-
Notifications
You must be signed in to change notification settings - Fork 595
/
Copy pathutils.go
68 lines (60 loc) · 2.79 KB
/
utils.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
package admission
import (
"context"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
"sigs.k8s.io/controller-runtime/pkg/client"
credsvalidation "github.com/kong/kubernetes-ingress-controller/v2/internal/adminapi/validators/consumer/credentials"
kongv1 "github.com/kong/kubernetes-ingress-controller/v2/pkg/apis/configuration/v1"
)
// -----------------------------------------------------------------------------
// KongHTTPValidator - Private Functions
// -----------------------------------------------------------------------------
// listManagedConsumersReferencingCredentialsSecret takes a Secret and a list of KongConsumers.
// It returns a list of KongConsumers that reference that Secret as a credential
func listManagedConsumersReferencingCredentialsSecret(secret corev1.Secret, managedConsumers []*kongv1.KongConsumer) []*kongv1.KongConsumer {
// determine if this credential is being actively referenced by a consumer
consumersWhichReferenceSecret := make([]*kongv1.KongConsumer, 0)
for _, consumer := range managedConsumers {
// verify that the secret is actually in the same namespace (its possible for
// there to be name duplication across multiple namespaces).
if consumer.Namespace == secret.Namespace {
// verify whether the consumer in this same namespace as the secret
// actually references it as a credential.
for _, secretName := range consumer.Credentials {
if secretName == secret.Name { // this credential is referred to from a consumer
consumersWhichReferenceSecret = append(consumersWhichReferenceSecret, consumer)
}
}
}
}
return consumersWhichReferenceSecret
}
// globalValidationIndexForCredentials builds an index of all consumer credentials
// using a given controller-runtime client. This provides an index based on
// ALL namespaces in the cluster. This can be very expensive with high numbers
// of consumer credentials, particularly if the client you provide is not cached
func globalValidationIndexForCredentials(ctx context.Context, managerClient client.Client, consumers []*kongv1.KongConsumer) (credsvalidation.Index, error) {
// pull the reference secrets for credentials from each consumer in the list
index := make(credsvalidation.Index)
for _, consumer := range consumers {
for _, secretName := range consumer.Credentials {
// grab a copy of the credential secret
secret := &corev1.Secret{}
if err := managerClient.Get(ctx, client.ObjectKey{
Namespace: consumer.Namespace,
Name: secretName,
}, secret); err != nil {
if errors.IsNotFound(err) { // ignore missing secrets
continue
}
return nil, err
}
// add the credential secret to the index
if err := index.ValidateCredentialsForUniqueKeyConstraints(consumer.Name, secret); err != nil {
return nil, err
}
}
}
return index, nil
}