DNM: add virt annotation remover webhook

[weshayutin]

Why the changes were made

Unclear atm how quickly the kubevirt org will be able to remove velero annotations:
https://issues.redhat.com/browse/CNV-75370

How to test the changes made

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: dpa-sample
  namespace: openshift-adp
spec:
  kubevirtAnnotationsRemover:
    enable: true
  backupLocations:
  - velero:
      config:

[coderabbitai]

Walkthrough

Adds a new KubeVirt Annotations Remover component: API types and deepcopy support, CRD and CSV manifest updates, RBAC and manager env var, controller reconciliation (Deployment, Service, MutatingWebhookConfiguration), readiness check, and comprehensive unit tests.

Changes

Cohort / File(s)	Summary
API Type & Constants api/v1alpha1/dataprotectionapplication_types.go	Adds KubevirtAnnotationsRemover type with Enable *bool, new KubevirtAnnotationsRemover field on DataProtectionApplicationSpec, readiness constant ConditionKubevirtAnnotationsRemoverReady, and image override constant KubevirtAnnotationsRemoverImageKey.
DeepCopy Generation api/v1alpha1/zz_generated.deepcopy.go	Adds deepcopy methods for KubevirtAnnotationsRemover and updates DataProtectionApplicationSpec.DeepCopyInto to copy the new field.
Operator CSV & CRD Manifests bundle/manifests/oadp-operator.clusterserviceversion.yaml, bundle/manifests/oadp.openshift.io_dataprotectionapplications.yaml	Adds related image entry and env var for kubevirt-annotations-remover, new container reference in CSV, CRD schema field kubevirtAnnotationsRemover, and supports image override key in unsupportedOverrides.
Manager Config & RBAC config/manager/manager.yaml, config/rbac/role.yaml	Adds RELATED_IMAGE_KUBEVIRT_ANNOTATIONS_REMOVER env var to manager config and new RBAC rule granting verbs on mutatingwebhookconfigurations (admissionregistration.k8s.io).
Controller Integration internal/controller/dataprotectionapplication_controller.go	Inserts ReconcileKubevirtAnnotationsRemover into the reconciliation batch.
KubeVirt Annotations Remover Controller internal/controller/kubevirt_annotations_remover.go	New reconciler implementing enablement check, Service (with OpenShift CA annotation), Deployment (builder, image resolution, volumes, security), and cluster-scoped MutatingWebhookConfiguration management; includes cleanup logic, image resolution (env/overrides/default), labels/ownerrefs, and events.
Readiness internal/controller/readiness.go	Adds readiness condition updater for the KubeVirt Annotations Remover deployment and includes it in overall readiness aggregation.
Tests internal/controller/kubevirt_annotations_remover_test.go	Adds Ginkgo/Gomega test suite covering reconciliation flows, deployment building, image resolution, enablement checks, and error scenarios with event assertions.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: weshayutin
Once this PR has been reviewed and has the lgtm label, please assign kaovilai for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@config/rbac/role.yaml`:
- Around line 38-49: The MutatingWebhookConfiguration RBAC rule grants
unnecessary permissions; edit the role definition in config/rbac/role.yaml and
remove the "list" and "watch" verbs for apiGroups: admissionregistration.k8s.io
/ resources: mutatingwebhookconfigurations so the verbs are exactly "create",
"delete", "get", "patch", "update" (this aligns with how
internal/controller/kubevirt_annotations_remover.go uses Get (line ~75), Delete
(line ~84) and CreateOrUpdate (around line ~418) for the fixed-name webhook).

🧹 Nitpick comments (2)

internal/controller/kubevirt_annotations_remover_test.go (1)

532-543: Use strings.Contains instead of custom helpers.

The containsStr and containsSubstring functions duplicate functionality provided by Go's standard library strings.Contains.

♻️ Suggested simplification

+import "strings"

-func containsStr(s, substr string) bool {
-	return len(s) >= len(substr) && (s == substr || len(s) > 0 && containsSubstring(s, substr))
-}
-
-func containsSubstring(s, substr string) bool {
-	for i := 0; i <= len(s)-len(substr); i++ {
-		if s[i:i+len(substr)] == substr {
-			return true
-		}
-	}
-	return false
-}

Then replace containsStr(err.Error(), tt.errorContains) with strings.Contains(err.Error(), tt.errorContains).

internal/controller/kubevirt_annotations_remover.go (1)

72-72: Remove unused log parameters.

