internal/groupsuffix: mutate TokenCredentialRequest's Authenticator

This is a partial revert of 288d9c999e. For some reason it didn't occur to me that we could do it this way earlier. Whoops. This also contains a middleware update: mutation funcs can return an error now and short-circuit the rest of the request/response flow. The idea here is that if someone is configuring their kubeclient to use middleware, they are agreeing to a narrow-er client contract by doing so (e.g., their TokenCredentialRequest's must have an Spec.Authenticator.APIGroup set). I also updated some internal/groupsuffix tests to be more realistic. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2026-01-05 21:15:26 +00:00 · 2021-02-04 20:02:59 -05:00
parent ae6503e972
commit 0fc1f17866
14 changed files with 453 additions and 195 deletions
--- a/internal/ownerref/ownerref.go
+++ b/internal/ownerref/ownerref.go
@@ -51,13 +51,15 @@ func New(refObj kubeclient.Object) kubeclient.Middleware {
 			return
 		}

-		rt.MutateRequest(func(obj kubeclient.Object) {
+		rt.MutateRequest(func(obj kubeclient.Object) error {
 			// we only want to set the owner ref on create and when one is not already present
 			if len(obj.GetOwnerReferences()) != 0 {
-				return
+				return nil
 			}

 			obj.SetOwnerReferences([]metav1.OwnerReference{ref})
+
+			return nil
 		})
 	})
 }