ary1992
diff --git a/‎pkg/admissioncontroller/webhook/admission/internaldomainsecret/handler.go
+25-24 b/‎pkg/admissioncontroller/webhook/admission/internaldomainsecret/handler.go
+25-24
diff --git a/‎pkg/admissioncontroller/webhook/admission/internaldomainsecret/handler_test.go
+15-5 b/‎pkg/admissioncontroller/webhook/admission/internaldomainsecret/handler_test.go
+15-5
diff --git a/‎pkg/admissioncontroller/webhook/admission/kubeconfigsecret/handler.go
+12-12 b/‎pkg/admissioncontroller/webhook/admission/kubeconfigsecret/handler.go
+12-12
diff --git a/‎pkg/admissioncontroller/webhook/admission/namespacedeletion/handler.go
+16-16 b/‎pkg/admissioncontroller/webhook/admission/namespacedeletion/handler.go
+16-16
@@ -25,6 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	gardencore "github.com/gardener/gardener/pkg/apis/core"
 	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
@@ -40,53 +41,53 @@ type Handler struct {
 }
 
 // ValidateCreate performs the check.
-func (h *Handler) ValidateCreate(ctx context.Context, obj runtime.Object) error {
+func (h *Handler) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()
 
 	secret, ok := obj.(*corev1.Secret)
 	if !ok {
-		return apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))
 	}
 
 	seedName := gardenerutils.ComputeSeedName(secret.Namespace)
 	if secret.Namespace != v1beta1constants.GardenNamespace && seedName == "" {
-		return nil
+		return nil, nil
 	}
 
 	exists, err := h.internalDomainSecretExists(ctx, secret.Namespace)
 	if err != nil {
-		return apierrors.NewInternalError(err)
+		return nil, apierrors.NewInternalError(err)
 	}
 	if exists {
-		return apierrors.NewConflict(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot create internal domain secret because there can be only one secret with the 'internal-domain' secret role per namespace"))
+		return nil, apierrors.NewConflict(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot create internal domain secret because there can be only one secret with the 'internal-domain' secret role per namespace"))
 	}
 
 	if _, _, _, _, _, err := gardenerutils.GetDomainInfoFromAnnotations(secret.Annotations); err != nil {
-		return apierrors.NewBadRequest(err.Error())
+		return nil, apierrors.NewBadRequest(err.Error())
 	}
 
-	return nil
+	return nil, nil
 }
 
 // ValidateUpdate performs the check.
-func (h *Handler) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) error {
+func (h *Handler) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
 	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()
 
 	secret, ok := newObj.(*corev1.Secret)
 	if !ok {
-		return apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", newObj))
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", newObj))
 	}
 
 	oldSecret, ok := oldObj.(*corev1.Secret)
 	if !ok {
-		return apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", oldObj))
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", oldObj))
 	}
 
 	seedName := gardenerutils.ComputeSeedName(secret.Namespace)
 	if secret.Namespace != v1beta1constants.GardenNamespace && seedName == "" {
-		return nil
+		return nil, nil
 	}
 
 	// If secret was newly labeled with gardener.cloud/role=internal-domain then check whether another internal domain
@@ -95,59 +96,59 @@ func (h *Handler) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Obj
 		secret.Labels[v1beta1constants.GardenRole] == v1beta1constants.GardenRoleInternalDomain {
 		exists, err := h.internalDomainSecretExists(ctx, secret.Namespace)
 		if err != nil {
-			return apierrors.NewInternalError(err)
+			return nil, apierrors.NewInternalError(err)
 		}
 		if exists {
-			return apierrors.NewConflict(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot update secret because there can be only one secret with the 'internal-domain' secret role per namespace"))
+			return nil, apierrors.NewConflict(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot update secret because there can be only one secret with the 'internal-domain' secret role per namespace"))
 		}
 	}
 
