From f2b31eccbb9e20dcfc54358d9d8f41a3d2ee3fc1 Mon Sep 17 00:00:00 2001
From: Mattia Lavacca
Date: Wed, 9 Oct 2024 11:28:53 +0200
Subject: [PATCH] don't allow cross-namespace refs
Signed-off-by: Mattia Lavacca
---
 controller/dataplane/konnect_extension.go | 5 +-
 .../dataplane/konnect_extension_test.go | 69 +++++++++++++++----
 2 files changed, 60 insertions(+), 14 deletions(-)
diff --git a/controller/dataplane/konnect_extension.go b/controller/dataplane/konnect_extension.go
index a8116fae0..476aae8c6 100644
--- a/controller/dataplane/konnect_extension.go
+++ b/controller/dataplane/konnect_extension.go
@@ -2,6 +2,7 @@ package dataplane
 import (
 "context"
+ "errors"
 "strings"
 "github.com/samber/lo"
@@ -25,8 +26,8 @@ func applyDataPlaneKonnectExtension(ctx context.Context, cl client.Client, datap
 continue
 }
 namespace := dataplane.Namespace
- if extensionRef.Namespace != nil {
- namespace = *extensionRef.Namespace
+ if extensionRef.Namespace != nil && *extensionRef.Namespace != namespace {
+ return errors.New("cross-namespace reference is not currently supported for Konnect extensions")
 }
 konnectExt := v1alpha1.DataPlaneKonnectExtension{}
diff --git a/controller/dataplane/konnect_extension_test.go b/controller/dataplane/konnect_extension_test.go
index 38245d226..99777c051 100644
--- a/controller/dataplane/konnect_extension_test.go
+++ b/controller/dataplane/konnect_extension_test.go
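Review bot: The new `return errors.New("cross-namespace reference is not currently supported for Konnect extensions")` turns a user-configuration mistake into an anonymous error, so the reconciler calling applyDataPlaneKonnectExtension (outside this hunk) cannot tell it apart from a transient failure with `errors.Is` and will presumably keep requeueing the DataPlane instead of reporting a terminal status condition. A package-level sentinel, `var ErrCrossNamespaceReference = errors.New("cross-namespace reference is not currently supported for Konnect extensions")`, returned here with the offending `extensionRef.Name` and namespace wrapped in via `%w` (adding `fmt` to the import block if it is not already there), would fix that. The check also deserves a why-comment, since the security motivation is not obvious from the condition alone: `// Refuse refs into other namespaces: following them would let a DataPlane attach a DataPlaneKonnectExtension, and the cluster certificate Secret it names, from a namespace that never granted access.` The enclosing loop and function continue outside the hunk; enforcing the same rule in the CRD schema (CEL or a webhook) would reject such objects at admission instead of at reconcile time.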
@@ -45,6 +45,52 @@ func TestApplyDataPlaneKonnectExtension(t *testing.T) {
 },
 expectedError: false,
 },
+ {
+ name: "Cross-namespace extension",
+ dataplane: &operatorv1beta1.DataPlane{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: "default",
+ },
+ Spec: operatorv1beta1.DataPlaneSpec{
+ DataPlaneOptions: operatorv1beta1.DataPlaneOptions{
+ Extensions: []operatorv1alpha1.ExtensionRef{
+ {
+ Group: operatorv1alpha1.SchemeGroupVersion.Group,
+ Kind: "DataPlaneKonnectExtension",
+ NamespacedRef: operatorv1alpha1.NamespacedRef{
+ Name: "konnect-ext",
+ Namespace: lo.ToPtr("other"),
+ },
+ },
+ },
+ Deployment: operatorv1beta1.DataPlaneDeploymentOptions{
+ DeploymentOptions: operatorv1beta1.DeploymentOptions{
+ PodTemplateSpec: &corev1.PodTemplateSpec{},
+ },
+ },
+ },
+ },
+ },
+ konnectExt: &operatorv1alpha1.DataPlaneKonnectExtension{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "konnect-ext",
+ Namespace: "other",
+ },
+ Spec: operatorv1alpha1.DataPlaneKonnectExtensionSpec{
+ AuthConfiguration: operatorv1alpha1.KonnectControlPlaneAPIAuthConfiguration{
+ ClusterCertificateSecretRef: operatorv1alpha1.ClusterCertificateSecretRef{
+ Name: "cluster-cert-secret",
+ },
+ },
+ ControlPlaneRef: configurationv1alpha1.ControlPlaneRef{
+ KonnectID: lo.ToPtr("konnect-id"),
+ },
+ ControlPlaneRegion: "us-west",
+ ServerHostname: "konnect.example.com",
+ },
+ },
+ expectedError: true,
+ },
 {
 name: "Extension not found",
 dataplane: &operatorv1beta1.DataPlane{
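Review bot: The new "Cross-namespace extension" entry only asserts `expectedError: true`, which any error satisfies; because the extension is created in `other` while the DataPlane sits in `default`, an implementation that simply ignored `extensionRef.Namespace` and looked the object up in `default` would also fail with a not-found error and pass this case, so the test does not pin that the cross-namespace rule is what fired. If the rejection becomes a sentinel, an `expectedErr error` field in the table checked with `require.ErrorIs(t, err, tt.expectedErr)` would make the assertion precise. The accepting side of the changed condition — an explicit `Namespace` equal to the DataPlane's own namespace — has no case at all, so a later tightening to reject every explicit namespace would still pass this table; add a sibling entry copying this one with `Namespace: lo.ToPtr("default")`, the extension's `ObjectMeta.Namespace` set to `"default"`, and `expectedError: false`. The table and TestApplyDataPlaneKonnectExtension start and end outside the hunk.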
@@ -192,20 +238,19 @@ func TestApplyDataPlaneKonnectExtension(t *testing.T) {
 require.Error(t, err)
 } else {
 require.NoError(t, err)
- }
-
- requiredEnv := []corev1.EnvVar{}
- if tt.dataplane.Spec.Deployment.PodTemplateSpec != nil {
- if container := k8sutils.GetPodContainerByName(&tt.dataplane.Spec.Deployment.PodTemplateSpec.Spec, consts.DataPlaneProxyContainerName); container != nil {
- requiredEnv = container.Env
+ requiredEnv := []corev1.EnvVar{}
+ if tt.dataplane.Spec.Deployment.PodTemplateSpec != nil {
+ if container := k8sutils.GetPodContainerByName(&tt.dataplane.Spec.Deployment.PodTemplateSpec.Spec, consts.DataPlaneProxyContainerName); container != nil {
+ requiredEnv = container.Env
+ }
 }
- }
- if tt.konnectExt != nil {
- requiredEnv = append(requiredEnv, getKongInKonnectEnvVars(*tt.konnectExt)...)
- sort.Sort(k8sutils.SortableEnvVars(requiredEnv))
- assert.NotNil(t, dataplane.Spec.Deployment.PodTemplateSpec)
- assert.Equal(t, requiredEnv, dataplane.Spec.Deployment.PodTemplateSpec.Spec.Containers[0].Env)
+ if tt.konnectExt != nil {
+ requiredEnv = append(requiredEnv, getKongInKonnectEnvVars(*tt.konnectExt)...)
+ sort.Sort(k8sutils.SortableEnvVars(requiredEnv))
+ assert.NotNil(t, dataplane.Spec.Deployment.PodTemplateSpec)
+ assert.Equal(t, requiredEnv, dataplane.Spec.Deployment.PodTemplateSpec.Spec.Containers[0].Env)
+ }
 }
 })
 }
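Review bot: Moving the env-var assertions under `require.NoError(t, err)` leaves the `require.Error(t, err)` branch with no assertion at all, so for the new cross-namespace case nothing verifies that the rejected reference left the DataPlane untouched, which is the property a security check like this is meant to guarantee. `dataplane` appears to be a copy of `tt.dataplane` made outside the hunk (the success-branch comparison of `container.Env` against the reconciled container only works if it is), so `require.Equal(t, tt.dataplane.Spec, dataplane.Spec)` right after `require.Error(t, err)` would pin that no Konnect env vars or other spec changes were applied before the error; confirm that copy before relying on it. The enclosing TestApplyDataPlaneKonnectExtension starts outside the hunk.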