authncache: remove namespace concept
Signed-off-by: Monis Khan <mok@vmware.com>
parent
741b8fe88d
commit
2eb01bd307
@ -28,10 +28,9 @@ type Cache struct {
|
||||
}
|
||||
|
||||
type Key struct {
|
||||
APIGroup string
|
||||
Kind string
|
||||
Namespace string
|
||||
Name string
|
||||
APIGroup string
|
||||
Kind string
|
||||
Name string
|
||||
}
|
||||
|
||||
type Value interface {
|
||||
@ -74,7 +73,6 @@ func (c *Cache) Keys() []Key {
|
||||
sort.Slice(result, func(i, j int) bool {
|
||||
return result[i].APIGroup < result[j].APIGroup ||
|
||||
result[i].Kind < result[j].Kind ||
|
||||
result[i].Namespace < result[j].Namespace ||
|
||||
result[i].Name < result[j].Name
|
||||
})
|
||||
return result
|
||||
@ -83,9 +81,8 @@ func (c *Cache) Keys() []Key {
|
||||
func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *loginapi.TokenCredentialRequest) (user.Info, error) {
|
||||
// Map the incoming request to a cache key.
|
||||
key := Key{
|
||||
Namespace: req.Namespace,
|
||||
Name: req.Spec.Authenticator.Name,
|
||||
Kind: req.Spec.Authenticator.Kind,
|
||||
Name: req.Spec.Authenticator.Name,
|
||||
Kind: req.Spec.Authenticator.Kind,
|
||||
}
|
||||
if req.Spec.Authenticator.APIGroup != nil {
|
||||
key.APIGroup = *req.Spec.Authenticator.APIGroup
|
||||
@ -95,7 +92,7 @@ func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *log
|
||||
if val == nil {
|
||||
plog.Debug(
|
||||
"authenticator does not exist",
|
||||
"authenticator", klog.KRef(key.Namespace, key.Name),
|
||||
"authenticator", klog.KRef("", key.Name),
|
||||
"kind", key.Kind,
|
||||
"apiGroup", key.APIGroup,
|
||||
)
|
||||
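Review bot: The comparator in the Keys() hunk (the `sort.Slice` at `@ -74,7 +73,6`) is not a strict weak ordering even after Namespace is dropped: `a.APIGroup < b.APIGroup || a.Kind < b.Kind || a.Name < b.Name` can return true for both (i, j) and (j, i), e.g. {APIGroup: "a", Kind: "b"} versus {APIGroup: "b", Kind: "a"}, so the result order is unspecified rather than lexicographic. This is pre-existing, but the commit rewrites the expression and the shuffled-order test in cache_test.go only uses keys whose fields never disagree in direction, so it cannot catch it. Compare field by field with earlier fields taking precedence, as below. Keys() begins outside the hunk.
```go
sort.Slice(result, func(i, j int) bool {
	a, b := result[i], result[j]
	if a.APIGroup != b.APIGroup {
		return a.APIGroup < b.APIGroup
	}
	if a.Kind != b.Kind {
		return a.Kind < b.Kind
	}
	return a.Name < b.Name
})
```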
|
@ -31,13 +31,13 @@ func TestCache(t *testing.T) {
|
||||
cache := New()
|
||||
require.NotNil(t, cache)
|
||||
|
||||
key1 := Key{Namespace: "foo", Name: "authenticator-one"}
|
||||
key1 := Key{Name: "authenticator-one"}
|
||||
mockToken1 := mocktokenauthenticator.NewMockToken(ctrl)
|
||||
cache.Store(key1, mockToken1)
|
||||
require.Equal(t, mockToken1, cache.Get(key1))
|
||||
require.Equal(t, 1, len(cache.Keys()))
|
||||
|
||||
key2 := Key{Namespace: "foo", Name: "authenticator-two"}
|
||||
key2 := Key{Name: "authenticator-two"}
|
||||
mockToken2 := mocktokenauthenticator.NewMockToken(ctrl)
|
||||
cache.Store(key2, mockToken2)
|
||||
require.Equal(t, mockToken2, cache.Get(key2))
|
||||
@ -50,11 +50,10 @@ func TestCache(t *testing.T) {
|
||||
|
||||
// Fill the cache back up with a fixed set of keys, but inserted in shuffled order.
|
||||
keysInExpectedOrder := []Key{
|
||||
{APIGroup: "a", Kind: "a", Namespace: "a", Name: "a"},
|
||||
{APIGroup: "b", Kind: "a", Namespace: "a", Name: "a"},
|
||||
{APIGroup: "b", Kind: "b", Namespace: "a", Name: "a"},
|
||||
{APIGroup: "b", Kind: "b", Namespace: "b", Name: "a"},
|
||||
{APIGroup: "b", Kind: "b", Namespace: "b", Name: "b"},
|
||||
{APIGroup: "a", Kind: "a", Name: "a"},
|
||||
{APIGroup: "b", Kind: "a", Name: "a"},
|
||||
{APIGroup: "b", Kind: "b", Name: "a"},
|
||||
{APIGroup: "b", Kind: "b", Name: "b"},
|
||||
}
|
||||
for tries := 0; tries < 10; tries++ {
|
||||
cache := New()
|
||||
@ -85,10 +84,9 @@ func TestAuthenticateTokenCredentialRequest(t *testing.T) {
|
||||
Status: loginapi.TokenCredentialRequestStatus{},
|
||||
}
|
||||
validRequestKey := Key{
|
||||
APIGroup: *validRequest.Spec.Authenticator.APIGroup,
|
||||
Kind: validRequest.Spec.Authenticator.Kind,
|
||||
Namespace: validRequest.Namespace,
|
||||
Name: validRequest.Spec.Authenticator.Name,
|
||||
APIGroup: *validRequest.Spec.Authenticator.APIGroup,
|
||||
Kind: validRequest.Spec.Authenticator.Kind,
|
||||
Name: validRequest.Spec.Authenticator.Name,
|
||||
}
|
||||
|
||||
mockCache := func(t *testing.T, res *authenticator.Response, authenticated bool, err error) *Cache {
|
||||
|
@ -72,19 +72,17 @@ func (c *controller) Sync(_ controllerlib.Context) error {
|
||||
authenticatorSet := map[authncache.Key]bool{}
|
||||
for _, webhook := range webhooks {
|
||||
key := authncache.Key{
|
||||
Namespace: webhook.Namespace,
|
||||
Name: webhook.Name,
|
||||
Kind: "WebhookAuthenticator",
|
||||
APIGroup: auth1alpha1.SchemeGroupVersion.Group,
|
||||
Name: webhook.Name,
|
||||
Kind: "WebhookAuthenticator",
|
||||
APIGroup: auth1alpha1.SchemeGroupVersion.Group,
|
||||
}
|
||||
authenticatorSet[key] = true
|
||||
}
|
||||
for _, jwtAuthenticator := range jwtAuthenticators {
|
||||
key := authncache.Key{
|
||||
Namespace: jwtAuthenticator.Namespace,
|
||||
Name: jwtAuthenticator.Name,
|
||||
Kind: "JWTAuthenticator",
|
||||
APIGroup: auth1alpha1.SchemeGroupVersion.Group,
|
||||
Name: jwtAuthenticator.Name,
|
||||
Kind: "JWTAuthenticator",
|
||||
APIGroup: auth1alpha1.SchemeGroupVersion.Group,
|
||||
}
|
||||
authenticatorSet[key] = true
|
||||
}
|
||||
@ -97,7 +95,7 @@ func (c *controller) Sync(_ controllerlib.Context) error {
|
||||
if _, exists := authenticatorSet[key]; !exists {
|
||||
c.log.WithValues(
|
||||
"authenticator",
|
||||
klog.KRef(key.Namespace, key.Name),
|
||||
klog.KRef("", key.Name),
|
||||
"kind",
|
||||
key.Kind,
|
||||
).Info("deleting authenticator from cache")
|
||||
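Review bot: `authenticatorSet` in the first Sync hunk is a set but is declared as `map[authncache.Key]bool{}`, which stores a value per entry and invites `if authenticatorSet[key]` style lookups elsewhere; the membership test in the second hunk already uses the `_, exists :=` form, so only the declaration and the two inserts need to change: `authenticatorSet := map[authncache.Key]struct{}{}` and `authenticatorSet[key] = struct{}{}` in both loops. Sync's body starts before and continues after these hunks.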
|
@ -26,34 +26,29 @@ func TestController(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testWebhookKey1 := authncache.Key{
|
||||
APIGroup: "authentication.concierge.pinniped.dev",
|
||||
Kind: "WebhookAuthenticator",
|
||||
Namespace: "test-namespace",
|
||||
Name: "test-webhook-name-one",
|
||||
APIGroup: "authentication.concierge.pinniped.dev",
|
||||
Kind: "WebhookAuthenticator",
|
||||
Name: "test-webhook-name-one",
|
||||
}
|
||||
testWebhookKey2 := authncache.Key{
|
||||
APIGroup: "authentication.concierge.pinniped.dev",
|
||||
Kind: "WebhookAuthenticator",
|
||||
Namespace: "test-namespace",
|
||||
Name: "test-webhook-name-two",
|
||||
APIGroup: "authentication.concierge.pinniped.dev",
|
||||
Kind: "WebhookAuthenticator",
|
||||
Name: "test-webhook-name-two",
|
||||
}
|
||||
testJWTAuthenticatorKey1 := authncache.Key{
|
||||
APIGroup: "authentication.concierge.pinniped.dev",
|
||||
Kind: "JWTAuthenticator",
|
||||
Namespace: "test-namespace",
|
||||
Name: "test-jwt-authenticator-name-one",
|
||||
APIGroup: "authentication.concierge.pinniped.dev",
|
||||
Kind: "JWTAuthenticator",
|
||||
Name: "test-jwt-authenticator-name-one",
|
||||
}
|
||||
testJWTAuthenticatorKey2 := authncache.Key{
|
||||
APIGroup: "authentication.concierge.pinniped.dev",
|
||||
Kind: "JWTAuthenticator",
|
||||
Namespace: "test-namespace",
|
||||
Name: "test-jwt-authenticator-name-two",
|
||||
APIGroup: "authentication.concierge.pinniped.dev",
|
||||
Kind: "JWTAuthenticator",
|
||||
Name: "test-jwt-authenticator-name-two",
|
||||
}
|
||||
testKeyUnknownType := authncache.Key{
|
||||
APIGroup: "authentication.concierge.pinniped.dev",
|
||||
Kind: "SomeOtherAuthenticator",
|
||||
Namespace: "test-namespace",
|
||||
Name: "test-name-one",
|
||||
APIGroup: "authentication.concierge.pinniped.dev",
|
||||
Kind: "SomeOtherAuthenticator",
|
||||
Name: "test-name-one",
|
||||
}
|
||||
|
||||
tests := []struct {
|
||||
@ -73,14 +68,12 @@ func TestController(t *testing.T) {
|
||||
objects: []runtime.Object{
|
||||
&authv1alpha.WebhookAuthenticator{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: testWebhookKey1.Namespace,
|
||||
Name: testWebhookKey1.Name,
|
||||
Name: testWebhookKey1.Name,
|
||||
},
|
||||
},
|
||||
&authv1alpha.JWTAuthenticator{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: testJWTAuthenticatorKey1.Namespace,
|
||||
Name: testJWTAuthenticatorKey1.Name,
|
||||
Name: testJWTAuthenticatorKey1.Name,
|
||||
},
|
||||
},
|
||||
},
|
||||
@ -91,26 +84,22 @@ func TestController(t *testing.T) {
|
||||
objects: []runtime.Object{
|
||||
&authv1alpha.WebhookAuthenticator{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: testWebhookKey1.Namespace,
|
||||
Name: testWebhookKey1.Name,
|
||||
Name: testWebhookKey1.Name,
|
||||
},
|
||||
},
|
||||
&authv1alpha.WebhookAuthenticator{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: testWebhookKey2.Namespace,
|
||||
Name: testWebhookKey2.Name,
|
||||
Name: testWebhookKey2.Name,
|
||||
},
|
||||
},
|
||||
&authv1alpha.JWTAuthenticator{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: testJWTAuthenticatorKey1.Namespace,
|
||||
Name: testJWTAuthenticatorKey1.Name,
|
||||
Name: testJWTAuthenticatorKey1.Name,
|
||||
},
|
||||
},
|
||||
&authv1alpha.JWTAuthenticator{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: testJWTAuthenticatorKey2.Namespace,
|
||||
Name: testJWTAuthenticatorKey2.Name,
|
||||
Name: testJWTAuthenticatorKey2.Name,
|
||||
},
|
||||
},
|
||||
},
|
||||
@ -128,20 +117,18 @@ func TestController(t *testing.T) {
|
||||
objects: []runtime.Object{
|
||||
&authv1alpha.WebhookAuthenticator{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: testWebhookKey1.Namespace,
|
||||
Name: testWebhookKey1.Name,
|
||||
Name: testWebhookKey1.Name,
|
||||
},
|
||||
},
|
||||
&authv1alpha.JWTAuthenticator{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: testJWTAuthenticatorKey1.Namespace,
|
||||
Name: testJWTAuthenticatorKey1.Name,
|
||||
Name: testJWTAuthenticatorKey1.Name,
|
||||
},
|
||||
},
|
||||
},
|
||||
wantLogs: []string{
|
||||
`cachecleaner-controller "level"=0 "msg"="deleting authenticator from cache" "authenticator"={"name":"test-jwt-authenticator-name-two","namespace":"test-namespace"} "kind"="JWTAuthenticator"`,
|
||||
`cachecleaner-controller "level"=0 "msg"="deleting authenticator from cache" "authenticator"={"name":"test-webhook-name-two","namespace":"test-namespace"} "kind"="WebhookAuthenticator"`,
|
||||
`cachecleaner-controller "level"=0 "msg"="deleting authenticator from cache" "authenticator"={"name":"test-jwt-authenticator-name-two"} "kind"="JWTAuthenticator"`,
|
||||
`cachecleaner-controller "level"=0 "msg"="deleting authenticator from cache" "authenticator"={"name":"test-webhook-name-two"} "kind"="WebhookAuthenticator"`,
|
||||
},
|
||||
wantCacheKeys: []authncache.Key{testWebhookKey1, testJWTAuthenticatorKey1, testKeyUnknownType},
|
||||
},
|
||||
@ -173,8 +160,7 @@ func TestController(t *testing.T) {
|
||||
syncCtx := controllerlib.Context{
|
||||
Context: ctx,
|
||||
Key: controllerlib.Key{
|
||||
Namespace: "test-namespace",
|
||||
Name: "test-webhook-name-one",
|
||||
Name: "test-webhook-name-one",
|
||||
},
|
||||
}
|
||||
|
||||
|
@ -98,10 +98,9 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
|
||||
}
|
||||
|
||||
cacheKey := authncache.Key{
|
||||
APIGroup: auth1alpha1.GroupName,
|
||||
Kind: "JWTAuthenticator",
|
||||
Namespace: ctx.Key.Namespace,
|
||||
Name: ctx.Key.Name,
|
||||
APIGroup: auth1alpha1.GroupName,
|
||||
Kind: "JWTAuthenticator",
|
||||
Name: ctx.Key.Name,
|
||||
}
|
||||
|
||||
// If this authenticator already exists, then only recreate it if is different from the desired
|
||||
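Review bot: The cache key built in this Sync hunk no longer carries `ctx.Key.Namespace`, yet `controllerlib.Key` still has a Namespace field (the cachecleaner test only clears its value), so if JWTAuthenticator objects can still exist in more than one namespace, two objects with the same name collapse onto one `authncache.Key` and the later Sync silently overwrites the earlier authenticator; tokens would then be validated against whichever object was synced last. If the authenticator resources are now cluster-scoped, that invariant is not stated anywhere in the diff and should be recorded on the Key type in authncache, e.g. `// Key identifies an authenticator cluster-wide by (APIGroup, Kind, Name); authenticators are not namespaced.`; if they are not, the namespace must stay part of the key. The same key construction appears in the webhookcachefiller Store call and in both loops of the cachecleaner Sync. Sync starts outside the hunk.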
|
@ -356,10 +356,9 @@ func TestController(t *testing.T) {
|
||||
|
||||
// We expected the cache to have an entry, so pull that entry from the cache and test it.
|
||||
expectedCacheKey := authncache.Key{
|
||||
APIGroup: auth1alpha1.GroupName,
|
||||
Kind: "JWTAuthenticator",
|
||||
Namespace: syncCtx.Key.Namespace,
|
||||
Name: syncCtx.Key.Name,
|
||||
APIGroup: auth1alpha1.GroupName,
|
||||
Kind: "JWTAuthenticator",
|
||||
Name: syncCtx.Key.Name,
|
||||
}
|
||||
cachedAuthenticator := cache.Get(expectedCacheKey)
|
||||
require.NotNil(t, cachedAuthenticator)
|
||||
|
@ -69,10 +69,9 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
|
||||
}
|
||||
|
||||
c.cache.Store(authncache.Key{
|
||||
APIGroup: auth1alpha1.GroupName,
|
||||
Kind: "WebhookAuthenticator",
|
||||
Namespace: ctx.Key.Namespace,
|
||||
Name: ctx.Key.Name,
|
||||
APIGroup: auth1alpha1.GroupName,
|
||||
Kind: "WebhookAuthenticator",
|
||||
Name: ctx.Key.Name,
|
||||
}, webhookAuthenticator)
|
||||
c.log.WithValues("webhook", klog.KObj(obj), "endpoint", obj.Spec.Endpoint).Info("added new webhook authenticator")
|
||||
return nil
|
||||
|