djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make concierge APIs cluster scoped

Browse Source 
Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
Monis Khan 2021-02-09 11:57:34 -05:00
parent ee80920ffd
commit 4205e3dedc
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8
11 changed files with 30 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl
View File

@ -57,6 +57,7 @@ type JWTTokenClaims struct {
// signature, existence of claims, etc.) and extract the username and groups from the token. // signature, existence of claims, etc.) and extract the username and groups from the token.
// //
// +genclient // +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`

1
apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
View File

@ -29,6 +29,7 @@ type WebhookAuthenticatorSpec struct {
// WebhookAuthenticator describes the configuration of a webhook authenticator. // WebhookAuthenticator describes the configuration of a webhook authenticator.
// +genclient // +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint` // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`

1
apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
View File

@ -67,6 +67,7 @@ type CredentialIssuerStrategy struct {
// Describes the configuration status of a Pinniped credential issuer. // Describes the configuration status of a Pinniped credential issuer.
// +genclient // +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped // +kubebuilder:resource:categories=pinniped
type CredentialIssuer struct { type CredentialIssuer struct {

1
apis/concierge/login/types_token.go.tmpl
View File

@ -27,7 +27,6 @@ type TokenCredentialRequestStatus struct {
} }
// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type TokenCredentialRequest struct { type TokenCredentialRequest struct {
metav1.TypeMeta metav1.TypeMeta

1
apis/concierge/login/v1alpha1/types_token.go.tmpl
View File

@ -30,6 +30,7 @@ type TokenCredentialRequestStatus struct {
// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
// +genclient // +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type TokenCredentialRequest struct { type TokenCredentialRequest struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`

2
deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
View File

@ -18,7 +18,7 @@ spec:
listKind: JWTAuthenticatorList listKind: JWTAuthenticatorList
plural: jwtauthenticators plural: jwtauthenticators
singular: jwtauthenticator singular: jwtauthenticator
scope: Namespaced scope: Cluster
versions: versions:
- additionalPrinterColumns: - additionalPrinterColumns:
- jsonPath: .spec.issuer - jsonPath: .spec.issuer

2
deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
View File

@ -18,7 +18,7 @@ spec:
listKind: WebhookAuthenticatorList listKind: WebhookAuthenticatorList
plural: webhookauthenticators plural: webhookauthenticators
singular: webhookauthenticator singular: webhookauthenticator
scope: Namespaced scope: Cluster
versions: versions:
- additionalPrinterColumns: - additionalPrinterColumns:
- jsonPath: .spec.endpoint - jsonPath: .spec.endpoint

2
deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
View File

@ -16,7 +16,7 @@ spec:
listKind: CredentialIssuerList listKind: CredentialIssuerList
plural: credentialissuers plural: credentialissuers
singular: credentialissuer singular: credentialissuer
scope: Namespaced scope: Cluster
versions: versions:
- name: v1alpha1 - name: v1alpha1
schema: schema:

2
internal/registry/credentialrequest/rest.go
View File

@ -80,7 +80,7 @@ func (r *REST) ConvertToTable(ctx context.Context, obj runtime.Object, tableOpti
} }
func (*REST) NamespaceScoped() bool { func (*REST) NamespaceScoped() bool {
return true return false
} }
func (*REST) Categories() []string { func (*REST) Categories() []string {

2
internal/registry/credentialrequest/rest_test.go
View File

@ -31,7 +31,7 @@ import (
func TestNew(t *testing.T) { func TestNew(t *testing.T) {
r := NewREST(nil, nil, schema.GroupResource{Group: "bears", Resource: "panda"}) r := NewREST(nil, nil, schema.GroupResource{Group: "bears", Resource: "panda"})
require.NotNil(t, r) require.NotNil(t, r)
require.True(t, r.NamespaceScoped()) require.False(t, r.NamespaceScoped())
require.Equal(t, []string{"pinniped"}, r.Categories()) require.Equal(t, []string{"pinniped"}, r.Categories())
require.IsType(t, &loginapi.TokenCredentialRequest{}, r.New()) require.IsType(t, &loginapi.TokenCredentialRequest{}, r.New())
require.IsType(t, &loginapi.TokenCredentialRequestList{}, r.NewList()) require.IsType(t, &loginapi.TokenCredentialRequestList{}, r.NewList())

25
test/integration/kube_api_discovery_test.go
View File

@ -73,7 +73,7 @@ func TestGetAPIResourceList(t *testing.T) {
Name: "tokencredentialrequests", Name: "tokencredentialrequests",
Kind: "TokenCredentialRequest", Kind: "TokenCredentialRequest",
Verbs: []string{"create", "list"}, Verbs: []string{"create", "list"},
Namespaced: true, Namespaced: false,
Categories: []string{"pinniped"}, Categories: []string{"pinniped"},
}, },
}, },
@ -158,7 +158,7 @@ func TestGetAPIResourceList(t *testing.T) {
{ {
Name: "credentialissuers", Name: "credentialissuers",
SingularName: "credentialissuer", SingularName: "credentialissuer",
Namespaced: true, Namespaced: false,
Kind: "CredentialIssuer", Kind: "CredentialIssuer",
Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
Categories: []string{"pinniped"}, Categories: []string{"pinniped"},
@ -185,7 +185,7 @@ func TestGetAPIResourceList(t *testing.T) {
{ {
Name: "webhookauthenticators", Name: "webhookauthenticators",
SingularName: "webhookauthenticator", SingularName: "webhookauthenticator",
Namespaced: true, Namespaced: false,
Kind: "WebhookAuthenticator", Kind: "WebhookAuthenticator",
Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
Categories: []string{"pinniped", "pinniped-authenticator", "pinniped-authenticators"}, Categories: []string{"pinniped", "pinniped-authenticator", "pinniped-authenticators"},
@ -193,7 +193,7 @@ func TestGetAPIResourceList(t *testing.T) {
{ {
Name: "jwtauthenticators", Name: "jwtauthenticators",
SingularName: "jwtauthenticator", SingularName: "jwtauthenticator",
Namespaced: true, Namespaced: false,
Kind: "JWTAuthenticator", Kind: "JWTAuthenticator",
Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
Categories: []string{"pinniped", "pinniped-authenticator", "pinniped-authenticators"}, Categories: []string{"pinniped", "pinniped-authenticator", "pinniped-authenticators"},
@ -236,6 +236,23 @@ func TestGetAPIResourceList(t *testing.T) {
} }
}) })
t.Run("every concierge API is cluster scoped", func(t *testing.T) {
t.Parallel()
for _, r := range resources {
if !strings.Contains(r.GroupVersion, env.APIGroupSuffix) {
continue
}
if !strings.Contains(r.GroupVersion, ".concierge.") {
continue
}
for _, a := range r.APIResources {
assert.False(t, a.Namespaced, "concierge APIs must be cluster scoped: %#v", a)
}
}
})
t.Run("Pinniped resources do not have short names", func(t *testing.T) { t.Run("Pinniped resources do not have short names", func(t *testing.T) {
t.Parallel() t.Parallel()
for _, r := range resources { for _, r := range resources {