#221 Validate security in doguSecurityContextManager

cloudogu · Dec 19, 2024 · d32eb1b · d32eb1b
1 parent 1063464
commit d32eb1b
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/controllers/doguSecurityContextManager.go b/controllers/doguSecurityContextManager.go
@@ -6,6 +6,8 @@ import (
 	k8sv2 "github.com/cloudogu/k8s-dogu-operator/v3/api/v2"
 	"github.com/cloudogu/k8s-dogu-operator/v3/controllers/resource"
 	"github.com/cloudogu/k8s-dogu-operator/v3/controllers/util"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
@@ -19,24 +21,38 @@ const (
 type doguSecurityContextManager struct {
 	resourceDoguFetcher resourceDoguFetcher
 	resourceUpserter    resource.ResourceUpserter
+	securityValidator   securityValidator
+	recorder            eventRecorder
 }
 
-func NewDoguSecurityContextManager(mgrSet *util.ManagerSet) *doguSecurityContextManager {
+func NewDoguSecurityContextManager(mgrSet *util.ManagerSet, eventRecorder record.EventRecorder) *doguSecurityContextManager {
 	return &doguSecurityContextManager{
 		resourceDoguFetcher: mgrSet.ResourceDoguFetcher,
 		resourceUpserter:    mgrSet.ResourceUpserter,
+		securityValidator:   mgrSet.SecurityValidator,
+		recorder:            eventRecorder,
 	}
 }
 
 func (d doguSecurityContextManager) UpdateDeploymentWithSecurityContext(ctx context.Context, doguResource *k8sv2.Dogu) error {
 	logger := log.FromContext(ctx)
+
 	logger.Info("Fetching dogu...")
+	d.recorder.Event(doguResource, corev1.EventTypeNormal, SecurityContextChangeEventReason, "Fetching dogu...")
 	dogu, _, err := d.resourceDoguFetcher.FetchWithResource(ctx, doguResource)
 	if err != nil {
 		return fmt.Errorf("failed to fetch dogu %s: %w", doguResource.Spec.Name, err)
 	}
 
-	logger.Info("Upserting deployment... ")
+	logger.Info("Validating dogu security...")
+	d.recorder.Event(doguResource, corev1.EventTypeNormal, SecurityContextChangeEventReason, "Validating dogu security...")
+	err = d.securityValidator.ValidateSecurity(dogu, doguResource)
+	if err != nil {
+		return err
+	}
+
+	logger.Info("Upserting deployment...")
+	d.recorder.Event(doguResource, corev1.EventTypeNormal, SecurityContextChangeEventReason, "Upserting deployment...")
 	_, err = d.resourceUpserter.UpsertDoguDeployment(ctx, doguResource, dogu, nil)
 	if err != nil {
 		return fmt.Errorf("failed to upsert deployment with security context: %w", err)

diff --git a/controllers/doguSecurityContextManager_test.go b/controllers/doguSecurityContextManager_test.go
@@ -17,9 +17,10 @@ func TestNewDoguSecurityContextManager(t *testing.T) {
 	t.Run("success", func(t *testing.T) {
 		// given
 		mgrSet := &util.ManagerSet{}
+		mockEventRecorder := &mockEventRecorder{}
 
 		// when
-		doguSecurityContextManager := NewDoguSecurityContextManager(mgrSet)
+		doguSecurityContextManager := NewDoguSecurityContextManager(mgrSet, mockEventRecorder)
 
 		// then
 		require.NotNil(t, doguSecurityContextManager)