Simplify the permissions for the certificate generation (#398)

Dynatrace · Dec 2, 2021 · e7399dc · e7399dc
1 parent 3d238ee
commit e7399dc
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 35 deletions.
diff --git a/config/common/operator/clusterrole-operator.yaml b/config/common/operator/clusterrole-operator.yaml
@@ -7,15 +7,15 @@ metadata:
     operator: dynakube
 rules:
   - apiGroups:
-      - "" # "" indicates the core API group
+      - ""
     resources:
       - nodes
     verbs:
       - get
       - list
       - watch
   - apiGroups:
-      - "" # "" indicates the core API group
+      - ""
     resources:
       - namespaces
     verbs:
@@ -41,21 +41,12 @@ rules:
       - update
       - delete
   - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - mutatingwebhookconfigurations
-    verbs:
-      - list
-      - create
-      - watch
-  - apiGroups:
-      - admissionregistration.k8s.io
+      - ""
     resources:
-      - validatingwebhookconfigurations
+      - events
     verbs:
-      - list
       - create
-      - watch
+      - patch
   - apiGroups:
       - admissionregistration.k8s.io
     resources:
@@ -74,26 +65,13 @@ rules:
     verbs:
       - get
       - update
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
   - apiGroups:
       - apiextensions.k8s.io
     resources:
       - customresourcedefinitions
     resourceNames:
-      - "dynakubes.dynatrace.com"
+      - dynakubes.dynatrace.com
     verbs:
       - get
       - update
-  - apiGroups:
-    - apiextensions.k8s.io
-    resources:
-      - customresourcedefinitions
-    verbs:
-      - list
-      - watch
+
diff --git a/controllers/certificates/webhook_reconciler.go b/controllers/certificates/webhook_reconciler.go
@@ -51,13 +51,15 @@ func newWebhookReconciler(mgr manager.Manager, cancelMgr context.CancelFunc) *Re
 	return &ReconcileWebhookCertificates{
 		cancelMgrFunc: cancelMgr,
 		client:        mgr.GetClient(),
+		apiReader:     mgr.GetAPIReader(),
 		logger:        log.Log.WithName("operator.webhook-certificates"),
 	}
 }
 
 type ReconcileWebhookCertificates struct {
 	ctx           context.Context
 	client        client.Client
+	apiReader     client.Reader
 	namespace     string
 	logger        logr.Logger
 	cancelMgrFunc context.CancelFunc
@@ -193,7 +195,7 @@ func (r *ReconcileWebhookCertificates) updateWebhookConfigurations(ctx context.C
 func (r *ReconcileWebhookCertificates) getMutatingWebhookConfiguration(ctx context.Context) (
 	*admissionregistrationv1.MutatingWebhookConfiguration, error) {
 	var mutatingWebhook admissionregistrationv1.MutatingWebhookConfiguration
-	err := r.client.Get(ctx, client.ObjectKey{
+	err := r.apiReader.Get(ctx, client.ObjectKey{
 		Name: webhook.DeploymentName,
 	}, &mutatingWebhook)
 	if err != nil {
@@ -209,7 +211,7 @@ func (r *ReconcileWebhookCertificates) getMutatingWebhookConfiguration(ctx conte
 func (r *ReconcileWebhookCertificates) getValidatingWebhookConfiguration(ctx context.Context) (
 	*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
 	var mutatingWebhook admissionregistrationv1.ValidatingWebhookConfiguration
-	err := r.client.Get(ctx, client.ObjectKey{
+	err := r.apiReader.Get(ctx, client.ObjectKey{
 		Name: webhook.DeploymentName,
 	}, &mutatingWebhook)
 	if err != nil {
@@ -224,7 +226,7 @@ func (r *ReconcileWebhookCertificates) getValidatingWebhookConfiguration(ctx con
 
 func (r *ReconcileWebhookCertificates) getSecret() (*corev1.Secret, error) {
 	var oldSecret corev1.Secret
-	err := r.client.Get(r.ctx, client.ObjectKey{Name: r.buildSecretName(), Namespace: r.namespace}, &oldSecret)
+	err := r.apiReader.Get(r.ctx, client.ObjectKey{Name: r.buildSecretName(), Namespace: r.namespace}, &oldSecret)
 	if k8serrors.IsNotFound(err) {
 		return nil, nil
 	}
@@ -280,7 +282,7 @@ func (r *ReconcileWebhookCertificates) updateConfiguration(
 func (r *ReconcileWebhookCertificates) updateCRDConfiguration(ctx context.Context, secret *corev1.Secret) error {
 
 	var crd apiv1.CustomResourceDefinition
-	if err := r.client.Get(ctx, types.NamespacedName{Name: crdName}, &crd); err != nil {
+	if err := r.apiReader.Get(ctx, types.NamespacedName{Name: crdName}, &crd); err != nil {
 		return err
 	}
 

diff --git a/controllers/certificates/webhook_reconciler_test.go b/controllers/certificates/webhook_reconciler_test.go
@@ -32,8 +32,9 @@ func TestGetSecret(t *testing.T) {
 	t.Run(`get nil if secret does not exists`, func(t *testing.T) {
 		clt := fake.NewClient()
 		r := &ReconcileWebhookCertificates{
-			client: clt,
-			ctx:    context.TODO(),
+			client:    clt,
+			apiReader: clt,
+			ctx:       context.TODO(),
 		}
 		secret, err := r.getSecret()
 		require.NoError(t, err)
@@ -48,6 +49,7 @@ func TestGetSecret(t *testing.T) {
 		})
 		r := &ReconcileWebhookCertificates{
 			client:    clt,
+			apiReader: clt,
 			ctx:       context.TODO(),
 			namespace: testNamespace,
 		}
@@ -202,6 +204,7 @@ func prepareReconcile(clt client.Client) (*ReconcileWebhookCertificates, reconci
 	rec := &ReconcileWebhookCertificates{
 		ctx:       context.TODO(),
 		client:    clt,
+		apiReader: clt,
 		namespace: testNamespace,
 		logger:    logger.NewDTLogger(),
 	}