
admission-openstack: Adapt Secrets webhook to rely on the provider label #452

Merged
merged 2 commits into from
May 30, 2022

Conversation

ialidzhikov
Member

/area robustness
/area cost
/kind enhancement
/platform openstack

What this PR does / why we need it:
This PR:

Which issue(s) this PR fixes:
Part of gardener/gardener-extension-provider-gcp#143 but for admission-openstack

Special notes for your reviewer:
Unlike admission-{gcp,aws,azure}, for admission-openstack we cannot drop the cache for SecretBindings, as the Shoot validator has to get the SecretBinding and then the Secret to fetch the domainName from it; the domainName is later used for validation.

```go
func (s *shoot) getCloudProviderSecretForShoot(ctx context.Context, shoot *core.Shoot) (*corev1.Secret, error) {
	var (
		secretBinding    = &gardencorev1beta1.SecretBinding{}
		secretBindingKey = kutil.Key(shoot.Namespace, shoot.Spec.SecretBindingName)
	)
	if err := kutil.LookupObject(ctx, s.client, s.apiReader, secretBindingKey, secretBinding); err != nil {
		return nil, err
	}

	var (
		secret    = &corev1.Secret{}
		secretKey = kutil.Key(secretBinding.SecretRef.Namespace, secretBinding.SecretRef.Name)
	)
	// Explicitly use the client.Reader to prevent controller-runtime to start Informer for Secrets
	// under the hood. The latter increases the memory usage of the component.
	if err := s.apiReader.Get(ctx, secretKey, secret); err != nil {
		return nil, err
	}

	return secret, nil
}
```

```go
allErrs = append(allErrs, openstackvalidation.ValidateInfrastructureConfigAgainstCloudProfile(nil, valContext.infraConfig, credentials.DomainName, valContext.shoot.Spec.Region, valContext.cloudProfileConfig, infraConfigPath)...)
allErrs = append(allErrs, openstackvalidation.ValidateControlPlaneConfigAgainstCloudProfile(nil, valContext.cpConfig, credentials.DomainName, valContext.shoot.Spec.Region, valContext.infraConfig.FloatingPoolName, valContext.cloudProfileConfig, cpConfigPath)...)
allErrs = append(allErrs, s.validateShoot(valContext, credentials)...)
```

Release note:

This version of admission-openstack requires the SecretBinding provider controller to be enabled - enabled by default for gardener-controller-manager >= 1.42 or can be enabled via the gardener-controller-manager component config.
The Secrets webhook of admission-openstack:
- no longer intercepts every Secret UPDATE request but only requests for Secrets that are associated with a SecretBinding with `provider.type=openstack`.
- no longer needs to list Shoots (hence, no cache for Shoots)
The admission-openstack component introduces a new SecretBinding validator. It validates requests for SecretBindings and checks whether the SecretBinding refers to a valid OpenStack Secret.
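The two behaviours described in the release note, the Secrets webhook deciding from the `provider.type=openstack` label alone whether a Secret UPDATE is its business, and the new SecretBinding validator resolving the referenced Secret and checking it, are sketched below as an added, self-contained example. It is not code from the PR or from gardener-extension-provider-openstack: the `Secret` and `SecretBinding` structs are simplified stand-ins for the real API types, the list of required credential keys is an assumption made for illustration, and the in-memory `lookup` function stands in for the direct API read the real component uses to avoid starting a Secret informer.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Simplified stand-ins for the Kubernetes/Gardener objects (assumed shapes, not the real API types).
type Secret struct {
	Namespace, Name string
	Data            map[string][]byte
}

type SecretRef struct{ Namespace, Name string }

type SecretBinding struct {
	Namespace, Name string
	Labels          map[string]string
	SecretRef       SecretRef
}

// Label the SecretBinding provider controller sets; value named in the release note.
const (
	providerTypeLabel = "provider.type"
	providerOpenStack = "openstack"
)

// Credential keys this example validator requires. Assumption for illustration only;
// the real admission-openstack rules are not shown on this page.
var requiredOpenStackKeys = []string{"domainName", "tenantName", "username", "password"}

// isOpenStackBinding is the cheap predicate that replaces listing Shoots: the label alone
// tells the webhook whether a binding belongs to the OpenStack provider.
func isOpenStackBinding(sb *SecretBinding) bool {
	return sb.Labels[providerTypeLabel] == providerOpenStack
}

// secretUpdateNeedsValidation reports whether an UPDATE for secret must be validated:
// only when some SecretBinding labelled provider.type=openstack references it.
// Every other Secret UPDATE passes through the webhook untouched.
func secretUpdateNeedsValidation(secret *Secret, bindings []SecretBinding) bool {
	for i := range bindings {
		sb := &bindings[i]
		if sb.SecretRef.Namespace == secret.Namespace && sb.SecretRef.Name == secret.Name && isOpenStackBinding(sb) {
			return true
		}
	}
	return false
}

// validateOpenStackSecret checks every required key is present and non-empty,
// reporting all missing keys at once (sorted, so the message is deterministic).
func validateOpenStackSecret(secret *Secret) error {
	var missing []string
	for _, key := range requiredOpenStackKeys {
		if len(secret.Data[key]) == 0 {
			missing = append(missing, key)
		}
	}
	if len(missing) == 0 {
		return nil
	}
	sort.Strings(missing)
	return fmt.Errorf("secret %s/%s is not a valid OpenStack secret: missing or empty keys %s",
		secret.Namespace, secret.Name, strings.Join(missing, ", "))
}

// validateSecretBinding is the SecretBinding validator: for a binding labelled openstack it
// resolves the referenced Secret via lookup (a direct API read, no cache) and validates it.
// Bindings of other providers are accepted here; their own extension is responsible.
func validateSecretBinding(sb *SecretBinding, lookup func(namespace, name string) (*Secret, error)) error {
	if !isOpenStackBinding(sb) {
		return nil
	}
	secret, err := lookup(sb.SecretRef.Namespace, sb.SecretRef.Name)
	if err != nil {
		return fmt.Errorf("secretbinding %s/%s: cannot read referenced secret %s/%s: %w",
			sb.Namespace, sb.Name, sb.SecretRef.Namespace, sb.SecretRef.Name, err)
	}
	return validateOpenStackSecret(secret)
}

// sampleData returns a small constructed set of Secrets and SecretBindings for the demo.
func sampleData() (map[string]*Secret, []SecretBinding) {
	secrets := map[string]*Secret{
		"garden-dev/os-creds": {Namespace: "garden-dev", Name: "os-creds", Data: map[string][]byte{
			"domainName": []byte("default"), "tenantName": []byte("dev"),
			"username": []byte("svc"), "password": []byte("constructed-placeholder")}},
		"garden-dev/os-broken": {Namespace: "garden-dev", Name: "os-broken", Data: map[string][]byte{
			"username": []byte("svc")}},
		"garden-dev/tls": {Namespace: "garden-dev", Name: "tls", Data: map[string][]byte{"tls.crt": []byte("...")}},
	}
	os := map[string]string{providerTypeLabel: providerOpenStack}
	bindings := []SecretBinding{
		{Namespace: "garden-dev", Name: "os", Labels: os, SecretRef: SecretRef{"garden-dev", "os-creds"}},
		{Namespace: "garden-dev", Name: "os-bad", Labels: os, SecretRef: SecretRef{"garden-dev", "os-broken"}},
		{Namespace: "garden-dev", Name: "gcp", Labels: map[string]string{providerTypeLabel: "gcp"}, SecretRef: SecretRef{"garden-dev", "tls"}},
	}
	return secrets, bindings
}

// lookupIn builds the lookup function over the constructed data (stands in for a direct API read).
func lookupIn(secrets map[string]*Secret) func(string, string) (*Secret, error) {
	return func(ns, name string) (*Secret, error) {
		if s, ok := secrets[ns+"/"+name]; ok {
			return s, nil
		}
		return nil, errors.New("not found")
	}
}

func main() {
	secrets, bindings := sampleData()
	fmt.Println("validate os-creds update:", secretUpdateNeedsValidation(secrets["garden-dev/os-creds"], bindings))
	fmt.Println("validate tls update:", secretUpdateNeedsValidation(secrets["garden-dev/tls"], bindings))
	for i := range bindings {
		fmt.Printf("binding %s: %v\n", bindings[i].Name, validateSecretBinding(&bindings[i], lookupIn(secrets)))
	}
}
```

The point of the split is that `secretUpdateNeedsValidation` consults only SecretBindings, so the Secrets webhook needs neither a Shoot list nor a Shoot cache, while `validateSecretBinding` catches an unusable OpenStack Secret at the moment the binding is created or changed rather than when a Shoot later fails.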

@ialidzhikov ialidzhikov requested review from a team as code owners May 26, 2022 06:28
@gardener-robot gardener-robot added needs/review Needs review area/cost Cost related area/robustness Robustness, reliability, resilience related kind/enhancement Enhancement, improvement, extension platform/openstack OpenStack platform/infrastructure size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) labels May 26, 2022
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label May 26, 2022
@gardener-robot-ci-2 gardener-robot-ci-2 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels May 26, 2022

@rfranzke rfranzke left a comment


/lgtm

@rfranzke rfranzke merged commit 08b2946 into gardener:master May 30, 2022
@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging status/closed Issue is closed (either delivered or triaged) and removed needs/review Needs review labels May 30, 2022
@ialidzhikov ialidzhikov deleted the enh/admission-openstack branch March 20, 2023 09:06