Update Hyper-V mutating webhook to controller-runtime v0.19 (#546)

* Update Hyper-V mutating webhook to controller-runtime v0.19

- Migrate webhook from raw kubebuilder to controller-runtime v0.19 API
- Update Go to 1.24, k8s deps to v0.31.0
- Fix RuntimeClassName nil check and decoder type in webhook.go
- Replace standalone deployment.yaml with Helm chart support
- Make Helm deployment.yaml args and certMountPath configurable
- Add values-hyperv.yaml for controller-runtime webhook overrides
- Use existing webhook image (sigwindowstools/hyperv-runtimeclass-mutating-webhook)

* Fix Hyper-V E2E: pin containerd to v2.1.6 and fix webhook scheduling

- Pin containerd to v2.1.6 when HYPERV=true to avoid SandboxPlatform
  validation bug in containerd >= 2.2.1 (hcsshim >= v0.14.0-rc.1)
- Move apply_hyperv_configuration after apply_hpc_webhook to avoid
  cert-manager conflict
- Deploy hyperv webhook via Helm chart instead of standalone manifests
- Fix webhook pod scheduling: untaint/retaint control-plane nodes

* Exclude Helm templates from yamllint

Helm template files use Go template syntax ({{ }}, {{- }}) which is not
valid YAML. yamllint cannot parse these and reports false syntax errors.
The helm-chart-validation workflow already validates charts with helm lint.

Author: rzlink

.yamllint.yml

@@ -0,0 +1,3 @@
+---
+ignore: |
+  helpers/helm/templates/

capz/run-capz-e2e.sh

@@ -30,6 +30,24 @@ main() {
     export WINDOWS_CONTAINERD_URL="${WINDOWS_CONTAINERD_URL:-"https://github.com/containerd/containerd/releases/download/v1.7.16/containerd-1.7.16-windows-amd64.tar.gz"}"
     export GMSA="${GMSA:-""}" 
     export HYPERV="${HYPERV:-""}"
+
+    # Pin containerd to v2.1.6 for Hyper-V testing to avoid hcsshim SandboxPlatform
+    # validation bug in containerd >= 2.2.1 (hcsshim >= v0.14.0-rc.1).
+    #
+    # Root cause: containerd's config_windows.go sets SandboxIsolation=1 for the
+    # runhcs-wcow-hypervisor runtime but omits SandboxPlatform, making shim options
+    # non-empty. hcsshim PR #2473 added strict validation that calls
+    # platforms.Parse("") on the empty SandboxPlatform, which fails. containerd
+    # v2.1.6 bundles hcsshim v0.13.0 (pre-dates this validation).
+    #
+    # Upstream references:
+    #   - hcsshim validation: https://github.com/microsoft/hcsshim/pull/2473
+    #   - containerd missing default: https://github.com/containerd/containerd/blob/main/internal/cri/config/config_windows.go
+    if [[ "${HYPERV}" == "true" && ("${WINDOWS_CONTAINERD_URL}" == "latest" || -z "${WINDOWS_CONTAINERD_URL}") ]]; then
+        export WINDOWS_CONTAINERD_URL="https://github.com/containerd/containerd/releases/download/v2.1.6/containerd-2.1.6-windows-amd64.tar.gz"
+        log "HYPERV=true: pinning containerd to v2.1.6 to avoid SandboxPlatform bug"
+    fi
+
     export KPNG="${WINDOWS_KPNG:-""}"
     export CALICO_VERSION="${CALICO_VERSION:-"v3.31.0"}"
     export TEMPLATE="${TEMPLATE:-"windows-ci.yaml"}"
@@ -66,8 +84,6 @@ main() {
     wait_for_nodes
     ensure_cloud_provider_taint_on_windows_nodes
     wait_for_windows_machinedeployment
-    if [[ "${HYPERV}" == "true" ]]; then apply_hyperv_configuration; fi
-
     if [[ ${#post_command[@]} -gt 0 ]]; then
         local exit_code
         log "post command detected; skipping default e2e tests"
@@ -77,6 +93,7 @@ main() {
     fi
 
     apply_hpc_webhook
+    if [[ "${HYPERV}" == "true" ]]; then apply_hyperv_configuration; fi
     run_e2e_test
 }
 
@@ -476,41 +493,25 @@ apply_hpc_webhook(){
 }
 
 apply_hyperv_configuration(){
-    set -x
     log "applying configuration for testing hyperv isolated containers"
 
-    log "installing hyperv runtime class"
-    kubectl apply -f "${SCRIPT_ROOT}/../helpers/hyper-v-mutating-webhook/hyperv-runtimeclass.yaml"
-
-    # ensure cert-manager and webhook pods land on Linux nodes
+    # ensure webhook pod lands on Linux control-plane node
     log "untainting control-plane nodes"
     mapfile -t cp_nodes < <(kubectl get nodes | grep control-plane | awk '{print $1}')
     kubectl taint nodes "${cp_nodes[@]}" node-role.kubernetes.io/control-plane:NoSchedule- || true
 
