From 78d1e5745bd8dcdf82d79084ece074ca48172011 Mon Sep 17 00:00:00 2001
From: IsaiahStapleton
Date: Thu, 22 Jan 2026 12:11:25 -0500
Subject: [PATCH] Add class label webhook for prod We're running courses in both prod and edu and need the webhook for both so we need to separate their deployment manifests since they require different env variables
Signed-off-by: IsaiahStapleton
---
.../assign-class-label-prod/certificate.yaml | 12 ++++++
.../assign-class-label-prod/deployment.yaml | 40 +++++++++++++++++++
webhooks/assign-class-label-prod/issuer.yaml | 6 +++
.../kustomization.yaml | 15 +++++++
webhooks/assign-class-label-prod/role.yaml | 8 ++++
.../assign-class-label-prod/rolebinding.yaml | 12 ++++++
webhooks/assign-class-label-prod/service.yaml | 10 +++++
.../serviceaccount.yaml | 5 +++
.../webhook-config.yaml | 32 +++++++++++++++
9 files changed, 140 insertions(+)
create mode 100644 webhooks/assign-class-label-prod/certificate.yaml
create mode 100644 webhooks/assign-class-label-prod/deployment.yaml
create mode 100644 webhooks/assign-class-label-prod/issuer.yaml
create mode 100644 webhooks/assign-class-label-prod/kustomization.yaml
create mode 100644 webhooks/assign-class-label-prod/role.yaml
create mode 100644 webhooks/assign-class-label-prod/rolebinding.yaml
create mode 100644 webhooks/assign-class-label-prod/service.yaml
create mode 100644 webhooks/assign-class-label-prod/serviceaccount.yaml
create mode 100644 webhooks/assign-class-label-prod/webhook-config.yaml
diff --git a/webhooks/assign-class-label-prod/certificate.yaml b/webhooks/assign-class-label-prod/certificate.yaml
new file mode 100644
index 0000000..fb48405
--- /dev/null
+++ b/webhooks/assign-class-label-prod/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: assign-class-label-tls
+spec:
+ secretName: assign-class-label-tls
+ issuerRef:
+ name: assign-class-label-issuer
+ kind: Issuer
+ commonName: "rhods-notebooks.svc"
+ dnsNames:
+ - assign-class-label-webhook.rhods-notebooks.svc
diff --git a/webhooks/assign-class-label-prod/deployment.yaml b/webhooks/assign-class-label-prod/deployment.yaml
new file mode 100644
index 0000000..d51a2c8
--- /dev/null
+++ b/webhooks/assign-class-label-prod/deployment.yaml
@@ -0,0 +1,40 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: assign-class-label-webhook
+spec:
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ app: assign-class-label-webhook
+ webhook: "true"
+ spec:
+ containers:
+ - name: assign-class-label
+ image: quay.io/rh-ee-istaplet/ope-webhooks:assign-class-label-webhook
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 443
+ volumeMounts:
+ - name: tls
+ mountPath: /certs/webhook.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: tls
+ mountPath: /certs/webhook.key
+ subPath: tls.key
+ readOnly: true
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ env:
+ # EDIT VALUE HERE BEFORE RUNNING, must be comma separated
+ - name: RHOAI_CLASS_GROUPS
+ value: "cs210,ds100"
+ serviceAccountName: webhook-sa
+ volumes:
+ - name: tls
+ secret:
+ secretName: assign-class-label-tls
diff --git a/webhooks/assign-class-label-prod/issuer.yaml b/webhooks/assign-class-label-prod/issuer.yaml
new file mode 100644
index 0000000..1efd34c
--- /dev/null
+++ b/webhooks/assign-class-label-prod/issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: assign-class-label-issuer
+spec:
+ selfSigned: {}
diff --git a/webhooks/assign-class-label-prod/kustomization.yaml b/webhooks/assign-class-label-prod/kustomization.yaml
new file mode 100644
index 0000000..efd305c
--- /dev/null
+++ b/webhooks/assign-class-label-prod/kustomization.yaml
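Review bot: Renewal of the certificate defined in certificate.yaml is not handled end to end: deployment.yaml in this patch mounts `tls.crt` and `tls.key` from `assign-class-label-tls` with `subPath`, and subPath mounts do not receive Secret updates, so the webhook pods would keep serving the old certificate after cert-manager rotates it until they are restarted. Because the issuer is self-signed and the CA bundle is injected from this same secret, a stale serving certificate can eventually fail TLS verification on admission calls. Mounting the secret as a directory (`mountPath: /certs` with no `subPath`) and reloading the files in the server, or documenting a restart on renewal, would close the gap. The paths the server reads are not visible in this patch, so the directory layout would need to match what it expects.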
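Review bot: The container image in deployment.yaml is referenced by a mutable tag, `quay.io/rh-ee-istaplet/ope-webhooks:assign-class-label-webhook`, with `imagePullPolicy: Always`, so every pod restart runs whatever was last pushed to that repository, and this code mutates pods created in `rhods-notebooks`. Pinning the prod manifest to a digest, `image: quay.io/rh-ee-istaplet/ope-webhooks@sha256:<DIGEST_PLACEHOLDER>`, makes the deployed admission code reviewable and reproducible. The container also sets no `securityContext`; adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` and dropping all capabilities is the usual hardening, assuming the server binds the unprivileged port 5000 that service.yaml targets rather than 443.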
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: rhods-notebooks
+commonLabels:
+ app: assign-class-label-webhook
+
+resources:
+ - issuer.yaml
+ - certificate.yaml
+ - deployment.yaml
+ - service.yaml
+ - webhook-config.yaml
+ - serviceaccount.yaml
+ - role.yaml
+ - rolebinding.yaml
diff --git a/webhooks/assign-class-label-prod/role.yaml b/webhooks/assign-class-label-prod/role.yaml
new file mode 100644
index 0000000..5640af6
--- /dev/null
+++ b/webhooks/assign-class-label-prod/role.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ope-webhook-role
+rules:
+- apiGroups: ["user.openshift.io"]
+ resources: ["pods", "groups"]
+ verbs: ["get", "list", "watch", "patch"]
diff --git a/webhooks/assign-class-label-prod/rolebinding.yaml b/webhooks/assign-class-label-prod/rolebinding.yaml
new file mode 100644
index 0000000..48cebf2
--- /dev/null
+++ b/webhooks/assign-class-label-prod/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ope-webhook-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ope-webhook-role
+subjects:
+- kind: ServiceAccount
+ name: webhook-sa
+ namespace: rhods-notebooks
diff --git a/webhooks/assign-class-label-prod/service.yaml b/webhooks/assign-class-label-prod/service.yaml
new file mode 100644
index 0000000..06bd0d1
--- /dev/null
+++ b/webhooks/assign-class-label-prod/service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: assign-class-label-webhook
+spec:
+ ports:
+ - name: https
+ protocol: TCP
+ port: 443
+ targetPort: 5000
diff --git a/webhooks/assign-class-label-prod/serviceaccount.yaml b/webhooks/assign-class-label-prod/serviceaccount.yaml
new file mode 100644
index 0000000..86983aa
--- /dev/null
+++ b/webhooks/assign-class-label-prod/serviceaccount.yaml
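Review bot: The single rule in role.yaml does not grant what it appears to: `pods` is not a resource in the `user.openshift.io` API group, so that entry is inert, while `patch` on `groups` is granted cluster-wide through the ClusterRoleBinding in rolebinding.yaml. Write access to OpenShift groups lets the `webhook-sa` token change group membership, which matters wherever groups are bound to roles. If the webhook only looks up membership, the rule can be narrowed to `resources: ["groups"]` with `verbs: ["get", "list", "watch"]`; a mutating webhook returns its patch in the AdmissionReview response and normally needs no `patch` verb on pods. Whether the handler writes to groups is not visible in this patch, so confirm against the webhook code before narrowing.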
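Review bot: `targetPort: 5000` in service.yaml does not match the `containerPort: 443` declared in deployment.yaml. `containerPort` is informational, so traffic goes to 5000 regardless, but the manifest then misstates the listening port for anyone writing a NetworkPolicy or auditing exposure from it. Changing the deployment to `- containerPort: 5000`, or to whichever port the server really binds, keeps the two files consistent.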
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: webhook-sa
+ namespace: rhods-notebooks
diff --git a/webhooks/assign-class-label-prod/webhook-config.yaml b/webhooks/assign-class-label-prod/webhook-config.yaml
new file mode 100644
index 0000000..978be1c
--- /dev/null
+++ b/webhooks/assign-class-label-prod/webhook-config.yaml
@@ -0,0 +1,32 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: assign-class-label-webhook
+ annotations:
+ cert-manager.io/inject-ca-from: rhods-notebooks/assign-class-label-tls
+webhooks:
+- name: assign-class-label-webhook.rhods-notebooks.svc
+ clientConfig:
+ service:
+ namespace: rhods-notebooks
+ name: assign-class-label-webhook
+ path: /mutate
+ rules:
+ - operations: ["CREATE"]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - rhods-notebooks
+ objectSelector:
+ matchExpressions:
+ - key: webhook
+ operator: NotIn
+ values:
+ - "true"
+ sideEffects: None
+ admissionReviewVersions: ["v1"]
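Review bot: The webhook entry in webhook-config.yaml sets neither `failurePolicy` nor `timeoutSeconds`, so it inherits the v1 defaults (`Fail`, 10 seconds) and an outage of both webhook replicas blocks pod creation in `rhods-notebooks`. Stating the choice explicitly, for example `failurePolicy: Fail` with `timeoutSeconds: 5`, documents that fail-closed is intended for prod. Separately, the `objectSelector` exempts every pod labelled `webhook: "true"`, not only the webhook's own pods, so whoever can set labels on a pod in that namespace can opt out of the mutation. If the class label feeds policy or accounting, a project-specific label key reserved for the webhook deployment would narrow that exemption.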