From ce0cdc26094b2dcd6f47ab84011c50f820bba8b5 Mon Sep 17 00:00:00 2001
From: Blair Drummond
Date: Fri, 8 Oct 2021 13:44:41 -0400
Subject: [PATCH] feat(https): use external vault if argo-workflow

---
 mutate.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/mutate.go b/mutate.go
index 343cf44..d56b920 100644
--- a/mutate.go
+++ b/mutate.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "fmt"
 "log"
+ "os"
 "strings"
 
 "k8s.io/api/admission/v1beta1"
@@ -15,6 +16,20 @@ func cleanName(name string) string {
 return strings.ReplaceAll(name, "_", "-")
 }
 
+func useExternalVault(pod *v1.Pod) (bool, string) {
+ if os.Getenv("VAULT_ADDR_HTTPS") == "" {
+ return false, ""
+ }
+
+ // if val, ok := pod.ObjectMeta.Labels["sidecar.istio.io/inject"]; ok && val == "false" {
+ if _, ok := pod.ObjectMeta.Labels["workflows.argoproj.io/workflow"]; ok {
+ log.Printf("Will use external Vault address for workflow %s", pod.Name)
+ return true, os.Getenv("VAULT_ADDR_HTTPS")
+ }
+
+ return false, ""
+}
+
 func shouldInject(pod *v1.Pod) bool {
 
 // Inject Minio credentials into notebook pods (condition: has notebook-name label)
@@ -96,6 +111,14 @@ func mutate(request v1beta1.AdmissionRequest, instances []Instance) (v1beta1.Adm
 },
 }
 
+ if useExternal, vaultAddr := useExternalVault(&pod); useExternal {
+ patches = append(patches, map[string]interface{}{
+ "op": "add",
+ "path": fmt.Sprintf("/metadata/annotations/vault.hashicorp.com~1service"),
+ "value": vaultAddr,
+ })
+ }
+
 for _, instance := range instances {
 // Only apply to the relevant instances
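Review bot: In `useExternalVault` (second hunk), the value that ends up in the pod's `vault.hashicorp.com/service` annotation is taken straight from `VAULT_ADDR_HTTPS` with no check that it is an https URL, and the guard `if _, ok := pod.ObjectMeta.Labels["workflows.argoproj.io/workflow"]; ok` accepts any pod carrying that label key with any value, including an empty one. If the injector treats that annotation as the Vault server the agent authenticates against (that is how the annotation name reads; confirm against the injector deployed here), a misconfigured plain-http value would send each matched pod's Vault token in cleartext, and since pod labels are set by whoever creates the pod, any pod can opt itself into the external address, so the label should be treated as a routing hint rather than a trust decision. Reading the env var once, validating it with `net/url`, and requiring a non-empty label value tightens this; `"net/url"` would need to be added to the import block in the first hunk. The commented-out `sidecar.istio.io/inject` line should either be removed or carry a comment saying why it is kept.
```go
func useExternalVault(pod *v1.Pod) (bool, string) {
	addr := os.Getenv("VAULT_ADDR_HTTPS")
	if addr == "" {
		return false, ""
	}
	// The annotation redirects the pod's Vault traffic, so refuse anything that is not a TLS endpoint.
	if u, err := url.Parse(addr); err != nil || u.Scheme != "https" || u.Host == "" {
		log.Printf("Ignoring VAULT_ADDR_HTTPS %q: not an https:// URL", addr)
		return false, ""
	}
	// Argo sets this label to the workflow name; an empty value is not a workflow pod.
	// Any pod author can set the label, so this only selects the address, it grants nothing.
	if val, ok := pod.ObjectMeta.Labels["workflows.argoproj.io/workflow"]; ok && val != "" {
		log.Printf("Will use external Vault address for workflow %s", pod.Name)
		return true, addr
	}
	return false, ""
}
```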