Make concierge APIs cluster scoped

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 11:57:34 -05:00 · 2021-02-09 11:57:34 -05:00 · 4205e3dedc
commit 4205e3dedc
parent ee80920ffd
11 changed files with 30 additions and 10 deletions
--- a/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl
@ -57,6 +57,7 @@ type JWTTokenClaims struct {
 // signature, existence of claims, etc.) and extract the username and groups from the token.
 //
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
 // +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
--- a/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
@ -29,6 +29,7 @@ type WebhookAuthenticatorSpec struct {

 // WebhookAuthenticator describes the configuration of a webhook authenticator.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
--- a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
+++ b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
@ -67,6 +67,7 @@ type CredentialIssuerStrategy struct {

 // Describes the configuration status of a Pinniped credential issuer.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
 type CredentialIssuer struct {
--- a/apis/concierge/login/types_token.go.tmpl
+++ b/apis/concierge/login/types_token.go.tmpl
@ -27,7 +27,6 @@ type TokenCredentialRequestStatus struct {
 }

 // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
-// +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type TokenCredentialRequest struct {
 	metav1.TypeMeta
--- a/apis/concierge/login/v1alpha1/types_token.go.tmpl
+++ b/apis/concierge/login/v1alpha1/types_token.go.tmpl
@ -30,6 +30,7 @@ type TokenCredentialRequestStatus struct {

 // TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type TokenCredentialRequest struct {
 	metav1.TypeMeta   `json:",inline"`
--- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@ -18,7 +18,7 @@ spec:
    listKind: JWTAuthenticatorList
    plural: jwtauthenticators
    singular: jwtauthenticator
-  scope: Namespaced
+  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.issuer
--- a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@ -18,7 +18,7 @@ spec:
    listKind: WebhookAuthenticatorList
    plural: webhookauthenticators
    singular: webhookauthenticator
-  scope: Namespaced
+  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.endpoint
--- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
@ -16,7 +16,7 @@ spec:
    listKind: CredentialIssuerList
    plural: credentialissuers
    singular: credentialissuer
-  scope: Namespaced
+  scope: Cluster
  versions:
  - name: v1alpha1
    schema:
--- a/internal/registry/credentialrequest/rest.go
+++ b/internal/registry/credentialrequest/rest.go
@ -80,7 +80,7 @@ func (r *REST) ConvertToTable(ctx context.Context, obj runtime.Object, tableOpti
 }

 func (*REST) NamespaceScoped() bool {
-	return true
+	return false
 }

 func (*REST) Categories() []string {
--- a/internal/registry/credentialrequest/rest_test.go
+++ b/internal/registry/credentialrequest/rest_test.go
@ -31,7 +31,7 @@ import (
 func TestNew(t *testing.T) {
 	r := NewREST(nil, nil, schema.GroupResource{Group: "bears", Resource: "panda"})
 	require.NotNil(t, r)
-	require.True(t, r.NamespaceScoped())
+	require.False(t, r.NamespaceScoped())
 	require.Equal(t, []string{"pinniped"}, r.Categories())
 	require.IsType(t, &loginapi.TokenCredentialRequest{}, r.New())
 	require.IsType(t, &loginapi.TokenCredentialRequestList{}, r.NewList())
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@ -73,7 +73,7 @@ func TestGetAPIResourceList(t *testing.T) {
 						Name:       "tokencredentialrequests",
 						Kind:       "TokenCredentialRequest",
 						Verbs:      []string{"create", "list"},
-						Namespaced: true,
+						Namespaced: false,
 						Categories: []string{"pinniped"},
 					},
 				},
@ -158,7 +158,7 @@ func TestGetAPIResourceList(t *testing.T) {
 					{
 						Name:         "credentialissuers",
 						SingularName: "credentialissuer",
-						Namespaced:   true,
+						Namespaced:   false,
 						Kind:         "CredentialIssuer",
 						Verbs:        []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
 						Categories:   []string{"pinniped"},
@ -185,7 +185,7 @@ func TestGetAPIResourceList(t *testing.T) {
 					{
 						Name:         "webhookauthenticators",
 						SingularName: "webhookauthenticator",
-						Namespaced:   true,
+						Namespaced:   false,
 						Kind:         "WebhookAuthenticator",
 						Verbs:        []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
 						Categories:   []string{"pinniped", "pinniped-authenticator", "pinniped-authenticators"},
@ -193,7 +193,7 @@ func TestGetAPIResourceList(t *testing.T) {
 					{
 						Name:         "jwtauthenticators",
 						SingularName: "jwtauthenticator",
-						Namespaced:   true,
+						Namespaced:   false,
 						Kind:         "JWTAuthenticator",
 						Verbs:        []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
 						Categories:   []string{"pinniped", "pinniped-authenticator", "pinniped-authenticators"},
@ -236,6 +236,23 @@ func TestGetAPIResourceList(t *testing.T) {
 		}
 	})

+	t.Run("every concierge API is cluster scoped", func(t *testing.T) {
+		t.Parallel()
+		for _, r := range resources {
+			if !strings.Contains(r.GroupVersion, env.APIGroupSuffix) {
+				continue
+			}
+
+			if !strings.Contains(r.GroupVersion, ".concierge.") {
+				continue
+			}
+
+			for _, a := range r.APIResources {
+				assert.False(t, a.Namespaced, "concierge APIs must be cluster scoped: %#v", a)
+			}
+		}
+	})
+
 	t.Run("Pinniped resources do not have short names", func(t *testing.T) {
 		t.Parallel()
 		for _, r := range resources {