remove defaultLinodeClient used by webhooks in favor of always using an authenticated client

Author: eljohnson92

internal/webhook/v1alpha2/linodecluster_webhook.go

@@ -47,7 +47,6 @@ func SetupLinodeClusterWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
-// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable update and deletion validation.
 // +kubebuilder:webhook:path=/validate-infrastructure-cluster-x-k8s-io-v1alpha2-linodecluster,mutating=false,failurePolicy=fail,sideEffects=None,groups=infrastructure.cluster.x-k8s.io,resources=linodeclusters,verbs=create,versions=v1alpha2,name=validation.linodecluster.infrastructure.cluster.x-k8s.io,admissionReviewVersions=v1
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
@@ -59,19 +58,13 @@ func (r *linodeClusterValidator) ValidateCreate(ctx context.Context, obj runtime
 	spec := cluster.Spec
 	linodeclusterlog.Info("validate create", "name", cluster.Name)
 
-	var linodeclient clients.LinodeClient = defaultLinodeClient
-	skipAPIValidation := false
+	skipAPIValidation, linodeClient := setupClientWithCredentials(ctx, r.Client, spec.CredentialsRef,
+		cluster.Name, cluster.GetNamespace(), linodeclusterlog)
 
-	// Handle credentials if provided
-	if spec.CredentialsRef != nil {
-		skipAPIValidation, linodeclient = setupClientWithCredentials(ctx, r.Client, spec.CredentialsRef,
-			cluster.Name, cluster.GetNamespace(), linodeclusterlog)
-	}
-
-	// TODO: instrument with tracing, might need refactor to preserve readibility
+	// TODO: instrument with tracing, might need refactor to preserve readability
 	var errs field.ErrorList
 
-	if err := r.validateLinodeClusterSpec(ctx, linodeclient, spec, skipAPIValidation); err != nil {
+	if err := r.validateLinodeClusterSpec(ctx, linodeClient, spec, skipAPIValidation); err != nil {
 		errs = slices.Concat(errs, err)
 	}
 

internal/webhook/v1alpha2/linodeclustertemplate_webhook.go

@@ -33,5 +33,3 @@ func SetupLinodeClusterTemplateWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).For(&infrav1alpha2.LinodeClusterTemplate{}).
 		Complete()
 }
-
-// TODO(user): EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!

internal/webhook/v1alpha2/linodemachine_webhook.go

@@ -65,16 +65,11 @@ func SetupLinodeMachineWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
-// TODO(user): EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-
-// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable update and deletion validation.
 // +kubebuilder:webhook:path=/validate-infrastructure-cluster-x-k8s-io-v1alpha2-linodemachine,mutating=false,failurePolicy=fail,sideEffects=None,groups=infrastructure.cluster.x-k8s.io,resources=linodemachines,verbs=create,versions=v1alpha2,name=validation.linodemachine.infrastructure.cluster.x-k8s.io,admissionReviewVersions=v1
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
 func (r *linodeMachineValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
-	var linodeclient clients.LinodeClient = defaultLinodeClient
 	var errs field.ErrorList
-	skipAPIValidation := false
 
 	machine, ok := obj.(*infrav1alpha2.LinodeMachine)
 	if !ok {
@@ -83,13 +78,10 @@ func (r *linodeMachineValidator) ValidateCreate(ctx context.Context, obj runtime
 	spec := machine.Spec
 	linodemachinelog.Info("validate create", "name", machine.Name)
 
-	// Handle credentials if provided
-	if spec.CredentialsRef != nil {
-		skipAPIValidation, linodeclient = setupClientWithCredentials(ctx, r.Client, spec.CredentialsRef,
-			machine.Name, machine.GetNamespace(), linodemachinelog)
-	}
+	skipAPIValidation, linodeClient := setupClientWithCredentials(ctx, r.Client, spec.CredentialsRef,
+		machine.Name, machine.GetNamespace(), linodemachinelog)
 
-	if err := r.validateLinodeMachineSpec(ctx, linodeclient, spec, skipAPIValidation); err != nil {
+	if err := r.validateLinodeMachineSpec(ctx, linodeClient, spec, skipAPIValidation); err != nil {
 		errs = slices.Concat(errs, err)
 	}
 

internal/webhook/v1alpha2/linodeplacementgroup_webhook.go

@@ -68,18 +68,12 @@ func (v *LinodePlacementGroupCustomValidator) ValidateCreate(ctx context.Context
 	}
 	linodeplacementgrouplog.Info("Validation for LinodePlacementGroup upon creation", "name", pg.GetName())
 
