cmd/containerboot: don't attempt to patch a Secret field without permissions (#14365)

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-01-08 09:07:44 +00:00 · 2024-12-11 14:58:44 +00:00 · 2024-12-11 14:58:44 +00:00 · 6e552f66a0
commit 6e552f66a0
parent f1ccdcc713
3 changed files with 3 additions and 1 deletions
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@ -24,6 +24,7 @@
 type kubeClient struct {
 	kubeclient.Client
 	stateSecret string
+	canPatch    bool // whether the client has permissions to patch Kubernetes Secrets
 }

 func newKubeClient(root string, stateSecret string) (*kubeClient, error) {
--- a/cmd/containerboot/serve.go
+++ b/cmd/containerboot/serve.go
@ -72,7 +72,7 @@ func watchServeConfigChanges(ctx context.Context, path string, cdChanged <-chan
 		if err := updateServeConfig(ctx, sc, certDomain, lc); err != nil {
 			log.Fatalf("serve proxy: error updating serve config: %v", err)
 		}
-		if kc != nil {
+		if kc != nil && kc.canPatch {
 			if err := kc.storeHTTPSEndpoint(ctx, certDomain); err != nil {
 				log.Fatalf("serve proxy: error storing HTTPS endpoint: %v", err)
 			}
--- a/cmd/containerboot/settings.go
+++ b/cmd/containerboot/settings.go
@ -217,6 +217,7 @@ func (cfg *settings) setupKube(ctx context.Context, kc *kubeClient) error {
 		return fmt.Errorf("some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
 	}
 	cfg.KubernetesCanPatch = canPatch
+	kc.canPatch = canPatch

 	s, err := kc.GetSecret(ctx, cfg.KubeSecret)
 	if err != nil {