refactor: Done

Signed-off-by: Bence Csati <[email protected]>
bank-vaults · Mar 27, 2024 · d0d3ced · d0d3ced
1 parent 3f2bb4f
commit d0d3ced
Show file tree

Hide file tree

Showing 16 changed files with 400 additions and 384 deletions.
diff --git a/e2e/main_test.go b/e2e/main_test.go
@@ -102,8 +102,8 @@ func TestMain(m *testing.M) {
 		testenv.Setup(installVaultOperator)
 		testenv.Finish(uninstallVaultOperator, envfuncs.DeleteNamespace("vault-operator"))
 
-		testenv.Setup(envfuncs.CreateNamespace("secrets-webhook"), installVaultSecretsWebhook)
-		testenv.Finish(uninstallVaultSecretsWebhook, envfuncs.DeleteNamespace("secrets-webhook"))
+		testenv.Setup(envfuncs.CreateNamespace("secrets-webhook"), installSecretsWebhook)
+		testenv.Finish(uninstallSecretsWebhook, envfuncs.DeleteNamespace("secrets-webhook"))
 
 		// Set up test namespace
 		// ns := envconf.RandomName("webhook-test", 16)
@@ -158,7 +158,7 @@ func uninstallVaultOperator(ctx context.Context, cfg *envconf.Config) (context.C
 	return ctx, nil
 }
 
-func installVaultSecretsWebhook(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
+func installSecretsWebhook(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
 	manager := helm.New(cfg.KubeconfigFile())
 
 	version := "latest"
@@ -186,7 +186,7 @@ func installVaultSecretsWebhook(ctx context.Context, cfg *envconf.Config) (conte
 	return ctx, nil
 }
 
-func uninstallVaultSecretsWebhook(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
+func uninstallSecretsWebhook(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
 	manager := helm.New(cfg.KubeconfigFile())
 
 	err := manager.RunUninstall(

diff --git a/e2e/test/configmap.yaml b/e2e/test/configmap.yaml
@@ -3,7 +3,7 @@ kind: ConfigMap
 metadata:
   name: test-configmap
   annotations:
-    secrets-webhook.security.banzaicloud.io/providers: "vault"
+    secrets-webhook.security.banzaicloud.io/provider: "vault"
     vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
     vault.security.banzaicloud.io/vault-role: "default"
     vault.security.banzaicloud.io/vault-tls-secret: vault-tls

diff --git a/e2e/test/deployment-init-seccontext.yaml b/e2e/test/deployment-init-seccontext.yaml
@@ -12,7 +12,7 @@ spec:
       labels:
         app.kubernetes.io/name: test-deployment-init-seccontext
       annotations:
-        secrets-webhook.security.banzaicloud.io/providers: "vault"
+        secrets-webhook.security.banzaicloud.io/provider: "vault"
         secrets-webhook.security.banzaicloud.io/run-as-non-root: "true"
         secrets-webhook.security.banzaicloud.io/run-as-user: "1000"
         secrets-webhook.security.banzaicloud.io/run-as-group: "1000"

diff --git a/e2e/test/deployment-seccontext.yaml b/e2e/test/deployment-seccontext.yaml
@@ -12,7 +12,7 @@ spec:
       labels:
         app.kubernetes.io/name: test-deployment-seccontext
       annotations:
-        secrets-webhook.security.banzaicloud.io/providers: "vault"
+        secrets-webhook.security.banzaicloud.io/provider: "vault"
         vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
         vault.security.banzaicloud.io/vault-role: "default"
         vault.security.banzaicloud.io/vault-tls-secret: vault-tls

diff --git a/e2e/test/deployment-template.yaml b/e2e/test/deployment-template.yaml
@@ -53,7 +53,7 @@ spec:
       labels:
         app.kubernetes.io/name: test-deployment-template
       annotations:
-        secrets-webhook.security.banzaicloud.io/providers: "vault"
+        secrets-webhook.security.banzaicloud.io/provider: "vault"
         vault.security.banzaicloud.io/vault-addr: "https://vault:8200" # optional, the address of the Vault service, default values is https://vault:8200
         vault.security.banzaicloud.io/vault-role: "default" # optional, the default value is the name of the ServiceAccount the Pod runs in, in case of Secrets and ConfigMaps it is "default"
         vault.security.banzaicloud.io/vault-skip-verify: "false" # optional, skip TLS verification of the Vault server certificate

diff --git a/e2e/test/deployment.yaml b/e2e/test/deployment.yaml
@@ -12,7 +12,7 @@ spec:
       labels:
         app.kubernetes.io/name: test-deployment
       annotations:
-        secrets-webhook.security.banzaicloud.io/providers: "vault"
+        secrets-webhook.security.banzaicloud.io/provider: "vault"
         vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
         vault.security.banzaicloud.io/vault-role: "default"
         vault.security.banzaicloud.io/vault-tls-secret: vault-tls

diff --git a/e2e/test/secret.yaml b/e2e/test/secret.yaml
@@ -3,7 +3,7 @@ kind: Secret
 metadata:
   name: test-secret
   annotations:
-    secrets-webhook.security.banzaicloud.io/providers: "vault"
+    secrets-webhook.security.banzaicloud.io/provider: "vault"
     vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
     vault.security.banzaicloud.io/vault-role: "default"
     vault.security.banzaicloud.io/vault-tls-secret: vault-tls

diff --git a/pkg/common/common.go b/pkg/common/common.go
@@ -31,7 +31,7 @@ const (
 	RegistrySkipVerifyAnnotation          = "secrets-webhook.security.banzaicloud.io/registry-skip-verify"
 	MutateAnnotation                      = "secrets-webhook.security.banzaicloud.io/mutate"
 	MutateProbesAnnotation                = "secrets-webhook.security.banzaicloud.io/mutate-probes"
-	ProvidersAnnotation                   = "secrets-webhook.security.banzaicloud.io/providers"
+	ProviderAnnotation                    = "secrets-webhook.security.banzaicloud.io/provider"
 
