
Validation webhook implementation #1682

Merged
patrykw-splunk merged 11 commits into develop from feature/validation-webhook-implementation
Feb 13, 2026

@patrykw-splunk
Collaborator

@patrykw-splunk patrykw-splunk commented Feb 2, 2026

Description

This PR implements an opt-in Kubernetes ValidatingAdmissionWebhook for Splunk Enterprise Custom Resources. The webhook validates CRD configurations at admission time, providing immediate feedback to users before resources are created or updated.

Key Changes

  • Opt-in deployment via config/default-with-webhook kustomize overlay
  • Supports all Splunk Enterprise CRDs: ClusterManager, IndexerCluster, SearchHeadCluster, Standalone, LicenseManager, MonitoringConsole
  • Configurable timeouts via environment variables (WEBHOOK_READ_TIMEOUT, WEBHOOK_WRITE_TIMEOUT)
  • TLS certificates managed by cert-manager with automatic CA injection

Kubebuilder Annotations (CRD Schema Level)

| Field | Validation | Location |
| --- | --- | --- |
| spec.imagePullPolicy | Enum: Always, Never, IfNotPresent | api/v4/common_types.go |
| spec.livenessInitialDelaySeconds | Minimum: 0 | api/v4/common_types.go |
| spec.readinessInitialDelaySeconds | Minimum: 0 | api/v4/common_types.go |

Webhook Validations

| CRD | Field | Validation Rule |
| --- | --- | --- |
| IndexerCluster | spec.replicas | Must be ≥ 3 |
| SearchHeadCluster | spec.replicas | Must be ≥ 3 |
| Standalone | spec.replicas | Must be ≥ 0 |
| All CRDs | spec.etcVolumeStorageConfig.storageCapacity | Must be in Gi format (e.g., 10Gi) |
| All CRDs | spec.etcVolumeStorageConfig.storageClassName | Required when using persistent storage |
| All CRDs | spec.varVolumeStorageConfig.storageCapacity | Must be in Gi format (e.g., 10Gi) |
| All CRDs | spec.varVolumeStorageConfig.storageClassName | Required when using persistent storage |
| Standalone, ClusterManager | spec.smartstore.volumes[].name | Required |
| Standalone, ClusterManager | spec.smartstore.volumes[] | Must have endpoint or path |
| Standalone, ClusterManager | spec.smartstore.indexes[].name | Required |
| Standalone, ClusterManager | spec.smartstore.indexes[].volumeName | Required |
| Standalone, SearchHeadCluster, ClusterManager | spec.appRepo.appSources[].name | Required |
| Standalone, SearchHeadCluster, ClusterManager | spec.appRepo.appSources[].location | Required |
| Standalone, SearchHeadCluster, ClusterManager | spec.appRepo.volumes[].name | Required |

CRDs with Webhook Validation

| CRD | Validates |
| --- | --- |
| IndexerCluster | Replicas + CommonSpec |
| SearchHeadCluster | Replicas + CommonSpec + AppFramework |
| Standalone | Replicas + CommonSpec + SmartStore + AppFramework |
| ClusterManager | CommonSpec + SmartStore + AppFramework |
| LicenseManager | CommonSpec |
| MonitoringConsole | CommonSpec |

Webhook Infrastructure

  • Custom HTTP server on port 9443 with TLS
  • Single /validate endpoint handles all CRD types
  • Generic validator pattern using Go generics (GenericValidator[T])
  • Validation registry maps GroupVersionResource → validator
  • Cert-manager integration for TLS certificate management
  • Opt-in deployment via config/default-with-webhook overlay
  • Configurable timeouts via environment variables
  • Request-scoped logging with log.FromContext

Documentation

  • docs/ValidationWebhook.md

Testing and Verification

  • Comprehensive unit tests (~95% coverage)
  • Server and HTTP handler tests

Related Issues

N/A

PR Checklist

  • Code changes adhere to the project's coding standards.
  • Relevant unit and integration tests are included.
  • Documentation has been updated accordingly.
  • All tests pass locally.
  • The PR description follows the project's guidelines.
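
Added example, not code from this PR or the project: a minimal sketch of the GroupVersionResource registry and GenericValidator[T] pattern listed under Webhook Infrastructure, applied to two IndexerCluster rules from the validation table. The GVR struct, the trimmed IndexerCluster type, the API group and resource names, the handling of an empty capacity and the denial of unregistered resources are assumptions of this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

type GVR struct{ Group, Version, Resource string } // stand-in for GroupVersionResource
// GenericValidator decodes the raw object into T, then runs the typed check.
type GenericValidator[T any] struct{ Check func(*T) []string }

func (g GenericValidator[T]) Validate(raw []byte) []string {
	var obj T
	if err := json.Unmarshal(raw, &obj); err != nil {
		return []string{"decode: " + err.Error()}
	}
	return g.Check(&obj)
}

type IndexerCluster struct { // trimmed, hypothetical view of the CR
	Spec struct {
		Replicas int32 `json:"replicas"`
		Etc      struct{ StorageCapacity string `json:"storageCapacity"` } `json:"etcVolumeStorageConfig"`
	} `json:"spec"`
}

var giFormat = regexp.MustCompile(`^[0-9]+Gi$`)

func checkIndexer(c *IndexerCluster) (errs []string) {
	if c.Spec.Replicas < 3 {
		errs = append(errs, "spec.replicas must be >= 3")
	}
	if s := c.Spec.Etc.StorageCapacity; s != "" && !giFormat.MatchString(s) { // assumption: empty means unset
		errs = append(errs, "spec.etcVolumeStorageConfig.storageCapacity must be in Gi format")
	}
	return errs
}

var indexerGVR = GVR{"enterprise.splunk.com", "v4", "indexerclusters"} // assumed names
var registry = map[GVR]func([]byte) []string{indexerGVR: GenericValidator[IndexerCluster]{checkIndexer}.Validate}

func Admit(gvr GVR, raw []byte) []string {
	if validate, ok := registry[gvr]; ok {
		return validate(raw)
	}
	return []string{"no validator registered for " + gvr.Resource} // this sketch denies unregistered resources
}

func main() { fmt.Println(Admit(indexerGVR, []byte(`{"spec":{"replicas":2}}`))) } // constructed input
```

An empty result from Admit means the object is allowed; a wrongly typed field is reported as a decode error before any rule runs.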

@github-actions
Contributor

github-actions bot commented Feb 2, 2026

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


0 out of 2 committers have signed the CLA.
@patrykw-splunk
@patryk Wasielewski
Patryk Wasielewski seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You can retrigger this bot by commenting recheck in this Pull Request

@coveralls
Collaborator

coveralls commented Feb 2, 2026

Pull Request Test Coverage Report for Build 21987334064

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 459 unchanged lines in 13 files lost coverage.
  • Overall coverage increased (+0.07%) to 86.279%

| Files with Coverage Reduction | New Missed Lines | % |
| --- | --- | --- |
| pkg/splunk/enterprise/afwscheduler.go | 1 | 92.72% |
| pkg/splunk/enterprise/events.go | 2 | 88.1% |
| pkg/splunk/enterprise/monitoringconsole.go | 8 | 80.0% |
| pkg/splunk/enterprise/clustermaster.go | 13 | 79.15% |
| pkg/splunk/client/enterprise.go | 17 | 84.96% |
| pkg/splunk/enterprise/clustermanager.go | 21 | 74.54% |
| pkg/splunk/enterprise/searchheadcluster.go | 23 | 81.58% |
| pkg/splunk/enterprise/standalone.go | 24 | 69.96% |
| pkg/splunk/enterprise/licensemanager.go | 34 | 81.54% |
| pkg/splunk/enterprise/searchheadclusterpodmanager.go | 41 | 80.43% |

Totals Coverage Status
Change from base Build 21866948919: 0.07%
Covered Lines: 10948
Relevant Lines: 12689

💛 - Coveralls

@patrykw-splunk
Collaborator Author

I have read the Code of Conduct and I hereby accept the Terms

Collaborator

@kubabuczak kubabuczak left a comment


In the current code there are 26 validation functions (search func validate across the codebase) - shouldn't we replace / move them to the new validation package?

patrykw-splunk and others added 8 commits February 11, 2026 12:47
* implementation of dummy validation webhook

---------

Co-authored-by: Patryk Wasielewski <pwasiele@splunk.com>
Implement Validation Webhook logic + unit tests + mux server for webhook

---------

Co-authored-by: Patryk Wasielewski <pwasiele@splunk.com>
@patrykw-splunk patrykw-splunk force-pushed the feature/validation-webhook-implementation branch from a15f162 to f694c19 Compare February 11, 2026 12:09
Collaborator

@kasiakoziol kasiakoziol left a comment


added extra comments

@patrykw-splunk patrykw-splunk merged commit 77df63f into develop Feb 13, 2026
15 of 17 checks passed
@patrykw-splunk patrykw-splunk deleted the feature/validation-webhook-implementation branch February 13, 2026 13:11
@github-actions github-actions bot locked and limited conversation to collaborators Feb 13, 2026