

Added a watcher for secret
Signed-off-by: nithishs <[email protected]>
Nithish555 committed Mar 31, 2023
1 parent 428123a commit ebf6687
Showing 9 changed files with 244 additions and 553 deletions.
5 changes: 5 additions & 0 deletions build/charts/nephe/templates/controller/deployment.yaml
Expand Up @@ -28,6 +28,11 @@ spec:
image: {{ include "nepheImage" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: nephe-controller
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- containerPort: 9443
name: webhook-server
5 changes: 5 additions & 0 deletions config/manager/nephe-controller.yaml
Expand Up @@ -55,6 +55,11 @@ spec:
image: "projects.registry.vmware.com/antrea/nephe:latest"
imagePullPolicy: IfNotPresent
name: nephe-controller
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
limits:
cpu: 1000m
6 changes: 5 additions & 1 deletion config/nephe.yml
Expand Up @@ -509,6 +509,11 @@ spec:
- --enable-debug-log
command:
- /nephe-controller
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: projects.registry.vmware.com/antrea/nephe:latest
imagePullPolicy: IfNotPresent
name: nephe-controller
Expand Down Expand Up @@ -706,7 +711,6 @@ webhooks:
apiVersions:
- v1
operations:
- UPDATE
- DELETE
resources:
- secrets
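Review bot: Removing `- UPDATE` from the secrets webhook leaves DELETE as the only Secret operation routed to the validator, and the same edit appears in config/webhook/manifests-new.yaml; if that file is regenerated from kubebuilder webhook markers in pkg/apiserver/webhook/secret_webhook.go, the marker's verbs list needs the same change in this commit or the next regeneration will reintroduce UPDATE (the marker is not visible in this chunk). The Go handler in the same commit still keeps a `case admissionv1.Update:` branch that this configuration will never trigger, so one of the two should be brought in line with the other. The POD_NAMESPACE additions in the first hunk and in the two deployment manifests are consistent with each other and need no change.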
1 change: 0 additions & 1 deletion config/webhook/manifests-new.yaml
Expand Up @@ -107,7 +107,6 @@ webhooks:
apiVersions:
- v1
operations:
- UPDATE
- DELETE
resources:
- secrets
48 changes: 4 additions & 44 deletions pkg/apiserver/webhook/secret_webhook.go
Expand Up @@ -44,9 +44,9 @@ func (v *SecretValidator) Handle(ctx context.Context, req admission.Request) adm
v.Log.V(1).Info("Received admission webhook request", "Name", req.Name, "Operation", req.Operation)
switch req.Operation {
case admissionv1.Create:
return v.validateCreate(req)
return v.validateCreate()
case admissionv1.Update:
return v.validateUpdate(req)
return v.validateUpdate()
case admissionv1.Delete:
return v.validateDelete(req)
default:
Expand All @@ -60,14 +60,6 @@ func (v *SecretValidator) InjectDecoder(d *admission.Decoder) error { //nolint:u
return nil
}

// allowSecretUpdate returns true only when Secret data key is unchanged.
func (v *SecretValidator) allowSecretUpdate(new *corev1.Secret, old *corev1.Secret, key string) bool {
if changed := string(new.Data[key]) != string(old.Data[key]); changed {
return false
}
return true
}

// getCPABySecret returns nil only when the Secret is not used by any CloudProvideAccount CR,
// otherwise the dependent CloudProvideAccount CR will be returned.
func (v *SecretValidator) getCPABySecret(s *corev1.Secret) (error, *crdv1alpha1.CloudProviderAccount) {
Expand Down Expand Up @@ -96,44 +88,12 @@ func (v *SecretValidator) getCPABySecret(s *corev1.Secret) (error, *crdv1alpha1.
}

// validateCreate does not deny Secret creation.
func (v *SecretValidator) validateCreate(req admission.Request) admission.Response { // nolint: unparam
func (v *SecretValidator) validateCreate() admission.Response { // nolint: unparam
return admission.Allowed("")
}

// validateUpdate denies Secret update, if the Secret key is referred in a CloudProviderAccount.
func (v *SecretValidator) validateUpdate(req admission.Request) admission.Response {
newSecret := &corev1.Secret{}
err := v.decoder.Decode(req, newSecret)
if err != nil {
v.Log.Error(err, "Failed to decode Secret", "SecretValidator", req.Name)
return admission.Errored(http.StatusBadRequest, err)
}
oldSecret := &corev1.Secret{}
if req.OldObject.Raw != nil {
if err := json.Unmarshal(req.OldObject.Raw, &oldSecret); err != nil {
v.Log.Error(err, "Failed to decode old Secret", "SecretValidator", req.Name)
return admission.Errored(http.StatusBadRequest, err)
}
}

err, cpa := v.getCPABySecret(oldSecret)
if err != nil {
return admission.Denied(err.Error())
}
if cpa != nil {
var key string
if cpa.Spec.AWSConfig != nil {
key = cpa.Spec.AWSConfig.SecretRef.Key
} else if cpa.Spec.AzureConfig != nil {
key = cpa.Spec.AzureConfig.SecretRef.Key
}
if ok := v.allowSecretUpdate(newSecret, oldSecret, key); !ok {
v.Log.Error(nil, "The Secret is referred by a CloudProviderAccount. Cannot modify it,",
"Secret", oldSecret.Name, "CloudProviderAccount", cpa.Name)
return admission.Denied(fmt.Sprintf("the Secret %v is referred by a "+
"CloudProviderAccount %s. The %s field 'value' cannot be changed", oldSecret.Name, cpa.Name, key))
}
}
func (v *SecretValidator) validateUpdate() admission.Response {
return admission.Allowed("")
}

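Review bot: The context line `// validateUpdate denies Secret update, if the Secret key is referred in a CloudProviderAccount.` is kept unchanged while the new body of validateUpdate returns admission.Allowed("") unconditionally, so the doc comment now states the opposite of what the function does. Replace it with something like `// validateUpdate allows every Secret update; a change to a Secret referenced by a CloudProviderAccount is no longer rejected at admission time and is expected to be picked up by the Secret watcher.` — the watcher is named only in the commit title and is not in this chunk, so confirm the wording against it. Because the deleted allowSecretUpdate check was the only thing preventing a referenced credential key from being rewritten in place, correctness now depends entirely on that watcher reconciling the CloudProviderAccount after an update, and the comment should say so. With UPDATE removed from the secrets webhook in config/nephe.yml and config/webhook/manifests-new.yaml, the `case admissionv1.Update:` branch in Handle (first hunk) should no longer be reached; either delete it together with validateUpdate or add a comment that it is retained deliberately.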

