chore: adapt ServiceAccount only in case of K8s Provider (#498)

Signed-off-by: Giovanni Liva <giovanni.liva@dynatrace.com>
open-feature · Jul 11, 2023 · 786d511 · 786d511
1 parent 603e74e
commit 786d511
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 6 deletions.
diff --git a/webhooks/pod_webhook.go b/webhooks/pod_webhook.go
@@ -83,17 +83,19 @@ func (m *PodMutator) Handle(ctx context.Context, req admission.Request) admissio
 		return admission.Denied("static or orphaned pods cannot be mutated")
 	}
 
-	// Check for the correct clusterrolebinding for the pod
-	if err := m.FlagdInjector.EnableClusterRoleBinding(ctx, pod.Namespace, pod.Spec.ServiceAccountName); err != nil {
-		return admission.Denied(err.Error())
-	}
-
 	// merge any provided flagd specs
 	flagSourceConfigurationSpec, code, err := m.createFSConfigSpec(ctx, req, annotations, pod)
 	if err != nil {
 		return admission.Errored(code, err)
 	}
 
+	// Check for the correct clusterrolebinding for the pod if we use the Kubernetes mode
+	if containsK8sProvider(flagSourceConfigurationSpec.Sources) {
+		if err := m.FlagdInjector.EnableClusterRoleBinding(ctx, pod.Namespace, pod.Spec.ServiceAccountName); err != nil {
+			return admission.Denied(err.Error())
+		}
+	}
+
 	if err := m.FlagdInjector.InjectFlagd(ctx, &pod.ObjectMeta, &pod.Spec, flagSourceConfigurationSpec); err != nil {
 		if goErr.Is(err, constant.ErrFlagdProxyNotReady) {
 			return admission.Denied(err.Error())
@@ -110,6 +112,15 @@ func (m *PodMutator) Handle(ctx context.Context, req admission.Request) admissio
 	return admission.PatchResponseFromRaw(req.Object.Raw, marshaledPod)
 }
 
+func containsK8sProvider(sources []v1alpha1.Source) bool {
+	for _, source := range sources {
+		if source.Provider.IsKubernetes() {
+			return true
+		}
+	}
+	return false
+}
+
 func (m *PodMutator) createFSConfigSpec(ctx context.Context, req admission.Request, annotations map[string]string, pod *corev1.Pod) (*v1alpha1.FlagSourceConfigurationSpec, int32, error) {
 	// Check configuration
 	fscNames := []string{}

diff --git a/webhooks/pod_webhook_test.go b/webhooks/pod_webhook_test.go
@@ -335,7 +335,19 @@ func TestPodMutator_Handle(t *testing.T) {
 		{
 			name: "forbidden request pod annotated with owner, but cluster role binding cannot be enabled",
 			mutator: &PodMutator{
-				Client:  NewClient(false),
+				Client: NewClient(false,
+					&v1alpha1.FeatureFlagConfiguration{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      featureFlagConfigurationName,
+							Namespace: mutatePodNamespace,
+						},
+						Spec: v1alpha1.FeatureFlagConfigurationSpec{
+							FlagDSpec: &v1alpha1.FlagDSpec{Envs: []corev1.EnvVar{
+								{Name: "LOG_LEVEL", Value: "dev"},
+							}},
+						},
+					},
+				),
 				decoder: decoder,
 				Log:     testr.New(t),
 				ready:   false,