 	_, oldDomain, _, _, _, err := gardenerutils.GetDomainInfoFromAnnotations(oldSecret.Annotations)
 	if err != nil {
-		return apierrors.NewInternalError(err)
+		return nil, apierrors.NewInternalError(err)
 	}
 	_, newDomain, _, _, _, err := gardenerutils.GetDomainInfoFromAnnotations(secret.Annotations)
 	if err != nil {
-		return apierrors.NewInternalError(err)
+		return nil, apierrors.NewInternalError(err)
 	}
 
 	if oldDomain != newDomain {
 		atLeastOneShoot, err := h.atLeastOneShootExists(ctx, seedName)
 		if err != nil {
-			return apierrors.NewInternalError(err)
+			return nil, apierrors.NewInternalError(err)
 		}
 		if atLeastOneShoot {
-			return apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot change domain because there are still shoots left in the system"))
+			return nil, apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot change domain because there are still shoots left in the system"))
 		}
 	}
 
-	return nil
+	return nil, nil
 }
 
 // ValidateDelete performs the check.
-func (h *Handler) ValidateDelete(ctx context.Context, obj runtime.Object) error {
+func (h *Handler) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()
 
 	secret, ok := obj.(*corev1.Secret)
 	if !ok {
-		return apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))
 	}
 
 	seedName := gardenerutils.ComputeSeedName(secret.Namespace)
 	if secret.Namespace != v1beta1constants.GardenNamespace && seedName == "" {
-		return nil
+		return nil, nil
 	}
 
 	atLeastOneShoot, err := h.atLeastOneShootExists(ctx, seedName)
 	if err != nil {
-		return apierrors.NewInternalError(err)
+		return nil, apierrors.NewInternalError(err)
 	}
 	if atLeastOneShoot {
-		return apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot delete internal domain secret because there are still shoots left in the system"))
+		return nil, apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot delete internal domain secret because there are still shoots left in the system"))
 	}
 
-	return nil
+	return nil, nil
 }
 
 func (h *Handler) atLeastOneShootExists(ctx context.Context, seedName string) (bool, error) {
 
@@ -111,7 +111,9 @@ var _ = Describe("handler", func() {
 				client.Limit(1),
 			).Return(fakeErr)
 
-			err := handler.ValidateCreate(ctx, secret)
+			warnings, err := handler.ValidateCreate(ctx, secret)
+			Expect(warnings).To(BeNil())
+
 			statusError, ok := err.(*apierrors.StatusError)
 			Expect(ok).To(BeTrue())
 			Expect(statusError.Status().Code).To(Equal(int32(http.StatusInternalServerError)))
@@ -130,7 +132,9 @@ var _ = Describe("handler", func() {
 				return nil
 			})
 
-			Expect(handler.ValidateCreate(ctx, secret)).To(MatchError(ContainSubstring("there can be only one secret with the 'internal-domain' secret role")))
+			warnings, err := handler.ValidateCreate(ctx, secret)
+			Expect(warnings).To(BeNil())
+			Expect(err).To(MatchError(ContainSubstring("there can be only one secret with the 'internal-domain' secret role")))
 		})
 
 		It("should fail because another internal domain secret exists in the same seed namespace", func() {
@@ -193,7 +197,9 @@ var _ = Describe("handler", func() {
 					client.Limit(1),
 				).Return(fakeErr)
 
-				err := handler.ValidateUpdate(ctx, oldSecret, secret)
+				warnings, err := handler.ValidateUpdate(ctx, oldSecret, secret)
+				Expect(warnings).To(BeNil())
+
 				statusError, ok := err.(*apierrors.StatusError)
 				Expect(ok).To(BeTrue())
 				Expect(statusError.Status().Code).To(Equal(int32(http.StatusInternalServerError)))
@@ -238,7 +244,9 @@ var _ = Describe("handler", func() {
 			oldSecret := secret.DeepCopy()
 			secret.Annotations["dns.gardener.cloud/domain"] = "foobar"
 
