yokecd · alam-cloud · Dec 15, 2025 · davidmdm · Dec 4, 2025
diff --git a/cmd/atc-installer/installer/run.go b/cmd/atc-installer/installer/run.go
@@ -23,19 +23,23 @@ import (
 )
 
 type Config struct {
-	Labels                 map[string]string `json:"labels,omitempty"`
-	Annotations            map[string]string `json:"annotations,omitempty"`
-	Image                  string            `json:"image,omitzero" Description:"set the image you want to deploy"`
-	Version                string            `json:"version,omitzero" Description:"version of the deployed image"`
-	Port                   int               `json:"port,omitzero"`
-	ServiceAccountName     string            `json:"serviceAccountName,omitzero"`
-	ImagePullPolicy        corev1.PullPolicy `json:"imagePullPolicy,omitzero"`
-	GenerateTLS            bool              `json:"generateTLS,omitzero" Description:"generate new tls certificates even if they already exist"`
-	DockerConfigSecretName string            `json:"dockerConfigSecretName,omitzero" Description:"name of dockerconfig secret to allow atc to pull images from private registries"`
-	LogFormat              string            `json:"logFormat,omitzero" Enum:"json,text"`
-	Verbose                bool              `json:"verbose,omitzero" Description:"verbose logging"`
-	Concurrency            int               `json:"concurrency,omitzero" Description:"number of workers to process reconciliation events. Defaults to GOMAXPROCS if unset"`
-	CacheFS                string            `json:"cacheFS,omitzero" Description:"controls location to mount empty dir for wasm module fs cache. Defaults to /tmp if unset"`
+	Labels                                   map[string]string `json:"labels,omitempty"`
+	Annotations                              map[string]string `json:"annotations,omitempty"`
+	Image                                    string            `json:"image,omitzero" Description:"set the image you want to deploy"`
+	Version                                  string            `json:"version,omitzero" Description:"version of the deployed image"`
+	Port                                     int               `json:"port,omitzero"`
+	ServiceAccountName                       string            `json:"serviceAccountName,omitzero"`
+	ImagePullPolicy                          corev1.PullPolicy `json:"imagePullPolicy,omitzero"`
+	GenerateTLS                              bool              `json:"generateTLS,omitzero" Description:"generate new tls certificates even if they already exist"`
+	DockerConfigSecretName                   string            `json:"dockerConfigSecretName,omitzero" Description:"name of dockerconfig secret to allow atc to pull images from private registries"`
+	LogFormat                                string            `json:"logFormat,omitzero" Enum:"json,text"`
+	Verbose                                  bool              `json:"verbose,omitzero" Description:"verbose logging"`
+	Concurrency                              int               `json:"concurrency,omitzero" Description:"number of workers to process reconciliation events. Defaults to GOMAXPROCS if unset"`
+	CacheFS                                  string            `json:"cacheFS,omitzero" Description:"controls location to mount empty dir for wasm module fs cache. Defaults to /tmp if unset"`
+	AirwayValidationWebhookTimeout           int               `json:"airwayValidationWebhookTimeout,omitzero" Description:"timeout in seconds for airway instance validation webhooks (default: 10)"`
+	ResourceValidationWebhookTimeout         int               `json:"resourceValidationWebhookTimeout,omitzero" Description:"timeout in seconds for resource/event dispatching validation webhooks (default: 10)"`
+	ExternalResourceValidationWebhookTimeout int               `json:"externalResourceValidationWebhookTimeout,omitzero" Description:"timeout in seconds for external resource validation webhooks (default: 1)"`
+	FlightValidationWebhookTimeout           int               `json:"flightValidationWebhookTimeout,omitzero" Description:"timeout in seconds for flight validation webhooks (default: 30)"`
 }
 
 func Run(cfg Config) (flight.Resources, error) {
@@ -192,6 +196,22 @@ func Run(cfg Config) (flight.Resources, error) {
 		environment = append(environment, corev1.EnvVar{Name: "CONCURRENCY", Value: strconv.Itoa(cfg.Concurrency)})
 	}
 
+	if cfg.AirwayValidationWebhookTimeout > 0 {
+		environment = append(environment, corev1.EnvVar{Name: "AIRWAY_VALIDATION_WEBHOOK_TIMEOUT", Value: strconv.Itoa(cfg.AirwayValidationWebhookTimeout)})
+	}
+
+	if cfg.ResourceValidationWebhookTimeout > 0 {
+		environment = append(environment, corev1.EnvVar{Name: "RESOURCE_VALIDATION_WEBHOOK_TIMEOUT", Value: strconv.Itoa(cfg.ResourceValidationWebhookTimeout)})
+	}
+
+	if cfg.ExternalResourceValidationWebhookTimeout > 0 {
+		environment = append(environment, corev1.EnvVar{Name: "EXTERNAL_RESOURCE_VALIDATION_WEBHOOK_TIMEOUT", Value: strconv.Itoa(cfg.ExternalResourceValidationWebhookTimeout)})
+	}
+
+	if cfg.FlightValidationWebhookTimeout > 0 {
+		environment = append(environment, corev1.EnvVar{Name: "FLIGHT_VALIDATION_WEBHOOK_TIMEOUT", Value: strconv.Itoa(cfg.FlightValidationWebhookTimeout)})
+	}
+
 	tlsVolume := corev1.Volume{
 		Name: "tls-secrets",
 		VolumeSource: corev1.VolumeSource{

diff --git a/cmd/atc/config.go b/cmd/atc/config.go
@@ -22,6 +22,11 @@ type Config struct {
 
