From 918498f1071d69782b03773a6b2e63c26ec8e285 Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Wed, 16 Jun 2021 10:55:15 -0700
Subject: [PATCH] Allow webhook to run when mcm is disabled
---
 .../rancher-webhook/templates/deployment.yaml | 2 ++
 charts/rancher-webhook/values.yaml | 3 ++
 main.go | 2 +-
 pkg/clients/clients.go | 28 +++++++++++--------
 pkg/server/server.go | 4 +--
 pkg/server/validation.go | 19 +++++++------
 6 files changed, 36 insertions(+), 22 deletions(-)
diff --git a/charts/rancher-webhook/templates/deployment.yaml b/charts/rancher-webhook/templates/deployment.yaml
index dc928275..fdebcddf 100644
--- a/charts/rancher-webhook/templates/deployment.yaml
+++ b/charts/rancher-webhook/templates/deployment.yaml
@@ -21,6 +21,8 @@ spec:
 value: "{{.Values.stamp}}"
 - name: ENABLE_CAPI
 value: "{{.Values.capi.enabled}}"
+ - name: ENABLE_MCM
+ value: "{{.Values.mcm.enabled}}"
 - name: NAMESPACE
 valueFrom:
 fieldRef:
diff --git a/charts/rancher-webhook/values.yaml b/charts/rancher-webhook/values.yaml
index 78c7310d..50619396 100644
--- a/charts/rancher-webhook/values.yaml
+++ b/charts/rancher-webhook/values.yaml
@@ -9,3 +9,6 @@ global:
 capi:
 enabled: false
+
+mcm: enabled: true
\ No newline at end of file
diff --git a/main.go b/main.go
index 850a3df5..ab96ae52 100644
--- a/main.go
+++ b/main.go
@@ -29,7 +29,7 @@ func run() error {
 cfg.RateLimiter = ratelimit.None
 ctx := signals.SetupSignalHandler(context.Background())
- if err := server.ListenAndServe(ctx, cfg, os.Getenv("ENABLE_CAPI") == "true"); err != nil {
+ if err := server.ListenAndServe(ctx, cfg, os.Getenv("ENABLE_CAPI") == "true", os.Getenv("ENABLE_MCM") != "false"); err != nil {
 return err
 }
diff --git a/pkg/clients/clients.go b/pkg/clients/clients.go
index 7837254e..82ef0812 100644
--- a/pkg/clients/clients.go
+++ b/pkg/clients/clients.go
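Review bot: The `os.Getenv("ENABLE_MCM") != "false"` test on the new ListenAndServe call treats an unset variable and every value other than the literal `false` (`0`, `False`, a typo) as MCM enabled, which is the fail-safe direction because the RBAC validators stay registered, but it is the opposite convention from `ENABLE_CAPI == "true"` on the same line, so a reader will assume both default off. Hoist the expression into a named local so the asymmetry is explicit: `mcmEnabled := os.Getenv("ENABLE_MCM") != "false" // default on; only the literal "false" drops the RoleTemplate/*RoleTemplateBinding validators`. Log the resolved value at startup so a deployment that accidentally disabled the escalation checks can be spotted in the pod log rather than only by an admission request that was not validated. run() continues outside the hunk.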
@@ -16,11 +16,12 @@ import (
 type Clients struct {
 clients.Clients
- Management managementv3.Interface
- EscalationChecker *auth.EscalationChecker
+ MultiClusterManagement bool
+ Management managementv3.Interface
+ EscalationChecker *auth.EscalationChecker
 }
-func New(ctx context.Context, rest *rest.Config) (*Clients, error) {
+func New(ctx context.Context, rest *rest.Config, mcmEnabled bool) (*Clients, error) {
 clients, err := clients.NewFromConfig(rest, nil)
 if err != nil {
 return nil, err
@@ -47,12 +48,17 @@ func New(ctx context.Context, rest *rest.Config) (*Clients, error) {
 }
 ruleResolver := rbacregistryvalidation.NewDefaultRuleResolver(rbacRestGetter, rbacRestGetter, rbacRestGetter, rbacRestGetter)
- escalationChecker := auth.NewEscalationChecker(ruleResolver,
- mgmt.Management().V3().RoleTemplate().Cache(), clients.RBAC.ClusterRole().Cache())
-
- return &Clients{
- Clients: *clients,
- Management: mgmt.Management().V3(),
- EscalationChecker: escalationChecker,
- }, nil
+
+ result := &Clients{
+ Clients: *clients,
+ Management: mgmt.Management().V3(),
+ MultiClusterManagement: mcmEnabled,
+ }
+
+ if result.MultiClusterManagement {
+ result.EscalationChecker = auth.NewEscalationChecker(ruleResolver,
+ mgmt.Management().V3().RoleTemplate().Cache(), clients.RBAC.ClusterRole().Cache())
+ }
+
+ return result, nil
 }
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 158056b7..6fc20d57 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -33,8 +33,8 @@ var (
 sideEffectClassNoneOnDryRun = v1.SideEffectClassNoneOnDryRun
 )
-func ListenAndServe(ctx context.Context, cfg *rest.Config, capiEnabled bool) error {
- clients, err := clients.New(ctx, cfg)
+func ListenAndServe(ctx context.Context, cfg *rest.Config, capiEnabled, mcmEnabled bool) error {
+ clients, err := clients.New(ctx, cfg, mcmEnabled)
 if err != nil {
 return err
 }
diff --git a/pkg/server/validation.go b/pkg/server/validation.go
index 98f636fa..5790e27a 100644
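Review bot: After the guarded assignment in the second clients.go hunk, `EscalationChecker` stays nil whenever `mcmEnabled` is false, yet the field in the first hunk is still exported with the same pointer type and no comment says it can be nil; any caller that dereferences it or hands it to a validator without first checking `MultiClusterManagement` will panic while serving an admission request instead of failing closed. Document the invariant on the fields in the struct hunk: `// MultiClusterManagement mirrors the ENABLE_MCM setting; when false the management RBAC validators are not wired up.` and `// EscalationChecker is nil unless MultiClusterManagement is true; check the flag before using it.` The same field-level note would also be the natural place to say that the `ruleResolver` and `mgmt` clients are still built when MCM is off. The middle of New, between the two hunks, is outside the patch.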
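Review bot: ListenAndServe now takes two adjacent positional bools, `capiEnabled, mcmEnabled bool`, and the only call site in this patch (main.go) passes them as inline `os.Getenv` expressions, so swapping the arguments would compile and silently change which validators are registered. At minimum add a doc comment naming what each flag controls: `// ListenAndServe serves the webhook; mcmEnabled controls whether the management RBAC validators and the escalation checker behind them are registered.` A small options struct would let the call site name the flags and is the usual way to grow this signature further. ListenAndServe's body continues outside the hunk.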
--- a/pkg/server/validation.go
+++ b/pkg/server/validation.go
@@ -15,18 +15,21 @@ import (
 )
 func Validation(clients *clients.Clients) (http.Handler, error) {
- globalRoleBindings := globalrolebinding.NewValidator(clients.Management.GlobalRole().Cache(), clients.EscalationChecker)
- prtbs := projectroletemplatebinding.NewValidator(clients.Management.RoleTemplate().Cache(), clients.EscalationChecker)
- crtbs := clusterroletemplatebinding.NewValidator(clients.Management.RoleTemplate().Cache(), clients.EscalationChecker)
- roleTemplates := roletemplate.NewValidator(clients.EscalationChecker)
 clusters := cluster.NewValidator(clients.K8s.AuthorizationV1().SubjectAccessReviews())
 router := webhook.NewRouter()
 router.Kind("Cluster").Group(management.GroupName).Type(&v3.Cluster{}).Handle(clusters)
- router.Kind("RoleTemplate").Group(management.GroupName).Type(&v3.RoleTemplate{}).Handle(roleTemplates)
- router.Kind("GlobalRoleBinding").Group(management.GroupName).Type(&v3.GlobalRoleBinding{}).Handle(globalRoleBindings)
- router.Kind("ClusterRoleTemplateBinding").Group(management.GroupName).Type(&v3.ClusterRoleTemplateBinding{}).Handle(crtbs)
- router.Kind("ProjectRoleTemplateBinding").Group(management.GroupName).Type(&v3.ProjectRoleTemplateBinding{}).Handle(prtbs)
+
+ if clients.MultiClusterManagement {
+ globalRoleBindings := globalrolebinding.NewValidator(clients.Management.GlobalRole().Cache(), clients.EscalationChecker)
+ prtbs := projectroletemplatebinding.NewValidator(clients.Management.RoleTemplate().Cache(), clients.EscalationChecker)
+ crtbs := clusterroletemplatebinding.NewValidator(clients.Management.RoleTemplate().Cache(), clients.EscalationChecker)
+ roleTemplates := roletemplate.NewValidator(clients.EscalationChecker)
+ router.Kind("RoleTemplate").Group(management.GroupName).Type(&v3.RoleTemplate{}).Handle(roleTemplates)
+ router.Kind("GlobalRoleBinding").Group(management.GroupName).Type(&v3.GlobalRoleBinding{}).Handle(globalRoleBindings)
+ router.Kind("ClusterRoleTemplateBinding").Group(management.GroupName).Type(&v3.ClusterRoleTemplateBinding{}).Handle(crtbs)
+ router.Kind("ProjectRoleTemplateBinding").Group(management.GroupName).Type(&v3.ProjectRoleTemplateBinding{}).Handle(prtbs)
+ }
 return router, nil
 }
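Review bot: When `clients.MultiClusterManagement` is false the RoleTemplate, GlobalRoleBinding, ClusterRoleTemplateBinding and ProjectRoleTemplateBinding kinds get no route at all, but nothing in this patch touches the ValidatingWebhookConfiguration that tells the API server which resources to send here; if that configuration (presumably built in server.go, outside this hunk) still lists those kinds, their admission requests reach a router with no handler and the outcome depends on the webhook's failurePolicy — rejected under Fail, silently admitted under Ignore. Gate the webhook configuration's rules on the same flag so the router and the registration cannot drift, and log at startup which validators were skipped so an operator can confirm the escalation checks are off on purpose. The new block also deserves a why-comment, since the flag name alone does not explain the grouping: `// These validators need the management RoleTemplate/GlobalRole caches and the escalation checker, which are only available when multi-cluster management is enabled.`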