ContainerImage.Pinniped/internal/controller/issuerconfig/issuerconfig.go

// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package issuerconfig contains helpers for updating CredentialIssuer status entries.
package issuerconfig

import (
	"context"
	"fmt"
	"sort"

	apiequality "k8s.io/apimachinery/pkg/api/equality"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
	"go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
)

// Update a strategy on an existing CredentialIssuer, merging into any existing strategy entries.
func Update(ctx context.Context, client versioned.Interface, issuer *v1alpha1.CredentialIssuer, strategy v1alpha1.CredentialIssuerStrategy) error {
	// Update the existing object to merge in the new strategy.
	updated := issuer.DeepCopy()
	mergeStrategy(&updated.Status, strategy)

	// If the status has not changed, we're done.
	if apiequality.Semantic.DeepEqual(issuer.Status, updated.Status) {
		return nil
	}

	if _, err := client.ConfigV1alpha1().CredentialIssuers().UpdateStatus(ctx, updated, metav1.UpdateOptions{}); err != nil {
		return fmt.Errorf("failed to update CredentialIssuer status: %w", err)
	}
	return nil
}

func mergeStrategy(configToUpdate *v1alpha1.CredentialIssuerStatus, strategy v1alpha1.CredentialIssuerStrategy) {
	var existing *v1alpha1.CredentialIssuerStrategy
	for i := range configToUpdate.Strategies {
		if configToUpdate.Strategies[i].Type == strategy.Type {
			existing = &configToUpdate.Strategies[i]
			break
		}
	}
	if existing != nil {
		strategy.DeepCopyInto(existing)
	} else {
		configToUpdate.Strategies = append(configToUpdate.Strategies, strategy)
	}
	sort.Stable(sortableStrategies(configToUpdate.Strategies))

	// Special case: the "TokenCredentialRequestAPI" data is mirrored into the deprecated status.kubeConfigInfo field.
	if strategy.Frontend != nil && strategy.Frontend.Type == v1alpha1.TokenCredentialRequestAPIFrontendType {
		configToUpdate.KubeConfigInfo = &v1alpha1.CredentialIssuerKubeConfigInfo{
			Server:                   strategy.Frontend.TokenCredentialRequestAPIInfo.Server,
			CertificateAuthorityData: strategy.Frontend.TokenCredentialRequestAPIInfo.CertificateAuthorityData,
		}
	}
}

// weights are a set of priorities for each strategy type.
//nolint: gochecknoglobals
var weights = map[v1alpha1.StrategyType]int{
	v1alpha1.KubeClusterSigningCertificateStrategyType: 2, // most preferred strategy
	v1alpha1.ImpersonationProxyStrategyType:            1,
	// unknown strategy types will have weight 0 by default
}

type sortableStrategies []v1alpha1.CredentialIssuerStrategy

func (s sortableStrategies) Len() int { return len(s) }
func (s sortableStrategies) Less(i, j int) bool {
	if wi, wj := weights[s[i].Type], weights[s[j].Type]; wi != wj {
		return wi > wj
	}
	return s[i].Type < s[j].Type
}
func (s sortableStrategies) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
Factor out issuerconfig.UpdateStrategy helper. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-03-01 21:41:55 +00:00			`// Copyright 2021 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

Update impersonatorconfig controller to use new CredentialIssuer update helper. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-05-20 17:26:07 +00:00			`// Package issuerconfig contains helpers for updating CredentialIssuer status entries.`
Factor out issuerconfig.UpdateStrategy helper. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-03-01 21:41:55 +00:00			`package issuerconfig`

			`import (`
			`"context"`
Create CredentialIssuer at install, not runtime. Previously, our controllers would automatically create a CredentialIssuer with a singleton name. The helpers we had for this also used "raw" client access and did not take advantage of the informer cache pattern. With this change, the CredentialIssuer is always created at install time in the ytt YAML. The controllers now only update the existing CredentialIssuer status, and they do so using the informer cache as much as possible. This change is targeted at only the kubecertagent controller to start. The impersonatorconfig controller will be updated in a following PR along with other changes. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-05-19 21:53:00 +00:00			`"fmt"`
Factor out issuerconfig.UpdateStrategy helper. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-03-01 21:41:55 +00:00			`"sort"`

Create CredentialIssuer at install, not runtime. Previously, our controllers would automatically create a CredentialIssuer with a singleton name. The helpers we had for this also used "raw" client access and did not take advantage of the informer cache pattern. With this change, the CredentialIssuer is always created at install time in the ytt YAML. The controllers now only update the existing CredentialIssuer status, and they do so using the informer cache as much as possible. This change is targeted at only the kubecertagent controller to start. The impersonatorconfig controller will be updated in a following PR along with other changes. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-05-19 21:53:00 +00:00			`apiequality "k8s.io/apimachinery/pkg/api/equality"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`

