Description
Expected Behavior
1. Tekton admission webhooks should validate only resources relevant to Tekton. Other cluster operators (e.g., Network Operator, Console Operator) should not fail due to Tekton webhook issues.
2. Webhook certificate renewal should be timely and reliable so that webhook failures do not propagate.
Actual Behavior
Tekton webhook (namespace.operator.tekton.dev) applies to all Namespace resources, including system/control-plane namespaces (kube-, openshift-). When the Tekton webhook’s TLS certificate expired, unrelated operators (e.g., Cluster Network Operator) failed during reconciliation because their namespace updates were blocked by the expired Tekton webhook.
This creates cross-operator coupling: Tekton’s webhook health directly impacts the stability of other critical operators.
Steps to Reproduce the Problem
- Install Tekton operator in a cluster.
- Observe that the ValidatingWebhookConfiguration for namespace.operator.tekton.dev applies broadly to all namespaces.
- Allow the webhook TLS certificate to expire. (Since the validity is one week, I had to replicate this manually by resetting the default values in the vendor file to 5 minutes validity.) Wait for the certificate to expire.
- Trigger another operator (e.g., Network Operator) that updates its namespace which is unrelated to Tekton.
- The namespace update fails because the Tekton webhook cannot be reached due to expired certificate.
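The coupling described above comes from two properties of the webhook object: its rules match the cluster-scoped `namespaces` resource with no `namespaceSelector`/`objectSelector`, and (per the admissionregistration.k8s.io/v1 default) `failurePolicy` is `Fail`, so an unreachable or expired webhook rejects every matching request. The following Python is an added audit example, not Tekton operator code: it takes a constructed `ValidatingWebhookConfiguration` modelled on the shape described in this issue (only the webhook name is taken from the issue; the rest is assumed), reports the two findings, simulates whether the API server would call the webhook for a given Namespace, and produces a hardened copy that excludes named system namespaces via the well-known `kubernetes.io/metadata.name` label and sets `failurePolicy: Ignore`. Label selectors cannot express a `kube-`/`openshift-` prefix match, so the exclusion list has to be explicit.

```python
"""Audit a ValidatingWebhookConfiguration for the blast-radius problems this issue describes."""
from __future__ import annotations

import copy

# Constructed sample (an assumption about the shape of the Tekton operator webhook;
# only the webhook name comes from the issue).
SAMPLE_WEBHOOK_CONFIG = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "namespace.operator.tekton.dev"},
    "webhooks": [
        {
            "name": "namespace.operator.tekton.dev",
            "failurePolicy": "Fail",
            "rules": [
                {
                    "apiGroups": [""],
                    "apiVersions": ["v1"],
                    "operations": ["CREATE", "UPDATE"],
                    "resources": ["namespaces"],
                }
            ],
            # No namespaceSelector / objectSelector: every Namespace object is intercepted.
        }
    ],
}

NAME_LABEL = "kubernetes.io/metadata.name"  # set automatically on every Namespace by the API server


def matches_namespaces(webhook: dict) -> bool:
    """True if any rule of this webhook covers the Namespace resource."""
    return any(
        "namespaces" in rule.get("resources", []) or "*" in rule.get("resources", [])
        for rule in webhook.get("rules", [])
    )


def audit(config: dict) -> list[tuple[str, str]]:
    """Return (webhook name, finding) pairs for webhooks that can block unrelated Namespace updates."""
    findings = []
    for wh in config.get("webhooks", []):
        if not matches_namespaces(wh):
            continue
        if not wh.get("namespaceSelector") and not wh.get("objectSelector"):
            findings.append((wh["name"], "intercepts every Namespace: no namespaceSelector/objectSelector"))
        # v1 defaults failurePolicy to Fail when it is omitted.
        if wh.get("failurePolicy", "Fail") == "Fail":
            findings.append((wh["name"], "failurePolicy=Fail: an unreachable or expired webhook rejects matching requests"))
    return findings


def _selector_matches(selector: dict | None, labels: dict) -> bool:
    """Minimal label-selector evaluation: matchLabels plus In/NotIn/Exists/DoesNotExist expressions."""
    if not selector:
        return True
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def would_intercept(config: dict, namespace_name: str) -> bool:
    """Simulate whether an UPDATE to the named Namespace would be sent to any webhook in config.

    For a Namespace object the API server evaluates namespaceSelector against the
    object's own labels, which always include kubernetes.io/metadata.name.
    """
    labels = {NAME_LABEL: namespace_name}
    return any(
        matches_namespaces(wh) and _selector_matches(wh.get("namespaceSelector"), labels)
        for wh in config.get("webhooks", [])
    )


def harden(config: dict, exclude_namespaces: set[str]) -> dict:
    """Return a copy that skips the listed namespaces and fails open if the webhook is down."""
    hardened = copy.deepcopy(config)
    for wh in hardened["webhooks"]:
        if not matches_namespaces(wh):
            continue
        wh["namespaceSelector"] = {
            "matchExpressions": [
                {"key": NAME_LABEL, "operator": "NotIn", "values": sorted(exclude_namespaces)}
            ]
        }
        wh["failurePolicy"] = "Ignore"
    return hardened


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_WEBHOOK_CONFIG):
        print(f"{name}: {finding}")
    fixed = harden(SAMPLE_WEBHOOK_CONFIG, {"kube-system", "openshift-network-operator"})
    print("hardened intercepts openshift-network-operator:", would_intercept(fixed, "openshift-network-operator"))
```

Whether `failurePolicy: Ignore` is acceptable is a design decision for the project (it trades a hard block for silent admission when the webhook is down); narrowing the selector alone already removes the cross-operator dependency for the excluded namespaces, which is the core of this issue.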
Attached a doc that captures additional details of how this is in an OpenShift cluster: Failed Certificate renewal .pdf