Fix Otterize credentials operator not deleting IAM roles on pod clean…

…up due to the Otterize finalizer not being added to service accounts (#160)
otterize · Sep 15, 2024 · 78fe3f2 · 78fe3f2
1 parent 5a2fc0f
commit 78fe3f2
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 6 deletions.
diff --git a/src/operator/controllers/iam/serviceaccounts/serviceaccount_controller.go b/src/operator/controllers/iam/serviceaccounts/serviceaccount_controller.go
@@ -73,7 +73,6 @@ func (r *ServiceAccountReconciler) handleServiceAccountUpdate(ctx context.Contex
 		return ctrl.Result{Requeue: true}, nil
 	}
 	if updated {
-		controllerutil.AddFinalizer(updatedServiceAccount, r.agent.FinalizerName())
 		err := r.Client.Patch(ctx, updatedServiceAccount, client.MergeFrom(&serviceAccount))
 		if err != nil {
 			if apierrors.IsConflict(err) {

diff --git a/src/operator/controllers/iam/webhooks/pod_webhook.go b/src/operator/controllers/iam/webhooks/pod_webhook.go
@@ -69,6 +69,7 @@ func (w *ServiceAccountAnnotatingPodWebhook) handleOnce(ctx context.Context, pod
 
 	if !dryRun {
 		apiutils.AddLabel(updatedServiceAccount, w.agent.ServiceAccountLabel(), metadata.OtterizeServiceAccountHasPodsValue)
+		controllerutil.AddFinalizer(updatedServiceAccount, w.agent.FinalizerName())
 		err = w.client.Patch(ctx, updatedServiceAccount, client.MergeFrom(&serviceAccount))
 		if err != nil {
 			return corev1.Pod{}, false, "", errors.Errorf("could not patch service account: %w", err)

diff --git a/src/operator/go.mod b/src/operator/go.mod
diff --git a/src/operator/go.sum b/src/operator/go.sum
diff --git a/src/operator/main.go b/src/operator/main.go
@@ -346,6 +346,8 @@ func setupIAMAgents(ctx context.Context, mgr ctrl.Manager, client controllerrunt
 	azureIAMEnabled := viper.GetBool(operatorconfig.EnableAzureServiceAccountManagementKey)
 	gcpIAMEnabled := viper.GetBool(operatorconfig.EnableGCPServiceAccountManagementKey)
 
+	disableWebhookServer := viper.GetBool(operatorconfig.DisableWebhookServerKey)
+
 	if !awsIAMEnabled && !azureIAMEnabled && !gcpIAMEnabled {
 		return
 	}
@@ -356,8 +358,10 @@ func setupIAMAgents(ctx context.Context, mgr ctrl.Manager, client controllerrunt
 		awsCredentialsAgent := initAWSCredentialsAgent(ctx)
 		iamAgents = append(iamAgents, awsCredentialsAgent)
 
-		awsWebhookHandler := sa_pod_webhook_generic.NewServiceAccountAnnotatingPodWebhook(mgr, awsCredentialsAgent)
-		mgr.GetWebhookServer().Register("/mutate-aws-v1-pod", &webhook.Admission{Handler: awsWebhookHandler})
+		if !disableWebhookServer {
+			awsWebhookHandler := sa_pod_webhook_generic.NewServiceAccountAnnotatingPodWebhook(mgr, awsCredentialsAgent)
+			mgr.GetWebhookServer().Register("/mutate-aws-v1-pod", &webhook.Admission{Handler: awsWebhookHandler})
+		}
 	}
 
 	if gcpIAMEnabled {
@@ -369,8 +373,10 @@ func setupIAMAgents(ctx context.Context, mgr ctrl.Manager, client controllerrunt
 		azureCredentialsAgent := initAzureCredentialsAgent(ctx)
 		iamAgents = append(iamAgents, azureCredentialsAgent)
 
-		azureWebhookHandler := sa_pod_webhook_generic.NewServiceAccountAnnotatingPodWebhook(mgr, azureCredentialsAgent)
-		mgr.GetWebhookServer().Register("/mutate-azure-v1-pod", &webhook.Admission{Handler: azureWebhookHandler})
+		if !disableWebhookServer {
+			azureWebhookHandler := sa_pod_webhook_generic.NewServiceAccountAnnotatingPodWebhook(mgr, azureCredentialsAgent)
+			mgr.GetWebhookServer().Register("/mutate-azure-v1-pod", &webhook.Admission{Handler: azureWebhookHandler})
+		}
 	}
 
 	// setup service account reconciler

diff --git a/src/operator/operatorconfig/config.go b/src/operator/operatorconfig/config.go
@@ -40,6 +40,8 @@ const (
 	CertManagerIssuerDefault                   = "ca-issuer"
 	SelfSignedCertKey                          = "self-signed-cert"
 	SelfSignedCertDefault                      = true
+	DisableWebhookServerKey                    = "disable-webhook-server" // Disable webhook validator server
+	DisableWebhookServerDefault                = false
 	CertManagerUseClustierIssuerKey            = "cert-manager-use-cluster-issuer"
 	CertManagerUseClusterIssuerDefault         = false
 	UseCertManagerApproverKey                  = "cert-manager-approve-requests"
@@ -76,6 +78,7 @@ func init() {
 	viper.SetDefault(SpireServerAddrKey, SpireServerAddrDefault)
 	viper.SetDefault(CertProviderKey, CertProviderDefault)
 	viper.SetDefault(SelfSignedCertKey, SelfSignedCertDefault)
+	viper.SetDefault(DisableWebhookServerKey, DisableWebhookServerDefault)
 	viper.SetDefault(EnableLeaderElectionKey, EnableLeaderElectionDefault)
 	viper.SetDefault(CertManagerIssuerKey, CertManagerIssuerDefault)
 	viper.SetDefault(CertManagerUseClustierIssuerKey, CertManagerUseClusterIssuerDefault)