feat(labels) add generic validate label

Kong · Apr 12, 2024 · 81f1cd0 · 81f1cd0
1 parent 80424f3
commit 81f1cd0
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/internal/admission/handler.go b/internal/admission/handler.go
@@ -286,7 +286,19 @@ func (h RequestHandler) handleSecret(
 		// referenced secret, labeled or not.
 
 		// plugin configuration secrets
-		if _, hasPluginLabel := secret.Labels[labels.ValidateLabel]; hasPluginLabel {
+		switch validate := secret.Labels[labels.ValidateLabel]; labels.ValidateType(validate) {
+		case labels.PluginValidate:
+			ok, message, err := h.checkReferrersOfSecret(ctx, &secret)
+			if err != nil {
+				return responseBuilder.Allowed(false).WithMessage(fmt.Sprintf("failed to validate other objects referencing the secret: %v", err)).Build(), err
+			}
+			if !ok {
+				return responseBuilder.Allowed(false).WithMessage(message).Build(), nil
+			}
+		default:
+			// TODO this duplicates the above plugin handling block. prior to 3.2, the admission webhook ingested all
+			// Secrets and used this to validate updates to plugin configuration. this non-labeled case is retained
+			// for environments that still use ingest all configuration.
 			ok, message, err := h.checkReferrersOfSecret(ctx, &secret)
 			if err != nil {
 				return responseBuilder.Allowed(false).WithMessage(fmt.Sprintf("failed to validate other objects referencing the secret: %v", err)).Build(), err