diff --git a/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl b/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl
index 3e159148..480b1015 100644
--- a/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl
@@ -57,6 +57,7 @@ type JWTTokenClaims struct {
 // signature, existence of claims, etc.) and extract the username and groups from the token.
 //
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
diff --git a/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl b/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
index d12a1f3c..32062949 100644
--- a/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
@@ -29,6 +29,7 @@ type WebhookAuthenticatorSpec struct {
 
 // WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
diff --git a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
index f462056d..c0425a79 100644
--- a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
+++ b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
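Review bot: The new `+genclient:nonNamespaced` marker makes JWTAuthenticator cluster-scoped (the CRD manifest in this commit moves to `scope: Cluster`), but the doc comment above it still reads like an ordinary namespaced object and says nothing about what that implies for operators. Since this object decides which issuer is trusted and how the username and groups are extracted, anyone allowed to create or update one chooses who authenticates to the whole cluster, so I would add `// JWTAuthenticator is cluster-scoped: there is a single set of authenticators for the whole cluster, so RBAC on this resource should be as restrictive as on ClusterRoleBindings.` The WebhookAuthenticator hunk below deserves the same sentence. The JWTAuthenticator type declaration itself starts after the hunk.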
@@ -67,6 +67,7 @@ type CredentialIssuerStrategy struct {
 
 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
 type CredentialIssuer struct {
diff --git a/apis/concierge/login/types_token.go.tmpl b/apis/concierge/login/types_token.go.tmpl
index a0555f85..17a341b2 100644
--- a/apis/concierge/login/types_token.go.tmpl
+++ b/apis/concierge/login/types_token.go.tmpl
@@ -27,7 +27,6 @@ type TokenCredentialRequestStatus struct {
 }
 
 // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
-// +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type TokenCredentialRequest struct {
 metav1.TypeMeta
diff --git a/apis/concierge/login/v1alpha1/types_token.go.tmpl b/apis/concierge/login/v1alpha1/types_token.go.tmpl
index cb5965a2..66b744f3 100644
--- a/apis/concierge/login/v1alpha1/types_token.go.tmpl
+++ b/apis/concierge/login/v1alpha1/types_token.go.tmpl
@@ -30,6 +30,7 @@ type TokenCredentialRequestStatus struct {
 
 // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type TokenCredentialRequest struct {
 metav1.TypeMeta `json:",inline"`
diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
index e800411e..59facfd0 100644
--- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
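Review bot: The v1alpha1 TokenCredentialRequest gains `+genclient:nonNamespaced` here, so the generated client drops its namespace argument and the server's `NamespaceScoped()` in rest.go now returns false, yet the type's doc comment does not mention the change at all. Any caller that still posts this request on a namespaced path or fills in `metadata.namespace` (the CLI and any fixtures outside this diff, if they do) will disagree with the new discovery document, so I would extend the comment with `// TokenCredentialRequest is cluster-scoped; callers should leave metadata.namespace empty.` Dropping `+genclient` from the unversioned type in the hunk above is consistent with generating clients only from the versioned API. The struct body continues past the end of the hunk.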
@@ -18,7 +18,7 @@ spec:
 listKind: JWTAuthenticatorList
 plural: jwtauthenticators
 singular: jwtauthenticator
- scope: Namespaced
+ scope: Cluster
 versions:
 - additionalPrinterColumns:
 - jsonPath: .spec.issuer
diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
index d31bae12..a23e8fcf 100644
--- a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -18,7 +18,7 @@ spec:
 listKind: WebhookAuthenticatorList
 plural: webhookauthenticators
 singular: webhookauthenticator
- scope: Namespaced
+ scope: Cluster
 versions:
 - additionalPrinterColumns:
 - jsonPath: .spec.endpoint
diff --git a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
index 9b4c0056..87a454a7 100644
--- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -16,7 +16,7 @@ spec:
 listKind: CredentialIssuerList
 plural: credentialissuers
 singular: credentialissuer
- scope: Namespaced
+ scope: Cluster
 versions:
 - name: v1alpha1
 schema:
diff --git a/internal/registry/credentialrequest/rest.go b/internal/registry/credentialrequest/rest.go
index dbe6821a..8b9d12ab 100644
--- a/internal/registry/credentialrequest/rest.go
+++ b/internal/registry/credentialrequest/rest.go
@@ -80,7 +80,7 @@ func (r *REST) ConvertToTable(ctx context.Context, obj runtime.Object, tableOpti
 }
 
 func (*REST) NamespaceScoped() bool {
- return true
+ return false
 }
 
 func (*REST) Categories() []string {
diff --git a/internal/registry/credentialrequest/rest_test.go b/internal/registry/credentialrequest/rest_test.go
index b72af025..50652a02 100644
--- a/internal/registry/credentialrequest/rest_test.go
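Review bot: Flipping `scope: Namespaced` to `scope: Cluster` in the jwtauthenticators CRD cannot be applied over an existing install: as far as I know the apiextensions API treats `spec.scope` as immutable, so `kubectl apply` of this manifest is rejected and the only path is to delete and recreate the CRD, which discards every JWTAuthenticator an operator already has. The webhookauthenticators and credentialissuers hunks below have the same problem. This needs a prominent upgrade note in the deploy docs (back up the namespaced objects, delete the three CRDs, re-apply, re-create the objects without a namespace) and ideally a comment at the top of each manifest, e.g. `# scope changed from Namespaced to Cluster; existing CRDs must be deleted and recreated`, so the breakage is visible to whoever next diffs the manifests.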
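Review bot: `NamespaceScoped` now returns false without a comment saying why, and the flip only covers discovery and routing: whatever `Create` does with the request namespace (it lives outside this hunk, so I cannot see it) is what actually has to stop keying on a namespace, for example when it resolves the authenticator named in the request. I would document the method, `// NamespaceScoped reports false: TokenCredentialRequest is cluster-scoped and is served without a namespace path segment.`, and grep the rest of this package for any `namespace/name` lookup that still assumes the old scope. `ConvertToTable` starts above the hunk and `Categories` continues below it.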
+++ b/internal/registry/credentialrequest/rest_test.go
@@ -31,7 +31,7 @@ import (
 func TestNew(t *testing.T) {
 r := NewREST(nil, nil, schema.GroupResource{Group: "bears", Resource: "panda"})
 require.NotNil(t, r)
- require.True(t, r.NamespaceScoped())
+ require.False(t, r.NamespaceScoped())
 require.Equal(t, []string{"pinniped"}, r.Categories())
 require.IsType(t, &loginapi.TokenCredentialRequest{}, r.New())
 require.IsType(t, &loginapi.TokenCredentialRequestList{}, r.NewList())
diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go
index dba382bc..9bab7796 100644
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@@ -73,7 +73,7 @@ func TestGetAPIResourceList(t *testing.T) {
 Name: "tokencredentialrequests",
 Kind: "TokenCredentialRequest",
 Verbs: []string{"create", "list"},
- Namespaced: true,
+ Namespaced: false,
 Categories: []string{"pinniped"},
 },
 },
@@ -158,7 +158,7 @@ func TestGetAPIResourceList(t *testing.T) {
 {
 Name: "credentialissuers",
 SingularName: "credentialissuer",
- Namespaced: true,
+ Namespaced: false,
 Kind: "CredentialIssuer",
 Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
 Categories: []string{"pinniped"},
@@ -185,7 +185,7 @@ func TestGetAPIResourceList(t *testing.T) {
 {
 Name: "webhookauthenticators",
 SingularName: "webhookauthenticator",
- Namespaced: true,
+ Namespaced: false,
 Kind: "WebhookAuthenticator",
 Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
 Categories: []string{"pinniped", "pinniped-authenticator", "pinniped-authenticators"},
@@ -193,7 +193,7 @@ func TestGetAPIResourceList(t *testing.T) { { Name: "jwtauthenticators", SingularName: "jwtauthenticator", - Namespaced: true, + Namespaced: false, Kind: "JWTAuthenticator", Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, Categories: []string{"pinniped", "pinniped-authenticator", "pinniped-authenticators"}, @@ -236,6 +236,23 @@ func TestGetAPIResourceList(t *testing.T) { } }) + t.Run("every concierge API is cluster scoped", func(t *testing.T) { + t.Parallel() + for _, r := range resources { + if !strings.Contains(r.GroupVersion, env.APIGroupSuffix) { + continue + } + + if !strings.Contains(r.GroupVersion, ".concierge.") { + continue + } + + for _, a := range r.APIResources { + assert.False(t, a.Namespaced, "concierge APIs must be cluster scoped: %#v", a) + } + } + }) + t.Run("Pinniped resources do not have short names", func(t *testing.T) { t.Parallel() for _, r := range resources {
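Review bot: The new `every concierge API is cluster scoped` subtest passes vacuously when nothing in the discovery list matches both `env.APIGroupSuffix` and `.concierge.` (a misconfigured suffix, or the aggregated API not being registered), because every assertion sits inside the two loops and an empty iteration reports success. Count what was actually checked and fail on zero: add `seen := 0` before the outer loop, `seen++` next to the `assert.False`, and `assert.NotZero(t, seen, "no concierge APIs found in discovery")` after the loop. That keeps the guarantee this test is meant to give (no concierge resource silently goes back to being namespaced) tied to real data rather than to the filter matching anything. The enclosing `TestGetAPIResourceList` starts well above this hunk and the trailing `Pinniped resources do not have short names` subtest continues past it.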