diff --git a/pkg/webhook/configmap.go b/pkg/webhook/configmap.go index b6698e0..85e3f2f 100644 --- a/pkg/webhook/configmap.go +++ b/pkg/webhook/configmap.go @@ -55,13 +55,13 @@ func (mw *MutatingWebhook) MutateConfigMap(configMap *corev1.ConfigMap) error { func configMapNeedsMutation(configMap *corev1.ConfigMap) bool { for _, value := range configMap.Data { - if hasProviderPrefix(currentlyUsedProvider, value, true) { + if hasProviderPrefix(value, true) { return true } } for _, value := range configMap.BinaryData { - if hasProviderPrefix(currentlyUsedProvider, string(value), false) { + if hasProviderPrefix(string(value), false) { return true } } diff --git a/pkg/webhook/pod.go b/pkg/webhook/pod.go index fdc3ddc..46ad0f7 100644 --- a/pkg/webhook/pod.go +++ b/pkg/webhook/pod.go @@ -36,6 +36,11 @@ import ( const SecretInitVolumeName = "secret-init" func (mw *MutatingWebhook) MutatePod(ctx context.Context, pod *corev1.Pod, webhookConfig common.Config, secretInitConfig common.SecretInitConfig, dryRun bool) error { + if isPodAlreadyMutated(pod) { + mw.logger.Info(fmt.Sprintf("Pod %s is already mutated, skipping mutation.", pod.Name)) + return nil + } + mw.logger.Debug("Successfully connected to the API") switch providerConfig := mw.providerConfig.(type) { @@ -121,7 +126,7 @@ func (mw *MutatingWebhook) mutateContainers(ctx context.Context, containers []co } for _, env := range container.Env { - if hasProviderPrefix(currentlyUsedProvider, env.Value, true) { + if hasProviderPrefix(env.Value, true) { envVars = append(envVars, env) } @@ -602,11 +607,6 @@ func getBaseSecurityContext(podSecurityContext *corev1.PodSecurityContext, webho // ======== VAULT ======== func (mw *MutatingWebhook) mutatePodForVault(ctx context.Context, pod *corev1.Pod, webhookConfig common.Config, secretInitConfig common.SecretInitConfig, vaultConfig vault.Config, dryRun bool) error { - if isPodAlreadyMutated(pod) { - mw.logger.Info(fmt.Sprintf("Pod %s is already mutated, skipping mutation.", pod.Name)) - return nil - } - initContainersMutated, err := mw.mutateContainers(ctx, pod.Spec.InitContainers, &pod.Spec, webhookConfig, secretInitConfig, vaultConfig, vaultConfig.ObjectNamespace, vaultConfig.FromPath) if err != nil { return err @@ -1121,11 +1121,6 @@ func getAgentContainersForVault(originalContainers []corev1.Container, podSecuri // ======== BAO ======== func (mw *MutatingWebhook) mutatePodForBao(ctx context.Context, pod *corev1.Pod, webhookConfig common.Config, secretInitConfig common.SecretInitConfig, baoConfig bao.Config, dryRun bool) error { - if isPodAlreadyMutated(pod) { - mw.logger.Info(fmt.Sprintf("Pod %s is already mutated, skipping mutation.", pod.Name)) - return nil - } - initContainersMutated, err := mw.mutateContainers(ctx, pod.Spec.InitContainers, &pod.Spec, webhookConfig, secretInitConfig, baoConfig, baoConfig.ObjectNamespace, baoConfig.FromPath) if err != nil { return err diff --git a/pkg/webhook/secret.go b/pkg/webhook/secret.go index be72cc2..2e0764b 100644 --- a/pkg/webhook/secret.go +++ b/pkg/webhook/secret.go @@ -56,6 +56,16 @@ type dockerAuthConfig struct { } func (mw *MutatingWebhook) MutateSecret(secret *corev1.Secret) error { + // do an early exit if no mutation is needed + requiredToMutate, err := secretNeedsMutation(secret) + if err != nil { + return errors.Wrap(err, "failed to check if secret needs to be mutated") + } + + if !requiredToMutate { + return nil + } + switch providerConfig := mw.providerConfig.