Merge pull request #104 from mjlshen/OSD-13906

Use an APIReader so that we don't cache reads and can limit K8s RBAC
openshift · Jan 27, 2023 · e34203d · e34203d
2 parents 01cc910 + 2e1ce23
commit e34203d
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/controllers/vpcendpoint/helpers.go b/controllers/vpcendpoint/helpers.go
@@ -82,7 +82,7 @@ func (r *VpcEndpointReconciler) parseClusterInfo(ctx context.Context, vpce *avov
 
 	if vpce.Spec.AWSCredentialOverrideRef != nil {
 		// Use the provided override credentials for this specific vpcendpoint
-		cfg, err := secrets.ParseAWSCredentialOverride(ctx, r.Client, r.clusterInfo.region, vpce.Spec.AWSCredentialOverrideRef)
+		cfg, err := secrets.ParseAWSCredentialOverride(ctx, r.APIReader, r.clusterInfo.region, vpce.Spec.AWSCredentialOverrideRef)
 		if err != nil {
 			return err
 		}

diff --git a/controllers/vpcendpoint/vpcendpoint_controller.go b/controllers/vpcendpoint/vpcendpoint_controller.go
@@ -40,8 +40,9 @@ import (
 // VpcEndpointReconciler reconciles a VpcEndpoint object
 type VpcEndpointReconciler struct {
 	client.Client
-	Scheme   *runtime.Scheme
-	Recorder record.EventRecorder
+	APIReader client.Reader
+	Scheme    *runtime.Scheme
+	Recorder  record.EventRecorder
 
 	log         logr.Logger
 	awsClient   *aws_client.AWSClient
@@ -151,6 +152,8 @@ func (r *VpcEndpointReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *VpcEndpointReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	r.APIReader = mgr.GetAPIReader()
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&avov1alpha2.VpcEndpoint{}).
 		Owns(&corev1.Service{}).

diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
@@ -37,12 +37,14 @@ const (
 
 // ParseAWSCredentialOverride takes in an AWS region and a secret reference and attempts to assemble an aws.Config
 // Currently only supports parsing AWS IAM User credentials
-func ParseAWSCredentialOverride(ctx context.Context, c client.Client, region string, ref *corev1.SecretReference) (aws.Config, error) {
+func ParseAWSCredentialOverride(ctx context.Context, c client.Reader, region string, ref *corev1.SecretReference) (aws.Config, error) {
 	if ref == nil {
 		return aws.Config{}, errors.New("AWS Credential Override secret reference must not be nil")
 	}
 
 	secret := new(corev1.Secret)
+	// We use an APIReader instead of reading from the cache here so that the controller can minimize
+	// the K8s RBAC needed to only get secrets where desired
 	if err := c.Get(ctx, client.ObjectKey{Namespace: ref.Namespace, Name: ref.Name}, secret); err != nil {
 		return aws.Config{}, err
 	}