-			err := handler.ValidateUpdate(ctx, oldSecret, secret)
+			warnings, err := handler.ValidateUpdate(ctx, oldSecret, secret)
+			Expect(warnings).To(BeNil())
+
 			statusError, ok := err.(*apierrors.StatusError)
 			Expect(ok).To(BeTrue())
 			Expect(statusError.Status().Code).To(Equal(int32(http.StatusInternalServerError)))
@@ -304,7 +312,9 @@ var _ = Describe("handler", func() {
 				client.Limit(1),
 			).Return(fakeErr)
 
-			err := handler.ValidateDelete(ctx, secret)
+			warnings, err := handler.ValidateDelete(ctx, secret)
+			Expect(warnings).To(BeNil())
+
 			statusError, ok := err.(*apierrors.StatusError)
 			Expect(ok).To(BeTrue())
 			Expect(statusError.Status().Code).To(Equal(int32(http.StatusInternalServerError)))
 
@@ -41,46 +41,46 @@ type Handler struct {
 }
 
 // ValidateCreate performs the check.
-func (h *Handler) ValidateCreate(ctx context.Context, obj runtime.Object) error {
+func (h *Handler) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	return h.handle(ctx, obj)
 }
 
 // ValidateUpdate performs the check.
-func (h *Handler) ValidateUpdate(ctx context.Context, _, newObj runtime.Object) error {
+func (h *Handler) ValidateUpdate(ctx context.Context, _, newObj runtime.Object) (admission.Warnings, error) {
 	return h.handle(ctx, newObj)
 }
 
 // ValidateDelete returns nil (not implemented by this handler).
-func (h *Handler) ValidateDelete(_ context.Context, _ runtime.Object) error {
-	return nil
+func (h *Handler) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	return nil, nil
 }
 
-func (h *Handler) handle(ctx context.Context, obj runtime.Object) error {
+func (h *Handler) handle(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	secret, ok := obj.(*corev1.Secret)
 	if !ok {
-		return apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))
 	}
 
 	req, err := admission.RequestFromContext(ctx)
 	if err != nil {
-		return apierrors.NewInternalError(err)
+		return nil, apierrors.NewInternalError(err)
 	}
 
 	kubeconfig, ok := secret.Data[kubernetes.KubeConfig]
 	if !ok {
-		return nil
+		return nil, nil
 	}
 
 	clientConfig, err := clientcmd.NewClientConfigFromBytes(kubeconfig)
 	if err != nil {
-		return apierrors.NewBadRequest(err.Error())
+		return nil, apierrors.NewBadRequest(err.Error())
 	}
 
 	// Validate that the given kubeconfig doesn't have fields in its auth-info that are
 	// not acceptable.
 	rawConfig, err := clientConfig.RawConfig()
 	if err != nil {
-		return apierrors.NewBadRequest(err.Error())
+		return nil, apierrors.NewBadRequest(err.Error())
 	}
 
 	if err := kubernetes.ValidateConfig(rawConfig); err != nil {
@@ -98,8 +98,8 @@ func (h *Handler) handle(ctx context.Context, obj runtime.Object) error {
 			metricReasonRejectedKubeconfig,
 		).Inc()
 
-		return apierrors.NewInvalid(schema.GroupKind{Group: corev1.GroupName, Kind: "Secret"}, secret.Name, field.ErrorList{field.Invalid(field.NewPath("data", "kubeconfig"), kubeconfig, fmt.Sprintf("secret contains invalid kubeconfig: %s", err))})
+		return nil, apierrors.NewInvalid(schema.GroupKind{Group: corev1.GroupName, Kind: "Secret"}, secret.Name, field.ErrorList{field.Invalid(field.NewPath("data", "kubeconfig"), kubeconfig, fmt.Sprintf("secret contains invalid kubeconfig: %s", err))})
 	}
 
-	return nil
+	return nil, nil
 }
@@ -40,70 +40,70 @@ type Handler struct {
 }
 
 // ValidateCreate returns nil (not implemented by this handler).
-func (h *Handler) ValidateCreate(_ context.Context, _ runtime.Object) error {
-	return nil
+func (h *Handler) ValidateCreate(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	return nil, nil
 }
 
