splunk · patrykw-splunk · Jan 22, 2026 · Jan 30, 2026 · Feb 2, 2026 · Feb 2, 2026
diff --git a/.biased_lang_exclude b/.biased_lang_exclude
@@ -19,6 +19,7 @@ config/examples/licensemaster/default.yaml
 config/rbac/licensemaster_editor_role.yaml
 config/rbac/licensemaster_viewer_role.yaml
 config/samples/enterprise_v3_licensemaster.yaml
+config/webhook/manifests.yaml
 tools/make_bundle.sh
 config/samples/kustomization.yaml
 config/manifests/bases/splunk-operator.clusterserviceversion.yaml

diff --git a/cmd/main.go b/cmd/main.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"crypto/tls"
 	"flag"
 	"fmt"
@@ -26,6 +27,7 @@ import (
 	intController "github.com/splunk/splunk-operator/internal/controller"
 	"github.com/splunk/splunk-operator/internal/controller/debug"
 	"github.com/splunk/splunk-operator/pkg/config"
+	"github.com/splunk/splunk-operator/pkg/splunk/enterprise/validation"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
@@ -229,6 +231,43 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "Standalone")
 		os.Exit(1)
 	}
+
+	// Setup centralized validation webhook server (opt-in via ENABLE_WEBHOOKS env var, defaults to false)
+	enableWebhooks := os.Getenv("ENABLE_WEBHOOKS")
+	if enableWebhooks == "true" {
+		// Parse optional timeout configurations from environment
+		readTimeout := 10 * time.Second
+		if val := os.Getenv("WEBHOOK_READ_TIMEOUT"); val != "" {
+			if d, err := time.ParseDuration(val); err == nil {
+				readTimeout = d
+			}
+		}
+		writeTimeout := 10 * time.Second
+		if val := os.Getenv("WEBHOOK_WRITE_TIMEOUT"); val != "" {
+			if d, err := time.ParseDuration(val); err == nil {
+				writeTimeout = d
+			}
+		}
+
+		webhookServer := validation.NewWebhookServer(validation.WebhookServerOptions{
+			Port:         9443,
+			CertDir:      "/tmp/k8s-webhook-server/serving-certs",
+			Validators:   validation.DefaultValidators,
+			ReadTimeout:  readTimeout,
+			WriteTimeout: writeTimeout,
+		})
+
+		// Add webhook server as a runnable to the manager
+		if err := mgr.Add(manager.RunnableFunc(func(ctx context.Context) error {
+			return webhookServer.Start(ctx)
+		})); err != nil {
+			setupLog.Error(err, "unable to add webhook server to manager")
+			os.Exit(1)
+		}
+		setupLog.Info("Validation webhook enabled via ENABLE_WEBHOOKS=true")
+	} else {
+		setupLog.Info("Validation webhook disabled (set ENABLE_WEBHOOKS=true to enable)")
+	}
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
@@ -0,0 +1,38 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app.kubernetes.io/name: issuer
+    app.kubernetes.io/instance: selfsigned-issuer
+    app.kubernetes.io/component: certificate
+    app.kubernetes.io/created-by: splunk-operator
+    app.kubernetes.io/part-of: splunk-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/name: certificate
+    app.kubernetes.io/instance: serving-cert
+    app.kubernetes.io/component: certificate
+    app.kubernetes.io/created-by: splunk-operator
+    app.kubernetes.io/part-of: splunk-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: serving-cert
+  namespace: system
+spec:
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: webhook-server-cert
diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,13 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
diff --git a/config/default-with-webhook/kustomization-cluster.yaml b/config/default-with-webhook/kustomization-cluster.yaml
@@ -0,0 +1,137 @@
+# Adds namespace to all resources.
+# Cluster-scoped deployment WITH webhook enabled (opt-in)
+# Requires cert-manager to be installed in the cluster
+namespace: splunk-operator 
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: splunk-operator-
+
+# Labels to add to all resources and selectors.
+commonLabels:
+  name: splunk-operator
+
+bases:
+- ../crd
+- ../rbac
+- ../persistent-volume
+- ../service
+- ../manager
+# [WEBHOOK] Enabled for opt-in webhook deployment
+- ../webhook
+# [CERTMANAGER] Required for webhook TLS
+- ../certmanager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+# [METRICS] Expose the controller manager metrics service.
+- metrics_service.yaml
+
+patchesStrategicMerge:
+# Mount the controller config file for loading manager configurations
+# through a ComponentConfig type
+#- manager_config_patch.yaml
+
+# [WEBHOOK] Enabled for webhook deployment
+- manager_webhook_patch.yaml
+
+# [CERTMANAGER] Enabled for CA injection in the admission webhooks
+- webhookcainjection_patch.yaml
+
+# the following config is for teaching kustomize how to do var substitution
+vars:
+# [CERTMANAGER] Variables for cert-manager CA injection
+- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+  fieldref:
+    fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+- name: SERVICE_NAMESPACE # namespace of the service
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
+- name: SERVICE_NAME
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+
+#patches:
+#- target:
+#    kind: Deployment
+#    name: controller-manager
+#  patch: |-
+#    - op: replace
+#      path: /metadata/name
+#      value: splunk-operator
+#- target:
+#    kind: ServiceAccount
+#    name: controller-manager
+#  patch: |-
+#    - op: replace
+#      path: /metadata/name
+#      value: splunk-operator
+#- target:
+#    kind: Service
+#    name: controller-manager-service
+#  patch: |-
+#    - op: replace
+#      path: /metadata/name
+#      value: splunk-operator-service
+#- target:
+#    kind: Role
+#    name: manager-role
+#  patch: |-
+#    - op: replace
+#      path: /metadata/name
+#      value: splunk:operator:namespace-manager
+#- target:
+#    kind: RoleBinding
+#    name: manager-rolebinding
+#  patch: |-
+#    - op: replace
+#      path: /metadata/name
+#      value: splunk:operator:namespace-manager
+
+# currently patch is set to change deployment environment variables
+patches:
+- target:
+    kind: Deployment
+    name: controller-manager
+  patch: |-
+    - op: add
+      path: /spec/template/spec/containers/0/env
+      value: 
+      - name: WATCH_NAMESPACE
+        value: WATCH_NAMESPACE_VALUE
+      - name: RELATED_IMAGE_SPLUNK_ENTERPRISE
+        value: SPLUNK_ENTERPRISE_IMAGE
+      - name: OPERATOR_NAME
+        value: splunk-operator
+      - name: SPLUNK_GENERAL_TERMS
+        value: SPLUNK_GENERAL_TERMS_VALUE
+      - name: ENABLE_WEBHOOKS
+        value: "true"
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            fieldPath: metadata.name
+# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443.
+# More info: https://book.kubebuilder.io/reference/metrics
+- path: manager_metrics_patch.yaml
+  target:
+    kind: Deployment