Add webhook handler to ensure DevWorkspaces only have a single container contribution merge target

This commit adds a webhook handler to ensure:

- A newly created DevWorkspace cannot have more than one container component with the controller.devfile.io/merge-contribution set to true.

- An existing DevWorkspace cannot be modified to have more than one container component with the controller.devfile.io/merge-contribution set to true.

Signed-off-by: Andrew Obuchowicz <[email protected]>

Author: AObuchow

webhook/workspace/handler/attributes.go

@@ -0,0 +1,56 @@
+//
+// Copyright (c) 2019-2023 Red Hat, Inc.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package handler
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/devfile/devworkspace-operator/pkg/constants"
+
+	dwv2 "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
+)
+
+// Checks whether the given DevWorkspace Template Spec has multiple container components with the
+// controller.devfile.io/merge-contribution attribute set to true.
+// If only a single container component has the controller.devfile.io/merge-contribution attribute set to true, nil is returned.
+// If multiple container component have the controller.devfile.io/merge-contribution attribute set to true, or an error occurs
+// while parsing the attribute, an error is returned.
+func checkMultipleContainerContributionTargets(devWorkspaceSpec dwv2.DevWorkspaceTemplateSpec) error {
+	var componentNames []string
+	for _, component := range devWorkspaceSpec.Components {
+		if component.Container == nil {
+			// Ignore attribute on non-container components as it's not clear what this would mean
+			continue
+		}
+		if component.Attributes.Exists(constants.MergeContributionAttribute) {
+			var errHolder error
+			if component.Attributes.GetBoolean(constants.MergeContributionAttribute, &errHolder) {
+				componentNames = append(componentNames, component.Name)
+			}
+
+			if errHolder != nil {
+				return fmt.Errorf("failed to parse %s attribute on component %s as true or false", constants.MergeContributionAttribute, component.Name)
+			}
+		}
+	}
+
+	if len(componentNames) > 1 {
+		return fmt.Errorf("only a single component may have the %s attribute set to true. The following %d components have the %s attribute set to true: %s", constants.MergeContributionAttribute, len(componentNames), constants.MergeContributionAttribute, strings.Join(componentNames, ", "))
+	}
+
+	return nil
+}

webhook/workspace/handler/workspace.go

@@ -62,6 +62,10 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha2OnCreate(ctx context.Context, re
 		return admission.Denied(err.Error())
 	}
 
+	if err := checkMultipleContainerContributionTargets(wksp.Spec.Template); err != nil {
+		return admission.Denied(err.Error())
+	}
+
 	if warnings := checkUnsupportedFeatures(wksp.Spec.Template); unsupportedWarningsPresent(warnings) {
 		return h.returnPatched(req, wksp).WithWarnings(formatUnsupportedFeaturesWarning(warnings))
 	}
@@ -170,6 +174,10 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha2OnUpdate(ctx context.Context, re
 		return admission.Denied(err.Error())
 	}
 
+	if err := checkMultipleContainerContributionTargets(newWksp.Spec.Template); err != nil {
+		return admission.Denied(err.Error())
+	}
+
 	oldCreator, found := oldWksp.Labels[constants.DevWorkspaceCreatorLabel]
 	if !found {
 		return admission.Denied(fmt.Sprintf("label '%s' is missing. Please recreate devworkspace to get it initialized", constants.DevWorkspaceCreatorLabel))