Implement an UPDATE "exemption" mechanism in the injector for the syncer AB#449116

[amigus]

Background

The latest version of this repository introduced a new component, the “syncer.” After the injector has done the initial patch, it works with the syncer to re-patch annotated k8s secrets when required.

Problem

When the syncer was added, the injector was re-configured to only act on Kubernetes secret CREATE not UPDATE, as it did previously. This was to avoid a “double-update” when the syncer runs. However, it resulted in an integration bug whereby updating a Kubernetes secret with an unannotated input drops the annotations and does not get patched then or subsequently.

Solution

The injector and syncer will share an “exemption” token. When the syncer updates a secret, it will use the exemption token to tell the injector that it should not operate on this secret because the syncer already has.

Design

Both the injector and the syncer will be updated to create/overwrite and read the exemption token from a Kubernetes secret that both components have access to.
Both charts will need a mechanism for creating and specifying overwrite behavior on/for the exemption token. However, a non-default overwrite setting in the chart values should be sufficient as overwrite is not frequently or generally useful.
The secret itself will be a base64 encoded UUID. However, any base64 encoded string that is 40 characters or more in length will be considered valid.

Implementation

• Chart updates:
  o Both components need an RBAC role to share the exemption token.
  o A service account for the injector so that it can manipulate the exemption token.
  o Add “UPDATE” back to the injector webhook YAML.
  o A new annotation to carry the exemption token.
• Code changes
  o Add code to the syncer that adds the exemption token to the Kubernetes secret that it is patching, using the new annotation
  o Enable the injector and syncer to create, read, and, when specified, overwrite the exemption token Kubernetes secret.
  o Enable the injector to check for the exemption token and complete without patching when it is present. It matches the value in the Kubernetes secret that the injector and syncer share.

Considerations

The injector will now have a service account, authenticate itself to the cluster, and have a role that reads a secret. In the current version, the injector has no rights to the cluster, nor is it aware of whether it is a part of one.
A malicious actor can theoretically steal the exemption token; however, any practical attack would require more access than the token would grant them.

TL;DR

A shared “exemption token” will be added to the injector and syncer such that the syncer adds the exemption token and the injector does not act on UPDATE the Kubernetes secret when the exemption token is present matching. A malicious actor would need more access to steal the exemption token than it is worth.

related AB#449116

[sheldonhull]

Marking as closed right now after discussion with @tdillenbeck.
This doesn't apply any further as we don't trigger the injector on CREATE anymore.

Future work on this will have to be reassessed, since this isn't really an existing issue as it's described.