fix: pod name logging in admission webhook

- Add potentialPodName() function based on Istio's proven pattern
- Handle generateName case with descriptive suffix
- Convert all logging to clean structured fields
- Remove ugly string concatenation in favor of separate pod/namespace fields
- Add comprehensive unit tests for pod naming scenarios
- Ensure consistent logging throughout webhook lifecycle

This fixes empty pod names in logs during admission control phase
when pods only have generateName (common with Deployments/ReplicaSets).

Example log output:
Before: {"pod": "", "namespace": "flux-system"}
After: {"pod": "controller-***** (actual name not yet known)", "namespace": "flux-system"}

Author: fujin

internal/webhook/v1/pod_webhook.go

@@ -25,20 +25,21 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"os"
+	"strings"
+
 	"github.com/prometheus/client_golang/prometheus"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
-	"os"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/metrics"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
-	"strings"
 )
 
 // nolint:unused
@@ -102,14 +103,27 @@ type PodCustomDefaulter struct {
 
 var _ webhook.CustomDefaulter = &PodCustomDefaulter{}
 
+// potentialPodName returns the pod name if available, otherwise a descriptive string
+// This mirrors Istio's approach to handling generateName in admission webhooks
+func potentialPodName(metadata metav1.ObjectMeta) string {
+	if metadata.Name != "" {
+		return metadata.Name
+	}
+	if metadata.GenerateName != "" {
+		return metadata.GenerateName + "***** (actual name not yet known)"
+	}
+	return ""
+}
+
 // Default implements webhook.CustomDefaulter so a webhook will be registered for the Kind Pod.
 func (d *PodCustomDefaulter) Default(ctx context.Context, obj runtime.Object) error {
 	pod, ok := obj.(*corev1.Pod)
 	if !ok {
 		return fmt.Errorf("expected an Pod object but got %T", obj)
 	}
 
-	podlog.Info("Defaulting for Pod", "name", pod.GetName())
+	podName := potentialPodName(pod.ObjectMeta)
+	podlog.Info("Processing pod for WIF injection", "pod", podName, "namespace", pod.Namespace)
 
 	// Skip if pod already has WIF volumes/env vars
 	if hasWorkloadIdentityConfig(pod) {
@@ -160,7 +174,7 @@ func (d *PodCustomDefaulter) Default(ctx context.Context, obj runtime.Object) er
 	// Inject WIF configuration
 	injectWorkloadIdentityConfig(d, pod, wifConfig)
 
-	podlog.Info("Injected WIF configuration", "pod", pod.GetName(), "serviceAccount", saName)
+	podlog.Info("Injected WIF configuration", "pod", podName, "namespace", pod.Namespace, "serviceAccount", saName)
 	return nil
 }
 
@@ -365,7 +379,7 @@ func injectWorkloadIdentityConfig(d *PodCustomDefaulter, pod *corev1.Pod, config
 		injectionOperations.WithLabelValues("volume", "injected", "success").Inc()
 	} else {
 		podlog.Info("Skipped WIF injection due to existing volume",
-			"pod", pod.GetName(),
+			"pod", potentialPodName(pod.ObjectMeta),
 			"namespace", pod.Namespace,
 			"component", "volume",
 			"volume", "token",
@@ -394,7 +408,7 @@ func injectWorkloadIdentityConfig(d *PodCustomDefaulter, pod *corev1.Pod, config
 		injectionOperations.WithLabelValues("volume", "injected", "success").Inc()
 	} else {
 		podlog.Info("Skipped WIF injection due to existing volume",
-			"pod", pod.GetName(),
+			"pod", potentialPodName(pod.ObjectMeta),
 			"namespace", pod.Namespace,
 			"component", "volume",
 			"volume", credentialsVolumeName,
@@ -424,7 +438,7 @@ func injectWorkloadIdentityConfig(d *PodCustomDefaulter, pod *corev1.Pod, config
 		} else {
 			if volumeMountExists(container, "token") {
 				podlog.Info("Skipped WIF injection due to existing volume mount",
-					"pod", pod.GetName(),
+					"pod", potentialPodName(pod.ObjectMeta),
 					"namespace", pod.Namespace,
 					"container", container.Name,
 					"component", "mount",
@@ -434,7 +448,7 @@ func injectWorkloadIdentityConfig(d *PodCustomDefaulter, pod *corev1.Pod, config
 			}
 			if mountPathExists(container, tokenMountPath) {
 				podlog.Info("Skipped WIF injection due to mount path conflict",
-					"pod", pod.GetName(),
+					"pod", potentialPodName(pod.ObjectMeta),
 					"namespace", pod.Namespace,
 					"container", container.Name,
 					"component", "mount",
@@ -457,7 +471,7 @@ func injectWorkloadIdentityConfig(d *PodCustomDefaulter, pod *corev1.Pod, config
 		} else {
 			if volumeMountExists(container, credentialsVolumeName) {
 				podlog.Info("Skipped WIF injection due to existing volume mount",
-					"pod", pod.GetName(),
+					"pod", potentialPodName(pod.ObjectMeta),
 					"namespace", pod.Namespace,
 					"container", container.Name,
 					"component", "mount",
@@ -467,7 +481,7 @@ func injectWorkloadIdentityConfig(d *PodCustomDefaulter, pod *corev1.Pod, config
 			}
 			if mountPathExists(container, credentialsMountPath) {
 				podlog.Info("Skipped WIF injection due to mount path conflict",
-					"pod", pod.GetName(),
+					"pod", potentialPodName(pod.ObjectMeta),
 					"namespace", pod.Namespace,
 					"container", container.Name,
 					"component", "mount",
@@ -486,7 +500,7 @@ func injectWorkloadIdentityConfig(d *PodCustomDefaulter, pod *corev1.Pod, config
 			injectionOperations.WithLabelValues("env", "injected", "success").Inc()
 		} else {
 			podlog.Info("Skipped WIF injection due to existing environment variable",
-				"pod", pod.GetName(),
+				"pod", potentialPodName(pod.ObjectMeta),
 				"namespace", pod.Namespace,
 				"container", container.Name,
 				"component", "env",

