updated owner ref on hook (#22)

AlexsJones · web-flow · commit 55c28229d95a · 2022-05-30T13:39:45.000+01:00
* updated owner ref on hook

* Update manager.yaml

This has been moved to /webhooks/certificate.yaml due to a bug in the webhook timeout with cert-manager need a separate call

* blocks static pods
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -13,4 +13,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: tibbar/of-operator
-  newTag: v0.0.2.1
+  newTag: v0.0.3
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -58,25 +58,3 @@ spec:
             memory: 64Mi
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: open-feature-operator-selfsigned-issuer
-  namespace: open-feature-operator-system  
-spec:
-  selfSigned: {}
----  
-apiVersion: cert-manager.io/v1
-kind: Certificate  
-metadata:  
-  name: webhook-cert
-  namespace: open-feature-operator-system  
-spec:  
-  secretName: sidecar-injector-certs  
-  dnsNames:
-    - open-feature-operator-webhook-service
-    - open-feature-operator-webhook-service.open-feature-operator-system.svc  
-    - open-feature-operator-webhook-service.open-feature-operator-system.svc.cluster.local  
-  issuerRef:  
-    name: open-feature-operator-selfsigned-issuer
diff --git a/webhooks/mutating_admission_webhook.go b/webhooks/mutating_admission_webhook.go
@@ -42,6 +42,14 @@ func (m *PodMutator) Handle(ctx context.Context, req admission.Request) admissio
 			return admission.Allowed("openfeature is disabled")
 		}
 	}
+	// Check if the pod is static or orphaned
+	name := pod.Name
+	if len(pod.GetOwnerReferences()) != 0 {
+		name = pod.GetOwnerReferences()[0].Name
+	} else {
+		return admission.Denied("static or orphaned pods cannot be mutated")
+	}
+
 	var featureFlagCustomResource corev1alpha1.FeatureFlagConfiguration
 	// Check CustomResource
 	val, ok = pod.GetAnnotations()["openfeature.dev/featureflagconfiguration"]
@@ -50,17 +58,13 @@ func (m *PodMutator) Handle(ctx context.Context, req admission.Request) admissio
 	} else {
 		// Current limitation is to use the same namespace, this is easy to fix though
 		// e.g. namespace/name check
-		err = m.Client.Get(context.TODO(), client.ObjectKey{Name: val, Namespace: req.Namespace},
+		err = m.Client.Get(context.TODO(), client.ObjectKey{Name: val,
+			Namespace: req.Namespace},
 			&featureFlagCustomResource)
 		if err != nil {
 			return admission.Denied("FeatureFlagConfiguration not found")
 		}
 	}
-	name := pod.Name
-	if len(pod.GetOwnerReferences()) != 0 {
-		name = pod.GetOwnerReferences()[0].Name
-	}
-
 	// TODO: this should be a short sha to avoid collisions
 	configName := name
 	// Create the agent configmap
@@ -70,6 +74,7 @@ func (m *PodMutator) Handle(ctx context.Context, req admission.Request) admissio
 			Namespace: req.Namespace,
 		},
 	}) // Delete the configmap if it exists
+
 	m.Log.V(1).Info(fmt.Sprintf("Creating configmap %s", configName))
 	if err := m.Client.Create(ctx, &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
