OpenShift Builds / BUILD-707

Operator: Add Conversion Webhook with CA Manager Strategies

    • Type: Story
    • Resolution: Done
    • Priority: Major
    • SECFLOWOTL-24 - Openshift Builds (Shipwright) : GA v1.0
    • Pipeline Integrations #3245

      Story (Required)

      <Describes high level purpose and goal for this story. Answers the questions: Who is impacted, what is it and why do we need it? How does it improve the customer’s experience?>

      As a cluster admin trying to install Shipwright Builds I want the operator to deploy and manage its conversion webhook so that I can use the v1beta1 API.

      Background (Required)

      <Describes the context or background related to this story>

      When BUILD-648 is complete, Shipwright Builds will deploy a conversion webhook that requires a certificate authority to communicate with the Kubernetes apiserver. Builds is not opinionated about how that CA is generated.

      The upstream operator should be enhanced to deploy the conversion webhook and give the admin options for how the CA is generated and managed. For MVP, the operator should provide the following options:

      1. Self-managed: Admins must provide the TLS certificate authority and keypair in a pre-defined location.
      2. OpenShift: use OpenShift's mechanisms for injecting service certificate authorities.

      Out of scope

      <Defines what is not included in this story>

      1. Support for cert-manager - this should be a follow-up enhancement taken up by the community.

      Approach (Required)

      <Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>

      OPEN QUESTION: Does OLM handle CAs for webhooks if we are on OpenShift?

      1. Update the operator's release.yaml to a nightly build that includes the conversion webhook
      2. Extend the `ShipwrightBuild` operator's API to let the webhook CA be configurable, using a Strategy pattern
      3. Implement the following CA strategies:
        1. Self - self managed
        2. OpenShift - use OpenShift CA injection labels

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      <Describe edge cases to consider when implementing the story and defining tests>

      <Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>

      • "Self" - operator deploys webhook with self-managed certificate authorities
      • "OpenShift" - operator deploys webhook with OpenShift managed certificate authorities
      • The operator reports the "Available: True" status condition if the build controller and conversion webhook have been deployed with valid configurations
      • The operator reports the "Available: False" status condition if either the build controller or the webhook are not deployed with valid configurations.

      INVEST Checklist

      Dependencies identified

      Blockers noted and expected delivery timelines set

      Design is implementable

      Acceptance criteria agreed upon

      Story estimated

      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation has been delivered and is running cleanly in a continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) are able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

              jkhelil abdeljawed khelil
              adkaplan@redhat.com Adam Kaplan