 	// Secret-init annotations
 	SecretInitDaemonAnnotation          = "secrets-webhook.security.banzaicloud.io/secret-init-daemon"

diff --git a/pkg/common/config.go b/pkg/common/config.go
@@ -16,7 +16,6 @@ package common
 
 import (
 	"strconv"
-	"strings"
 	"time"
 
 	"github.com/spf13/viper"
@@ -35,7 +34,7 @@ type Config struct {
 	RegistrySkipVerify          bool
 	Mutate                      bool
 	MutateProbes                bool
-	Providers                   []string
+	Provider                    string
 }
 
 // SecretInitConfig represents the configuration for the secret-init container
@@ -90,8 +89,8 @@ func ParseWebhookConfig(obj metav1.Object) Config {
 		Config.MutateProbes, _ = strconv.ParseBool(val)
 	}
 
-	if val, ok := annotations[ProvidersAnnotation]; ok {
-		Config.Providers = strings.Split(val, ",")
+	if val, ok := annotations[ProviderAnnotation]; ok {
+		Config.Provider = val
 	}
 
 	return Config

diff --git a/pkg/webhook/configmap.go b/pkg/webhook/configmap.go
@@ -33,27 +33,25 @@ func (mw *MutatingWebhook) MutateConfigMap(configMap *corev1.ConfigMap) error {
 		return nil
 	}
 
-	for _, config := range mw.providerConfigs {
-		switch providerConfig := config.(type) {
-		case vault.Config:
-			currentlyUsedProvider = vault.ProviderName
+	switch providerConfig := mw.providerConfig.(type) {
+	case vault.Config:
+		currentlyUsedProvider = vault.ProviderName
 
-			err := mw.mutateConfigMapForVault(configMap, providerConfig)
-			if err != nil {
-				return errors.Wrap(err, "failed to mutate secret")
-			}
+		err := mw.mutateConfigMapForVault(configMap, providerConfig)
+		if err != nil {
+			return errors.Wrap(err, "failed to mutate secret")
+		}
 
-		case bao.Config:
-			currentlyUsedProvider = bao.ProviderName
+	case bao.Config:
+		currentlyUsedProvider = bao.ProviderName
 
-			err := mw.mutateConfigMapForBao(configMap, providerConfig)
-			if err != nil {
-				return errors.Wrap(err, "failed to mutate secret")
-			}
-
-		default:
-			return errors.Errorf("unknown provider config type: %T", config)
+		err := mw.mutateConfigMapForBao(configMap, providerConfig)
+		if err != nil {
+			return errors.Wrap(err, "failed to mutate secret")
 		}
+
+	default:
+		return errors.Errorf("unknown provider config type: %T", mw.providerConfig)
 	}
 
 	return nil

diff --git a/pkg/webhook/configmap_test.go b/pkg/webhook/configmap_test.go
@@ -63,9 +63,9 @@ func TestMutateConfigMap_Vault(t *testing.T) {
 
 	admissionReview := &model.AdmissionReview{}
 
-	providerConfigs, err := parseProviderConfigs(&configMap, admissionReview, []string{vaultprov.ProviderName})
+	providerConfig, err := parseProviderConfig(&configMap, admissionReview, vaultprov.ProviderName)
 	assert.NoError(t, err)
-	mw.providerConfigs = providerConfigs
+	mw.providerConfig = providerConfig
 
 	err = mw.MutateConfigMap(&configMap)
 	assert.NoError(t, err)

diff --git a/pkg/webhook/object.go b/pkg/webhook/object.go
@@ -84,27 +84,25 @@ func sliceIterator(s []interface{}) iterator {
 func (mw *MutatingWebhook) MutateObject(object *unstructured.Unstructured) error {
 	mw.logger.Debug(fmt.Sprintf("mutating object: %s.%s", object.GetNamespace(), object.GetName()))
 
-	for _, config := range mw.providerConfigs {
-		switch providerConfig := config.(type) {
-		case vault.Config:
-			currentlyUsedProvider = vault.ProviderName
+	switch providerConfig := mw.providerConfig.(type) {
+	case vault.Config:
+		currentlyUsedProvider = vault.ProviderName
 
-			err := mw.mutateObjectForVault(object, providerConfig)
-			if err != nil {
-				return errors.Wrap(err, "failed to mutate secret")
-			}
-
-		case bao.Config:
-			currentlyUsedProvider = bao.ProviderName
+		err := mw.mutateObjectForVault(object, providerConfig)
+		if err != nil {
+			return errors.Wrap(err, "failed to mutate secret")
+		}
 
-			err := mw.mutateObjectForBao(object, providerConfig)
-			if err != nil {
-				return errors.Wrap(err, "failed to mutate secret")
-			}
+	case bao.Config:
+		currentlyUsedProvider = bao.ProviderName
 
-		default:
-			return errors.Errorf("unknown provider config type: %T", config)
+		err := mw.mutateObjectForBao(object, providerConfig)
+		if err != nil {
+			return errors.Wrap(err, "failed to mutate secret")
 		}
+
+	default:
+		return errors.Errorf("unknown provider config type: %T", mw.providerConfig)
 	}
 
 	return nil