frr-k8s: Only render ValidatingWebhookConfiguration when CA is available

ricky-rav · ricky-rav · commit d653c928662d · 2025-12-17T15:30:16.000+01:00
The ValidatingWebhookConfiguration requires a valid caBundle to verify
the webhook's TLS certificate. The caBundle comes from a ConfigMap
created by the OperatorPKI controller.

On the first reconcile, the OperatorPKI CR is created but the CA
ConfigMap doesn't exist yet. If we render the VWC with an empty
caBundle, the API server will reject all webhook calls with:

  x509: certificate signed by unknown authority

Fix this by only rendering the VWC when the CA bundle is available.
CNO will keep reconciling, and once the OperatorPKI generates the CA
ConfigMap, the next reconcile will render the VWC with the correct
caBundle.

Signed-off-by: Riccardo Ravaioli &lt;rravaiol@redhat.com&gt;
diff --git a/bindata/network/frr-k8s/webhook.yaml b/bindata/network/frr-k8s/webhook.yaml
@@ -9,6 +9,7 @@ spec:
     targetPort: webhook
   selector:
     component: frr-k8s-statuscleaner
+{{- if .FRRK8sWebhookCABundle }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -36,3 +37,4 @@ webhooks:
     resources:
     - frrconfigurations
   sideEffects: None
+{{- end }}
diff --git a/pkg/network/render_test.go b/pkg/network/render_test.go
@@ -638,7 +638,8 @@ func Test_renderAdditionalRoutingCapabilities(t *testing.T) {
 					},
 				},
 			},
-			want:        21, // 19 original + 2 OperatorPKI (webhook + metrics)
+			// 19 original + 2 OperatorPKI (webhook + metrics) - 1 VWC (not rendered without CA bundle)
+			want:        20,
 			expectedErr: nil,
 		},
 	}
