Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add validation for cloud provider Secrets #112

Merged
merged 1 commit into from
Jul 13, 2020
Merged

Add validation for cloud provider Secrets #112

merged 1 commit into from
Jul 13, 2020

Conversation

ialidzhikov
Copy link
Member

@ialidzhikov ialidzhikov commented Jun 9, 2020
edited

How to categorize this PR?

/area robustness
/area ops-productivity
/kind enhancement
/priority normal
/platform gcp

What this PR does / why we need it:
Add validation for cloud provider Secrets.

Which issue(s) this PR fixes:
Ref gardener/gardener#2293

Special notes for your reviewer:

Release note:

The existing ValidatingWebhookConfiguration of `admission-gcp` for Shoot validation does now validate also the Shoot secret. `admission-gcp` does now feature also a new webhook that prevents Shoot secret to be updated with invalid keys.

@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 9, 2020
@gardener-robot gardener-robot added platform/gcp Google cloud platform/infrastructure priority/normal labels Jun 9, 2020
@gardener-robot
Copy link

@ialidzhikov Labels area/todo, kind/todo do not exist.

@gardener-robot-ci-2 gardener-robot-ci-2 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jun 9, 2020
@ialidzhikov
Copy link
Member Author

Something interesting that I figure out today trying to use client.MatchingFields/client.MatchingFieldsSelector with the controller-runtime client.
When the client is a non-cached one, the above options are handled as field selector sent to the API server.
When the client is a cached one, the above options work on index and you have to explicitly add the index fields. For example:

			if err := mgr.GetFieldIndexer().IndexField(&gardencorev1beta1.Shoot{}, "spec.seedName", func(rawObj runtime.Object) []string {
				shoot := rawObj.(*gardencorev1beta1.Shoot)
				if shoot.Spec.SeedName == nil {
					return nil
				}

				return []string{*shoot.Spec.SeedName}
			}); err != nil {
				return err
			}

Otherwise the calls always fail with

Index with name field:spec.seedName does not exist

Ahh, that was quite unintuitive for me, as I added the required changes for gardener-apiserver for new field-selectors, kubectl and a non-cached client were working well, but I was wondering why the cached client continues to return index does not exist.

@ialidzhikov ialidzhikov mentioned this pull request Jun 22, 2020
Merged
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 22, 2020
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 22, 2020
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 23, 2020
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 23, 2020
@gardener-robot gardener-robot added area/ops-productivity Operator productivity related (how to improve operations) area/robustness Robustness, reliability, resilience related kind/enhancement Enhancement, improvement, extension labels Jun 23, 2020
@ialidzhikov ialidzhikov marked this pull request as ready for review June 23, 2020 07:47
@ialidzhikov ialidzhikov requested review from a team as code owners June 23, 2020 07:47
@timuthy
Copy link
Member

timuthy commented Jun 23, 2020

/assign

vpnachev
vpnachev suggested changes Jun 23, 2020
View reviewed changes
Copy link
Member

@vpnachev vpnachev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, looks very nice!

I have mostly comments and several change requests.

...rdener-extension-admission-gcp/charts/application/templates/validatingwebhook-validator.yaml Show resolved Hide resolved
docs/local-setup.md Outdated Show resolved Hide resolved
docs/local-setup.md Outdated Show resolved Hide resolved
example/40-validatingwebhookconfiguration.yaml Show resolved Hide resolved
pkg/admission/validator/secret.go Outdated Show resolved Hide resolved
pkg/admission/validator/secret.go Outdated Show resolved Hide resolved
pkg/admission/validator/secret.go Outdated Show resolved Hide resolved
pkg/admission/validator/secret.go Outdated Show resolved Hide resolved
pkg/admission/validator/secret.go Outdated Show resolved Hide resolved
pkg/admission/validator/secret.go Outdated Show resolved Hide resolved
rfranzke
rfranzke reviewed Jun 24, 2020
View reviewed changes
Copy link
Member

@rfranzke rfranzke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice PR!