 	Verbose bool
 
+	AirwayValidationWebhookTimeout           int32
+	ResourceValidationWebhookTimeout         int32
+	ExternalResourceValidationWebhookTimeout int32
+	FlightValidationWebhookTimeout           int32
+
 	TLS TLSConfig
 }
 
@@ -59,6 +64,11 @@ func LoadConfig() (*Config, error) {
 
 	conf.Var(parser, &cfg.CacheFS, "CACHE_FS", conf.Default(os.TempDir()))
 
+	conf.Var(parser, &cfg.AirwayValidationWebhookTimeout, "AIRWAY_VALIDATION_WEBHOOK_TIMEOUT")
+	conf.Var(parser, &cfg.ResourceValidationWebhookTimeout, "RESOURCE_VALIDATION_WEBHOOK_TIMEOUT")
+	conf.Var(parser, &cfg.ExternalResourceValidationWebhookTimeout, "EXTERNAL_RESOURCE_VALIDATION_WEBHOOK_TIMEOUT")
+	conf.Var(parser, &cfg.FlightValidationWebhookTimeout, "FLIGHT_VALIDATION_WEBHOOK_TIMEOUT")
+
 	if err := parser.Parse(); err != nil {
 		return nil, err
 	}

diff --git a/cmd/atc/resources.go b/cmd/atc/resources.go
@@ -174,6 +174,18 @@ func ApplyResources(ctx context.Context, client *k8s.Client, cfg *Config) (err e
 		return fmt.Errorf("failed to apply airway crd: %w", err)
 	}
 
+	// withDefault returns the value if > 0, otherwise returns the default
+	withDefault := func(value int32, defaultValue int32) *int32 {
+		if value > 0 {
+			return ptr.To(value)
+		}
+		return ptr.To(defaultValue)
+	}
+
+	airwayTimeoutSeconds := withDefault(cfg.AirwayValidationWebhookTimeout, 10)
+	flightTimeoutSeconds := withDefault(cfg.FlightValidationWebhookTimeout, 30)
+	resourceTimeoutSeconds := withDefault(cfg.ResourceValidationWebhookTimeout, 10)
+	externalResourceTimeoutSeconds := withDefault(cfg.ExternalResourceValidationWebhookTimeout, 1)
 	airwayValidation := &admissionregistrationv1.ValidatingWebhookConfiguration{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: admissionregistrationv1.SchemeGroupVersion.Identifier(),
@@ -196,6 +208,7 @@ func ApplyResources(ctx context.Context, client *k8s.Client, cfg *Config) (err e
 				},
 				SideEffects:             ptr.To(admissionregistrationv1.SideEffectClassNone),
 				AdmissionReviewVersions: []string{"v1"},
+				TimeoutSeconds:          airwayTimeoutSeconds,
 				Rules: []admissionregistrationv1.RuleWithOperations{
 					{
 						Operations: []admissionregistrationv1.OperationType{
@@ -236,11 +249,8 @@ func ApplyResources(ctx context.Context, client *k8s.Client, cfg *Config) (err e
 				},
 				SideEffects:             ptr.To(admissionregistrationv1.SideEffectClassNone),
 				AdmissionReviewVersions: []string{"v1"},
-				// We are using the maximum timeout.
-				// It is likely that for this webhook handles the download and compilation of the flights wasm.
-				// In general this should be fast, on the order of a couple seconds, but lets stay on the side of caution for now.
-				TimeoutSeconds: ptr.To(int32(30)),
-				MatchPolicy:    ptr.To(admissionregistrationv1.Exact),
+				TimeoutSeconds:          flightTimeoutSeconds,
+				MatchPolicy:             ptr.To(admissionregistrationv1.Exact),
 				MatchConditions: []admissionregistrationv1.MatchCondition{
 					{
 						Name: "not-atc-service-account",
@@ -292,6 +302,7 @@ func ApplyResources(ctx context.Context, client *k8s.Client, cfg *Config) (err e
 				AdmissionReviewVersions: []string{"v1"},
 				FailurePolicy:           ptr.To(admissionregistrationv1.Ignore),
 				MatchPolicy:             ptr.To(admissionregistrationv1.Exact),
+				TimeoutSeconds:          resourceTimeoutSeconds,
 				MatchConditions: []admissionregistrationv1.MatchCondition{
 					{
 						Name:       "managed-by-atc",
@@ -348,7 +359,7 @@ func ApplyResources(ctx context.Context, client *k8s.Client, cfg *Config) (err e
 				AdmissionReviewVersions: []string{"v1"},
 				FailurePolicy:           ptr.To(admissionregistrationv1.Ignore),
 				MatchPolicy:             ptr.To(admissionregistrationv1.Exact),
-				TimeoutSeconds:          ptr.To[int32](1),
+				TimeoutSeconds:          externalResourceTimeoutSeconds,
 				MatchConditions: []admissionregistrationv1.MatchCondition{
 					{
 						Name: "all",