diff --git a/cmd/pinniped-supervisor/main.go b/cmd/pinniped-supervisor/main.go
index a351cdba..14d98096 100644
--- a/cmd/pinniped-supervisor/main.go
+++ b/cmd/pinniped-supervisor/main.go
@@ -92,7 +92,7 @@ func startControllers(
 	kubeInformers kubeinformers.SharedInformerFactory,
 	pinnipedInformers pinnipedinformers.SharedInformerFactory,
 ) {
-	opInformer := pinnipedInformers.Config().V1alpha1().FederationDomains()
+	federationDomainInformer := pinnipedInformers.Config().V1alpha1().FederationDomains()
 	secretInformer := kubeInformers.Core().V1().Secrets()
 
 	// Create controller manager.
@@ -112,7 +112,7 @@ func startControllers(
 				issuerManager,
 				clock.RealClock{},
 				pinnipedClient,
-				opInformer,
+				federationDomainInformer,
 				controllerlib.WithInformer,
 			),
 			singletonWorker,
@@ -123,7 +123,7 @@ func startControllers(
 				kubeClient,
 				pinnipedClient,
 				secretInformer,
-				opInformer,
+				federationDomainInformer,
 				controllerlib.WithInformer,
 			),
 			singletonWorker,
@@ -132,7 +132,7 @@ func startControllers(
 			supervisorconfig.NewJWKSObserverController(
 				dynamicJWKSProvider,
 				secretInformer,
-				opInformer,
+				federationDomainInformer,
 				controllerlib.WithInformer,
 			),
 			singletonWorker,
@@ -142,7 +142,7 @@ func startControllers(
 				dynamicTLSCertProvider,
 				cfg.NamesConfig.DefaultTLSCertificateSecret,
 				secretInformer,
-				opInformer,
+				federationDomainInformer,
 				controllerlib.WithInformer,
 			),
 			singletonWorker,
@@ -180,7 +180,7 @@ func startControllers(
 				kubeClient,
 				pinnipedClient,
 				secretInformer,
-				opInformer,
+				federationDomainInformer,
 				controllerlib.WithInformer,
 			),
 			singletonWorker,
@@ -203,7 +203,7 @@ func startControllers(
 				kubeClient,
 				pinnipedClient,
 				secretInformer,
-				opInformer,
+				federationDomainInformer,
 				controllerlib.WithInformer,
 			),
 			singletonWorker,
@@ -226,7 +226,7 @@ func startControllers(
 				kubeClient,
 				pinnipedClient,
 				secretInformer,
-				opInformer,
+				federationDomainInformer,
 				controllerlib.WithInformer,
 			),
 			singletonWorker,
@@ -236,7 +236,7 @@ func startControllers(
 				dynamicUpstreamIDPProvider,
 				pinnipedClient,
 				pinnipedInformers.IDP().V1alpha1().OIDCIdentityProviders(),
-				kubeInformers.Core().V1().Secrets(),
+				secretInformer,
 				klogr.New()),
 			singletonWorker)
 
diff --git a/internal/controller/supervisorconfig/generator/generator.go b/internal/controller/supervisorconfig/generator/generator.go
index df4b73c5..d37ec235 100644
--- a/internal/controller/supervisorconfig/generator/generator.go
+++ b/internal/controller/supervisorconfig/generator/generator.go
@@ -15,7 +15,7 @@ import (
 )
 
 const (
-	opKind = "FederationDomain"
+	federationDomainKind = "FederationDomain"
 )
 
 func generateSymmetricKey() ([]byte, error) {
@@ -100,5 +100,5 @@ func isFederationDomainControllee(obj metav1.Object) bool {
 	controller := metav1.GetControllerOf(obj)
 	return controller != nil &&
 		controller.APIVersion == configv1alpha1.SchemeGroupVersion.String() &&
-		controller.Kind == opKind
+		controller.Kind == federationDomainKind
 }
diff --git a/internal/controller/supervisorconfig/generator/secret_helper.go b/internal/controller/supervisorconfig/generator/secret_helper.go
index c5952e2e..c0e66fb7 100644
--- a/internal/controller/supervisorconfig/generator/secret_helper.go
+++ b/internal/controller/supervisorconfig/generator/secret_helper.go
@@ -126,26 +126,26 @@ func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.FederationDomain,
 
 // ObserveActiveSecretAndUpdateParentFederationDomain implements SecretHelper.ObserveActiveSecretAndUpdateParentFederationDomain().
 func (s *symmetricSecretHelper) ObserveActiveSecretAndUpdateParentFederationDomain(
-	op *configv1alpha1.FederationDomain,
+	federationDomain *configv1alpha1.FederationDomain,
 	secret *corev1.Secret,
 ) *configv1alpha1.FederationDomain {
 	var cacheKey string
-	if op != nil {
-		cacheKey = op.Spec.Issuer
+	if federationDomain != nil {
+		cacheKey = federationDomain.Spec.Issuer
 	}
 	s.updateCacheFunc(cacheKey, secret.Data[symmetricSecretDataKey])
 
 	switch s.secretUsage {
 	case SecretUsageTokenSigningKey:
-		op.Status.Secrets.TokenSigningKey.Name = secret.Name
+		federationDomain.Status.Secrets.TokenSigningKey.Name = secret.Name
 	case SecretUsageStateSigningKey:
-		op.Status.Secrets.StateSigningKey.Name = secret.Name
+		federationDomain.Status.Secrets.StateSigningKey.Name = secret.Name
 	case SecretUsageStateEncryptionKey:
-		op.Status.Secrets.StateEncryptionKey.Name = secret.Name
+		federationDomain.Status.Secrets.StateEncryptionKey.Name = secret.Name
 	default:
 		plog.Warning("unknown secret usage enum value: %d", s.secretUsage)
 	}
 
-	return op
+	return federationDomain
 }
diff --git a/internal/controller/supervisorconfig/generator/secret_helper_test.go b/internal/controller/supervisorconfig/generator/secret_helper_test.go
index 50ff7d33..f25a515b 100644
--- a/internal/controller/supervisorconfig/generator/secret_helper_test.go
+++ b/internal/controller/supervisorconfig/generator/secret_helper_test.go
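Review bot: In ObserveActiveSecretAndUpdateParentFederationDomain the nil guard `if federationDomain != nil` that protects the cacheKey computation is contradicted a few lines later, where every `case` of the `switch` dereferences `federationDomain.Status.Secrets...` unconditionally, so a nil argument the guard appears to tolerate still panics inside the controller's sync. This predates the rename, but the rename is the moment to settle the contract: either the guard is dead and the doc comment should state that `federationDomain` (and `secret`, which is dereferenced without any check) must be non-nil, or the function should bail out before the switch. If callers can tolerate a nil result, the three-line fix is to add `if federationDomain == nil { return nil }` directly after the `s.updateCacheFunc(cacheKey, secret.Data[symmetricSecretDataKey])` call. Whichever way it goes, the existing table test in secret_helper_test.go covers only non-nil parents, so a nil-parent case would pin the chosen behavior.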
@@ -28,22 +28,22 @@ func TestSymmetricSecretHelper(t *testing.T) {
 		{
 			name:        "token signing key",
 			secretUsage: SecretUsageTokenSigningKey,
-			wantSetFederationDomainField: func(op *configv1alpha1.FederationDomain) string {
-				return op.Status.Secrets.TokenSigningKey.Name
+			wantSetFederationDomainField: func(federationDomain *configv1alpha1.FederationDomain) string {
+				return federationDomain.Status.Secrets.TokenSigningKey.Name
 			},
 		},
 		{
 			name:        "state signing key",
 			secretUsage: SecretUsageStateSigningKey,
-			wantSetFederationDomainField: func(op *configv1alpha1.FederationDomain) string {
-				return op.Status.Secrets.StateSigningKey.Name
+			wantSetFederationDomainField: func(federationDomain *configv1alpha1.FederationDomain) string {
+				return federationDomain.Status.Secrets.StateSigningKey.Name
 			},
 		},
 		{
 			name:        "state encryption key",
 			secretUsage: SecretUsageStateEncryptionKey,
-			wantSetFederationDomainField: func(op *configv1alpha1.FederationDomain) string {
-				return op.Status.Secrets.StateEncryptionKey.Name
+			wantSetFederationDomainField: func(federationDomain *configv1alpha1.FederationDomain) string {
+				return federationDomain.Status.Secrets.StateEncryptionKey.Name
 			},
 		},
 	}
@@ -145,8 +145,8 @@ func TestSymmetricSecretHelperIsValid(t *testing.T) {
 		},
 		{
 			name: "child not owned by parent",
-			parent: func(op *configv1alpha1.FederationDomain) {
-				op.UID = "wrong"
+			parent: func(federationDomain *configv1alpha1.FederationDomain) {
+				federationDomain.UID = "wrong"
 			},
 			want: false,
 		},
diff --git a/internal/controller/supervisorconfig/upstreamwatcher/upstreamwatcher.go b/internal/controller/supervisorconfig/upstreamwatcher/upstreamwatcher.go
index 69252317..19b79fb4 100644
--- a/internal/controller/supervisorconfig/upstreamwatcher/upstreamwatcher.go
+++ b/internal/controller/supervisorconfig/upstreamwatcher/upstreamwatcher.go
@@ -97,12 +97,12 @@ func (c *lruValidatorCache) cacheKey(spec *v1alpha1.OIDCIdentityProviderSpec) in
 }
 
 type controller struct {
-	cache          IDPCache
-	log            logr.Logger
-	client         pinnipedclientset.Interface
-	providers      idpinformers.OIDCIdentityProviderInformer
-	secrets        corev1informers.SecretInformer
-	validatorCache interface {
+	cache                        IDPCache
+	log                          logr.Logger
+	client                       pinnipedclientset.Interface
+	oidcIdentityProviderInformer idpinformers.OIDCIdentityProviderInformer
+	secretInformer               corev1informers.SecretInformer
+	validatorCache               interface {
 		getProvider(*v1alpha1.OIDCIdentityProviderSpec) (*oidc.Provider, *http.Client)
 		putProvider(*v1alpha1.OIDCIdentityProviderSpec, *oidc.Provider, *http.Client)
 	}
@@ -112,29 +112,29 @@ type controller struct {
 func New(
 	idpCache IDPCache,
 	client pinnipedclientset.Interface,
-	providers idpinformers.OIDCIdentityProviderInformer,
-	secrets corev1informers.SecretInformer,
+	oidcIdentityProviderInformer idpinformers.OIDCIdentityProviderInformer,
+	secretInformer corev1informers.SecretInformer,
 	log logr.Logger,
 ) controllerlib.Controller {
 	c := controller{
-		cache:          idpCache,
-		log:            log.WithName(controllerName),
-		client:         client,
-		providers:      providers,
-		secrets:        secrets,
-		validatorCache: &lruValidatorCache{cache: cache.NewExpiring()},
+		cache:                        idpCache,
+		log:                          log.WithName(controllerName),
+		client:                       client,
+		oidcIdentityProviderInformer: oidcIdentityProviderInformer,
+		secretInformer:               secretInformer,
+		validatorCache:               &lruValidatorCache{cache: cache.NewExpiring()},
 	}
 	filter := pinnipedcontroller.MatchAnythingFilter(pinnipedcontroller.SingletonQueue())
 	return controllerlib.New(
 		controllerlib.Config{Name: controllerName, Syncer: &c},
-		controllerlib.WithInformer(providers, filter, controllerlib.InformerOption{}),
-		controllerlib.WithInformer(secrets, filter, controllerlib.InformerOption{}),
+		controllerlib.WithInformer(oidcIdentityProviderInformer, filter, controllerlib.InformerOption{}),
+		controllerlib.WithInformer(secretInformer, filter, controllerlib.InformerOption{}),
 	)
 }
 
 // Sync implements controllerlib.Syncer.
 func (c *controller) Sync(ctx controllerlib.Context) error {
-	actualUpstreams, err := c.providers.Lister().List(labels.Everything())
+	actualUpstreams, err := c.oidcIdentityProviderInformer.Lister().List(labels.Everything())
 	if err != nil {
 		return fmt.Errorf("failed to list OIDCIdentityProviders: %w", err)
 	}
@@ -196,7 +196,7 @@ func (c *controller) validateSecret(upstream *v1alpha1.OIDCIdentityProvider, res
 	secretName := upstream.Spec.Client.SecretName
 
 	// Fetch the Secret from informer cache.
-	secret, err := c.secrets.Lister().Secrets(upstream.Namespace).Get(secretName)
+	secret, err := c.secretInformer.Lister().Secrets(upstream.Namespace).Get(secretName)
 	if err != nil {
 		return &v1alpha1.Condition{
 			Type: typeClientCredsValid,
diff --git a/test/integration/supervisor_secrets_test.go b/test/integration/supervisor_secrets_test.go
index 1c8f4ffb..a0387ec0 100644
--- a/test/integration/supervisor_secrets_test.go
+++ b/test/integration/supervisor_secrets_test.go
@@ -27,46 +27,46 @@ func TestSupervisorSecrets(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 	defer cancel()
 
-	// Create our OP under test.
-	op := library.CreateTestFederationDomain(ctx, t, "", "", "")
+	// Create our FederationDomain under test.
+	federationDomain := library.CreateTestFederationDomain(ctx, t, "", "", "")
 
 	tests := []struct {
 		name        string
-		secretName  func(op *configv1alpha1.FederationDomain) string
+		secretName  func(federationDomain *configv1alpha1.FederationDomain) string
 		ensureValid func(t *testing.T, secret *corev1.Secret)
 	}{
 		{
 			name: "csrf cookie signing key",
-			secretName: func(op *configv1alpha1.FederationDomain) string {
+			secretName: func(federationDomain *configv1alpha1.FederationDomain) string {
 				return env.SupervisorAppName + "-key"
 			},
 			ensureValid: ensureValidSymmetricKey,
 		},
 		{
 			name: "jwks",
-			secretName: func(op *configv1alpha1.FederationDomain) string {
-				return op.Status.Secrets.JWKS.Name
+			secretName: func(federationDomain *configv1alpha1.FederationDomain) string {
+				return federationDomain.Status.Secrets.JWKS.Name
 			},
 			ensureValid: ensureValidJWKS,
 		},
 		{
 			name: "hmac signing secret",
-			secretName: func(op *configv1alpha1.FederationDomain) string {
-				return op.Status.Secrets.TokenSigningKey.Name
+			secretName: func(federationDomain *configv1alpha1.FederationDomain) string {
+				return federationDomain.Status.Secrets.TokenSigningKey.Name
 			},
 			ensureValid: ensureValidSymmetricKey,
 		},
 		{
 			name: "state signature secret",
-			secretName: func(op *configv1alpha1.FederationDomain) string {
-				return op.Status.Secrets.StateSigningKey.Name
+			secretName: func(federationDomain *configv1alpha1.FederationDomain) string {
+				return federationDomain.Status.Secrets.StateSigningKey.Name
 			},
 			ensureValid: ensureValidSymmetricKey,
 		},
 		{
 			name: "state encryption secret",
-			secretName: func(op *configv1alpha1.FederationDomain) string {
-				return op.Status.Secrets.StateEncryptionKey.Name
+			secretName: func(federationDomain *configv1alpha1.FederationDomain) string {
+				return federationDomain.Status.Secrets.StateEncryptionKey.Name
 			},
 			ensureValid: ensureValidSymmetricKey,
 		},
@@ -74,24 +74,24 @@ func TestSupervisorSecrets(t *testing.T) {
 	for _, test := range tests {
 		test := test
 		t.Run(test.name, func(t *testing.T) {
-			// Ensure a secret is created with the OP's JWKS.
-			var updatedOP *configv1alpha1.FederationDomain
+			// Ensure a secret is created with the FederationDomain's JWKS.
+			var updatedFederationDomain *configv1alpha1.FederationDomain
 			var err error
 			assert.Eventually(t, func() bool {
-				updatedOP, err = supervisorClient.
+				updatedFederationDomain, err = supervisorClient.
 					ConfigV1alpha1().
 					FederationDomains(env.SupervisorNamespace).
-					Get(ctx, op.Name, metav1.GetOptions{})
-				return err == nil && test.secretName(updatedOP) != ""
+					Get(ctx, federationDomain.Name, metav1.GetOptions{})
+				return err == nil && test.secretName(updatedFederationDomain) != ""
 			}, time.Second*10, time.Millisecond*500)
 			require.NoError(t, err)
-			require.NotEmpty(t, test.secretName(updatedOP))
+			require.NotEmpty(t, test.secretName(updatedFederationDomain))
 
 			// Ensure the secret actually exists.
 			secret, err := kubeClient.
 				CoreV1().
 				Secrets(env.SupervisorNamespace).
-				Get(ctx, test.secretName(updatedOP), metav1.GetOptions{})
+				Get(ctx, test.secretName(updatedFederationDomain), metav1.GetOptions{})
 			require.NoError(t, err)
 
 			// Ensure that the secret was labelled.
@@ -107,13 +107,13 @@ func TestSupervisorSecrets(t *testing.T) {
 			err = kubeClient.
 				CoreV1().
 				Secrets(env.SupervisorNamespace).
-				Delete(ctx, test.secretName(updatedOP), metav1.DeleteOptions{})
+				Delete(ctx, test.secretName(updatedFederationDomain), metav1.DeleteOptions{})
 			require.NoError(t, err)
 			assert.Eventually(t, func() bool {
 				secret, err = kubeClient.
 					CoreV1().
 					Secrets(env.SupervisorNamespace).
-					Get(ctx, test.secretName(updatedOP), metav1.GetOptions{})
+					Get(ctx, test.secretName(updatedFederationDomain), metav1.GetOptions{})
 				return err == nil
 			}, time.Second*10, time.Millisecond*500)
 			require.NoError(t, err)
@@ -123,7 +123,7 @@ func TestSupervisorSecrets(t *testing.T) {
 		})
 	}
 
-	// Upon deleting the OP, the secret is deleted (we test this behavior in our uninstall tests).
+	// Upon deleting the FederationDomain, the secret is deleted (we test this behavior in our uninstall tests).
 }
 
 func ensureValidJWKS(t *testing.T, secret *corev1.Secret) {