
Commit e954114

Add object-level configuration validation
Validates that ObjectLevelWorkloadIdentity feature gate is enabled when default service account flags are set. This prevents misconfiguration where lockdown flags are used without enabling the required feature gate. Signed-off-by: cappyzawa <[email protected]>
1 parent 3576ac8 commit e954114

3 files changed

+12
-7
lines changed


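--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 github.com/fluxcd/pkg/apis/acl v0.8.0
 github.com/fluxcd/pkg/apis/event v0.18.0
 github.com/fluxcd/pkg/apis/meta v1.18.0
-github.com/fluxcd/pkg/auth v0.26.0
+github.com/fluxcd/pkg/auth v0.27.0
 github.com/fluxcd/pkg/cache v0.10.0
 github.com/fluxcd/pkg/git v0.35.0
 github.com/fluxcd/pkg/git/gogit v0.38.0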

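--- a/go.sum
+++ b/go.sum
@@ -134,8 +134,8 @@ github.com/fluxcd/pkg/apis/event v0.18.0 h1:PNbWk9gvX8gMIi6VsJapnuDO+giLEeY+6olL
 github.com/fluxcd/pkg/apis/event v0.18.0/go.mod h1:7S/DGboLolfbZ6stO6dcDhG1SfkPWQ9foCULvbiYpiA=
 github.com/fluxcd/pkg/apis/meta v1.18.0 h1:ACHrMIjlcioE9GKS7NGk62KX4NshqNewr8sBwMcXABs=
 github.com/fluxcd/pkg/apis/meta v1.18.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
-github.com/fluxcd/pkg/auth v0.26.0 h1:jw128zPI4aRSvkGbFfAQcFNF3oK58P4rDdKIpj2/7yM=
-github.com/fluxcd/pkg/auth v0.26.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
+github.com/fluxcd/pkg/auth v0.27.0 h1:DFsizUxt9ZDAc+z7+o7jcbtfaxRH55MRD/wdU4CXNCQ=
+github.com/fluxcd/pkg/auth v0.27.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
 github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
 github.com/fluxcd/pkg/git v0.35.0 h1:mAauhsdfxNW4yQdXviVlvcN/uCGGG0+6p5D1+HFZI9w=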

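--- a/main.go
+++ b/main.go
@@ -118,10 +118,6 @@ func main() {
 
 flag.Parse()
 
-if defaultServiceAccount != "" {
-auth.SetDefaultServiceAccount(defaultServiceAccount)
-}
-
 logger.SetLogger(logger.NewLogger(logOptions))
 
 err := featureGates.WithLogger(setupLog).
@@ -139,6 +135,15 @@ func main() {
 auth.EnableObjectLevelWorkloadIdentity()
 }
 
+if defaultServiceAccount != "" {
+auth.SetDefaultServiceAccount(defaultServiceAccount)
+}
+
+if auth.InconsistentObjectLevelConfiguration() {
+setupLog.Error(auth.ErrInconsistentObjectLevelConfiguration, "invalid configuration")
+os.Exit(1)
+}
+
 watchNamespace := ""
 if !watchOptions.AllNamespaces {
 watchNamespace = os.Getenv("RUNTIME_NAMESPACE")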
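Review bot: The failure log in the second hunk, `setupLog.Error(auth.ErrInconsistentObjectLevelConfiguration, "invalid configuration")`, tells the operator nothing about which flag or feature gate to fix, and since the process exits right after it this is the only diagnostic they get; unless the wrapped error already says so, a message such as `setupLog.Error(auth.ErrInconsistentObjectLevelConfiguration, "invalid configuration: the default service account flag requires the ObjectLevelWorkloadIdentity feature gate")` would make the fail-closed exit actionable. The placement of the check after the feature-gate block and the moved `SetDefaultServiceAccount` call is clearly order-dependent, so a comment like `// Validate only after the feature gate has been evaluated and the default service account applied.` would stop a later refactor from moving it back above `flag.Parse()`'s consumers. The commit message speaks of lockdown flags in the plural, but only `defaultServiceAccount` is visible here; whether other flags feed `InconsistentObjectLevelConfiguration` cannot be told from this hunk. main() starts and ends outside the hunk.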
