refactor: finishing touches

Signed-off-by: Bence Csati <[email protected]>
bank-vaults · Mar 28, 2024 · c3d6f5c · c3d6f5c
1 parent 9bb7619
commit c3d6f5c
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 44 deletions.
diff --git a/pkg/webhook/configmap.go b/pkg/webhook/configmap.go
@@ -55,13 +55,13 @@ func (mw *MutatingWebhook) MutateConfigMap(configMap *corev1.ConfigMap) error {
 
 func configMapNeedsMutation(configMap *corev1.ConfigMap) bool {
 	for _, value := range configMap.Data {
-		if hasProviderPrefix(currentlyUsedProvider, value, true) {
+		if hasProviderPrefix(value, true) {
 			return true
 		}
 	}
 
 	for _, value := range configMap.BinaryData {
-		if hasProviderPrefix(currentlyUsedProvider, string(value), false) {
+		if hasProviderPrefix(string(value), false) {
 			return true
 		}
 	}

diff --git a/pkg/webhook/pod.go b/pkg/webhook/pod.go
@@ -36,6 +36,11 @@ import (
 const SecretInitVolumeName = "secret-init"
 
 func (mw *MutatingWebhook) MutatePod(ctx context.Context, pod *corev1.Pod, webhookConfig common.Config, secretInitConfig common.SecretInitConfig, dryRun bool) error {
+	if isPodAlreadyMutated(pod) {
+		mw.logger.Info(fmt.Sprintf("Pod %s is already mutated, skipping mutation.", pod.Name))
+		return nil
+	}
+
 	mw.logger.Debug("Successfully connected to the API")
 
 	switch providerConfig := mw.providerConfig.(type) {
@@ -121,7 +126,7 @@ func (mw *MutatingWebhook) mutateContainers(ctx context.Context, containers []co
 		}
 
 		for _, env := range container.Env {
-			if hasProviderPrefix(currentlyUsedProvider, env.Value, true) {
+			if hasProviderPrefix(env.Value, true) {
 				envVars = append(envVars, env)
 			}
 
@@ -602,11 +607,6 @@ func getBaseSecurityContext(podSecurityContext *corev1.PodSecurityContext, webho
 // ======== VAULT ========
 
 func (mw *MutatingWebhook) mutatePodForVault(ctx context.Context, pod *corev1.Pod, webhookConfig common.Config, secretInitConfig common.SecretInitConfig, vaultConfig vault.Config, dryRun bool) error {
-	if isPodAlreadyMutated(pod) {
-		mw.logger.Info(fmt.Sprintf("Pod %s is already mutated, skipping mutation.", pod.Name))
-		return nil
-	}
-
 	initContainersMutated, err := mw.mutateContainers(ctx, pod.Spec.InitContainers, &pod.Spec, webhookConfig, secretInitConfig, vaultConfig, vaultConfig.ObjectNamespace, vaultConfig.FromPath)
 	if err != nil {
 		return err
@@ -1121,11 +1121,6 @@ func getAgentContainersForVault(originalContainers []corev1.Container, podSecuri
 // ======== BAO ========
 
 func (mw *MutatingWebhook) mutatePodForBao(ctx context.Context, pod *corev1.Pod, webhookConfig common.Config, secretInitConfig common.SecretInitConfig, baoConfig bao.Config, dryRun bool) error {
-	if isPodAlreadyMutated(pod) {
-		mw.logger.Info(fmt.Sprintf("Pod %s is already mutated, skipping mutation.", pod.Name))
-		return nil
-	}
-
 	initContainersMutated, err := mw.mutateContainers(ctx, pod.Spec.InitContainers, &pod.Spec, webhookConfig, secretInitConfig, baoConfig, baoConfig.ObjectNamespace, baoConfig.FromPath)
 	if err != nil {
 		return err

diff --git a/pkg/webhook/secret.go b/pkg/webhook/secret.go
@@ -56,6 +56,16 @@ type dockerAuthConfig struct {
 }
 
 func (mw *MutatingWebhook) MutateSecret(secret *corev1.Secret) error {
+	// do an early exit if no mutation is needed
+	requiredToMutate, err := secretNeedsMutation(secret)
+	if err != nil {
+		return errors.Wrap(err, "failed to check if secret needs to be mutated")
+	}
+
+	if !requiredToMutate {
+		return nil
+	}
+
 	switch providerConfig := mw.providerConfig.(type) {
 	case vault.Config:
 		err := mw.mutateSecretForVault(secret, providerConfig)
@@ -92,14 +102,14 @@ func secretNeedsMutation(secret *corev1.Secret) (bool, error) {
 				}
 
 				auth := string(authBytes)
-				if hasProviderPrefix(currentlyUsedProvider, auth, false) {
+				if hasProviderPrefix(auth, false) {
 					return true, nil
 				}
 			}
 
