Initial implementation

Signed-off-by: Magnus Ullberg <magnus@ullberg.us>

Author: ullbergm

.devcontainer/Dockerfile

@@ -21,6 +21,13 @@ RUN OC_VERSION=latest \
     && rm /tmp/openshift-client-linux.tar.gz \
     && chmod +x /usr/local/bin/oc /usr/local/bin/kubectl
 
+# Install OpenShift CLI (oc)
+RUN OC_VERSION=latest \
+    && curl -sSL -o /tmp/openshift-client-linux.tar.gz "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz" \
+    && tar -xzf /tmp/openshift-client-linux.tar.gz -C /usr/local/bin oc kubectl \
+    && rm /tmp/openshift-client-linux.tar.gz \
+    && chmod +x /usr/local/bin/oc /usr/local/bin/kubectl
+
 CMD sleep infinity
 
 ENTRYPOINT []

.devcontainer/post-install.sh

@@ -17,3 +17,15 @@ if ! command -v golangci-lint >/dev/null 2>&1; then
 	rm -rf /tmp/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64* golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz || true
 	echo "golangci-lint installed"
 fi
+
+# Install OpenShift CLI if not present
+if ! command -v oc >/dev/null 2>&1; then
+	echo "oc not found, installing OpenShift CLI"
+	apt-get update || true
+	apt-get install -y --no-install-recommends ca-certificates curl || true
+	curl -sSL -o /tmp/openshift-client-linux.tar.gz "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz" || true
+	tar -xzf /tmp/openshift-client-linux.tar.gz -C /usr/local/bin oc kubectl || true
+	rm /tmp/openshift-client-linux.tar.gz || true
+	chmod +x /usr/local/bin/oc /usr/local/bin/kubectl || true
+	echo "oc installed"
+fi

.github/workflows/release.yml

@@ -14,6 +14,7 @@ on:
 env:
   REGISTRY: ghcr.io
   CONTROLLER_IMAGE: ghcr.io/${{ github.repository }}
+  WEBHOOK_IMAGE: ghcr.io/${{ github.repository_owner }}/object-lease-webhook
   OPERATOR_IMAGE: ghcr.io/${{ github.repository_owner }}/object-lease-operator-controller
   PLUGIN_IMAGE: ghcr.io/${{ github.repository_owner }}/object-lease-console-plugin
   BUNDLE_IMAGE: ghcr.io/${{ github.repository_owner }}/object-lease-operator-bundle
@@ -89,6 +90,50 @@ jobs:
             ${{ env.CONTROLLER_IMAGE }}:${{ needs.prepare.outputs.version_tag }} \
             --tag ${{ env.CONTROLLER_IMAGE }}:latest
 
+  build-webhook:
+    name: Build and Push Webhook
+    needs: prepare
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Run Tests
+        run: make test
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and Push Webhook Image
+        run: |
+          make webhook-buildx \
+            WEBHOOK_IMG=${{ env.WEBHOOK_IMAGE }}:${{ needs.prepare.outputs.version_tag }} \
+            PLATFORMS=${{ env.PLATFORMS }}
+
+      - name: Tag Latest
+        run: |
+          docker buildx imagetools create \
+            ${{ env.WEBHOOK_IMAGE }}:${{ needs.prepare.outputs.version_tag }} \
+            --tag ${{ env.WEBHOOK_IMAGE }}:latest
+
   build-plugin:
     name: Build and Push Console Plugin
     needs: prepare
@@ -140,7 +185,7 @@ jobs:
 
   build-operator:
     name: Build and Push Operator
-    needs: [prepare, build-controller]
+    needs: [prepare, build-controller, build-webhook]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -241,7 +286,7 @@ jobs:
 
   create-release:
     name: Create GitHub Release
-    needs: [prepare, build-controller, build-plugin, build-operator, build-bundle, build-catalog]
+    needs: [prepare, build-controller, build-webhook, build-plugin, build-operator, build-bundle, build-catalog]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -261,6 +306,7 @@ jobs:
           ### Container Images
 
           - **Controller**: `${{ env.CONTROLLER_IMAGE }}:${{ needs.prepare.outputs.version_tag }}`
+          - **Webhook**: `${{ env.WEBHOOK_IMAGE }}:${{ needs.prepare.outputs.version_tag }}`
           - **Console Plugin**: `${{ env.PLUGIN_IMAGE }}:${{ needs.prepare.outputs.version_tag }}`
           - **Operator**: `${{ env.OPERATOR_IMAGE }}:${{ needs.prepare.outputs.version_tag }}`
           - **Bundle**: `${{ env.BUNDLE_IMAGE }}:${{ needs.prepare.outputs.version_tag }}`

Dockerfile.webhook

@@ -0,0 +1,26 @@
+# Build stage
+FROM golang:1.23 AS builder
+
+WORKDIR /workspace
+
+# Copy go mod files
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source code
+COPY cmd/ cmd/
+COPY pkg/ pkg/
+
+# Build the webhook binary
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o webhook cmd/webhook/main.go
+
+# Runtime stage
+FROM gcr.io/distroless/static:nonroot
+
+WORKDIR /
+
+COPY --from=builder /workspace/webhook .
+
+USER 65532:65532
+
+ENTRYPOINT ["/webhook"]

