2022-08-24 21:45:55 +00:00
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
2020-09-16 14:19:51 +00:00
// SPDX-License-Identifier: Apache-2.0
2020-07-14 15:50:14 +00:00
2020-10-15 19:40:56 +00:00
package concierge
2020-07-14 15:50:14 +00:00
import (
2022-04-16 02:43:53 +00:00
"context"
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
"os"
2020-07-14 15:50:14 +00:00
"testing"
"github.com/stretchr/testify/require"
2021-05-12 20:20:00 +00:00
"k8s.io/utils/pointer"
2020-07-14 15:50:14 +00:00
2020-09-18 23:39:58 +00:00
"go.pinniped.dev/internal/here"
2021-03-02 17:31:24 +00:00
"go.pinniped.dev/internal/plog"
2020-07-14 15:50:14 +00:00
)
func TestFromPath ( t * testing . T ) {
2020-08-03 14:17:11 +00:00
tests := [ ] struct {
name string
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
yaml string
2020-10-15 19:40:56 +00:00
wantConfig * Config
2020-08-20 19:17:18 +00:00
wantError string
2020-08-03 14:17:11 +00:00
} {
{
2021-03-02 17:31:24 +00:00
name : "Fully filled out" ,
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
yaml : here . Doc ( `
-- -
discovery :
url : https : //some.discovery/url
api :
servingCertificate :
durationSeconds : 3600
renewBeforeSeconds : 2400
2021-01-19 15:52:12 +00:00
apiGroupSuffix : some . suffix . com
2021-11-17 00:43:51 +00:00
aggregatedAPIServerPort : 12345
2021-11-17 21:27:59 +00:00
impersonationProxyServerPort : 4242
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
names :
2020-10-09 21:25:34 +00:00
servingCertificateSecret : pinniped - concierge - api - tls - serving - certificate
2020-11-02 21:39:43 +00:00
credentialIssuer : pinniped - config
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
apiService : pinniped - api
2020-09-21 18:16:14 +00:00
kubeCertAgentPrefix : kube - cert - agent - prefix
2021-03-02 17:31:24 +00:00
impersonationLoadBalancerService : impersonationLoadBalancerService - value
2021-05-20 21:11:35 +00:00
impersonationClusterIPService : impersonationClusterIPService - value
2021-03-02 17:31:24 +00:00
impersonationTLSCertificateSecret : impersonationTLSCertificateSecret - value
impersonationCACertificateSecret : impersonationCACertificateSecret - value
2021-03-10 18:30:06 +00:00
impersonationSignerSecret : impersonationSignerSecret - value
impersonationSignerSecret : impersonationSignerSecret - value
2021-05-03 21:31:48 +00:00
agentServiceAccount : agentServiceAccount - value
2021-05-26 20:24:59 +00:00
extraName : extraName - value
2020-10-15 17:14:23 +00:00
labels :
myLabelKey1 : myLabelValue1
myLabelKey2 : myLabelValue2
2021-03-02 17:31:24 +00:00
kubeCertAgent :
2020-09-21 18:16:14 +00:00
namePrefix : kube - cert - agent - name - prefix -
image : kube - cert - agent - image
2020-09-24 19:52:05 +00:00
imagePullSecrets : [ kube - cert - agent - image - pull - secret ]
2021-03-02 17:31:24 +00:00
logLevel : debug
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
` ) ,
2020-10-15 19:40:56 +00:00
wantConfig : & Config {
DiscoveryInfo : DiscoveryInfoSpec {
2021-05-12 20:20:00 +00:00
URL : pointer . StringPtr ( "https://some.discovery/url" ) ,
2020-08-03 14:17:11 +00:00
} ,
2020-10-15 19:40:56 +00:00
APIConfig : APIConfigSpec {
ServingCertificateConfig : ServingCertificateConfigSpec {
2021-05-12 21:00:26 +00:00
DurationSeconds : pointer . Int64Ptr ( 3600 ) ,
RenewBeforeSeconds : pointer . Int64Ptr ( 2400 ) ,
2020-08-20 19:17:18 +00:00
} ,
} ,
2021-11-17 21:27:59 +00:00
APIGroupSuffix : pointer . StringPtr ( "some.suffix.com" ) ,
AggregatedAPIServerPort : pointer . Int64Ptr ( 12345 ) ,
ImpersonationProxyServerPort : pointer . Int64Ptr ( 4242 ) ,
2020-10-15 19:40:56 +00:00
NamesConfig : NamesConfigSpec {
2021-03-02 17:31:24 +00:00
ServingCertificateSecret : "pinniped-concierge-api-tls-serving-certificate" ,
CredentialIssuer : "pinniped-config" ,
APIService : "pinniped-api" ,
ImpersonationLoadBalancerService : "impersonationLoadBalancerService-value" ,
2021-05-20 21:11:35 +00:00
ImpersonationClusterIPService : "impersonationClusterIPService-value" ,
2021-03-02 17:31:24 +00:00
ImpersonationTLSCertificateSecret : "impersonationTLSCertificateSecret-value" ,
ImpersonationCACertificateSecret : "impersonationCACertificateSecret-value" ,
2021-03-10 18:30:06 +00:00
ImpersonationSignerSecret : "impersonationSignerSecret-value" ,
2021-05-03 21:31:48 +00:00
AgentServiceAccount : "agentServiceAccount-value" ,
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
} ,
2020-10-15 17:14:23 +00:00
Labels : map [ string ] string {
"myLabelKey1" : "myLabelValue1" ,
"myLabelKey2" : "myLabelValue2" ,
} ,
2020-10-15 19:40:56 +00:00
KubeCertAgentConfig : KubeCertAgentSpec {
2021-05-12 20:20:00 +00:00
NamePrefix : pointer . StringPtr ( "kube-cert-agent-name-prefix-" ) ,
Image : pointer . StringPtr ( "kube-cert-agent-image" ) ,
2020-09-24 19:52:05 +00:00
ImagePullSecrets : [ ] string { "kube-cert-agent-image-pull-secret" } ,
2020-09-21 18:16:14 +00:00
} ,
2022-04-16 02:43:53 +00:00
LogLevel : func ( level plog . LogLevel ) * plog . LogLevel { return & level } ( plog . LevelDebug ) ,
Log : plog . LogSpec {
Level : plog . LevelDebug ,
} ,
} ,
} ,
{
name : "Fully filled out new log struct" ,
yaml : here . Doc ( `
-- -
discovery :
url : https : //some.discovery/url
api :
servingCertificate :
durationSeconds : 3600
renewBeforeSeconds : 2400
apiGroupSuffix : some . suffix . com
aggregatedAPIServerPort : 12345
impersonationProxyServerPort : 4242
names :
servingCertificateSecret : pinniped - concierge - api - tls - serving - certificate
credentialIssuer : pinniped - config
apiService : pinniped - api
kubeCertAgentPrefix : kube - cert - agent - prefix
impersonationLoadBalancerService : impersonationLoadBalancerService - value
impersonationClusterIPService : impersonationClusterIPService - value
impersonationTLSCertificateSecret : impersonationTLSCertificateSecret - value
impersonationCACertificateSecret : impersonationCACertificateSecret - value
impersonationSignerSecret : impersonationSignerSecret - value
impersonationSignerSecret : impersonationSignerSecret - value
agentServiceAccount : agentServiceAccount - value
extraName : extraName - value
labels :
myLabelKey1 : myLabelValue1
myLabelKey2 : myLabelValue2
kubeCertAgent :
namePrefix : kube - cert - agent - name - prefix -
image : kube - cert - agent - image
imagePullSecrets : [ kube - cert - agent - image - pull - secret ]
log :
level : all
format : json
` ) ,
wantConfig : & Config {
DiscoveryInfo : DiscoveryInfoSpec {
URL : pointer . StringPtr ( "https://some.discovery/url" ) ,
} ,
APIConfig : APIConfigSpec {
ServingCertificateConfig : ServingCertificateConfigSpec {
DurationSeconds : pointer . Int64Ptr ( 3600 ) ,
RenewBeforeSeconds : pointer . Int64Ptr ( 2400 ) ,
} ,
} ,
APIGroupSuffix : pointer . StringPtr ( "some.suffix.com" ) ,
AggregatedAPIServerPort : pointer . Int64Ptr ( 12345 ) ,
ImpersonationProxyServerPort : pointer . Int64Ptr ( 4242 ) ,
NamesConfig : NamesConfigSpec {
ServingCertificateSecret : "pinniped-concierge-api-tls-serving-certificate" ,
CredentialIssuer : "pinniped-config" ,
APIService : "pinniped-api" ,
ImpersonationLoadBalancerService : "impersonationLoadBalancerService-value" ,
ImpersonationClusterIPService : "impersonationClusterIPService-value" ,
ImpersonationTLSCertificateSecret : "impersonationTLSCertificateSecret-value" ,
ImpersonationCACertificateSecret : "impersonationCACertificateSecret-value" ,
ImpersonationSignerSecret : "impersonationSignerSecret-value" ,
AgentServiceAccount : "agentServiceAccount-value" ,
} ,
Labels : map [ string ] string {
"myLabelKey1" : "myLabelValue1" ,
"myLabelKey2" : "myLabelValue2" ,
} ,
KubeCertAgentConfig : KubeCertAgentSpec {
NamePrefix : pointer . StringPtr ( "kube-cert-agent-name-prefix-" ) ,
Image : pointer . StringPtr ( "kube-cert-agent-image" ) ,
ImagePullSecrets : [ ] string { "kube-cert-agent-image-pull-secret" } ,
} ,
Log : plog . LogSpec {
Level : plog . LevelAll ,
Format : plog . FormatJSON ,
} ,
} ,
} ,
{
name : "Fully filled out old log and new log struct" ,
yaml : here . Doc ( `
-- -
discovery :
url : https : //some.discovery/url
api :
servingCertificate :
durationSeconds : 3600
renewBeforeSeconds : 2400
apiGroupSuffix : some . suffix . com
aggregatedAPIServerPort : 12345
impersonationProxyServerPort : 4242
names :
servingCertificateSecret : pinniped - concierge - api - tls - serving - certificate
credentialIssuer : pinniped - config
apiService : pinniped - api
kubeCertAgentPrefix : kube - cert - agent - prefix
impersonationLoadBalancerService : impersonationLoadBalancerService - value
impersonationClusterIPService : impersonationClusterIPService - value
impersonationTLSCertificateSecret : impersonationTLSCertificateSecret - value
impersonationCACertificateSecret : impersonationCACertificateSecret - value
impersonationSignerSecret : impersonationSignerSecret - value
impersonationSignerSecret : impersonationSignerSecret - value
agentServiceAccount : agentServiceAccount - value
extraName : extraName - value
labels :
myLabelKey1 : myLabelValue1
myLabelKey2 : myLabelValue2
kubeCertAgent :
namePrefix : kube - cert - agent - name - prefix -
image : kube - cert - agent - image
imagePullSecrets : [ kube - cert - agent - image - pull - secret ]
logLevel : debug
log :
level : all
format : json
` ) ,
wantConfig : & Config {
DiscoveryInfo : DiscoveryInfoSpec {
URL : pointer . StringPtr ( "https://some.discovery/url" ) ,
} ,
APIConfig : APIConfigSpec {
ServingCertificateConfig : ServingCertificateConfigSpec {
DurationSeconds : pointer . Int64Ptr ( 3600 ) ,
RenewBeforeSeconds : pointer . Int64Ptr ( 2400 ) ,
} ,
} ,
APIGroupSuffix : pointer . StringPtr ( "some.suffix.com" ) ,
AggregatedAPIServerPort : pointer . Int64Ptr ( 12345 ) ,
ImpersonationProxyServerPort : pointer . Int64Ptr ( 4242 ) ,
NamesConfig : NamesConfigSpec {
ServingCertificateSecret : "pinniped-concierge-api-tls-serving-certificate" ,
CredentialIssuer : "pinniped-config" ,
APIService : "pinniped-api" ,
ImpersonationLoadBalancerService : "impersonationLoadBalancerService-value" ,
ImpersonationClusterIPService : "impersonationClusterIPService-value" ,
ImpersonationTLSCertificateSecret : "impersonationTLSCertificateSecret-value" ,
ImpersonationCACertificateSecret : "impersonationCACertificateSecret-value" ,
ImpersonationSignerSecret : "impersonationSignerSecret-value" ,
AgentServiceAccount : "agentServiceAccount-value" ,
} ,
Labels : map [ string ] string {
"myLabelKey1" : "myLabelValue1" ,
"myLabelKey2" : "myLabelValue2" ,
} ,
KubeCertAgentConfig : KubeCertAgentSpec {
NamePrefix : pointer . StringPtr ( "kube-cert-agent-name-prefix-" ) ,
Image : pointer . StringPtr ( "kube-cert-agent-image" ) ,
ImagePullSecrets : [ ] string { "kube-cert-agent-image-pull-secret" } ,
} ,
LogLevel : func ( level plog . LogLevel ) * plog . LogLevel { return & level } ( plog . LevelDebug ) ,
Log : plog . LogSpec {
Level : plog . LevelDebug ,
Format : plog . FormatJSON ,
} ,
2020-08-03 14:17:11 +00:00
} ,
} ,
2022-04-16 02:43:53 +00:00
{
name : "invalid log format" ,
yaml : here . Doc ( `
-- -
names :
servingCertificateSecret : pinniped - concierge - api - tls - serving - certificate
credentialIssuer : pinniped - config
apiService : pinniped - api
impersonationLoadBalancerService : impersonationLoadBalancerService - value
impersonationClusterIPService : impersonationClusterIPService - value
impersonationTLSCertificateSecret : impersonationTLSCertificateSecret - value
impersonationCACertificateSecret : impersonationCACertificateSecret - value
impersonationSignerSecret : impersonationSignerSecret - value
agentServiceAccount : agentServiceAccount - value
log :
level : all
format : snorlax
` ) ,
wantError : "decode yaml: error unmarshaling JSON: while decoding JSON: invalid log format, valid choices are the empty string, json and text" ,
} ,
2020-08-03 14:17:11 +00:00
{
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
name : "When only the required fields are present, causes other fields to be defaulted" ,
yaml : here . Doc ( `
-- -
names :
2020-10-09 21:25:34 +00:00
servingCertificateSecret : pinniped - concierge - api - tls - serving - certificate
2020-11-02 21:39:43 +00:00
credentialIssuer : pinniped - config
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
apiService : pinniped - api
2021-03-02 17:31:24 +00:00
impersonationLoadBalancerService : impersonationLoadBalancerService - value
2021-05-20 21:11:35 +00:00
impersonationClusterIPService : impersonationClusterIPService - value
2021-03-02 17:31:24 +00:00
impersonationTLSCertificateSecret : impersonationTLSCertificateSecret - value
impersonationCACertificateSecret : impersonationCACertificateSecret - value
2021-03-10 18:30:06 +00:00
impersonationSignerSecret : impersonationSignerSecret - value
2021-05-03 21:31:48 +00:00
agentServiceAccount : agentServiceAccount - value
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
` ) ,
2020-10-15 19:40:56 +00:00
wantConfig : & Config {
DiscoveryInfo : DiscoveryInfoSpec {
2020-08-03 14:17:11 +00:00
URL : nil ,
} ,
2021-11-17 21:27:59 +00:00
APIGroupSuffix : pointer . StringPtr ( "pinniped.dev" ) ,
AggregatedAPIServerPort : pointer . Int64Ptr ( 10250 ) ,
ImpersonationProxyServerPort : pointer . Int64Ptr ( 8444 ) ,
2020-10-15 19:40:56 +00:00
APIConfig : APIConfigSpec {
ServingCertificateConfig : ServingCertificateConfigSpec {
2021-05-12 21:00:26 +00:00
DurationSeconds : pointer . Int64Ptr ( 60 * 60 * 24 * 365 ) , // about a year
RenewBeforeSeconds : pointer . Int64Ptr ( 60 * 60 * 24 * 30 * 9 ) , // about 9 months
2020-08-20 19:17:18 +00:00
} ,
} ,
2020-10-15 19:40:56 +00:00
NamesConfig : NamesConfigSpec {
2021-03-02 17:31:24 +00:00
ServingCertificateSecret : "pinniped-concierge-api-tls-serving-certificate" ,
CredentialIssuer : "pinniped-config" ,
APIService : "pinniped-api" ,
ImpersonationLoadBalancerService : "impersonationLoadBalancerService-value" ,
2021-05-20 21:11:35 +00:00
ImpersonationClusterIPService : "impersonationClusterIPService-value" ,
2021-03-02 17:31:24 +00:00
ImpersonationTLSCertificateSecret : "impersonationTLSCertificateSecret-value" ,
ImpersonationCACertificateSecret : "impersonationCACertificateSecret-value" ,
2021-03-10 18:30:06 +00:00
ImpersonationSignerSecret : "impersonationSignerSecret-value" ,
2021-05-03 21:31:48 +00:00
AgentServiceAccount : "agentServiceAccount-value" ,
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
} ,
2020-10-15 17:14:23 +00:00
Labels : map [ string ] string { } ,
2020-10-15 19:40:56 +00:00
KubeCertAgentConfig : KubeCertAgentSpec {
2021-05-12 20:20:00 +00:00
NamePrefix : pointer . StringPtr ( "pinniped-kube-cert-agent-" ) ,
Image : pointer . StringPtr ( "debian:latest" ) ,
2020-09-21 18:16:14 +00:00
} ,
2020-08-03 14:17:11 +00:00
} ,
2020-07-14 15:50:14 +00:00
} ,
2020-08-20 19:17:18 +00:00
{
2021-03-02 17:31:24 +00:00
name : "Empty" ,
yaml : here . Doc ( ` ` ) ,
wantError : "validate names: missing required names: servingCertificateSecret, credentialIssuer, " +
2021-05-26 20:24:59 +00:00
"apiService, impersonationLoadBalancerService, " +
2021-05-20 21:11:35 +00:00
"impersonationClusterIPService, impersonationTLSCertificateSecret, impersonationCACertificateSecret, " +
2021-05-03 21:31:48 +00:00
"impersonationSignerSecret, agentServiceAccount" ,
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
		},
		{
			name: "Missing apiService name",
			yaml: here.Doc(`
				---
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  credentialIssuer: pinniped-config
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationClusterIPService: impersonationClusterIPService-value
				  impersonationTLSCertificateSecret: impersonationTLSCertificateSecret-value
				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
				  impersonationSignerSecret: impersonationSignerSecret-value
				  agentServiceAccount: agentServiceAccount-value
			`),
			wantError: "validate names: missing required names: apiService",
		},
		{
			name: "Missing credentialIssuer name",
			yaml: here.Doc(`
				---
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  apiService: pinniped-api
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationClusterIPService: impersonationClusterIPService-value
				  impersonationTLSCertificateSecret: impersonationTLSCertificateSecret-value
				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
				  impersonationSignerSecret: impersonationSignerSecret-value
				  agentServiceAccount: agentServiceAccount-value
			`),
			wantError: "validate names: missing required names: credentialIssuer",
		},
		{
			name: "Missing servingCertificateSecret name",
			yaml: here.Doc(`
				---
				names:
				  credentialIssuer: pinniped-config
				  apiService: pinniped-api
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationClusterIPService: impersonationClusterIPService-value
				  impersonationTLSCertificateSecret: impersonationTLSCertificateSecret-value
				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
				  impersonationSignerSecret: impersonationSignerSecret-value
				  agentServiceAccount: agentServiceAccount-value
			`),
			wantError: "validate names: missing required names: servingCertificateSecret",
		},
		{
			name: "Missing impersonationLoadBalancerService name",
			yaml: here.Doc(`
				---
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  credentialIssuer: pinniped-config
				  apiService: pinniped-api
				  impersonationClusterIPService: impersonationClusterIPService-value
				  impersonationTLSCertificateSecret: impersonationTLSCertificateSecret-value
				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
				  impersonationSignerSecret: impersonationSignerSecret-value
				  agentServiceAccount: agentServiceAccount-value
			`),
			wantError: "validate names: missing required names: impersonationLoadBalancerService",
		},
		{
			name: "Missing impersonationClusterIPService name",
			yaml: here.Doc(`
				---
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  credentialIssuer: pinniped-config
				  apiService: pinniped-api
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationTLSCertificateSecret: impersonationTLSCertificateSecret-value
				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
				  impersonationSignerSecret: impersonationSignerSecret-value
				  agentServiceAccount: agentServiceAccount-value
			`),
			wantError: "validate names: missing required names: impersonationClusterIPService",
		},
		{
			name: "Missing impersonationTLSCertificateSecret name",
			yaml: here.Doc(`
				---
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  credentialIssuer: pinniped-config
				  apiService: pinniped-api
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationClusterIPService: impersonationClusterIPService-value
				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
				  impersonationSignerSecret: impersonationSignerSecret-value
				  agentServiceAccount: agentServiceAccount-value
			`),
			wantError: "validate names: missing required names: impersonationTLSCertificateSecret",
		},
		{
			name: "Missing impersonationCACertificateSecret name",
			yaml: here.Doc(`
				---
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  credentialIssuer: pinniped-config
				  apiService: pinniped-api
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationClusterIPService: impersonationClusterIPService-value
				  impersonationTLSCertificateSecret: impersonationTLSCertificateSecret-value
				  impersonationSignerSecret: impersonationSignerSecret-value
				  agentServiceAccount: agentServiceAccount-value
			`),
			wantError: "validate names: missing required names: impersonationCACertificateSecret",
		},
		{
			name: "Missing impersonationSignerSecret name",
			yaml: here.Doc(`
				---
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  credentialIssuer: pinniped-config
				  apiService: pinniped-api
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationClusterIPService: impersonationClusterIPService-value
				  impersonationTLSCertificateSecret: impersonationTLSCertificateSecret-value
				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
				  agentServiceAccount: agentServiceAccount-value
			`),
			wantError: "validate names: missing required names: impersonationSignerSecret",
		},
		{
			name: "Missing several required names",
			yaml: here.Doc(`
				---
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  credentialIssuer: pinniped-config
				  apiService: pinniped-api
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationClusterIPService: impersonationClusterIPService-value
				  impersonationSignerSecret: impersonationSignerSecret-value
				  agentServiceAccount: agentServiceAccount-value
			`),
			wantError: "validate names: missing required names: " +
				"impersonationTLSCertificateSecret, impersonationCACertificateSecret",
		},
		{
			name: "InvalidDurationRenewBefore",
			yaml: here.Doc(`
				---
				api:
				  servingCertificate:
				    durationSeconds: 2400
				    renewBeforeSeconds: 3600
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  credentialIssuer: pinniped-config
				  apiService: pinniped-api
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationTLSCertificateSecret: impersonationTLSCertificateSecret-value
				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
				  impersonationSignerSecret: impersonationSignerSecret-value
			`),
			wantError: "validate api: durationSeconds cannot be smaller than renewBeforeSeconds",
		},
		{
			name: "NegativeRenewBefore",
			yaml: here.Doc(`
				---
				api:
				  servingCertificate:
				    durationSeconds: 2400
				    renewBeforeSeconds: -10
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  credentialIssuer: pinniped-config
				  apiService: pinniped-api
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationTLSCertificateSecret: impersonationTLSCertificateSecret-value
				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
				  impersonationSignerSecret: impersonationSignerSecret-value
			`),
			wantError: "validate api: renewBefore must be positive",
		},
		{
			name: "AggregatedAPIServerPortDefault too small",
			yaml: here.Doc(`
				---
				aggregatedAPIServerPort: 1023
			`),
			wantError: "validate aggregatedAPIServerPort: must be within range 1024 to 65535",
		},
		{
			name: "AggregatedAPIServerPortDefault too large",
			yaml: here.Doc(`
				---
				aggregatedAPIServerPort: 65536
			`),
			wantError: "validate aggregatedAPIServerPort: must be within range 1024 to 65535",
		},
		{
			name: "ImpersonationProxyServerPort too small",
			yaml: here.Doc(`
				---
				impersonationProxyServerPort: 1023
			`),
			wantError: "validate impersonationProxyServerPort: must be within range 1024 to 65535",
		},
		{
			name: "ImpersonationProxyServerPort too large",
			yaml: here.Doc(`
				---
				impersonationProxyServerPort: 65536
			`),
			wantError: "validate impersonationProxyServerPort: must be within range 1024 to 65535",
		},
		{
			name: "ZeroRenewBefore",
			yaml: here.Doc(`
				---
				api:
				  servingCertificate:
				    durationSeconds: 2400
				    renewBeforeSeconds: 0
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  credentialIssuer: pinniped-config
				  apiService: pinniped-api
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationTLSCertificateSecret: impersonationTLSCertificateSecret-value
				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
				  impersonationSignerSecret: impersonationSignerSecret-value
			`),
			wantError: "validate api: renewBefore must be positive",
		},
		{
			name: "InvalidAPIGroupSuffix",
			yaml: here.Doc(`
				---
				api:
				  servingCertificate:
				    durationSeconds: 3600
				    renewBeforeSeconds: 2400
				apiGroupSuffix: .starts.with.dot
				names:
				  servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
				  credentialIssuer: pinniped-config
				  apiService: pinniped-api
				  impersonationLoadBalancerService: impersonationLoadBalancerService-value
				  impersonationTLSCertificateSecret: impersonationTLSCertificateSecret-value
				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
				  impersonationSignerSecret: impersonationSignerSecret-value
			`),
			wantError: "validate apiGroupSuffix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')",
		},
2020-08-03 14:17:11 +00:00
}
for _ , test := range tests {
test := test
t . Run ( test . name , func ( t * testing . T ) {
2022-04-16 02:43:53 +00:00
// this is a serial test because it sets the global logger
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
// Write yaml to temp file
2022-08-24 21:45:55 +00:00
f , err := os . CreateTemp ( "" , "pinniped-test-config-yaml-*" )
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
require . NoError ( t , err )
defer func ( ) {
err := os . Remove ( f . Name ( ) )
require . NoError ( t , err )
} ( )
_ , err = f . WriteString ( test . yaml )
require . NoError ( t , err )
err = f . Close ( )
require . NoError ( t , err )
// Test FromPath()
2022-04-16 02:43:53 +00:00
ctx , cancel := context . WithCancel ( context . Background ( ) )
t . Cleanup ( cancel )
config , err := FromPath ( ctx , f . Name ( ) )
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
2020-08-20 19:17:18 +00:00
if test . wantError != "" {
require . EqualError ( t , err , test . wantError )
} else {
require . NoError ( t , err )
require . Equal ( t , test . wantConfig , config )
}
2020-08-03 14:17:11 +00:00
} )
}
}
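The two failing cases above pin down the validation a config loader must do before the Concierge trusts its own config: `renewBefore` must be positive, and `apiGroupSuffix` must be a lowercase RFC 1123 subdomain (the expected message, including the quoted regex, is the wording Kubernetes apimachinery uses for DNS-1123 subdomain checks). Below is an added, stand-alone example of validation logic that reproduces those two errors; it is not code from the Pinniped project. It uses the standard-library `regexp` with the regex quoted in the test instead of the apimachinery package so it runs offline. The type and function names, the treatment of an absent `renewBeforeSeconds` as invalid, the `duration must be positive` message, and the `renewBefore` < `duration` rule are assumptions made for the example and are not shown on the page.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// The regex quoted verbatim in the InvalidAPIGroupSuffix expected error:
// the RFC 1123 subdomain pattern Kubernetes applies to DNS subdomain names.
var dns1123SubdomainRegexp = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// RFC 1123 caps a subdomain at 253 characters; Kubernetes enforces the same limit.
// The regex alone does not check this, so it is a separate rule.
const dns1123SubdomainMaxLength = 253

// Exact message text from the InvalidAPIGroupSuffix test case.
const dns1123SubdomainErrMsg = "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"

// ServingCertificateSpec mirrors the api.servingCertificate keys in the test YAML.
// Pointers distinguish "key absent" from an explicit 0. This is an assumed shape
// for the example, not the project's own config type.
type ServingCertificateSpec struct {
	DurationSeconds    *int64
	RenewBeforeSeconds *int64
}

// ValidateAPIGroupSuffix rejects anything that is not a lowercase RFC 1123
// subdomain (e.g. ".starts.with.dot"), returning the message the test expects.
func ValidateAPIGroupSuffix(suffix string) error {
	if len(suffix) > dns1123SubdomainMaxLength {
		return fmt.Errorf("validate apiGroupSuffix: must be no more than %d characters", dns1123SubdomainMaxLength)
	}
	if !dns1123SubdomainRegexp.MatchString(suffix) {
		return errors.New("validate apiGroupSuffix: " + dns1123SubdomainErrMsg)
	}
	return nil
}

// ValidateServingCertificate enforces "renewBefore must be positive" as asserted
// by the test. Assumptions for this example: an absent renewBefore is invalid
// (the real loader may default it first), the duration message is invented, and
// the renewBefore < duration rule is an added sanity check not shown on the page.
func ValidateServingCertificate(spec ServingCertificateSpec) error {
	if spec.DurationSeconds == nil || *spec.DurationSeconds <= 0 {
		return errors.New("validate api: duration must be positive")
	}
	if spec.RenewBeforeSeconds == nil || *spec.RenewBeforeSeconds <= 0 {
		return errors.New("validate api: renewBefore must be positive")
	}
	if *spec.RenewBeforeSeconds >= *spec.DurationSeconds {
		return errors.New("validate api: renewBefore must be less than duration")
	}
	return nil
}

func main() {
	// Constructed sample suffixes: one valid, three that must be rejected.
	for _, s := range []string{"pinniped.dev", ".starts.with.dot", "Pinniped.dev", "ends-with-dash-"} {
		fmt.Printf("%-20q -> %v\n", s, ValidateAPIGroupSuffix(s))
	}
	d, ok, zero := int64(3600), int64(2400), int64(0)
	fmt.Println(ValidateServingCertificate(ServingCertificateSpec{&d, &ok}))
	fmt.Println(ValidateServingCertificate(ServingCertificateSpec{&d, &zero}))
}
```

The length cap matters because the suffix ends up in API group names served by the aggregated API; the regex in the error message only constrains the character set and label boundaries, so a loader that relies on it alone would accept an over-long value.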