feat(labels) add generic validate label

Kong · Apr 13, 2024 · 73ee99b · 73ee99b
1 parent 80424f3
commit 73ee99b
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 40 deletions.
diff --git a/internal/admission/handler.go b/internal/admission/handler.go
@@ -286,24 +286,37 @@ func (h RequestHandler) handleSecret(
 		// referenced secret, labeled or not.
 
 		// plugin configuration secrets
-		if _, hasPluginLabel := secret.Labels[labels.ValidateLabel]; hasPluginLabel {
+		switch validate := secret.Labels[labels.ValidateLabel]; labels.ValidateType(validate) {
+		case labels.PluginValidate:
+			ok, message, err := h.checkReferrersOfSecret(ctx, &secret)
+			if err != nil {
+				return responseBuilder.Allowed(false).WithMessage(fmt.Sprintf("failed to validate other objects referencing the secret: %v", err)).Build(), err
+			}
+			if !ok {
+				return responseBuilder.Allowed(false).WithMessage(message).Build(), nil
+			}
+		default:
+			// TODO this duplicates the above plugin handling block. prior to 3.2, the admission webhook ingested all
+			// Secrets and used this to validate updates to plugin configuration. this non-labeled case is retained
+			// for environments that still use ingest all configuration.
 			ok, message, err := h.checkReferrersOfSecret(ctx, &secret)
 			if err != nil {
 				return responseBuilder.Allowed(false).WithMessage(fmt.Sprintf("failed to validate other objects referencing the secret: %v", err)).Build(), err
 			}
 			if !ok {
 				return responseBuilder.Allowed(false).WithMessage(message).Build(), nil
 			}
-		}
 
-		// fallback allow
-		// No Secret should hit this, as filters should only check those that match one of the above cases, but if we
-		// somehow (presumably via outdated webhook config) get a Secret that lacks the labels we check, allow it.
-		return responseBuilder.Allowed(true).Build(), nil
+			// no reference found in the blanket block, this is some random unrelated Secret and KIC should ignore it.
+			return responseBuilder.Allowed(true).Build(), nil
+		}
 
 	default:
 		return nil, fmt.Errorf("unknown operation %q", string(request.Operation))
 	}
+	// fallback allow. it should not be possible to hit this because of the defaults above, but the compiler wants it.
+	// if a request somehow has reached this, we shouldn't touch it.
+	return responseBuilder.Allowed(true).Build(), nil
 }
 
 // checkReferrersOfSecret validates all referrers (KongPlugins and KongClusterPlugins) of the secret

diff --git a/internal/dataplane/kongstate/kongstate_test.go b/internal/dataplane/kongstate/kongstate_test.go
@@ -742,40 +742,6 @@ func TestFillConsumersAndCredentials(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "KongConsumer with key-auth from label secret with the old cred field",
-			k8sConsumers: []*kongv1.KongConsumer{
-				{
-					TypeMeta: kongConsumerTypeMeta,
-					ObjectMeta: metav1.ObjectMeta{
-						Name:      "foo",
-						Namespace: "default",
-						Annotations: map[string]string{
-							"kubernetes.io/ingress.class": annotations.DefaultIngressClass,
-						},
-					},
-					Username: "foo",
-					CustomID: "foo",
-					Credentials: []string{
-						"labeledSecretWithCredField",
-					},
-				},
-			},
-			expectedKongStateConsumers: []Consumer{
-				{
-					Consumer: kong.Consumer{
-						Username: kong.String("foo"),
-						CustomID: kong.String("foo"),
-					},
-					KeyAuths: []*KeyAuth{{kong.KeyAuth{
-						Key: kong.String("little-rabbits-be-good"),
-						Tags: util.GenerateTagsForObject(&corev1.Secret{
-							ObjectMeta: metav1.ObjectMeta{Namespace: "default", Name: "labeledSecretWithCredField"},
-						}),
-					}}},
-				},
-			},
-		},
 	}
 
