Add active deadline config, allow patching webhooks, compat helper fo…

…r `objectSelector`

class/defaults.yml

@@ -54,6 +54,11 @@ parameters:
           matchExpressions:
             - key: appuio.io/organization
               operator: Exists
+        patches:
+          pod-run-once-active-deadline-mutator.appuio.io:
+            _objectSelector:
+              matchExpressions: ${appuio_cloud:runOnceActiveDeadlineSeconds:podMatchExpressions}
+
       config:
         QuotaOverrideNamespace: ${appuio_cloud:namespace}
         MemoryPerCoreLimit: ${appuio_cloud:agent:resourceRatio:memoryPerCore}
@@ -80,6 +85,9 @@ parameters:
         _allowedAnnotations: ${appuio_cloud:allowedNamespaceAnnotations}
         _allowedLabels: ${appuio_cloud:allowedNamespaceLabels}
 
+        PodRunOnceActiveDeadlineSecondsOverrideAnnotation: ${appuio_cloud:runOnceActiveDeadlineSeconds:overrideAnnotationKey}
+        PodRunOnceActiveDeadlineSecondsDefault: ${appuio_cloud:runOnceActiveDeadlineSeconds:defaultActiveDeadlineSeconds}
+
     clusterRoles:
       namespace-owner:
         rules:

component/agent.jsonnet

@@ -184,6 +184,25 @@ local admissionWebhookTlsSecret =
     },
   };
 
+local formatWebhookObjectSelector = function(obj)
+  if std.objectHas(obj, '_objectSelector') then
+    local me = obj._objectSelector.matchExpressions;
+    obj {
+      objectSelector+: {
+        matchExpressions: std.prune([
+          if me[name] != null then
+            {
+              key: name,
+            } + me[name]
+          for name in std.objectFields(me)
+        ]),
+      },
+      _objectSelector:: null,
+    }
+  else
+    obj
+;
+
 local admissionWebhook = std.map(function(webhook) webhook {
   metadata+: {
     name: '%s-%s' % [ params.namespace, webhook.metadata.name ],
@@ -210,7 +229,7 @@ local admissionWebhook = std.map(function(webhook) webhook {
           )
         ) > 0
       ) then 'namespaceSelector']: params.agent.webhook.namespaceSelector,
-    }
+    } + com.makeMergeable(formatWebhookObjectSelector(std.get(params.agent.webhook.patches, w.name, {})))
     for w in super.webhooks
   ],
 }, loadManifests('webhook/manifests.yaml'));

tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml

@@ -29,6 +29,8 @@ data:
     "LegacyNamespaceQuota": 25
     "MemoryPerCoreLimit": "4Gi"
     "OrganizationLabel": "appuio.io/organization"
+    "PodRunOnceActiveDeadlineSecondsDefault": 1800
+    "PodRunOnceActiveDeadlineSecondsOverrideAnnotation": "appuio.io/active-deadline-seconds-override"
     "PrivilegedClusterRoles":
     - "cluster-admin"
     - "cluster-image-registry-operator"

tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_deployment.yaml

@@ -13,7 +13,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 7121f7e20ceae49ec13aed1a3ddd0472
+        checksum/config: ae18fd44fae34c4d84d9d3599cfa6a84
         kubectl.kubernetes.io/default-container: agent
       labels:
         control-plane: appuio-cloud-agent

tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/10_webhook_config.yaml

@@ -66,6 +66,10 @@ webhooks:
       matchExpressions:
         - key: appuio.io/organization
           operator: Exists
+    objectSelector:
+      matchExpressions:
+        - key: acme.cert-manager.io/http01-solver
+          operator: DoesNotExist
     reinvocationPolicy: IfNeeded
     rules:
       - apiGroups: