feat(agent): add label for read-only agent (#1029)

cryostatio · Jan 29, 2025 · 7d36651 · 7d36651
1 parent 18b26c2
commit 7d36651
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 2 deletions.
diff --git a/internal/controllers/constants/constants.go b/internal/controllers/constants/constants.go
@@ -63,6 +63,7 @@ const (
 	AgentLabelCryostatNamespace = agentLabelPrefix + "namespace"
 	AgentLabelCallbackPort      = agentLabelPrefix + "callback-port"
 	AgentLabelContainer         = agentLabelPrefix + "container"
+	AgentLabelReadOnly          = agentLabelPrefix + "read-only"
 
 	CryostatCATLSCommonName     = "cryostat-ca-cert-manager"
 	CryostatTLSCommonName       = "cryostat"

diff --git a/internal/webhooks/agent/pod_defaulter.go b/internal/webhooks/agent/pod_defaulter.go
@@ -101,6 +101,12 @@ func (r *podMutator) Default(ctx context.Context, obj runtime.Object) error {
 		return err
 	}
 
+	// Check whether write access has been disabled
+	write, err := hasWriteAccess(pod.Labels)
+	if err != nil {
+		return err
+	}
+
 	// Add init container
 	nonRoot := true
 	imageTag := r.getImageTag()
@@ -175,7 +181,7 @@ func (r *podMutator) Default(ctx context.Context, obj runtime.Object) error {
 		},
 		corev1.EnvVar{
 			Name:  "CRYOSTAT_AGENT_API_WRITES_ENABLED",
-			Value: "true", // TODO default to writes enabled, separate label?
+			Value: strconv.FormatBool(*write),
 		},
 		corev1.EnvVar{
 			Name:  "CRYOSTAT_AGENT_WEBSERVER_PORT",
@@ -318,6 +324,21 @@ func getAgentCallbackPort(labels map[string]string) (*int32, error) {
 	return &result, nil
 }
 
+func hasWriteAccess(labels map[string]string) (*bool, error) {
+	// Default to true
+	result := true
+	value, pres := labels[constants.AgentLabelReadOnly]
+	if pres {
+		// Parse the label value into a bool and return an error if invalid
+		parsed, err := strconv.ParseBool(value)
+		if err != nil {
+			return nil, fmt.Errorf("invalid label value for \"%s\": %s", constants.AgentLabelReadOnly, err.Error())
+		}
+		result = !parsed
+	}
+	return &result, nil
+}
+
 func (r *podMutator) callbackEnv(cr *model.CryostatInstance, namespace string, tls bool, containerPort int32) []corev1.EnvVar {
 	scheme := "https"
 	if !tls {

diff --git a/internal/webhooks/agent/pod_defaulter_test.go b/internal/webhooks/agent/pod_defaulter_test.go
@@ -386,6 +386,29 @@ var _ = Describe("PodDefaulter", func() {
 					ExpectPod()
 				})
 			})
+
+			Context("with a custom read-only label", func() {
+				Context("that is valid", func() {
+					BeforeEach(func() {
+						t.objs = append(t.objs, t.NewCryostat().Object)
+						originalPod = t.NewPodReadOnlyLabel()
+						expectedPod = t.NewMutatedPodReadOnlyLabel()
+					})
+
+					ExpectPod()
+				})
+
+				Context("that is non-boolean", func() {
+					BeforeEach(func() {
+						t.objs = append(t.objs, t.NewCryostat().Object)
+						originalPod = t.NewPodReadOnlyLabelInvalid()
+						// Should fail
+						expectedPod = originalPod
+					})
+
+					ExpectPod()
+				})
+			})
 		})
 
 		Context("with a missing Cryostat CR", func() {

diff --git a/internal/webhooks/agent/test/resources.go b/internal/webhooks/agent/test/resources.go
@@ -168,13 +168,26 @@ func (r *AgentWebhookTestResources) NewPodContainerBadLabel() *corev1.Pod {
 	return pod
 }
 
+func (r *AgentWebhookTestResources) NewPodReadOnlyLabel() *corev1.Pod {
+	pod := r.NewPod()
+	pod.Labels["cryostat.io/read-only"] = "true"
+	return pod
+}
+
+func (r *AgentWebhookTestResources) NewPodReadOnlyLabelInvalid() *corev1.Pod {
+	pod := r.NewPod()
+	pod.Labels["cryostat.io/read-only"] = "banana"
+	return pod
+}
+
 type mutatedPodOptions struct {
 	javaToolOptions string
 	namespace       string
 	image           string
 	pullPolicy      corev1.PullPolicy
 	gatewayPort     int32
 	callbackPort    int32
+	writeAccess     *bool
 	scheme          string
 	// Function to produce mutated container array
 	containersFunc func(*AgentWebhookTestResources, *mutatedPodOptions) []corev1.Container
@@ -196,6 +209,9 @@ func (r *AgentWebhookTestResources) setDefaultMutatedPodOptions(options *mutated
 	if options.callbackPort == 0 {
 		options.callbackPort = 9977
 	}
+	if options.writeAccess == nil {
+		options.writeAccess = &[]bool{true}[0]
+	}
 	options.scheme = "https"
 	if !r.TLS {
 		options.scheme = "http"
@@ -259,6 +275,12 @@ func (r *AgentWebhookTestResources) NewMutatedPodContainerLabel() *corev1.Pod {
 	})
 }
 
+func (r *AgentWebhookTestResources) NewMutatedPodReadOnlyLabel() *corev1.Pod {
+	return r.newMutatedPod(&mutatedPodOptions{
+		writeAccess: &[]bool{false}[0],
+	})
+}
+
 func (r *AgentWebhookTestResources) newMutatedPod(options *mutatedPodOptions) *corev1.Pod {
 	r.setDefaultMutatedPodOptions(options)
 	pod := &corev1.Pod{
@@ -374,7 +396,7 @@ func (r *AgentWebhookTestResources) newMutatedContainer(original *corev1.Contain
 			},
 			{
 				Name:  "CRYOSTAT_AGENT_API_WRITES_ENABLED",
-				Value: "true",
+				Value: strconv.FormatBool(*options.writeAccess),
 			},
 			{
 				Name:  "CRYOSTAT_AGENT_WEBSERVER_PORT",