Feature cert manager changes (aws#536)

* Include package validation for cert manager * Fix wording
junshun · Oct 12, 2022 · 0b22bb3 · 0b22bb3
1 parent 1de12c0
commit 0b22bb3
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/api/v1alpha1/package.go b/api/v1alpha1/package.go
@@ -1,15 +1,17 @@
 package v1alpha1
 
 import (
+	"os"
 	"strings"
 
 	"sigs.k8s.io/yaml"
 )
 
 const (
-	PackageKind      = "Package"
-	PackageNamespace = "eksa-packages"
-	namespacePrefix  = PackageNamespace + "-"
+	PackageKind       = "Package"
+	PackageNamespace  = "eksa-packages"
+	namespacePrefix   = PackageNamespace + "-"
+	clusterNameEnvVar = "CLUSTER_NAME"
 )
 
 func (config *Package) MetaKind() string {
@@ -43,3 +45,12 @@ func (config *Package) IsValidNamespace() bool {
 	}
 	return true
 }
+
+// IsInstalledOnWorkload returns true if the package is being installed on a workload cluster
+// returns false otherwise
+func (config *Package) IsInstalledOnWorkload() bool {
+	clusterName := config.GetClusterName()
+	managementClusterName := os.Getenv(clusterNameEnvVar)
+
+	return managementClusterName != clusterName
+}
diff --git a/pkg/webhook/package_webhook.go b/pkg/webhook/package_webhook.go
@@ -63,7 +63,7 @@ func (v *packageValidator) Handle(ctx context.Context, request admission.Request
 		return admission.Errored(http.StatusInternalServerError, fmt.Errorf("getting PackageBundle: %v", err))
 	}
 
-	isConfigValid, err := v.isPackageConfigValid(p, activeBundle)
+	isConfigValid, err := v.isPackageValid(p, activeBundle)
 
 	resp := &admission.Response{
 		AdmissionResponse: admissionv1.AdmissionResponse{Allowed: isConfigValid},
@@ -82,7 +82,7 @@ func (v *packageValidator) Handle(ctx context.Context, request admission.Request
 	return *resp
 }
 
-func (v *packageValidator) isPackageConfigValid(p *v1alpha1.Package, activeBundle *v1alpha1.PackageBundle) (bool, error) {
+func (v *packageValidator) isPackageValid(p *v1alpha1.Package, activeBundle *v1alpha1.PackageBundle) (bool, error) {
 	packageInBundle, err := activeBundle.GetPackageFromBundle(p.Spec.PackageName)
 	if err != nil {
 		return false, err
@@ -93,6 +93,10 @@ func (v *packageValidator) isPackageConfigValid(p *v1alpha1.Package, activeBundl
 		return false, fmt.Errorf("package %s does not contain any versions", p.Name)
 	}
 
+	if packageInBundle.WorkloadOnly && !p.IsInstalledOnWorkload() {
+		return false, fmt.Errorf("package %s should only be installed on a workload cluster", p.Name)
+	}
+
 	jsonSchema, err := packageInBundle.GetJsonSchema()
 	if err != nil {
 		return false, err