pkg/admission/cache/informer_cache.go Outdated Show resolved Hide resolved
pkg/admission/cache/informer_cache.go Outdated Show resolved Hide resolved
pkg/apis/gcp/validation/secret.go Show resolved Hide resolved
timuthy
timuthy requested changes Jun 24, 2020
View reviewed changes
Copy link
Member

@timuthy timuthy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice PR, I really like it. Just a few comments and questions.

docs/local-setup.md Outdated Show resolved Hide resolved
example/40-validatingwebhookconfiguration.yaml Show resolved Hide resolved
pkg/admission/validator/secret.go Outdated Show resolved Hide resolved
pkg/admission/validator/shoot.go Outdated Show resolved Hide resolved
pkg/admission/validator/webhook.go Show resolved Hide resolved
pkg/admission/validator/secret.go Outdated Show resolved Hide resolved
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 26, 2020
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 26, 2020
ialidzhikov
ialidzhikov commented Jun 26, 2020
View reviewed changes
pkg/admission/validator/secret.go Outdated Show resolved Hide resolved
pkg/admission/validator/secret.go Outdated Show resolved Hide resolved
pkg/admission/cache/informer_cache.go Outdated
// SecretRefNamespaceField is the field name for the index function that extracts the corresponding field from SecretBinding.
const SecretRefNamespaceField string = "secretRef.namespace"

func SecretRefNamespaceIndexerFunc(rawObj runtime.Object) []string {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These funcs are not admission-gcp specific, they would also need to go under g/g extensions pkgs to make them usable also from other provider extensions.

pkg/admission/validator/secret.go Outdated Show resolved Hide resolved
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 30, 2020
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jun 30, 2020
@ialidzhikov ialidzhikov mentioned this pull request Jul 1, 2020
Merged
timuthy
timuthy reviewed Jul 7, 2020
View reviewed changes
Copy link
Member

@timuthy timuthy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice. Can you update the g/g dependency to include gardener/gardener#2537 and adapt this PR to it?

docs/local-setup.md Outdated Show resolved Hide resolved
@ialidzhikov
Add validation for cloud provider Secrets
800ee3e 
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
@gardener-robot-ci-2 gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jul 10, 2020
@ialidzhikov
Copy link
Member Author

Nice. Can you update the g/g dependency to include gardener/gardener#2537 and adapt this PR to it?

Sorry for the long delay, now I updated the PR.

vpnachev
vpnachev previously approved these changes Jul 13, 2020
View reviewed changes
Copy link
Member

@vpnachev vpnachev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/reviewed ok-to-test

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jul 13, 2020
@vpnachev vpnachev dismissed their stale review July 13, 2020 14:48

sorry, wrong tab

@timuthy timuthy merged commit f560921 into gardener:master Jul 13, 2020
@ialidzhikov ialidzhikov mentioned this pull request Jul 14, 2020
Merged
@ialidzhikov ialidzhikov deleted the enh/credentials-validation branch July 25, 2020 17:23
@ialidzhikov ialidzhikov mentioned this pull request Jul 25, 2020
Closed
@timuthy timuthy mentioned this pull request Jul 28, 2020
Closed
@gardener-robot gardener-robot added the priority/3 Priority (lower number equals higher priority) label Mar 8, 2021
@ialidzhikov ialidzhikov mentioned this pull request Apr 7, 2021
Merged
This was referenced May 14, 2021
Merged
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timuthy timuthy timuthy approved these changes

@vpnachev vpnachev vpnachev left review comments

@rfranzke rfranzke Awaiting requested review from rfranzke

Assignees

@timuthy timuthy

Labels
area/ops-productivity Operator productivity related (how to improve operations) area/robustness Robustness, reliability, resilience related kind/enhancement Enhancement, improvement, extension needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) platform/gcp Google cloud platform/infrastructure priority/3 Priority (lower number equals higher priority) reviewed/lgtm Has approval for merging reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@ialidzhikov @gardener-robot @timuthy @vpnachev @rfranzke @gardener-robot-ci-1 @gardener-robot-ci-2 @gardener-robot-ci-3