templates: MutatingWebhookConfig filter to CREATE POD events only

[draychev]

This PR:

• adds rules to the MutatingWebhookConfiguration YAML template - observe only pods/create events
• removes Rules from the MutatingWebhookConfiguration struct created by patchMutatingWebhookConfiguration in webhook.go
• refactors and documents what and why the update/patch code does

---

Context

The template for the MutatingWebhookConfiguration is a bit misleading since it seems like it observes all events. In reality the final version of the MutatingWebhookConfiguration is augmented by the OSM Controller with a) rules and b) CA Bundle and looks like this:

$ kubectl get MutatingWebhookConfiguration osm-webhook-osm -o yaml

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
...
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    caBundle: ABCDEF==
    service:
      name: osm-controller
      namespace: osm-system
      path: /mutate
      port: 443
...
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
    scope: '*'
...

The addition of rules and caBundle is done in webhook.go via the patchMutatingWebhookConfiguration() function: https://github.com/openservicemesh/osm/blob/release-v0.4/pkg/injector/webhook.go#L332-L336

Even though adding this section to the YAML file is technically a noop - it would lead to fewer confusions when folks are browsing the source code to understand how this mutating webhook works.

Affected area:

• New Functionality [ ]
• Documentation [ ]
• Install [ ]
• Control Plane [ ]
• CLI Tool [ ]
• Certificate Management [ ]
• Networking [ ]
• Metrics [ ]
• SMI Policy [ ]
• Security [ ]
• Tests [ ]
• CI System [ ]
• Performance [ ]
• Other [X]

Please answer the following questions with yes/no.

• Does this change contain code from or inspired by another project? If so, did you notify the maintainers and provide attribution?

[codecov-io]

Codecov Report

Merging #1904 into main will decrease coverage by 0.16%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #1904      +/-   ##
==========================================
- Coverage   58.57%   58.40%   -0.17%     
==========================================
  Files         130      130              
  Lines        5265     5256       -9     
==========================================
- Hits         3084     3070      -14     
- Misses       2178     2183       +5     
  Partials        3        3              

Impacted Files	Coverage Δ
pkg/injector/webhook.go	71.11% <100.00%> (-1.38%)	⬇️
...ertificate/providers/tresor/certificate_manager.go	69.66% <0.00%> (-6.75%)	⬇️
pkg/envoy/route/config.go	95.83% <0.00%> (+0.83%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d3ade1e...425146a. Read the comment docs.

[ritazh]

Maybe I missed this in the code somewhere but do we watch for changes in this mwhc resource to reconcile/ensure the CA cert in this mwhc is using the most recent CA cert from the secret? I can open an issue if that helps.

[draychev]

@ritazh very good point - this does not exist yet!
An issue would be great!

[eduser25]

lgtm