 // ValidateUpdate returns nil (not implemented by this handler).
-func (h *Handler) ValidateUpdate(_ context.Context, _, _ runtime.Object) error {
-	return nil
+func (h *Handler) ValidateUpdate(_ context.Context, _, _ runtime.Object) (admission.Warnings, error) {
+	return nil, nil
 }
 
 // ValidateDelete validates the namespace deletion.
-func (h *Handler) ValidateDelete(ctx context.Context, _ runtime.Object) error {
+func (h *Handler) ValidateDelete(ctx context.Context, _ runtime.Object) (admission.Warnings, error) {
 	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()
 
 	req, err := admission.RequestFromContext(ctx)
 	if err != nil {
-		return apierrors.NewInternalError(err)
+		return nil, apierrors.NewInternalError(err)
 	}
 
 	if err := h.admitNamespace(ctx, req.Name); err != nil {
 		h.Logger.Info("Rejected namespace deletion", "user", req.UserInfo.Username, "reason", err.Error())
 		return err
 	}
 
-	return nil
+	return nil, nil
 }
 
 // admitNamespace does only allow the request if no Shoots exist in this specific namespace anymore.
-func (h *Handler) admitNamespace(ctx context.Context, namespaceName string) error {
+func (h *Handler) admitNamespace(ctx context.Context, namespaceName string) (admission.Warnings, error) {
 	// Determine project for given namespace.
 	// TODO: we should use a direct lookup here, as we might falsely allow the request, if our cache is
 	// out of sync and doesn't know about the project. We should use a field selector for looking up the project
 	// belonging to a given namespace.
 	project, namespace, err := gardenerutils.ProjectAndNamespaceFromReader(ctx, h.Client, namespaceName)
 	if err != nil {
 		if apierrors.IsNotFound(err) {
-			return nil
+			return nil, nil
 		}
-		return apierrors.NewInternalError(err)
+		return nil, apierrors.NewInternalError(err)
 	}
 
 	if project == nil {
-		return nil
+		return nil, nil
 	}
 
 	switch {
 	case namespace.DeletionTimestamp != nil:
-		return nil
+		return nil, nil
 
 	case project.DeletionTimestamp != nil:
 		// if project is marked for deletion we need to wait until all shoots in the namespace are gone
 		namespaceInUse, err := kubernetesutils.ResourcesExist(ctx, h.APIReader, gardencorev1beta1.SchemeGroupVersion.WithKind("ShootList"), client.InNamespace(namespace.Name))
 		if err != nil {
-			return apierrors.NewInternalError(err)
+			return nil, apierrors.NewInternalError(err)
 		}
 
 		if !namespaceInUse {
-			return nil
+			return nil, nil
 		}
 
-		return apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Namespace"}, namespace.Name, fmt.Errorf("deletion of namespace %q is not permitted (it still contains Shoots)", namespace.Name))
+		return nil, apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Namespace"}, namespace.Name, fmt.Errorf("deletion of namespace %q is not permitted (it still contains Shoots)", namespace.Name))
 	}
 
