From 6e552f66a0289f6309477fb024019b62a251da16 Mon Sep 17 00:00:00 2001
From: Irbe Krumina
Date: Wed, 11 Dec 2024 14:58:44 +0000
Subject: [PATCH] cmd/containerboot: don't attempt to patch a Secret field without permissions (#14365)

Signed-off-by: Irbe Krumina
---
 cmd/containerboot/kube.go | 1 +
 cmd/containerboot/serve.go | 2 +-
 cmd/containerboot/settings.go | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/cmd/containerboot/kube.go b/cmd/containerboot/kube.go
index 643eef385..4d00687ee 100644
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@@ -24,6 +24,7 @@ import (
 type kubeClient struct {
 kubeclient.Client
 stateSecret string
+ canPatch bool // whether the client has permissions to patch Kubernetes Secrets
 }

 func newKubeClient(root string, stateSecret string) (*kubeClient, error) {
diff --git a/cmd/containerboot/serve.go b/cmd/containerboot/serve.go
index c8b9e098d..14c7f00d7 100644
--- a/cmd/containerboot/serve.go
+++ b/cmd/containerboot/serve.go
@@ -72,7 +72,7 @@ func watchServeConfigChanges(ctx context.Context, path string, cdChanged <-chan
 if err := updateServeConfig(ctx, sc, certDomain, lc); err != nil {
 log.Fatalf("serve proxy: error updating serve config: %v", err)
 }
- if kc != nil {
+ if kc != nil && kc.canPatch {
 if err := kc.storeHTTPSEndpoint(ctx, certDomain); err != nil {
 log.Fatalf("serve proxy: error storing HTTPS endpoint: %v", err)
 }
diff --git a/cmd/containerboot/settings.go b/cmd/containerboot/settings.go
index e80dbee57..5fc6cc3f0 100644
--- a/cmd/containerboot/settings.go
+++ b/cmd/containerboot/settings.go
@@ -217,6 +217,7 @@ func (cfg *settings) setupKube(ctx context.Context, kc *kubeClient) error {
 return fmt.Errorf("some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
 }
 cfg.KubernetesCanPatch = canPatch
+ kc.canPatch = canPatch

 s, err := kc.GetSecret(ctx, cfg.KubeSecret)
 if err != nil {
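Review bot: In serve.go the new `kc != nil && kc.canPatch` guard skips `storeHTTPSEndpoint` without leaving any trace, so an operator whose RBAC lacks the patch verb gets no hint that the HTTPS endpoint is not being recorded (presumably in the state Secret, going by the commit subject). A log line on the skipped path would make the reduced mode visible, for example `} else if kc != nil { log.Printf("serve proxy: not storing HTTPS endpoint: no permission to patch the state Secret") }`. The guard also sits at the call site rather than inside `storeHTTPSEndpoint`, so any other caller of that method, none of which is visible here, has to repeat it. The body of watchServeConfigChanges starts and ends outside the hunk.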
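Review bot: `kc.canPatch = canPatch` in setupKube keeps a second copy of the permission result next to `cfg.KubernetesCanPatch`, and as far as the hunk shows both are written once from the same check. If the Role is changed while the container runs, the cached value goes stale, and a revoked patch permission would still reach the `log.Fatalf` path in serve.go. The field stays false when setupKube returns early, which is the safe default, but that contract is worth stating on the assignment, e.g. `// Cached for callers that only hold the kubeClient; evaluated once here, false means never patch.` setupKube starts before the hunk and continues past it.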