Makefile

@@ -4,6 +4,7 @@
 
 # Image configurations
 IMG ?= ghcr.io/ullbergm/object-lease-controller:v1.0.0
+WEBHOOK_IMG ?= ghcr.io/ullbergm/object-lease-webhook:v1.0.0
 PLUGIN_IMG ?= ghcr.io/ullbergm/object-lease-console-plugin:v1.0.0
 
 # Build configurations
@@ -73,6 +74,13 @@ fuzz:
 build: tidy fmt vet test ## Build the binary
 	go build -o $(BUILD_DIR)/$(BINARY_NAME) ./cmd/main.go
 
+.PHONY: build-webhook
+build-webhook: tidy fmt vet test ## Build the webhook binary
+	go build -o $(BUILD_DIR)/lease-webhook ./cmd/webhook/main.go
+
+.PHONY: build-all
+build-all: build build-webhook ## Build all binaries
+
 .PHONY: run
 run: build ## Run the application locally
 	./$(BUILD_DIR)/$(BINARY_NAME) \
@@ -85,6 +93,10 @@ run: build ## Run the application locally
 # 		-opt-in-label-value true \
 		-zap-log-level debug
 
+.PHONY: run-webhook
+run-webhook: build-webhook ## Run the webhook server locally (insecure mode)
+	./$(BUILD_DIR)/lease-webhook -insecure -webhook-port 8443
+
 # =============================================================================
 # Docker Targets - Main Controller
 # =============================================================================
@@ -104,6 +116,25 @@ docker-buildx: ## Build and push multi-platform Docker image for main controller
 	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag $(IMG) -f Dockerfile .
 	- $(CONTAINER_TOOL) buildx rm project-v3-builder
 
+# =============================================================================
+# Docker Targets - Webhook
+# =============================================================================
+
+.PHONY: webhook-build
+webhook-build: ## Build Docker image for webhook
+	$(CONTAINER_TOOL) build -t $(WEBHOOK_IMG) -f Dockerfile.webhook .
+
+.PHONY: webhook-push
+webhook-push: webhook-build ## Build and push Docker image for webhook
+	$(CONTAINER_TOOL) push $(WEBHOOK_IMG)
+
+.PHONY: webhook-buildx
+webhook-buildx: ## Build and push multi-platform Docker image for webhook
+	- $(CONTAINER_TOOL) buildx create --name project-v3-builder
+	$(CONTAINER_TOOL) buildx use project-v3-builder
+	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag $(WEBHOOK_IMG) -f Dockerfile.webhook .
+	- $(CONTAINER_TOOL) buildx rm project-v3-builder
+
 # =============================================================================
 # Docker Targets - Console Plugin
 # =============================================================================
@@ -138,5 +169,6 @@ deploy-operator-and-plugin: ## Deploy operator and plugin to Kubernetes
 .PHONY: push-all
 push-all: ## Push all images and operator bundles
 	$(MAKE) docker-push
+	$(MAKE) webhook-push
 	$(MAKE) plugin-push
 	cd object-lease-operator && $(MAKE) docker-build docker-push bundle-push catalog-push && cd ..

README.md

@@ -15,6 +15,7 @@ This project implements a Kubernetes operator that allows you to specify a TTL (
 - Dynamically deploys a controller for each configured GVK.
 - Controllers are only managing one GVK each, increasing scalability.
 - Leader election support for high availability.
+- **Admission webhook** for validating TTL annotation format (optional, per-GVK configuration).
 - Custom cleanup scripts via Kubernetes Jobs before object deletion.
 
 ## Architecture
@@ -49,11 +50,14 @@ kind: LeaseController
 metadata:
   name: deployment-controller
 spec:
-  group: ""
+  group: "apps"
+  version: "v1"
   kind:
     singular: "Deployment"
-    plural: "Deployments"
-  version: "v1"
+    plural: "deployments"
+  webhook:
+    enabled: true           # Optional: Enable admission webhook validation
+    failurePolicy: Ignore   # Optional: "Ignore" (default) or "Fail"
 ```
 
 ### Object annotation
@@ -289,3 +293,14 @@ Details on enabling and namespace participation are documented by Red Hat:
 - [Red Hat Documentation](https://docs.openshift.com/container-platform/latest/monitoring/enabling-monitoring-for-user-defined-projects.html)
 
 That is all you need. Your counters and histogram are already registered on the default registry, so Prometheus will scrape them from `/metrics` on the ServiceMonitor endpoint.
+
+## Admission Webhook
+
+The operator includes an optional **validating admission webhook** that validates TTL annotation format before objects are created or updated. This prevents invalid lease configurations from being applied.
+
+See [docs/webhook.md](docs/webhook.md) for detailed documentation on:
+- Architecture and how it works
+- Configuration options
+- Certificate management
+- Troubleshooting
+- Security considerations