Simplify the permissions for the certificate generation #398

Merged
merged 1 commit into from
Dec 2, 2021
36 changes: 7 additions & 29 deletions config/common/operator/clusterrole-operator.yaml
Expand Up @@ -7,15 +7,15 @@ metadata:
operator: dynakube
rules:
- apiGroups:
- "" # "" indicates the core API group
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- "" # "" indicates the core API group
- ""
resources:
- namespaces
verbs:
Expand All @@ -41,21 +41,12 @@ rules:
- update
- delete
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
verbs:
- list
- create
- watch
- apiGroups:
- admissionregistration.k8s.io
- ""
resources:
- validatingwebhookconfigurations
- events
verbs:
- list
- create
- watch
- patch
- apiGroups:
- admissionregistration.k8s.io
resources:
Expand All @@ -74,26 +65,13 @@ rules:
verbs:
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
resourceNames:
- "dynakubes.dynatrace.com"
- dynakubes.dynatrace.com
verbs:
- get
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch

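Review bot: The explanatory comment `# "" indicates the core API group` is dropped from the two core-group rules at the top of the file while the bare `""` stays, so a reader no longer gets the hint that the empty string means the core group rather than a placeholder; keeping `- "" # core API group` on those lines and on the new events rule costs nothing. Dropping `list`/`watch`/`create` on the webhook configurations and `list`/`watch` on customresourcedefinitions is what makes the `resourceNames` scoping to `dynakubes.dynatrace.com` effective, since resourceNames restrictions do not apply to list, watch or create requests. That narrowing matches the reconciler's switch to direct API reads in webhook_reconciler.go in the same PR, but nothing in this file records the dependency; a one-line comment above the customresourcedefinitions rule such as `# get/update only: the reconciler reads these via the uncached API reader, so no list/watch is needed` would keep the two files from drifting apart.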
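--- a/controllers/certificates/webhook_reconciler.go
+++ b/controllers/certificates/webhook_reconciler.go
@@ -51,13 +51,15 @@ func newWebhookReconciler(mgr manager.Manager, cancelMgr context.CancelFunc) *Re
 return &ReconcileWebhookCertificates{
 cancelMgrFunc: cancelMgr,
 client: mgr.GetClient(),
+apiReader: mgr.GetAPIReader(),
 logger: log.Log.WithName("operator.webhook-certificates"),
 }
 }
 
 type ReconcileWebhookCertificates struct {
 ctx context.Context
 client client.Client
+apiReader client.Reader
 namespace string
 logger logr.Logger
 cancelMgrFunc context.CancelFunc
@@ -193,7 +195,7 @@ func (r *ReconcileWebhookCertificates) updateWebhookConfigurations(ctx context.C
 func (r *ReconcileWebhookCertificates) getMutatingWebhookConfiguration(ctx context.Context) (
 *admissionregistrationv1.MutatingWebhookConfiguration, error) {
 var mutatingWebhook admissionregistrationv1.MutatingWebhookConfiguration
-err := r.client.Get(ctx, client.ObjectKey{
+err := r.apiReader.Get(ctx, client.ObjectKey{
 Name: webhook.DeploymentName,
 }, &mutatingWebhook)
 if err != nil {
@@ -209,7 +211,7 @@ func (r *ReconcileWebhookCertificates) getMutatingWebhookConfiguration(ctx conte
 func (r *ReconcileWebhookCertificates) getValidatingWebhookConfiguration(ctx context.Context) (
 *admissionregistrationv1.ValidatingWebhookConfiguration, error) {
 var mutatingWebhook admissionregistrationv1.ValidatingWebhookConfiguration
-err := r.client.Get(ctx, client.ObjectKey{
+err := r.apiReader.Get(ctx, client.ObjectKey{
 Name: webhook.DeploymentName,
 }, &mutatingWebhook)
 if err != nil {
@@ -224,7 +226,7 @@ func (r *ReconcileWebhookCertificates) getValidatingWebhookConfiguration(ctx con
 
 func (r *ReconcileWebhookCertificates) getSecret() (*corev1.Secret, error) {
 var oldSecret corev1.Secret
-err := r.client.Get(r.ctx, client.ObjectKey{Name: r.buildSecretName(), Namespace: r.namespace}, &oldSecret)
+err := r.apiReader.Get(r.ctx, client.ObjectKey{Name: r.buildSecretName(), Namespace: r.namespace}, &oldSecret)
 if k8serrors.IsNotFound(err) {
 return nil, nil
 }
@@ -280,7 +282,7 @@ func (r *ReconcileWebhookCertificates) updateConfiguration(
 func (r *ReconcileWebhookCertificates) updateCRDConfiguration(ctx context.Context, secret *corev1.Secret) error {
 
 var crd apiv1.CustomResourceDefinition
-if err := r.client.Get(ctx, types.NamespacedName{Name: crdName}, &crd); err != nil {
+if err := r.apiReader.Get(ctx, types.NamespacedName{Name: crdName}, &crd); err != nil {
 return err
 }
 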
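Review bot: The new `apiReader` field on `ReconcileWebhookCertificates` and the four `Get` calls moved from `r.client` to `r.apiReader` carry no comment saying why the uncached reader is used, and the reason is not visible from this file: the cached client starts informers, which need `list`/`watch` on cluster-scoped resources that the ClusterRole in this PR drops. Suggest documenting the field with `// apiReader reads straight from the API server (no informer cache); the cached client would need list/watch on these resources, which the operator's ClusterRole no longer grants.` Direct reads trade cache hits for API-server round trips on every reconcile, which looks acceptable for certificate handling but deserves that sentence so a later maintainer does not "optimise" the calls back to `r.client` and reintroduce the broader permissions. In `getValidatingWebhookConfiguration` the local is still named `mutatingWebhook` on the line above the touched `Get`; renaming it to `validatingWebhook` would be a cheap fix in the same change. The bodies of all four functions, including `updateCRDConfiguration`, continue outside their hunks.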
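--- a/controllers/certificates/webhook_reconciler_test.go
+++ b/controllers/certificates/webhook_reconciler_test.go
@@ -32,8 +32,9 @@ func TestGetSecret(t *testing.T) {
 t.Run(`get nil if secret does not exists`, func(t *testing.T) {
 clt := fake.NewClient()
 r := &ReconcileWebhookCertificates{
-client: clt,
-ctx: context.TODO(),
+client: clt,
+apiReader: clt,
+ctx: context.TODO(),
 }
 secret, err := r.getSecret()
 require.NoError(t, err)
@@ -48,6 +49,7 @@ func TestGetSecret(t *testing.T) {
 })
 r := &ReconcileWebhookCertificates{
 client: clt,
+apiReader: clt,
 ctx: context.TODO(),
 namespace: testNamespace,
 }
@@ -202,6 +204,7 @@ func prepareReconcile(clt client.Client) (*ReconcileWebhookCertificates, reconci
 rec := &ReconcileWebhookCertificates{
 ctx: context.TODO(),
 client: clt,
+apiReader: clt,
 namespace: testNamespace,
 logger: logger.NewDTLogger(),
 }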