internal/webhook/v1/pod_webhook_test.go

@@ -363,6 +363,163 @@ func TestInjectWorkloadIdentityConfig(t *testing.T) {
 
 }
 
+func TestPotentialPodName(t *testing.T) {
+	tests := []struct {
+		name     string
+		metadata metav1.ObjectMeta
+		expected string
+	}{
+		{
+			name: "pod with explicit name",
+			metadata: metav1.ObjectMeta{
+				Name:      "my-pod",
+				Namespace: "default",
+			},
+			expected: "my-pod",
+		},
+		{
+			name: "pod with generateName (typical Deployment pattern)",
+			metadata: metav1.ObjectMeta{
+				GenerateName: "web-deployment-abc123-",
+				Namespace:    "default",
+			},
+			expected: "web-deployment-abc123-***** (actual name not yet known)",
+		},
+		{
+			name: "pod with both name and generateName (name takes precedence)",
+			metadata: metav1.ObjectMeta{
+				Name:         "explicit-name",
+				GenerateName: "should-be-ignored-",
+				Namespace:    "default",
+			},
+			expected: "explicit-name",
+		},
+		{
+			name: "pod with neither name nor generateName",
+			metadata: metav1.ObjectMeta{
+				Namespace: "default",
+			},
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := potentialPodName(tt.metadata)
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}
+
+func TestPodWebhookIntegration(t *testing.T) {
+	// Set required environment variables for testing
+	os.Setenv("PROJECT_NUMBER", "123456789")
+	os.Setenv("POOL_ID", "test-pool")
+	os.Setenv("PROVIDER_ID", "test-provider")
+	defer func() {
+		os.Unsetenv("PROJECT_NUMBER")
+		os.Unsetenv("POOL_ID")
+		os.Unsetenv("PROVIDER_ID")
+	}()
+
+	testSA := &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "default",
+			Namespace: "default",
+		},
+	}
+
+	runtimeScheme := runtime.NewScheme()
+	require.NoError(t, scheme.AddToScheme(runtimeScheme))
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(runtimeScheme).
+		WithObjects(testSA).
+		Build()
+
+	webhook := &PodCustomDefaulter{
+		Client: fakeClient,
+		Cache:  fakeClient,
+	}
+
+	ctx := context.Background()
+
+	tests := []struct {
+		name string
+		pod  *corev1.Pod
+	}{
+		{
+			name: "pod with explicit name",
+			pod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "explicit-pod-name",
+					Namespace: "default",
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: "default",
+					Containers: []corev1.Container{
+						{Name: "app", Image: "nginx"},
+					},
+				},
+			},
+		},
+		{
+			name: "pod with generateName (Deployment pattern)",
+			pod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					GenerateName: "web-deployment-abc123-",
+					Namespace:    "default",
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: "default",
+					Containers: []corev1.Container{
+						{Name: "app", Image: "nginx"},
+					},
+				},
+			},
+		},
+		{
+			name: "pod with neither name nor generateName",
+			pod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "default",
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: "default",
+					Containers: []corev1.Container{
+						{Name: "app", Image: "nginx"},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test that webhook processes without error
+			err := webhook.Default(ctx, tt.pod)
+			require.NoError(t, err)
+
+			// Verify WIF injection occurred
+			assert.True(t, hasWorkloadIdentityConfig(tt.pod), "WIF configuration should be injected")
+
+			// Verify volumes were added
+			assert.Len(t, tt.pod.Spec.Volumes, 2, "Should have token and credentials volumes")
+
+			// Verify container modifications
+			require.Len(t, tt.pod.Spec.Containers, 1, "Should still have one container")
+			container := tt.pod.Spec.Containers[0]
+
+			// Check volume mounts
+			assert.Len(t, container.VolumeMounts, 2, "Should have WIF volume mounts")
+
+			// Check environment variable
+			assert.Len(t, container.Env, 1, "Should have GOOGLE_APPLICATION_CREDENTIALS env var")
+			assert.Equal(t, "GOOGLE_APPLICATION_CREDENTIALS", container.Env[0].Name)
+		})
+	}
+}
+
 // BenchmarkWebhookDefault measures webhook performance
 func BenchmarkWebhookDefault(b *testing.B) {
 	// Set required environment variables for testing