 	// Namespace is not yet marked for deletion and project is not marked as well. We do not admit and respond that
 	// namespace deletion is only allowed via project deletion.
-	return apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Namespace"}, namespace.Name, fmt.Errorf("direct deletion of namespace %q is not permitted (you must delete the corresponding project %q)", namespace.Name, project.Name))
+	return nil, apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Namespace"}, namespace.Name, fmt.Errorf("direct deletion of namespace %q is not permitted (you must delete the corresponding project %q)", namespace.Name, project.Name))
 }
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ import (`
`25`	`25`	`"k8s.io/apimachinery/pkg/runtime"`
`26`	`26`	`"k8s.io/apimachinery/pkg/runtime/schema"`
`27`	`27`	`"sigs.k8s.io/controller-runtime/pkg/client"`
	`28`	`+ "sigs.k8s.io/controller-runtime/pkg/webhook/admission"`
`28`	`29`
`29`	`30`	`gardencore "github.com/gardener/gardener/pkg/apis/core"`
`30`	`31`	`gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"`
`@@ -40,53 +41,53 @@ type Handler struct {`
`40`	`41`	`}`
`41`	`42`
`42`	`43`	`// ValidateCreate performs the check.`
`43`		`-func (h *Handler) ValidateCreate(ctx context.Context, obj runtime.Object) error {`
	`44`	`+func (h *Handler) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {`
`44`	`45`	`ctx, cancel := context.WithTimeout(ctx, 10*time.Second)`
`45`	`46`	`defer cancel()`
`46`	`47`
`47`	`48`	`secret, ok := obj.(*corev1.Secret)`
`48`	`49`	`if !ok {`
`49`		`- return apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))`
	`50`	`+ return nil, apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`seedName := gardenerutils.ComputeSeedName(secret.Namespace)`
`53`	`54`	`if secret.Namespace != v1beta1constants.GardenNamespace && seedName == "" {`
`54`		`- return nil`
	`55`	`+ return nil, nil`
`55`	`56`	`}`
`56`	`57`
`57`	`58`	`exists, err := h.internalDomainSecretExists(ctx, secret.Namespace)`
`58`	`59`	`if err != nil {`
`59`		`- return apierrors.NewInternalError(err)`
	`60`	`+ return nil, apierrors.NewInternalError(err)`
`60`	`61`	`}`
`61`	`62`	`if exists {`
`62`		`- return apierrors.NewConflict(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot create internal domain secret because there can be only one secret with the 'internal-domain' secret role per namespace"))`
	`63`	`+ return nil, apierrors.NewConflict(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot create internal domain secret because there can be only one secret with the 'internal-domain' secret role per namespace"))`
`63`	`64`	`}`
`64`	`65`
`65`	`66`	`if _, _, _, _, _, err := gardenerutils.GetDomainInfoFromAnnotations(secret.Annotations); err != nil {`
`66`		`- return apierrors.NewBadRequest(err.Error())`
	`67`	`+ return nil, apierrors.NewBadRequest(err.Error())`
`67`	`68`	`}`
`68`	`69`
`69`		`- return nil`
	`70`	`+ return nil, nil`
`70`	`71`	`}`
`71`	`72`
`72`	`73`	`// ValidateUpdate performs the check.`
`73`		`-func (h *Handler) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) error {`
	`74`	`+func (h *Handler) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {`
`74`	`75`	`ctx, cancel := context.WithTimeout(ctx, 10*time.Second)`
`75`	`76`	`defer cancel()`
`76`	`77`
`77`	`78`	`secret, ok := newObj.(*corev1.Secret)`
`78`	`79`	`if !ok {`
`79`		`- return apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", newObj))`
	`80`	`+ return nil, apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", newObj))`
`80`	`81`	`}`
`81`	`82`
`82`	`83`	`oldSecret, ok := oldObj.(*corev1.Secret)`
`83`	`84`	`if !ok {`
`84`		`- return apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", oldObj))`
	`85`	`+ return nil, apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", oldObj))`
`85`	`86`	`}`
`86`	`87`