(type) { case vault.Config: err := mw.mutateSecretForVault(secret, providerConfig) @@ -92,14 +102,14 @@ func secretNeedsMutation(secret *corev1.Secret) (bool, error) { } auth := string(authBytes) - if hasProviderPrefix(currentlyUsedProvider, auth, false) { + if hasProviderPrefix(auth, false) { return true, nil } } - } else if hasProviderPrefix(currentlyUsedProvider, string(value), false) { + } else if hasProviderPrefix(string(value), false) { return true, nil - } else if hasInlineProviderDelimiters(currentlyUsedProvider, string(value)) { + } else if hasInlineProviderDelimiters(string(value)) { return true, nil } } @@ -110,16 +120,6 @@ func secretNeedsMutation(secret *corev1.Secret) (bool, error) { // ======== VAULT ======== func (mw *MutatingWebhook) mutateSecretForVault(secret *corev1.Secret, vaultConfig vault.Config) error { - // do an early exit if no mutation is needed - requiredToMutate, err := secretNeedsMutation(secret) - if err != nil { - return errors.Wrap(err, "failed to check if secret needs to be mutated") - } - - if !requiredToMutate { - return nil - } - vaultClient, err := mw.newVaultClient(vaultConfig) if err != nil { return errors.Wrap(err, "failed to create vault client") @@ -227,16 +227,6 @@ func (mw *MutatingWebhook) mutateSecretDataForVault(secret *corev1.Secret, injec // ======== BAO ======== func (mw *MutatingWebhook) mutateSecretForBao(secret *corev1.Secret, baoConfig bao.Config) error { - // do an early exit if no mutation is needed - requiredToMutate, err := secretNeedsMutation(secret) - if err != nil { - return errors.Wrap(err, "failed to check if secret needs to be mutated") - } - - if !requiredToMutate { - return nil - } - baoClient, err := mw.newBaoClient(baoConfig) if err != nil { return errors.Wrap(err, "failed to create bao client") diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go index 346cfd6..864faa3 100644 --- a/pkg/webhook/webhook.go +++ b/pkg/webhook/webhook.go @@ -136,7 +136,7 @@ func (mw *MutatingWebhook) lookForEnvFrom(envFrom []corev1.EnvFromSource, ns str } for key, value := range data { - if hasProviderPrefix(currentlyUsedProvider, value, true) { + if hasProviderPrefix(value, true) { envFromCM := corev1.EnvVar{ Name: key, Value: value, @@ -158,7 +158,7 @@ func (mw *MutatingWebhook) lookForEnvFrom(envFrom []corev1.EnvFromSource, ns str for name, v := range data { value := string(v) - if hasProviderPrefix(currentlyUsedProvider, value, true) { + if hasProviderPrefix(value, true) { envFromSec := corev1.EnvVar{ Name: name, Value: value, @@ -183,7 +183,7 @@ func (mw *MutatingWebhook) lookForValueFrom(env corev1.EnvVar, ns string) (*core } value := data[env.ValueFrom.ConfigMapKeyRef.Key] - if hasProviderPrefix(currentlyUsedProvider, value, true) { + if hasProviderPrefix(value, true) { fromCM := corev1.EnvVar{ Name: env.Name, Value: value, @@ -202,7 +202,7 @@ func (mw *MutatingWebhook) lookForValueFrom(env corev1.EnvVar, ns string) (*core } value := string(data[env.ValueFrom.SecretKeyRef.Key]) - if hasProviderPrefix(currentlyUsedProvider, value, true) { + if hasProviderPrefix(value, true) { fromSecret := corev1.EnvVar{ Name: env.Name, Value: value, @@ -272,8 +272,8 @@ func parseProviderConfig(obj metav1.Object, ar *model.AdmissionReview, providerN return config, nil } -func hasProviderPrefix(providerName string, value string, withInlineDelimiters bool) bool { - switch providerName { +func hasProviderPrefix(value string, withInlineDelimiters bool) bool { + switch currentlyUsedProvider { case vaultprov.ProviderName: if withInlineDelimiters { return common.HasVaultPrefix(value) || vaultinjector.HasInlineVaultDelimiters(value) @@ -291,8 +291,8 @@ func hasProviderPrefix(providerName string, value string, withInlineDelimiters b } } -func hasInlineProviderDelimiters(providerName, value string) bool { - switch providerName { +func hasInlineProviderDelimiters(value string) bool { + switch currentlyUsedProvider { case vaultprov.ProviderName: return vaultinjector.HasInlineVaultDelimiters(value)