Merge branch '1Password:main' into feat/add-empty-value-field

macchiang · web-flow · commit f42805597c4a · 2023-04-20T11:50:42.000+08:00
diff --git a/config/connect/deployment.yaml b/config/connect/deployment.yaml
@@ -12,6 +12,8 @@ spec:
         app: onepassword-connect
         version: "1.0.0"
     spec:
+      securityContext:
+        runAsNonRoot: true
       volumes:
         - name: shared-data
           emptyDir: {}
@@ -32,6 +34,8 @@ spec:
       containers:
         - name: connect-api
           image: 1password/connect-api:latest
+          securityContext:
+            allowPrivilegeEscalation: false
           resources:
             limits:
               memory: "128Mi"
@@ -49,6 +53,8 @@ spec:
               name: shared-data
         - name: connect-sync
           image: 1password/connect-sync:latest
+          securityContext:
+            allowPrivilegeEscalation: false
           resources:
             limits:
               memory: "128Mi"
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -8,6 +8,8 @@ metadata:
 spec:
   template:
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
       - name: kube-rbac-proxy
         securityContext:
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
@@ -6,6 +6,8 @@ metadata:
 spec:
   template:
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
       - name: manager
         args:
diff --git a/controllers/deployment_controller.go b/controllers/deployment_controller.go
@@ -95,12 +95,12 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		// This is so we can handle cleanup of associated secrets properly
 		if !utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) {
 			deployment.ObjectMeta.Finalizers = append(deployment.ObjectMeta.Finalizers, finalizer)
-			if err := r.Update(context.Background(), deployment); err != nil {
+			if err = r.Update(context.Background(), deployment); err != nil {
 				return reconcile.Result{}, err
 			}
 		}
 		// Handles creation or updating secrets for deployment if needed
-		if err := r.handleApplyingDeployment(deployment, deployment.Namespace, annotations, req); err != nil {
+		if err = r.handleApplyingDeployment(deployment, deployment.Namespace, annotations, req); err != nil {
 			return ctrl.Result{}, err
 		}
 		return ctrl.Result{}, nil
@@ -110,10 +110,12 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	if utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) {
 
 		secretName := annotations[op.NameAnnotation]
-		r.cleanupKubernetesSecretForDeployment(secretName, deployment)
+		if err = r.cleanupKubernetesSecretForDeployment(secretName, deployment); err != nil {
+			return ctrl.Result{}, err
+		}
 
 		// Remove the finalizer from the deployment so deletion of deployment can be completed
-		if err := r.removeOnePasswordFinalizerFromDeployment(deployment); err != nil {
+		if err = r.removeOnePasswordFinalizerFromDeployment(deployment); err != nil {
 			return reconcile.Result{}, err
 		}
 	}
@@ -144,7 +146,7 @@ func (r *DeploymentReconciler) cleanupKubernetesSecretForDeployment(secretName s
 
 	// Only delete the associated kubernetes secret if it is not being used by other deployments
 	if !multipleDeploymentsUsingSecret {
-		if err := r.Delete(context.Background(), kubernetesSecret); err != nil {
+		if err = r.Delete(context.Background(), kubernetesSecret); err != nil {
 			if !errors.IsNotFound(err) {
 				return err
 			}
diff --git a/controllers/onepassworditem_controller.go b/controllers/onepassworditem_controller.go
@@ -95,13 +95,13 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		// This is so we can handle cleanup of associated secrets properly
 		if !utils.ContainsString(onepassworditem.ObjectMeta.Finalizers, finalizer) {
 			onepassworditem.ObjectMeta.Finalizers = append(onepassworditem.ObjectMeta.Finalizers, finalizer)
-			if err := r.Update(context.Background(), onepassworditem); err != nil {
+			if err = r.Update(context.Background(), onepassworditem); err != nil {
 				return ctrl.Result{}, err
 			}
 		}
 
 		// Handles creation or updating secrets for deployment if needed
-		err := r.handleOnePasswordItem(onepassworditem, req)
+		err = r.handleOnePasswordItem(onepassworditem, req)
 		if updateStatusErr := r.updateStatus(onepassworditem, err); updateStatusErr != nil {
 			return ctrl.Result{}, fmt.Errorf("cannot update status: %s", updateStatusErr)
 		}
@@ -116,7 +116,7 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}
 
 		// Remove finalizer now that cleanup is complete
-		if err := r.removeFinalizer(onepassworditem); err != nil {
+		if err = r.removeFinalizer(onepassworditem); err != nil {
 			return ctrl.Result{}, err
 		}
 	}
@@ -143,7 +143,6 @@ func (r *OnePasswordItemReconciler) cleanupKubernetesSecret(onePasswordItem *one
 	kubernetesSecret.ObjectMeta.Name = onePasswordItem.Name
 	kubernetesSecret.ObjectMeta.Namespace = onePasswordItem.Namespace
 
-	r.Delete(context.Background(), kubernetesSecret)
 	if err := r.Delete(context.Background(), kubernetesSecret); err != nil {
 		if !errors.IsNotFound(err) {
 			return err

