Adapt the secrets webhook to rely on the provider label

Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>

charts/gardener-extension-admission-gcp/charts/application/templates/rbac.yaml

@@ -6,6 +6,7 @@ metadata:
   labels:
 {{ include "labels" . | indent 4 }}
 rules:
+# TODO (ialidzhikov): list,watch permissions for shoots,secrets should not be required anymore.
 - apiGroups:
   - core.gardener.cloud
   resources:

charts/gardener-extension-admission-gcp/charts/application/templates/validatingwebhook-validator.yaml

@@ -44,7 +44,9 @@ webhooks:
     resources:
     - secrets
   failurePolicy: Fail
-  objectSelector: {}
+  objectSelector:
+    matchLabels:
+      provider.shoot.gardener.cloud/gcp: "true"
   namespaceSelector: {}
   sideEffects: None
   admissionReviewVersions:

cmd/gardener-extension-admission-gcp/app/app.go

@@ -24,10 +24,8 @@ import (
 
 	controllercmd "github.com/gardener/gardener/extensions/pkg/controller/cmd"
 	"github.com/gardener/gardener/extensions/pkg/util"
-	"github.com/gardener/gardener/extensions/pkg/util/index"
 	webhookcmd "github.com/gardener/gardener/extensions/pkg/webhook/cmd"
 	"github.com/gardener/gardener/pkg/apis/core/install"
-	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 	"github.com/spf13/cobra"
 	componentbaseconfig "k8s.io/component-base/config"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -78,13 +76,6 @@ func NewAdmissionCommand(ctx context.Context) *cobra.Command {
 				return fmt.Errorf("could not update manager scheme: %v", err)
 			}
 
-			if err := mgr.GetFieldIndexer().IndexField(ctx, &gardencorev1beta1.SecretBinding{}, index.SecretRefNamespaceField, index.SecretRefNamespaceIndexerFunc); err != nil {
-				return err
-			}
-			if err := mgr.GetFieldIndexer().IndexField(ctx, &gardencorev1beta1.Shoot{}, index.SecretBindingNameField, index.SecretBindingNameIndexerFunc); err != nil {
-				return err
-			}
-
 			log.Info("Setting up webhook server")
 
 			if err := webhookOptions.Completed().AddToManager(mgr); err != nil {

example/40-validatingwebhookconfiguration.yaml

@@ -37,7 +37,9 @@ webhooks:
     resources:
     - secrets
   failurePolicy: Fail
-  objectSelector: {}
+  objectSelector:
+    matchLabels:
+      provider.shoot.gardener.cloud/gcp: "true"
   namespaceSelector: {}
   sideEffects: None
   admissionReviewVersions:

pkg/admission/validator/secret.go

@@ -19,32 +19,21 @@ import (
 	"fmt"
 
 	gcpvalidation "github.com/gardener/gardener-extension-provider-gcp/pkg/apis/gcp/validation"
-	"github.com/gardener/gardener-extension-provider-gcp/pkg/gcp"
 
-	secretutil "github.com/gardener/gardener/extensions/pkg/util/secret"
 	extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-type secret struct {
-	client client.Client
-}
+type secret struct{}
 
 // NewSecretValidator returns a new instance of a secret validator.
 func NewSecretValidator() extensionswebhook.Validator {
 	return &secret{}
 }
 
-// InjectClient injects the given client into the validator.
-func (s *secret) InjectClient(client client.Client) error {
-	s.client = client
-	return nil
-}
-
-// Validate checks whether the given new secret is in use by Shoot with provider.type=gcp
-// and if yes, it check whether the new secret contains a valid GCP service account.
+// Validate checks whether the given new secret contains a valid GCP service account.
 func (s *secret) Validate(ctx context.Context, newObj, oldObj client.Object) error {
 	secret, ok := newObj.(*corev1.Secret)
 	if !ok {
@@ -62,14 +51,5 @@ func (s *secret) Validate(ctx context.Context, newObj, oldObj client.Object) err
 		}
 	}
 
-	isInUse, err := secretutil.IsSecretInUseByShoot(ctx, s.client, secret, gcp.Type)
-	if err != nil {
-		return err
-	}
-
-	if !isInUse {
-		return nil
-	}
-
 	return gcpvalidation.ValidateCloudProviderSecret(secret)
 }