-	var linodeclient clients.LinodeClient = defaultLinodeClient
-	skipAPIValidation := false
-
-	// Handle credentials if provided
-	if pg.Spec.CredentialsRef != nil {
-		skipAPIValidation, linodeclient = setupClientWithCredentials(ctx, v.Client, pg.Spec.CredentialsRef,
-			pg.Name, pg.GetNamespace(), linodeplacementgrouplog)
-	}
+	skipAPIValidation, linodeClient := setupClientWithCredentials(ctx, v.Client, pg.Spec.CredentialsRef,
+		pg.Name, pg.GetNamespace(), linodeplacementgrouplog)
 
 	var errs field.ErrorList
 
-	if err := v.validateLinodePlacementGroupSpec(ctx, linodeclient, pg.Spec, pg.Name, skipAPIValidation); err != nil {
+	if err := v.validateLinodePlacementGroupSpec(ctx, linodeClient, pg.Spec, pg.Name, skipAPIValidation); err != nil {
 		errs = slices.Concat(errs, err)
 	}
 

internal/webhook/v1alpha2/linodevpc_webhook.go

@@ -85,7 +85,6 @@ func SetupLinodeVPCWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
-// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable update and deletion validation.
 // +kubebuilder:webhook:path=/validate-infrastructure-cluster-x-k8s-io-v1alpha2-linodevpc,mutating=false,failurePolicy=fail,sideEffects=None,groups=infrastructure.cluster.x-k8s.io,resources=linodevpcs,verbs=create,versions=v1alpha2,name=validation.linodevpc.infrastructure.cluster.x-k8s.io,admissionReviewVersions=v1
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
@@ -97,17 +96,11 @@ func (r *linodeVPCValidator) ValidateCreate(ctx context.Context, obj runtime.Obj
 	spec := vpc.Spec
 	linodevpclog.Info("validate create", "name", vpc.Name)
 
-	var linodeclient clients.LinodeClient = defaultLinodeClient
-	skipAPIValidation := false
+	skipAPIValidation, linodeClient := setupClientWithCredentials(ctx, r.Client, spec.CredentialsRef,
+		vpc.Name, vpc.GetNamespace(), linodevpclog)
 
-	// Handle credentials if provided
-	if spec.CredentialsRef != nil {
-		skipAPIValidation, linodeclient = setupClientWithCredentials(ctx, r.Client, spec.CredentialsRef,
-			vpc.Name, vpc.GetNamespace(), linodevpclog)
-	}
-
-	// TODO: instrument with tracing, might need refactor to preserve readibility
-	errs := r.validateLinodeVPCSpec(ctx, linodeclient, spec, skipAPIValidation)
+	// TODO: instrument with tracing, might need refactor to preserve readability
+	errs := r.validateLinodeVPCSpec(ctx, linodeClient, spec, skipAPIValidation)
 
 	if len(errs) == 0 {
 		return nil, nil

internal/webhook/v1alpha2/webhook_helpers.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"os"
 	"regexp"
 	"slices"
 	"time"
@@ -41,14 +42,6 @@ const (
 	defaultClientTimeout = time.Second * 10
 )
 
-var (
-	// defaultLinodeClient is an unauthenticated Linode client
-	defaultLinodeClient = linodeclient.NewLinodeClientWithTracing(
-		ptr.To(linodego.NewClient(&http.Client{Timeout: defaultClientTimeout})),
-		linodeclient.DefaultDecorator(),
-	)
-)
-
 func validateRegion(ctx context.Context, linodegoclient clients.LinodeClient, id string, path *field.Path, capabilities ...string) *field.Error {
 	region, err := linodegoclient.GetRegion(ctx, id)
 	if err != nil {
@@ -132,14 +125,24 @@ func getCredentials(ctx context.Context, crClient clients.K8sClient, credentials
 	return &credSecret, nil
 }
 
-// setupClientWithCredentials configures a Linode client with credentials from a secret reference
+// setupClientWithCredentials configures a Linode client with credentials the LINODE_TOKEN env variable or
+// a secret reference if it is provided
 // Returns (skipAPIValidation, client) - skipAPIValidation will be true if credentials cannot be found
 // and API validation should be skipped
 func setupClientWithCredentials(ctx context.Context, crClient clients.K8sClient, credRef *corev1.SecretReference,
 	resourceName, namespace string, logger logr.Logger) (bool, clients.LinodeClient) {
-	linodeClient := defaultLinodeClient
+	linodeClient := linodeclient.NewLinodeClientWithTracing(
+		ptr.To(linodego.NewClient(&http.Client{Timeout: defaultClientTimeout})),
+		linodeclient.DefaultDecorator(),
+	)
+	credName := ""
+	apiToken := []byte(os.Getenv("LINODE_TOKEN"))
+	var err error
+	if credRef != nil {
+		credName = credRef.Name
+		apiToken, err = getCredentialDataFromRef(ctx, crClient, *credRef, namespace)
+	}
 
-	apiToken, err := getCredentialDataFromRef(ctx, crClient, *credRef, namespace)
 	if err == nil {
 		logger.Info("creating a verified linode client for create request", "name", resourceName)
 		linodeClient.SetToken(string(apiToken))
@@ -149,7 +152,7 @@ func setupClientWithCredentials(ctx context.Context, crClient clients.K8sClient,
 	// Handle error cases
 	if apierrors.IsNotFound(err) {
 		logger.Info("credentials secret not found, skipping API validation",
-			"name", resourceName, "secret", credRef.Name)
+			"name", resourceName, "secret", credName)
 		return true, linodeClient
 	}