 	for i, tc := range testCases {

diff --git a/test/envtest/admission_webhook_envtest_test.go b/test/envtest/admission_webhook_envtest_test.go
@@ -214,6 +214,9 @@ func TestAdmissionWebhook_KongPlugins(t *testing.T) {
 			kongPlugin: &kongv1.KongPlugin{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "rate-limiting-invalid-config-from",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				PluginName: "rate-limiting",
 				ConfigFrom: &kongv1.ConfigSource{
@@ -226,6 +229,9 @@ func TestAdmissionWebhook_KongPlugins(t *testing.T) {
 			secretBefore: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "conf-secret-invalid-config",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-config": []byte(`{"limit_by":"consumer","policy":"local","minute":5}`),
@@ -234,6 +240,9 @@ func TestAdmissionWebhook_KongPlugins(t *testing.T) {
 			secretAfter: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "conf-secret-invalid-config",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-config": []byte(`{"limit_by":"consumer","policy":"local","minute":"5"}`),
@@ -267,6 +276,9 @@ func TestAdmissionWebhook_KongPlugins(t *testing.T) {
 			secretBefore: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "conf-secret-invalid-field",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-config-minutes": []byte("10"),
@@ -275,6 +287,9 @@ func TestAdmissionWebhook_KongPlugins(t *testing.T) {
 			secretAfter: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "conf-secret-invalid-field",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-config-minutes": []byte(`"10"`),
@@ -288,6 +303,9 @@ func TestAdmissionWebhook_KongPlugins(t *testing.T) {
 			kongPlugin: &kongv1.KongPlugin{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "rate-limiting-valid-config",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				PluginName: "rate-limiting",
 				Config: apiextensionsv1.JSON{
@@ -308,6 +326,9 @@ func TestAdmissionWebhook_KongPlugins(t *testing.T) {
 			secretBefore: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "conf-secret-valid-field",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-config-minutes": []byte(`10`),
@@ -316,6 +337,9 @@ func TestAdmissionWebhook_KongPlugins(t *testing.T) {
 			secretAfter: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "conf-secret-valid-field",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-config-minutes": []byte(`15`),
@@ -411,6 +435,9 @@ func TestAdmissionWebhook_KongClusterPlugins(t *testing.T) {
 			secretBefore: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "cluster-conf-secret-valid",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-config": []byte(`{"limit_by":"consumer","policy":"local","minute":5}`),
@@ -419,6 +446,9 @@ func TestAdmissionWebhook_KongClusterPlugins(t *testing.T) {
 			secretAfter: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "cluster-conf-secret-valid",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-config": []byte(`{"limit_by":"consumer","policy":"local","minute":10}`),
@@ -447,6 +477,9 @@ func TestAdmissionWebhook_KongClusterPlugins(t *testing.T) {
 			secretBefore: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "cluster-conf-secret-invalid",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-config": []byte(`{"limit_by":"consumer","policy":"local","minute":5}`),
@@ -455,6 +488,9 @@ func TestAdmissionWebhook_KongClusterPlugins(t *testing.T) {
 			secretAfter: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "cluster-conf-secret-invalid",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-config": []byte(`{"limit_by":"consumer","policy":"local","minute":"5"}`),
@@ -492,6 +528,9 @@ func TestAdmissionWebhook_KongClusterPlugins(t *testing.T) {
 			secretBefore: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "cluster-conf-secret-valid-patch",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-minute": []byte(`5`),
@@ -500,6 +539,9 @@ func TestAdmissionWebhook_KongClusterPlugins(t *testing.T) {
 			secretAfter: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "cluster-conf-secret-valid-patch",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-minute": []byte(`10`),
@@ -536,6 +578,9 @@ func TestAdmissionWebhook_KongClusterPlugins(t *testing.T) {
 			secretBefore: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "cluster-conf-secret-invalid-patch",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-minute": []byte(`5`),
@@ -544,6 +589,9 @@ func TestAdmissionWebhook_KongClusterPlugins(t *testing.T) {
 			secretAfter: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "cluster-conf-secret-invalid-patch",
+					Labels: map[string]string{
+						labels.ValidateLabel: "plugin",
+					},
 				},
 				Data: map[string][]byte{
 					"rate-limiting-minute": []byte(`"10"`),