From 0b22bb3e37fe8001e232968e735f57c1184dbee9 Mon Sep 17 00:00:00 2001
From: a-cool-train <98445475+a-cool-train@users.noreply.github.com>
Date: Wed, 12 Oct 2022 05:16:45 -0700
Subject: [PATCH] Feature cert manager changes (#536)
* Include package validation for cert manager
* Fix wording
---
 api/v1alpha1/package.go | 17 ++++++++++++++---
 pkg/webhook/package_webhook.go | 8 ++++++--
 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/api/v1alpha1/package.go b/api/v1alpha1/package.go
index 70711c88..07a39c79 100644
--- a/api/v1alpha1/package.go
+++ b/api/v1alpha1/package.go
@@ -1,15 +1,17 @@
 package v1alpha1
 import (
+ "os"
 "strings"
 "sigs.k8s.io/yaml"
 )
 const (
- PackageKind = "Package"
- PackageNamespace = "eksa-packages"
- namespacePrefix = PackageNamespace + "-"
+ PackageKind = "Package"
+ PackageNamespace = "eksa-packages"
+ namespacePrefix = PackageNamespace + "-"
+ clusterNameEnvVar = "CLUSTER_NAME"
 )
 func (config *Package) MetaKind() string {
@@ -43,3 +45,12 @@ func (config *Package) IsValidNamespace() bool {
 }
 return true
 }
+
+// IsInstalledOnWorkload returns true if the package is being installed on a workload cluster
+// returns false otherwise
+func (config *Package) IsInstalledOnWorkload() bool {
+ clusterName := config.GetClusterName()
+ managementClusterName := os.Getenv(clusterNameEnvVar)
+
+ return managementClusterName != clusterName
+}
diff --git a/pkg/webhook/package_webhook.go b/pkg/webhook/package_webhook.go
index c4a18418..61ecb4be 100644
--- a/pkg/webhook/package_webhook.go
+++ b/pkg/webhook/package_webhook.go
@@ -63,7 +63,7 @@ func (v *packageValidator) Handle(ctx context.Context, request admission.Request
 return admission.Errored(http.StatusInternalServerError, fmt.Errorf("getting PackageBundle: %v", err))
 }
- isConfigValid, err := v.isPackageConfigValid(p, activeBundle)
+ isConfigValid, err := v.isPackageValid(p, activeBundle)
 resp := &admission.Response{
 AdmissionResponse: admissionv1.AdmissionResponse{Allowed: isConfigValid},
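Review bot: IsInstalledOnWorkload in api/v1alpha1/package.go compares against `os.Getenv(clusterNameEnvVar)` without handling the unset case, so when CLUSTER_NAME is missing the management name is "" and any Package whose cluster name is non-empty is reported as a workload install. The WorkloadOnly check this patch adds to isPackageValid in pkg/webhook/package_webhook.go then admits the package, which means the admission gate fails open on a misconfigured controller. The empty value should fail closed, for example `if managementClusterName == "" { return false }` ahead of the comparison, or be rejected once at start-up. What GetClusterName returns for a Package in the management namespace is not visible in this patch and should be checked against the same comparison. The doc comment would read better as one sentence, `// IsInstalledOnWorkload reports whether the package targets a cluster other than the management cluster named by CLUSTER_NAME.`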
@@ -82,7 +82,7 @@ func (v *packageValidator) Handle(ctx context.Context, request admission.Request
 return *resp
 }
-func (v *packageValidator) isPackageConfigValid(p *v1alpha1.Package, activeBundle *v1alpha1.PackageBundle) (bool, error) {
+func (v *packageValidator) isPackageValid(p *v1alpha1.Package, activeBundle *v1alpha1.PackageBundle) (bool, error) {
 packageInBundle, err := activeBundle.GetPackageFromBundle(p.Spec.PackageName)
 if err != nil {
 return false, err
@@ -93,6 +93,10 @@ func (v *packageValidator) isPackageConfigValid(p *v1alpha1.Package, activeBundl
 return false, fmt.Errorf("package %s does not contain any versions", p.Name)
 }
+ if packageInBundle.WorkloadOnly && !p.IsInstalledOnWorkload() {
+ return false, fmt.Errorf("package %s should only be installed on a workload cluster", p.Name)
+ }
+
 jsonSchema, err := packageInBundle.GetJsonSchema()
 if err != nil {
 return false, err
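Review bot: The new WorkloadOnly rejection in isPackageValid arrives without a test; the diffstat lists only api/v1alpha1/package.go and pkg/webhook/package_webhook.go. Because this branch decides whether the admission webhook allows a Package, it deserves table cases for a WorkloadOnly package aimed at the management cluster, the same package aimed at a workload cluster, and the controller running with CLUSTER_NAME unset. A short comment above the check, such as `// WorkloadOnly packages must not be admitted for the management cluster.`, would record the intent. isPackageValid starts and ends outside this hunk.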