The log parameter is declared but unused in these functions. Either use the logger for debugging/tracing or remove the parameter.

♻️ Option 1: Remove unused parameters

-func (r *DataProtectionApplicationReconciler) cleanupKubevirtAnnotationsRemover(log logr.Logger) (bool, error) {
+func (r *DataProtectionApplicationReconciler) cleanupKubevirtAnnotationsRemover() (bool, error) {

-func (r *DataProtectionApplicationReconciler) reconcileKubevirtAnnotationsRemoverService(log logr.Logger) error {
+func (r *DataProtectionApplicationReconciler) reconcileKubevirtAnnotationsRemoverService() error {

-func (r *DataProtectionApplicationReconciler) reconcileKubevirtAnnotationsRemoverDeployment(log logr.Logger) error {
+func (r *DataProtectionApplicationReconciler) reconcileKubevirtAnnotationsRemoverDeployment() error {

-func (r *DataProtectionApplicationReconciler) reconcileKubevirtAnnotationsRemoverWebhook(log logr.Logger) error {
+func (r *DataProtectionApplicationReconciler) reconcileKubevirtAnnotationsRemoverWebhook() error {

And update the callers in ReconcileKubevirtAnnotationsRemover accordingly.

Also applies to: 182-182, 239-239, 407-407

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, find the overall structure and locate the controller code
fd --type f -e go | head -20

Repository: openshift/oadp-operator

Length of output: 925

---

🏁 Script executed:

# Search for MutatingWebhookConfiguration usage in Go files
rg -n 'MutatingWebhookConfiguration' --type go -A 3 -B 3

Repository: openshift/oadp-operator

Length of output: 5404

---

🏁 Script executed:

# Search for List and Watch patterns related to MutatingWebhookConfiguration
rg -n '(List|Watch).*MutatingWebhookConfiguration|MutatingWebhookConfiguration.*(List|Watch)' --type go -A 2 -B 2

Repository: openshift/oadp-operator

Length of output: 49

---

🏁 Script executed:

# Check for client operations on MutatingWebhookConfiguration
rg -n 'mutatingwebhookconfigurations|webhook.*config' --type go -i -A 2 | head -50

Repository: openshift/oadp-operator

Length of output: 4585

---

Remove unnecessary list and watch verbs from MutatingWebhookConfiguration RBAC rule.

The controller in internal/controller/kubevirt_annotations_remover.go manages only a single webhook configuration by fixed name (see line 405-406). The actual operations used are: get (line 75), delete (line 84), and create/update/patch via CreateOrUpdate (line 418). The list and watch verbs are not used and should be removed to maintain least privilege.

Update the verbs to: create, delete, get, patch, update.

🧰 Tools

🪛 Trivy (0.69.1)

[error] 38-49: Manage webhookconfigurations

ClusterRole 'manager-role' should not have access to resources ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"]

Rule: KSV-0114

Learn more

(IaC/Kubernetes)

🤖 Prompt for AI Agents

In `@config/rbac/role.yaml` around lines 38 - 49, The MutatingWebhookConfiguration
RBAC rule grants unnecessary permissions; edit the role definition in
config/rbac/role.yaml and remove the "list" and "watch" verbs for apiGroups:
admissionregistration.k8s.io / resources: mutatingwebhookconfigurations so the
verbs are exactly "create", "delete", "get", "patch", "update" (this aligns with
how internal/controller/kubevirt_annotations_remover.go uses Get (line ~75),
Delete (line ~84) and CreateOrUpdate (around line ~418) for the fixed-name
webhook).

[weshayutin]

/retest

[openshift-ci]

@weshayutin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/5.0-e2e-test-aws	85f8a90	link	false	/test 5.0-e2e-test-aws
ci/prow/4.21-e2e-test-cli-aws	85f8a90	link	false	/test 4.21-e2e-test-cli-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.