-    log "tainting windows nodes"
-    mapfile -t windows_nodes < <(kubectl get nodes -o wide | grep Windows | awk '{print $1}')
-    kubectl taint nodes "${windows_nodes[@]}" os=windows:NoSchedule
-
-    log "installing cert-manager"
-    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
-
-    log "wait for cert-manager pods to start"
-    timeout 5m kubectl wait --for=condition=ready pod --all -n cert-manager --timeout -1s
-
-    log "installing admission controller webhook"
-    kubectl apply -f "${SCRIPT_ROOT}/../helpers/hyper-v-mutating-webhook/deployment.yaml"
-
-    log "wait for webhook pods to start"
-    timeout 5m kubectl wait --for=condition=ready pod --all -n hyperv-webhook-system  --timeout -1s
+    log "installing hyperv webhook via helm"
+    "$TOOLS_BIN_DIR"/helm install hyperv-webhook "${SCRIPT_ROOT}/../helpers/helm" \
+        -f "${SCRIPT_ROOT}/../helpers/helm/values-hyperv.yaml" \
+        --create-namespace
 
-    log "untainting Windows agent nodes"
-    kubectl taint nodes "${windows_nodes[@]}" os=windows:NoSchedule-
+    log "wait for hyperv webhook pods to start"
+    timeout 5m kubectl wait --for=condition=ready pod --all -n hyperv-webhook --timeout -1s
 
     log "tainting control-plane nodes again"
     kubectl taint nodes "${cp_nodes[@]}" node-role.kubernetes.io/control-plane:NoSchedule || true
 
     log "done configuring testing for hyperv isolated containers"
-    set +x
 }
 
 run_post_command() {

helpers/helm/templates/deployment.yaml

@@ -39,10 +39,10 @@ spec:
           {{- toYaml .Values.deployment.securityContext | nindent 12 }}
         image: "{{ include "webhook.imageRepository" . }}:{{ .Values.deployment.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.deployment.image.pullPolicy }}
+        {{- with .Values.deployment.args }}
         args:
-        - --tls-cert-file=/etc/webhook/certs/tls.crt
-        - --tls-private-key-file=/etc/webhook/certs/tls.key
-        - --port={{ .Values.deployment.service.targetPort }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         ports:
         - name: webhook
           containerPort: {{ .Values.deployment.service.targetPort }}
@@ -58,7 +58,7 @@ spec:
         {{- end }}
         volumeMounts:
         - name: webhook-certs
-          mountPath: /etc/webhook/certs
+          mountPath: {{ .Values.deployment.certMountPath | default "/etc/webhook/certs" }}
           readOnly: true
         {{- with .Values.deployment.livenessProbe }}
         livenessProbe:

helpers/helm/templates/mutatingwebhookconfiguration.yaml

@@ -16,7 +16,7 @@ webhooks:
     service:
       name: {{ include "webhook.fullname" . }}
       namespace: {{ include "webhook.namespace" . }}
-      path: "/mutate"
+      path: {{ .Values.webhookConfiguration.path | default "/mutate" | quote }}
       port: {{ .Values.deployment.service.port }}
     {{- if not .Values.certificate.useCertManager }}
     caBundle: {{ .Values.certificate.manual.caCert | b64enc }}

helpers/helm/values-hyperv.yaml

@@ -10,11 +10,43 @@ webhookType: hyperv
 
 deployment:
   image:
-    # Uses default registry from values.yaml: sigwindowstools
-    # Override with: --set deployment.image.registry=myregistry.io/myorg
+    repository: sigwindowstools/hyperv-runtimeclass-mutating-webhook
     tag: ""  # Uses chart appVersion by default, override with --set deployment.image.tag=$VERSION
 
+  # controller-runtime manages TLS and flags internally, no args needed
+  args: []
+
+  # controller-runtime default cert directory
+  certMountPath: /tmp/k8s-webhook-server/serving-certs
+
+  service:
+    targetPort: 9443
+
+  # controller-runtime serves health checks on a separate HTTP port
+  livenessProbe:
+    httpGet:
+      path: /healthz
+      port: 8081
+      scheme: HTTP
+    initialDelaySeconds: 15
+    periodSeconds: 20
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  readinessProbe:
+    httpGet:
+      path: /readyz
+      port: 8081
+      scheme: HTTP
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
 webhookConfiguration:
+  path: /mutate-v1-pod
   objectSelector:
     matchLabels:
       hyperv-isolation: "true"

helpers/helm/values.yaml

@@ -34,6 +34,17 @@ deployment:
     tag: ""  # If empty, defaults to chart appVersion
 
   imagePullSecrets: []
+
+  # Container args passed to the webhook binary
+  # Default args are for the HPC webhook pattern (standalone TLS server)
+  # Override in values-hyperv.yaml for controller-runtime based webhooks
+  args:
+    - --tls-cert-file=/etc/webhook/certs/tls.crt
+    - --tls-private-key-file=/etc/webhook/certs/tls.key
+    - --port=8443
+
+  # Path where TLS certificates are mounted in the container
+  certMountPath: /etc/webhook/certs
 
   service:
     type: ClusterIP