-		} else if hasProviderPrefix(currentlyUsedProvider, string(value), false) {
+		} else if hasProviderPrefix(string(value), false) {
 			return true, nil
-		} else if hasInlineProviderDelimiters(currentlyUsedProvider, string(value)) {
+		} else if hasInlineProviderDelimiters(string(value)) {
 			return true, nil
 		}
 	}
@@ -110,16 +120,6 @@ func secretNeedsMutation(secret *corev1.Secret) (bool, error) {
 // ======== VAULT ========
 
 func (mw *MutatingWebhook) mutateSecretForVault(secret *corev1.Secret, vaultConfig vault.Config) error {
-	// do an early exit if no mutation is needed
-	requiredToMutate, err := secretNeedsMutation(secret)
-	if err != nil {
-		return errors.Wrap(err, "failed to check if secret needs to be mutated")
-	}
-
-	if !requiredToMutate {
-		return nil
-	}
-
 	vaultClient, err := mw.newVaultClient(vaultConfig)
 	if err != nil {
 		return errors.Wrap(err, "failed to create vault client")
@@ -227,16 +227,6 @@ func (mw *MutatingWebhook) mutateSecretDataForVault(secret *corev1.Secret, injec
 // ======== BAO ========
 
 func (mw *MutatingWebhook) mutateSecretForBao(secret *corev1.Secret, baoConfig bao.Config) error {
-	// do an early exit if no mutation is needed
-	requiredToMutate, err := secretNeedsMutation(secret)
-	if err != nil {
-		return errors.Wrap(err, "failed to check if secret needs to be mutated")
-	}
-
-	if !requiredToMutate {
-		return nil
-	}
-
 	baoClient, err := mw.newBaoClient(baoConfig)
 	if err != nil {
 		return errors.Wrap(err, "failed to create bao client")

diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
@@ -136,7 +136,7 @@ func (mw *MutatingWebhook) lookForEnvFrom(envFrom []corev1.EnvFromSource, ns str
 			}
 
 			for key, value := range data {
-				if hasProviderPrefix(currentlyUsedProvider, value, true) {
+				if hasProviderPrefix(value, true) {
 					envFromCM := corev1.EnvVar{
 						Name:  key,
 						Value: value,
@@ -158,7 +158,7 @@ func (mw *MutatingWebhook) lookForEnvFrom(envFrom []corev1.EnvFromSource, ns str
 
 			for name, v := range data {
 				value := string(v)
-				if hasProviderPrefix(currentlyUsedProvider, value, true) {
+				if hasProviderPrefix(value, true) {
 					envFromSec := corev1.EnvVar{
 						Name:  name,
 						Value: value,
@@ -183,7 +183,7 @@ func (mw *MutatingWebhook) lookForValueFrom(env corev1.EnvVar, ns string) (*core
 		}
 
 		value := data[env.ValueFrom.ConfigMapKeyRef.Key]
-		if hasProviderPrefix(currentlyUsedProvider, value, true) {
+		if hasProviderPrefix(value, true) {
 			fromCM := corev1.EnvVar{
 				Name:  env.Name,
 				Value: value,
@@ -202,7 +202,7 @@ func (mw *MutatingWebhook) lookForValueFrom(env corev1.EnvVar, ns string) (*core
 		}
 
 		value := string(data[env.ValueFrom.SecretKeyRef.Key])
-		if hasProviderPrefix(currentlyUsedProvider, value, true) {
+		if hasProviderPrefix(value, true) {
 			fromSecret := corev1.EnvVar{
 				Name:  env.Name,
 				Value: value,
@@ -272,8 +272,8 @@ func parseProviderConfig(obj metav1.Object, ar *model.AdmissionReview, providerN
 	return config, nil
 }
 
-func hasProviderPrefix(providerName string, value string, withInlineDelimiters bool) bool {
-	switch providerName {
+func hasProviderPrefix(value string, withInlineDelimiters bool) bool {
+	switch currentlyUsedProvider {
 	case vaultprov.ProviderName:
 		if withInlineDelimiters {
 			return common.HasVaultPrefix(value) || vaultinjector.HasInlineVaultDelimiters(value)
@@ -291,8 +291,8 @@ func hasProviderPrefix(providerName string, value string, withInlineDelimiters b
 	}
 }
 
-func hasInlineProviderDelimiters(providerName, value string) bool {
-	switch providerName {
+func hasInlineProviderDelimiters(value string) bool {
+	switch currentlyUsedProvider {
 	case vaultprov.ProviderName:
 		return vaultinjector.HasInlineVaultDelimiters(value)