[BUG] Namespace-level injection documented but not implemented

[bgruszka]

Bug Report

Description

The documentation describes namespace-level sidecar injection via the ctxforge.io/injection: enabled label, but the webhook implementation doesn't actually check namespace labels - it only checks pod annotations.

Current Behavior

The webhook only injects when a pod has the annotation:

annotations:
  ctxforge.io/enabled: "true"

Namespace labels like ctxforge.io/injection: enabled are ignored by the webhook logic.

Expected Behavior (per docs)

According to website/content/docs/configuration.md:

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    ctxforge.io/injection: enabled

To inject sidecars into all pods in a namespace (without requiring annotations)

Pods in this namespace should automatically get the sidecar injected.

Root Cause

File: internal/webhook/v1/pod_webhook.go:119-125

func (d *PodCustomDefaulter) shouldInject(pod *corev1.Pod) bool {
	if pod.Annotations == nil {
		return false
	}
	enabled, ok := pod.Annotations[AnnotationEnabled]
	return ok && enabled == AnnotationValueTrue
}

The shouldInject function only checks pod annotations. It does not:

• Have access to the namespace object
• Check the namespace's ctxforge.io/injection label
• Support namespace-level opt-in

Impact

• Documentation is misleading
• Users following the docs will expect namespace-level injection to work but it doesn't
• Test tests/e2e/propagation_test.go:904 is skipped with comment: "Namespace-level injection not implemented yet - requires webhook namespace label selector"

What Works vs What Doesn't

✅ Works:

• Webhook namespace selector (prevents injection in disabled namespaces)
• Pod-level annotation injection
• Opt-out via pod annotation in disabled namespaces

❌ Doesn't Work:

• Namespace-level opt-in via ctxforge.io/injection: enabled
• Automatic injection for all pods in labeled namespace
• Opt-out via pod annotation in enabled namespaces

Implementation Options

Option 1: Access namespace from admission request

func (d *PodCustomDefaulter) Default(ctx context.Context, obj runtime.Object, req admission.Request) error {
    pod := obj.(*corev1.Pod)
    namespace := req.Namespace
    
    // Check namespace label
    // But: admission.Request doesn't include namespace object, only name
}

Option 2: Query Kubernetes API for namespace

func (d *PodCustomDefaulter) shouldInject(ctx context.Context, pod *corev1.Pod) bool {
    // Query k8s API to get namespace object and check labels
    // Requires: client.Client injection into webhook
}

Option 3: Use admission webhook context

The admission request includes namespace name but not the namespace object. Would need to fetch it.

Acceptance Criteria

• Webhook checks namespace ctxforge.io/injection label
• Pods in ctxforge.io/injection: enabled namespaces get automatic injection
• Pod annotation ctxforge.io/enabled: "false" can opt-out in enabled namespace
• Pod annotation ctxforge.io/enabled: "true" still works (pod-level opt-in)
• E2E test tests/e2e/propagation_test.go:904 passes (un-skip)
• Documentation remains accurate

Related Files

• internal/webhook/v1/pod_webhook.go - Webhook implementation
• deploy/helm/contextforge/templates/webhook.yaml - Webhook configuration
• website/content/docs/configuration.md:200-215 - Documentation
• tests/e2e/propagation_test.go:853-926 - Skipped test

Workaround

Currently, users must add pod-level annotations to every deployment, even in "enabled" namespaces.

Priority

Medium - Documentation bug causing confusion. Feature is documented but not implemented.