rule [dmt] add webhook configuration annotations lint rule Jun 26, 2026
@diyliv diyliv self-assigned this Jun 26, 2026
@diyliv diyliv added enhancement New feature or request go Pull requests that update go code labels Jun 26, 2026
diyliv added 7 commits June 26, 2026 13:31
@diyliv
fix golangci-lint: gofumpt formatting and gci import grouping
e5f119d 
Signed-off-by: diyliv <onlogn081@gmail.com>
@diyliv
add webhook-configuration-annotations to templates linter documentation
f4edefd 
Signed-off-by: diyliv <onlogn081@gmail.com>
@diyliv
change webhook configuration annotations rule to warning level
581b38f 
Signed-off-by: diyliv <onlogn081@gmail.com>
@diyliv
make webhook configuration annotations rule configurable via dmtlint.…
74cd9d3 
…yaml

Use Errorf in the rule so impact level can be escalated to error.
Default to warn when neither global nor module config sets the rule level.

Signed-off-by: diyliv <onlogn081@gmail.com>
@diyliv
document dmtlint.yaml configuration for webhook rule impact level and…
55eac59 
… exclusions

Signed-off-by: diyliv <onlogn081@gmail.com>
@diyliv
make webhook rule always default to warn, fix config filename in docs
1f39e47 
Signed-off-by: diyliv <onlogn081@gmail.com>
@diyliv
use standard SetLevel pattern instead of hardcoded warn default
3babd14 
Signed-off-by: diyliv <onlogn081@gmail.com>
@diyliv diyliv force-pushed the feature/webhook-config-annotations-lint branch from 9dc3168 to 3babd14 Compare June 26, 2026 10:56
@diyliv
add e2e tests for webhook configuration annotations rule
497466d 
Signed-off-by: diyliv <onlogn081@gmail.com>
ilya-lesikov
ilya-lesikov reviewed Jun 26, 2026
View reviewed changes
Comment thread pkg/linters/templates/README.md Outdated
Comment thread pkg/linters/templates/README.md
diyliv added 2 commits June 26, 2026 18:07
@diyliv
mention deploy-dependency before weight, improve Why it matters docs
04781cb 
Signed-off-by: diyliv <onlogn081@gmail.com>
@diyliv
fix deploy-dependency prefix match
b62906b 
Signed-off-by: diyliv <onlogn081@gmail.com>
@diyliv diyliv force-pushed the feature/webhook-config-annotations-lint branch from 50a2f5b to b62906b Compare June 29, 2026 11:13
diyliv added 2 commits June 29, 2026 14:17
@diyliv
fix e2e expected message
15ba71f 
Signed-off-by: diyliv <onlogn081@gmail.com>
@diyliv
remove ignored from webhook docs
e836901 
Signed-off-by: diyliv <onlogn081@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ilya-lesikov ilya-lesikov ilya-lesikov left review comments

Assignees

@diyliv diyliv

Labels

enhancement New feature or request go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@diyliv @ilya-lesikov