

Merge pull request #44 from patoarvizu/ignore-default
Ignore default
patoarvizu authored Feb 9, 2021
2 parents 26c17b0 + 9a31b7a commit 14b196c
Showing 3 changed files with 19 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -120,6 +120,7 @@ Here's the list of architectures the images are being built for, and their corre

* If the annotation is added to a service account that matches a role/policy that already exists in the Vault CRD will be modified, but all other role/policies will be kept as they are defined.
* Currently, the Operator will add the appropriate configuration, but won't remove it if the annotation is removed (or set to a non-`true` value), or if the service account itself is removed.
* The controller will explicitly ignore any service accounts named `default`, to avoid accidentally overwriting Vault's built-in [`default` policy](https://www.vaultproject.io/docs/concepts/policies#default-policy).

## Help wanted!

5 changes: 5 additions & 0 deletions controllers/serviceaccount_controller.go
Expand Up @@ -153,6 +153,11 @@ func (r *ServiceAccountReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err
return reconcile.Result{}, nil
}

if instance.ObjectMeta.Name == "default" {
reqLogger.V(1).Info(fmt.Sprintf("Explicitly ignoring 'default' ServiceAccount in namespace %s, to avoid overwriting Vaults 'default' policy", &instance.ObjectMeta.Namespace))
return reconcile.Result{}, nil
}

vaultConfig := &bankvaultsv1alpha1.Vault{}
ns, _ := getOperatorNamespace()
err = r.Client.Get(context.TODO(), types.NamespacedName{Name: TargetVaultName, Namespace: ns}, vaultConfig)
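Review bot: The log call on the added `reqLogger.V(1).Info(fmt.Sprintf(...))` line formats `&instance.ObjectMeta.Namespace` with `%s`, so the message will print a `*string` pointer (something like `%!s(*string=0xc...)`) rather than the namespace name. Drop the `&`, and since `reqLogger` is a structured logger the namespace fits better as a key/value pair than inside a Sprintf: `reqLogger.V(1).Info("explicitly ignoring 'default' ServiceAccount to avoid overwriting Vault's 'default' policy", "namespace", instance.ObjectMeta.Namespace)`. The guard matches the name alone; if the Vault policy name is derived from the ServiceAccount name as the README text in this commit suggests, Vault's other built-in policy, `root`, would deserve the same treatment, though nothing in this hunk shows how the name is derived. Reconcile begins and ends outside the hunk.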
13 changes: 13 additions & 0 deletions test/e2e/operator_test.go
Expand Up @@ -122,6 +122,19 @@ var _ = Describe("All namespaces", func() {
})
})

var _ = Describe("Any namespace", func() {
Context("When annotating a service account called 'default'", func() {
It("Should NOT create a Vault role or policy wit that name", func() {
serviceAccount, err := createServiceAccount("default", "default", map[string]string{})
Expect(err).ToNot(HaveOccurred())
err = testVaultRole("default", []string{"*"})
Expect(err).To(HaveOccurred())
err = k8sClient.Delete(context.TODO(), serviceAccount)
Expect(err).ToNot(HaveOccurred())
})
})
})

var _ = AfterSuite(func() {
By("tearing down the test environment")
err := testEnv.Stop()
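Review bot: The new test passes an empty map on the `createServiceAccount("default", "default", map[string]string{})` line, so if that third argument is the annotation set, the ServiceAccount is never annotated and the reconciler would skip it before reaching the new name guard; the test then passes whether or not the guard exists. To actually exercise the guard, pass the opt-in annotation the other tests use (not visible in this hunk) set to `true`, keep the `testVaultRole` expectation, and consider asserting the specific error so an unrelated Vault failure does not satisfy `HaveOccurred()`. On a real cluster the `default` ServiceAccount in namespace `default` already exists and the create would fail with AlreadyExists; that is fine under envtest but worth a comment such as `// envtest runs no controller-manager, so the 'default' ServiceAccount must be created by hand`. The test name on the `It(...)` line has a typo, `wit` for `with`.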