Original file line number	Diff line number	Diff line change
`@@ -95,12 +95,12 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request)`
`95`	`95`	`// This is so we can handle cleanup of associated secrets properly`
`96`	`96`	`if !utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) {`
`97`	`97`	`deployment.ObjectMeta.Finalizers = append(deployment.ObjectMeta.Finalizers, finalizer)`
`98`		`- if err := r.Update(context.Background(), deployment); err != nil {`
	`98`	`+ if err = r.Update(context.Background(), deployment); err != nil {`
`99`	`99`	`return reconcile.Result{}, err`
`100`	`100`	`}`
`101`	`101`	`}`
`102`	`102`	`// Handles creation or updating secrets for deployment if needed`
`103`		`- if err := r.handleApplyingDeployment(deployment, deployment.Namespace, annotations, req); err != nil {`
	`103`	`+ if err = r.handleApplyingDeployment(deployment, deployment.Namespace, annotations, req); err != nil {`
`104`	`104`	`return ctrl.Result{}, err`
`105`	`105`	`}`
`106`	`106`	`return ctrl.Result{}, nil`
`@@ -110,10 +110,12 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request)`
`110`	`110`	`if utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) {`
`111`	`111`
`112`	`112`	`secretName := annotations[op.NameAnnotation]`
`113`		`- r.cleanupKubernetesSecretForDeployment(secretName, deployment)`
	`113`	`+ if err = r.cleanupKubernetesSecretForDeployment(secretName, deployment); err != nil {`
	`114`	`+ return ctrl.Result{}, err`
	`115`	`+ }`
`114`	`116`
`115`	`117`	`// Remove the finalizer from the deployment so deletion of deployment can be completed`
`116`		`- if err := r.removeOnePasswordFinalizerFromDeployment(deployment); err != nil {`
	`118`	`+ if err = r.removeOnePasswordFinalizerFromDeployment(deployment); err != nil {`
`117`	`119`	`return reconcile.Result{}, err`
`118`	`120`	`}`
`119`	`121`	`}`
`@@ -144,7 +146,7 @@ func (r *DeploymentReconciler) cleanupKubernetesSecretForDeployment(secretName s`
`144`	`146`
`145`	`147`	`// Only delete the associated kubernetes secret if it is not being used by other deployments`
`146`	`148`	`if !multipleDeploymentsUsingSecret {`
`147`		`- if err := r.Delete(context.Background(), kubernetesSecret); err != nil {`
	`149`	`+ if err = r.Delete(context.Background(), kubernetesSecret); err != nil {`
`148`	`150`	`if !errors.IsNotFound(err) {`
`149`	`151`	`return err`
`150`	`152`	`}`
Original file line number	Diff line number	Diff line change
`@@ -95,13 +95,13 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ`
`95`	`95`	`// This is so we can handle cleanup of associated secrets properly`
`96`	`96`	`if !utils.ContainsString(onepassworditem.ObjectMeta.Finalizers, finalizer) {`
`97`	`97`	`onepassworditem.ObjectMeta.Finalizers = append(onepassworditem.ObjectMeta.Finalizers, finalizer)`
`98`		`- if err := r.Update(context.Background(), onepassworditem); err != nil {`
	`98`	`+ if err = r.Update(context.Background(), onepassworditem); err != nil {`
`99`	`99`	`return ctrl.Result{}, err`
`100`	`100`	`}`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`// Handles creation or updating secrets for deployment if needed`
`104`		`- err := r.handleOnePasswordItem(onepassworditem, req)`
	`104`	`+ err = r.handleOnePasswordItem(onepassworditem, req)`
`105`	`105`	`if updateStatusErr := r.updateStatus(onepassworditem, err); updateStatusErr != nil {`
`106`	`106`	`return ctrl.Result{}, fmt.Errorf("cannot update status: %s", updateStatusErr)`
`107`	`107`	`}`
`@@ -116,7 +116,7 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ`
`116`	`116`	`}`
`117`	`117`
`118`	`118`	`// Remove finalizer now that cleanup is complete`
`119`		`- if err := r.removeFinalizer(onepassworditem); err != nil {`
	`119`	`+ if err = r.removeFinalizer(onepassworditem); err != nil {`
`120`	`120`	`return ctrl.Result{}, err`
`121`	`121`	`}`
`122`	`122`	`}`
`@@ -143,7 +143,6 @@ func (r OnePasswordItemReconciler) cleanupKubernetesSecret(onePasswordItem one`
`143`	`143`	`kubernetesSecret.ObjectMeta.Name = onePasswordItem.Name`
`144`	`144`	`kubernetesSecret.ObjectMeta.Namespace = onePasswordItem.Namespace`
`145`	`145`
`146`		`- r.Delete(context.Background(), kubernetesSecret)`
`147`	`146`	`if err := r.Delete(context.Background(), kubernetesSecret); err != nil {`
`148`	`147`	`if !errors.IsNotFound(err) {`
`149`	`148`	`return err`