Factor out issuerconfig.UpdateStrategy helper. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-03-01 21:41:55 +00:00			`"go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"`
			`"go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"`
			`)`

Create CredentialIssuer at install, not runtime. Previously, our controllers would automatically create a CredentialIssuer with a singleton name. The helpers we had for this also used "raw" client access and did not take advantage of the informer cache pattern. With this change, the CredentialIssuer is always created at install time in the ytt YAML. The controllers now only update the existing CredentialIssuer status, and they do so using the informer cache as much as possible. This change is targeted at only the kubecertagent controller to start. The impersonatorconfig controller will be updated in a following PR along with other changes. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-05-19 21:53:00 +00:00			`// Update a strategy on an existing CredentialIssuer, merging into any existing strategy entries.`
			`func Update(ctx context.Context, client versioned.Interface, issuer *v1alpha1.CredentialIssuer, strategy v1alpha1.CredentialIssuerStrategy) error {`
			`// Update the existing object to merge in the new strategy.`
			`updated := issuer.DeepCopy()`
			`mergeStrategy(&updated.Status, strategy)`

			`// If the status has not changed, we're done.`
			`if apiequality.Semantic.DeepEqual(issuer.Status, updated.Status) {`
			`return nil`
			`}`

			`if _, err := client.ConfigV1alpha1().CredentialIssuers().UpdateStatus(ctx, updated, metav1.UpdateOptions{}); err != nil {`
			`return fmt.Errorf("failed to update CredentialIssuer status: %w", err)`
			`}`
			`return nil`
			`}`

Factor out issuerconfig.UpdateStrategy helper. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-03-01 21:41:55 +00:00			`func mergeStrategy(configToUpdate *v1alpha1.CredentialIssuerStatus, strategy v1alpha1.CredentialIssuerStrategy) {`
			`var existing *v1alpha1.CredentialIssuerStrategy`
			`for i := range configToUpdate.Strategies {`
			`if configToUpdate.Strategies[i].Type == strategy.Type {`
			`existing = &configToUpdate.Strategies[i]`
			`break`
			`}`
			`}`
			`if existing != nil {`
			`strategy.DeepCopyInto(existing)`
			`} else {`
			`configToUpdate.Strategies = append(configToUpdate.Strategies, strategy)`
			`}`
			`sort.Stable(sortableStrategies(configToUpdate.Strategies))`
Drop NewKubeConfigInfoPublisherController, start populating strategy frontend from kubecertagent execer controller. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-03-02 18:55:24 +00:00
			`// Special case: the "TokenCredentialRequestAPI" data is mirrored into the deprecated status.kubeConfigInfo field.`
			`if strategy.Frontend != nil && strategy.Frontend.Type == v1alpha1.TokenCredentialRequestAPIFrontendType {`
			`configToUpdate.KubeConfigInfo = &v1alpha1.CredentialIssuerKubeConfigInfo{`
			`Server: strategy.Frontend.TokenCredentialRequestAPIInfo.Server,`
			`CertificateAuthorityData: strategy.Frontend.TokenCredentialRequestAPIInfo.CertificateAuthorityData,`
			`}`
			`}`
Factor out issuerconfig.UpdateStrategy helper. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-03-01 21:41:55 +00:00			`}`

Sort CredentialIssuer strategies in preferred order. This updates our issuerconfig.UpdateStrategy to sort strategies according to a weighted preference. The TokenCredentialRequest API strategy is preffered, followed by impersonation proxy, followed by any other unknown types. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-03-03 20:03:27 +00:00			`// weights are a set of priorities for each strategy type.`
			`//nolint: gochecknoglobals`
			`var weights = map[v1alpha1.StrategyType]int{`
			`v1alpha1.KubeClusterSigningCertificateStrategyType: 2, // most preferred strategy`
			`v1alpha1.ImpersonationProxyStrategyType: 1,`
			`// unknown strategy types will have weight 0 by default`
			`}`

Factor out issuerconfig.UpdateStrategy helper. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-03-01 21:41:55 +00:00			`type sortableStrategies []v1alpha1.CredentialIssuerStrategy`

Sort CredentialIssuer strategies in preferred order. This updates our issuerconfig.UpdateStrategy to sort strategies according to a weighted preference. The TokenCredentialRequest API strategy is preffered, followed by impersonation proxy, followed by any other unknown types. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-03-03 20:03:27 +00:00			`func (s sortableStrategies) Len() int { return len(s) }`
			`func (s sortableStrategies) Less(i, j int) bool {`
			`if wi, wj := weights[s[i].Type], weights[s[j].Type]; wi != wj {`
			`return wi > wj`
			`}`
			`return s[i].Type < s[j].Type`
			`}`
			`func (s sortableStrategies) Swap(i, j int) { s[i], s[j] = s[j], s[i] }`