Skip to content

Commit

Permalink
Use an APIReader so that we don't cache reads and can limit K8s RBAC
Browse files Browse the repository at this point in the history 
Signed-off-by: Michael Shen <mshen@redhat.com>
  • Loading branch information
@mjlshen
mjlshen committed Jan 27, 2023
1 parent 62262f7 commit 2e1ce23
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 4 deletions.
2 changes: 1 addition & 1 deletion controllers/vpcendpoint/helpers.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ func (r *VpcEndpointReconciler) parseClusterInfo(ctx context.Context, vpce *avov

if vpce.Spec.AWSCredentialOverrideRef != nil {
// Use the provided override credentials for this specific vpcendpoint
cfg, err := secrets.ParseAWSCredentialOverride(ctx, r.Client, r.clusterInfo.region, vpce.Spec.AWSCredentialOverrideRef)
cfg, err := secrets.ParseAWSCredentialOverride(ctx, r.APIReader, r.clusterInfo.region, vpce.Spec.AWSCredentialOverrideRef)
if err != nil {
return err
}
Expand Down
7 changes: 5 additions & 2 deletions controllers/vpcendpoint/vpcendpoint_controller.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,8 +40,9 @@ import (
// VpcEndpointReconciler reconciles a VpcEndpoint object
type VpcEndpointReconciler struct {
client.Client
Scheme *runtime.Scheme
Recorder record.EventRecorder
APIReader client.Reader
Scheme *runtime.Scheme
Recorder record.EventRecorder

log logr.Logger
awsClient *aws_client.AWSClient
Expand Down Expand Up @@ -151,6 +152,8 @@ func (r *VpcEndpointReconciler) Reconcile(ctx context.Context, req ctrl.Request)

// SetupWithManager sets up the controller with the Manager.
func (r *VpcEndpointReconciler) SetupWithManager(mgr ctrl.Manager) error {
r.APIReader = mgr.GetAPIReader()

return ctrl.NewControllerManagedBy(mgr).
For(&avov1alpha2.VpcEndpoint{}).
Owns(&corev1.Service{}).
Expand Down
4 changes: 3 additions & 1 deletion pkg/secrets/secrets.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,12 +37,14 @@ const (

// ParseAWSCredentialOverride takes in an AWS region and a secret reference and attempts to assemble an aws.Config
// Currently only supports parsing AWS IAM User credentials
func ParseAWSCredentialOverride(ctx context.Context, c client.Client, region string, ref *corev1.SecretReference) (aws.Config, error) {
func ParseAWSCredentialOverride(ctx context.Context, c client.Reader, region string, ref *corev1.SecretReference) (aws.Config, error) {
if ref == nil {
return aws.Config{}, errors.New("AWS Credential Override secret reference must not be nil")
}

secret := new(corev1.Secret)
// We use an APIReader instead of reading from the cache here so that the controller can minimize
// the K8s RBAC needed to only get secrets where desired
if err := c.Get(ctx, client.ObjectKey{Namespace: ref.Namespace, Name: ref.Name}, secret); err != nil {
return aws.Config{}, err
}
Expand Down

0 comments on commit 2e1ce23

Please sign in to comment.