`87`	`88`	`seedName := gardenerutils.ComputeSeedName(secret.Namespace)`
`88`	`89`	`if secret.Namespace != v1beta1constants.GardenNamespace && seedName == "" {`
`89`		`- return nil`
	`90`	`+ return nil, nil`
`90`	`91`	`}`
`91`	`92`
`92`	`93`	`// If secret was newly labeled with gardener.cloud/role=internal-domain then check whether another internal domain`
`@@ -95,59 +96,59 @@ func (h *Handler) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Obj`
`95`	`96`	`secret.Labels[v1beta1constants.GardenRole] == v1beta1constants.GardenRoleInternalDomain {`
`96`	`97`	`exists, err := h.internalDomainSecretExists(ctx, secret.Namespace)`
`97`	`98`	`if err != nil {`
`98`		`- return apierrors.NewInternalError(err)`
	`99`	`+ return nil, apierrors.NewInternalError(err)`
`99`	`100`	`}`
`100`	`101`	`if exists {`
`101`		`- return apierrors.NewConflict(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot update secret because there can be only one secret with the 'internal-domain' secret role per namespace"))`
	`102`	`+ return nil, apierrors.NewConflict(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot update secret because there can be only one secret with the 'internal-domain' secret role per namespace"))`
`102`	`103`	`}`
`103`	`104`	`}`
`104`	`105`
`105`	`106`	`_, oldDomain, _, _, _, err := gardenerutils.GetDomainInfoFromAnnotations(oldSecret.Annotations)`
`106`	`107`	`if err != nil {`
`107`		`- return apierrors.NewInternalError(err)`
	`108`	`+ return nil, apierrors.NewInternalError(err)`
`108`	`109`	`}`
`109`	`110`	`_, newDomain, _, _, _, err := gardenerutils.GetDomainInfoFromAnnotations(secret.Annotations)`
`110`	`111`	`if err != nil {`
`111`		`- return apierrors.NewInternalError(err)`
	`112`	`+ return nil, apierrors.NewInternalError(err)`
`112`	`113`	`}`
`113`	`114`
`114`	`115`	`if oldDomain != newDomain {`
`115`	`116`	`atLeastOneShoot, err := h.atLeastOneShootExists(ctx, seedName)`
`116`	`117`	`if err != nil {`
`117`		`- return apierrors.NewInternalError(err)`
	`118`	`+ return nil, apierrors.NewInternalError(err)`
`118`	`119`	`}`
`119`	`120`	`if atLeastOneShoot {`
`120`		`- return apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot change domain because there are still shoots left in the system"))`
	`121`	`+ return nil, apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot change domain because there are still shoots left in the system"))`
`121`	`122`	`}`
`122`	`123`	`}`
`123`	`124`
`124`		`- return nil`
	`125`	`+ return nil, nil`
`125`	`126`	`}`
`126`	`127`
`127`	`128`	`// ValidateDelete performs the check.`
`128`		`-func (h *Handler) ValidateDelete(ctx context.Context, obj runtime.Object) error {`
	`129`	`+func (h *Handler) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {`
`129`	`130`	`ctx, cancel := context.WithTimeout(ctx, 10*time.Second)`
`130`	`131`	`defer cancel()`
`131`	`132`
`132`	`133`	`secret, ok := obj.(*corev1.Secret)`
`133`	`134`	`if !ok {`
`134`		`- return apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))`
	`135`	`+ return nil, apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))`
`135`	`136`	`}`
`136`	`137`
`137`	`138`	`seedName := gardenerutils.ComputeSeedName(secret.Namespace)`
`138`	`139`	`if secret.Namespace != v1beta1constants.GardenNamespace && seedName == "" {`
`139`		`- return nil`
	`140`	`+ return nil, nil`
`140`	`141`	`}`
`141`	`142`
`142`	`143`	`atLeastOneShoot, err := h.atLeastOneShootExists(ctx, seedName)`
`143`	`144`	`if err != nil {`
`144`		`- return apierrors.NewInternalError(err)`
	`145`	`+ return nil, apierrors.NewInternalError(err)`
`145`	`146`	`}`
`146`	`147`	`if atLeastOneShoot {`
`147`		`- return apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot delete internal domain secret because there are still shoots left in the system"))`
