fix: resolve SecretRef and populate mgtCtx Auth before any validation

see: https://gravitee.atlassian.net/browse/GKO-775
gravitee-io · Nov 15, 2024 · 8665e92 · 8665e92
1 parent 206935d
commit 8665e92
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 17 deletions.
diff --git a/internal/admission/mctx/validate.go b/internal/admission/mctx/validate.go
@@ -94,13 +94,7 @@ func validateSecretRef(ctx context.Context, context core.ContextObject) *errors.
 }
 
 func validateContextIsAvailable(ctx context.Context, context core.ContextObject) *errors.AdmissionError {
-	var apimClient *apim.APIM
-	var err error
-	if context.HasSecretRef() || (context.HasCloud() && context.GetCloud().HasSecretRef()) {
-		apimClient, err = apim.FromContextRef(ctx, context.GetRef(), context.GetNamespace())
-	} else {
-		apimClient, err = apim.FromContext(ctx, context, context.GetNamespace())
-	}
+	apimClient, err := apim.FromContext(ctx, context, context.GetNamespace())
 
 	if err != nil {
 		return errors.NewSevere(err.Error())

diff --git a/internal/apim/apim.go b/internal/apim/apim.go
@@ -51,6 +51,10 @@ func FromContext(ctx context.Context, context core.ContextModel, parentNs string
 		return nil, err
 	}
 
+	if _, err = dynamic.InjectSecretIfAny(ctx, context, parentNs); err != nil {
+		return nil, err
+	}
+
 	client := &client.Client{
 		HTTP: http.NewClient(ctx, toHttpAuth(context)),
 		URLs: urls,

diff --git a/internal/k8s/dynamic/mctx.go b/internal/k8s/dynamic/mctx.go
@@ -36,19 +36,19 @@ func ResolveContext(ctx context.Context, ref core.ObjectRef, parentNs string) (*
 		return nil, err
 	}
 
-	return injectSecretIfAny(ctx, context, parentNs)
+	return context, err
 }
 
-func injectSecretIfAny(ctx context.Context, mCtx *management.Context, parentNs string) (*management.Context, error) {
-	if mCtx.HasSecretRef() || (mCtx.HasCloud() && mCtx.Cloud.HasSecretRef()) { //nolint:nestif // normal complexity
-		var ref *refs.NamespacedName
+func InjectSecretIfAny(ctx context.Context, mCtx core.ContextModel, parentNs string) (*core.ContextModel, error) {
+	if mCtx.HasSecretRef() || (mCtx.HasCloud() && mCtx.GetCloud().HasSecretRef()) { //nolint:nestif // normal complexity
+		var name string
 		if mCtx.HasSecretRef() {
-			ref = mCtx.SecretRef()
+			name = mCtx.GetSecretRef().GetName()
 		} else {
-			ref = mCtx.Cloud.SecretRef
+			name = mCtx.GetCloud().GetSecretRef().GetName()
 		}
 
-		secret, err := ResolveSecret(ctx, ref, parentNs)
+		secret, err := ResolveSecret(ctx, &refs.NamespacedName{Name: name, Namespace: parentNs}, parentNs)
 		if err != nil {
 			return nil, err
 		}
@@ -61,8 +61,11 @@ func injectSecretIfAny(ctx context.Context, mCtx *management.Context, parentNs s
 		username := string(secret.Data[core.UsernameSecretKey])
 		password := string(secret.Data[core.PasswordSecretKey])
 
-		mCtx.SetToken(bearerToken)
-		mCtx.SetCredentials(username, password)
+		if mCtx.GetAuth() != nil {
+			mCtx.GetAuth().SetToken(bearerToken)
+			mCtx.GetAuth().SetCredentials(username, password)
+		}
 	}
-	return mCtx, nil
+
+	return &mCtx, nil
 }
diff --git a/test/integration/admission/managementcontext/create_withMissingSecret_test.go b/test/integration/admission/managementcontext/create_withMissingSecret_test.go
@@ -37,6 +37,7 @@ var _ = Describe("Validate create", labels.WithContext, func() {
 		fixtures := fixture.Builder().
 			WithContext(constants.ContextWithSecretFile).
 			Build()
+		fixtures.Context.Spec.SecretRef().Name = "unknown-secret"
 
 		Consistently(func() error {
 			_, err := admissionCtrl.ValidateCreate(ctx, fixtures.Context)