Webhook handle lack of permission and skip installing webhook secret for operatorOnly

rjeberhard · rjeberhard · commit 8f96855d5455 · 2024-12-16T10:59:42.000-05:00
diff --git a/kubernetes/charts/weblogic-operator/templates/_operator-secret.tpl b/kubernetes/charts/weblogic-operator/templates/_operator-secret.tpl
@@ -1,7 +1,8 @@
-# Copyright (c) 2018, 2022, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 {{- define "operator.operatorSecrets" }}
+{{- if not .webhookOnly }}
 ---
 apiVersion: "v1"
 kind: "Secret"
@@ -22,6 +23,8 @@ metadata:
   name: "weblogic-operator-secrets"
   namespace:  {{ .Release.Namespace | quote }}
 type: "Opaque"
+{{- end }}
+{{- if not .operatorOnly }}
 ---
 apiVersion: "v1"
 kind: "Secret"
@@ -44,3 +47,4 @@ metadata:
   namespace:  {{ .Release.Namespace | quote }}
 type: "Opaque"
 {{- end }}
+{{- end }}
diff --git a/operator/src/main/java/oracle/kubernetes/operator/helpers/WebhookHelper.java b/operator/src/main/java/oracle/kubernetes/operator/helpers/WebhookHelper.java
@@ -1,4 +1,4 @@
-// Copyright (c) 2022, Oracle and/or its affiliates.
+// Copyright (c) 2022, 2024, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.helpers;
@@ -263,7 +263,8 @@ protected NextAction onFailureNoRetry(Packet packet,
                                             CallResponse<V1ValidatingWebhookConfiguration> callResponse) {
         LOGGER.info(MessageKeys.READ_VALIDATING_WEBHOOK_CONFIGURATION_FAILED,
             VALIDATING_WEBHOOK_NAME, callResponse.getE().getResponseBody());
-        return super.onFailureNoRetry(packet, callResponse);
+        return isNotAuthorizedOrForbidden(callResponse)
+                ? doNext(packet) : super.onFailureNoRetry(packet, callResponse);
       }
     }
 
@@ -284,7 +285,8 @@ protected NextAction onFailureNoRetry(Packet packet,
                                             CallResponse<V1ValidatingWebhookConfiguration> callResponse) {
         LOGGER.info(MessageKeys.CREATE_VALIDATING_WEBHOOK_CONFIGURATION_FAILED,
             VALIDATING_WEBHOOK_NAME, callResponse.getE().getResponseBody());
-        return super.onFailureNoRetry(packet, callResponse);
+        return isNotAuthorizedOrForbidden(callResponse)
+                ? doNext(packet) : super.onFailureNoRetry(packet, callResponse);
       }
     }
 
@@ -318,7 +320,8 @@ protected NextAction onFailureNoRetry(Packet packet,
                                             CallResponse<V1ValidatingWebhookConfiguration> callResponse) {
         LOGGER.info(MessageKeys.REPLACE_VALIDATING_WEBHOOK_CONFIGURATION_FAILED,
             VALIDATING_WEBHOOK_NAME, callResponse.getE().getResponseBody());
-        return super.onFailureNoRetry(packet, callResponse);
+        return isNotAuthorizedOrForbidden(callResponse)
+                ? doNext(packet) : super.onFailureNoRetry(packet, callResponse);
       }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Copyright (c) 2022, Oracle and/or its affiliates.`
	`1`	`+// Copyright (c) 2022, 2024, Oracle and/or its affiliates.`
`2`	`2`	`// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.`
`3`	`3`
`4`	`4`	`package oracle.kubernetes.operator.helpers;`
`@@ -263,7 +263,8 @@ protected NextAction onFailureNoRetry(Packet packet,`
`263`	`263`	`CallResponse<V1ValidatingWebhookConfiguration> callResponse) {`
`264`	`264`	`LOGGER.info(MessageKeys.READ_VALIDATING_WEBHOOK_CONFIGURATION_FAILED,`
`265`	`265`	`VALIDATING_WEBHOOK_NAME, callResponse.getE().getResponseBody());`
`266`		`- return super.onFailureNoRetry(packet, callResponse);`
	`266`	`+ return isNotAuthorizedOrForbidden(callResponse)`
	`267`	`+ ? doNext(packet) : super.onFailureNoRetry(packet, callResponse);`
`267`	`268`	`}`
`268`	`269`	`}`
`269`	`270`
`@@ -284,7 +285,8 @@ protected NextAction onFailureNoRetry(Packet packet,`
`284`	`285`	`CallResponse<V1ValidatingWebhookConfiguration> callResponse) {`
`285`	`286`	`LOGGER.info(MessageKeys.CREATE_VALIDATING_WEBHOOK_CONFIGURATION_FAILED,`
`286`	`287`	`VALIDATING_WEBHOOK_NAME, callResponse.getE().getResponseBody());`
`287`		`- return super.onFailureNoRetry(packet, callResponse);`
	`288`	`+ return isNotAuthorizedOrForbidden(callResponse)`
	`289`	`+ ? doNext(packet) : super.onFailureNoRetry(packet, callResponse);`
`288`	`290`	`}`
`289`	`291`	`}`
`290`	`292`
`@@ -318,7 +320,8 @@ protected NextAction onFailureNoRetry(Packet packet,`
`318`	`320`	`CallResponse<V1ValidatingWebhookConfiguration> callResponse) {`
`319`	`321`	`LOGGER.info(MessageKeys.REPLACE_VALIDATING_WEBHOOK_CONFIGURATION_FAILED,`
`320`	`322`	`VALIDATING_WEBHOOK_NAME, callResponse.getE().getResponseBody());`
`321`		`- return super.onFailureNoRetry(packet, callResponse);`
	`323`	`+ return isNotAuthorizedOrForbidden(callResponse)`
	`324`	`+ ? doNext(packet) : super.onFailureNoRetry(packet, callResponse);`
`322`	`325`	`}`
`323`	`326`	`}`
`324`	`327`