Allow webhook to run when mcm is disabled

rancher · Jun 16, 2021 · 918498f · 918498f
1 parent ba25850
commit 918498f
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 22 deletions.
diff --git a/charts/rancher-webhook/templates/deployment.yaml b/charts/rancher-webhook/templates/deployment.yaml
@@ -21,6 +21,8 @@ spec:
           value: "{{.Values.stamp}}"
         - name: ENABLE_CAPI
           value: "{{.Values.capi.enabled}}"
+        - name: ENABLE_MCM
+          value: "{{.Values.mcm.enabled}}"
         - name: NAMESPACE
           valueFrom:
             fieldRef:

diff --git a/charts/rancher-webhook/values.yaml b/charts/rancher-webhook/values.yaml
@@ -9,3 +9,6 @@ global:
 
 capi:
   enabled: false
+
+mcm:
+  enabled: true
diff --git a/main.go b/main.go
@@ -29,7 +29,7 @@ func run() error {
 	cfg.RateLimiter = ratelimit.None
 
 	ctx := signals.SetupSignalHandler(context.Background())
-	if err := server.ListenAndServe(ctx, cfg, os.Getenv("ENABLE_CAPI") == "true"); err != nil {
+	if err := server.ListenAndServe(ctx, cfg, os.Getenv("ENABLE_CAPI") == "true", os.Getenv("ENABLE_MCM") != "false"); err != nil {
 		return err
 	}
 

diff --git a/pkg/clients/clients.go b/pkg/clients/clients.go
@@ -16,11 +16,12 @@ import (
 type Clients struct {
 	clients.Clients
 
-	Management        managementv3.Interface
-	EscalationChecker *auth.EscalationChecker
+	MultiClusterManagement bool
+	Management             managementv3.Interface
+	EscalationChecker      *auth.EscalationChecker
 }
 
-func New(ctx context.Context, rest *rest.Config) (*Clients, error) {
+func New(ctx context.Context, rest *rest.Config, mcmEnabled bool) (*Clients, error) {
 	clients, err := clients.NewFromConfig(rest, nil)
 	if err != nil {
 		return nil, err
@@ -47,12 +48,17 @@ func New(ctx context.Context, rest *rest.Config) (*Clients, error) {
 	}
 
 	ruleResolver := rbacregistryvalidation.NewDefaultRuleResolver(rbacRestGetter, rbacRestGetter, rbacRestGetter, rbacRestGetter)
-	escalationChecker := auth.NewEscalationChecker(ruleResolver,
-		mgmt.Management().V3().RoleTemplate().Cache(), clients.RBAC.ClusterRole().Cache())
-
-	return &Clients{
-		Clients:           *clients,
-		Management:        mgmt.Management().V3(),
-		EscalationChecker: escalationChecker,
-	}, nil
+
+	result := &Clients{
+		Clients:                *clients,
+		Management:             mgmt.Management().V3(),
+		MultiClusterManagement: mcmEnabled,
+	}
+
+	if result.MultiClusterManagement {
+		result.EscalationChecker = auth.NewEscalationChecker(ruleResolver,
+			mgmt.Management().V3().RoleTemplate().Cache(), clients.RBAC.ClusterRole().Cache())
+	}
+
+	return result, nil
 }
diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -33,8 +33,8 @@ var (
 	sideEffectClassNoneOnDryRun = v1.SideEffectClassNoneOnDryRun
 )
 
-func ListenAndServe(ctx context.Context, cfg *rest.Config, capiEnabled bool) error {
-	clients, err := clients.New(ctx, cfg)
+func ListenAndServe(ctx context.Context, cfg *rest.Config, capiEnabled, mcmEnabled bool) error {
+	clients, err := clients.New(ctx, cfg, mcmEnabled)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/server/validation.go b/pkg/server/validation.go
@@ -15,18 +15,21 @@ import (
 )
 
 func Validation(clients *clients.Clients) (http.Handler, error) {
-	globalRoleBindings := globalrolebinding.NewValidator(clients.Management.GlobalRole().Cache(), clients.EscalationChecker)
-	prtbs := projectroletemplatebinding.NewValidator(clients.Management.RoleTemplate().Cache(), clients.EscalationChecker)
-	crtbs := clusterroletemplatebinding.NewValidator(clients.Management.RoleTemplate().Cache(), clients.EscalationChecker)
-	roleTemplates := roletemplate.NewValidator(clients.EscalationChecker)
 	clusters := cluster.NewValidator(clients.K8s.AuthorizationV1().SubjectAccessReviews())
 
 	router := webhook.NewRouter()
 	router.Kind("Cluster").Group(management.GroupName).Type(&v3.Cluster{}).Handle(clusters)
-	router.Kind("RoleTemplate").Group(management.GroupName).Type(&v3.RoleTemplate{}).Handle(roleTemplates)
-	router.Kind("GlobalRoleBinding").Group(management.GroupName).Type(&v3.GlobalRoleBinding{}).Handle(globalRoleBindings)
-	router.Kind("ClusterRoleTemplateBinding").Group(management.GroupName).Type(&v3.ClusterRoleTemplateBinding{}).Handle(crtbs)
-	router.Kind("ProjectRoleTemplateBinding").Group(management.GroupName).Type(&v3.ProjectRoleTemplateBinding{}).Handle(prtbs)
+
+	if clients.MultiClusterManagement {
+		globalRoleBindings := globalrolebinding.NewValidator(clients.Management.GlobalRole().Cache(), clients.EscalationChecker)
+		prtbs := projectroletemplatebinding.NewValidator(clients.Management.RoleTemplate().Cache(), clients.EscalationChecker)
+		crtbs := clusterroletemplatebinding.NewValidator(clients.Management.RoleTemplate().Cache(), clients.EscalationChecker)
+		roleTemplates := roletemplate.NewValidator(clients.EscalationChecker)
+		router.Kind("RoleTemplate").Group(management.GroupName).Type(&v3.RoleTemplate{}).Handle(roleTemplates)
+		router.Kind("GlobalRoleBinding").Group(management.GroupName).Type(&v3.GlobalRoleBinding{}).Handle(globalRoleBindings)
+		router.Kind("ClusterRoleTemplateBinding").Group(management.GroupName).Type(&v3.ClusterRoleTemplateBinding{}).Handle(crtbs)
+		router.Kind("ProjectRoleTemplateBinding").Group(management.GroupName).Type(&v3.ProjectRoleTemplateBinding{}).Handle(prtbs)
+	}
 
 	return router, nil
 }