	`148`	`+ return nil, apierrors.NewForbidden(schema.GroupResource{Group: corev1.GroupName, Resource: "Secret"}, secret.Name, fmt.Errorf("cannot delete internal domain secret because there are still shoots left in the system"))`
`148`	`149`	`}`
`149`	`150`
`150`		`- return nil`
	`151`	`+ return nil, nil`
`151`	`152`	`}`
`152`	`153`
`153`	`154`	`func (h *Handler) atLeastOneShootExists(ctx context.Context, seedName string) (bool, error) {`
Original file line number	Diff line number	Diff line change
`@@ -41,46 +41,46 @@ type Handler struct {`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`// ValidateCreate performs the check.`
`44`		`-func (h *Handler) ValidateCreate(ctx context.Context, obj runtime.Object) error {`
	`44`	`+func (h *Handler) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {`
`45`	`45`	`return h.handle(ctx, obj)`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`// ValidateUpdate performs the check.`
`49`		`-func (h *Handler) ValidateUpdate(ctx context.Context, _, newObj runtime.Object) error {`
	`49`	`+func (h *Handler) ValidateUpdate(ctx context.Context, _, newObj runtime.Object) (admission.Warnings, error) {`
`50`	`50`	`return h.handle(ctx, newObj)`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`// ValidateDelete returns nil (not implemented by this handler).`
`54`		`-func (h *Handler) ValidateDelete(_ context.Context, _ runtime.Object) error {`
`55`		`- return nil`
	`54`	`+func (h *Handler) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {`
	`55`	`+ return nil, nil`
`56`	`56`	`}`
`57`	`57`
`58`		`-func (h *Handler) handle(ctx context.Context, obj runtime.Object) error {`
	`58`	`+func (h *Handler) handle(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {`
`59`	`59`	`secret, ok := obj.(*corev1.Secret)`
`60`	`60`	`if !ok {`
`61`		`- return apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))`
	`61`	`+ return nil, apierrors.NewBadRequest(fmt.Sprintf("expected *corev1.Secret but got %T", obj))`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`req, err := admission.RequestFromContext(ctx)`
`65`	`65`	`if err != nil {`
`66`		`- return apierrors.NewInternalError(err)`
	`66`	`+ return nil, apierrors.NewInternalError(err)`
`67`	`67`	`}`
`68`	`68`
`69`	`69`	`kubeconfig, ok := secret.Data[kubernetes.KubeConfig]`
`70`	`70`	`if !ok {`
`71`		`- return nil`
	`71`	`+ return nil, nil`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`clientConfig, err := clientcmd.NewClientConfigFromBytes(kubeconfig)`
`75`	`75`	`if err != nil {`
`76`		`- return apierrors.NewBadRequest(err.Error())`
	`76`	`+ return nil, apierrors.NewBadRequest(err.Error())`
`77`	`77`	`}`
`78`	`78`
`79`	`79`	`// Validate that the given kubeconfig doesn't have fields in its auth-info that are`
`80`	`80`	`// not acceptable.`
`81`	`81`	`rawConfig, err := clientConfig.RawConfig()`
`82`	`82`	`if err != nil {`
`83`		`- return apierrors.NewBadRequest(err.Error())`
	`83`	`+ return nil, apierrors.NewBadRequest(err.Error())`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`if err := kubernetes.ValidateConfig(rawConfig); err != nil {`
`@@ -98,8 +98,8 @@ func (h *Handler) handle(ctx context.Context, obj runtime.Object) error {`
`98`	`98`	`metricReasonRejectedKubeconfig,`
`99`	`99`	`).Inc()`
`100`	`100`
`101`		`- return apierrors.NewInvalid(schema.GroupKind{Group: corev1.GroupName, Kind: "Secret"}, secret.Name, field.ErrorList{field.Invalid(field.NewPath("data", "kubeconfig"), kubeconfig, fmt.Sprintf("secret contains invalid kubeconfig: %s", err))})`
	`101`	`+ return nil, apierrors.NewInvalid(schema.GroupKind{Group: corev1.GroupName, Kind: "Secret"}, secret.Name, field.ErrorList{field.Invalid(field.NewPath("data", "kubeconfig"), kubeconfig, fmt.Sprintf("secret contains invalid kubeconfig: %s", err))})`
`102`	`102`	`}`
`103`	`103`
`104`		`- return nil`
	`104`	`+ return nil, nil`
`105`	`105`	`}`