From 89b00e3702b9961e822c897a0f28390ab32cef33 Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Tue, 9 Feb 2021 13:59:32 -0500 Subject: [PATCH] Declare war on namespaces Signed-off-by: Monis Khan --- cmd/pinniped/cmd/cobra_util.go | 6 ++ cmd/pinniped/cmd/kubeconfig.go | 33 ++++---- cmd/pinniped/cmd/kubeconfig_test.go | 39 ++++------ cmd/pinniped/cmd/login_oidc.go | 19 +++-- cmd/pinniped/cmd/login_oidc_test.go | 2 - cmd/pinniped/cmd/login_static.go | 15 ++-- cmd/pinniped/cmd/login_static_test.go | 1 - deploy/concierge/rbac.yaml | 13 ++-- .../jwtcachefiller/jwtcachefiller.go | 2 +- .../jwtcachefiller/jwtcachefiller_test.go | 77 ++++++++----------- .../webhookcachefiller/webhookcachefiller.go | 2 +- .../webhookcachefiller_test.go | 14 ++-- ...eate_or_update_credential_issuer_config.go | 13 ++-- ...or_update_credential_issuer_config_test.go | 33 +++----- .../kube_config_info_publisher.go | 24 +++--- .../kube_config_info_publisher_test.go | 31 +++----- .../kubecertagent/annotater_test.go | 22 ++---- .../controller/kubecertagent/creater_test.go | 40 ++++------ .../controller/kubecertagent/execer_test.go | 35 ++++----- .../controller/kubecertagent/kubecertagent.go | 4 - .../controllermanager/prepare_controllers.go | 27 +++---- internal/kubeclient/kubeclient_test.go | 8 +- pkg/conciergeclient/conciergeclient.go | 18 +---- pkg/conciergeclient/conciergeclient_test.go | 8 +- .../docs/concierge-and-supervisor-demo.md | 3 +- site/content/docs/concierge-only-demo.md | 4 +- test/integration/cli_test.go | 1 - .../concierge_api_serving_certs_test.go | 2 +- test/integration/concierge_client_test.go | 1 - .../concierge_credentialissuerconfig_test.go | 2 +- .../concierge_credentialrequest_test.go | 2 +- test/integration/e2e_test.go | 1 - test/integration/kubeclient_test.go | 4 +- test/library/client.go | 5 +- 34 files changed, 207 insertions(+), 304 deletions(-) diff --git a/cmd/pinniped/cmd/cobra_util.go b/cmd/pinniped/cmd/cobra_util.go index c861dabf..9d5aacd8 100644 
--- a/cmd/pinniped/cmd/cobra_util.go
+++ b/cmd/pinniped/cmd/cobra_util.go
@@ -22,3 +22,9 @@ func mustMarkHidden(cmd *cobra.Command, flags ...string) {
 }
 }
 }
+
+func mustMarkDeprecated(cmd *cobra.Command, flag, usageMessage string) {
+ if err := cmd.Flags().MarkDeprecated(flag, usageMessage); err != nil {
+ panic(err)
+ }
+}
diff --git a/cmd/pinniped/cmd/kubeconfig.go b/cmd/pinniped/cmd/kubeconfig.go
index 1b108c02..1dd43074 100644
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -74,7 +74,6 @@ type getKubeconfigOIDCParams struct {
 type getKubeconfigConciergeParams struct {
 disabled bool
- namespace string
 authenticatorName string
 authenticatorType string
 apiGroupSuffix string
@@ -91,13 +90,14 @@ type getKubeconfigParams struct {
 func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
 var (
- cmd = cobra.Command{
+ cmd = &cobra.Command{
 Args: cobra.NoArgs,
 Use: "kubeconfig",
 Short: "Generate a Pinniped-based kubeconfig for a cluster",
 SilenceUsage: true,
 }
- flags getKubeconfigParams
+ flags getKubeconfigParams
+ namespace string // unused now
 )
 f := cmd.Flags()
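Review bot: The new `namespace string // unused now` local in kubeconfigCommand says what but not why, so a later reader cannot tell whether the flag is kept on purpose or was simply forgotten; the same comment appears on `conciergeNamespace` in oidcLoginCommand (login_oidc.go) and staticLoginCommand (login_static.go). Suggest `// retained only so existing invocations that still pass --concierge-namespace keep parsing; the value is ignored`, and for the two login commands the reason is stronger, since kubeconfigs generated by earlier releases embed `--concierge-namespace=...` in their exec args (visible in the expected-output lines dropped from kubeconfig_test.go). `mustMarkDeprecated` in cobra_util.go also lacks a doc comment; to match its siblings, `// mustMarkDeprecated marks flag on cmd as deprecated with usageMessage, panicking if the flag is not defined.` kubeconfigCommand's body continues past this hunk.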
@@ -105,7 +105,7 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command { f.StringVar(&flags.staticTokenEnvName, "static-token-env", "", "Instead of doing an OIDC-based login, read a static token from the environment") f.BoolVar(&flags.concierge.disabled, "no-concierge", false, "Generate a configuration which does not use the concierge, but sends the credential to the cluster directly") - f.StringVar(&flags.concierge.namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed") + f.StringVar(&namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed") f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)") f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)") f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix") @@ -122,10 +122,13 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command { f.StringVar(&flags.kubeconfigPath, "kubeconfig", os.Getenv("KUBECONFIG"), "Path to kubeconfig file") f.StringVar(&flags.kubeconfigContextOverride, "kubeconfig-context", "", "Kubeconfig context name (default: current active context)") - mustMarkHidden(&cmd, "oidc-debug-session-cache") + mustMarkHidden(cmd, "oidc-debug-session-cache") + + mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore") + mustMarkHidden(cmd, "concierge-namespace") cmd.RunE = func(cmd *cobra.Command, args []string) error { return runGetKubeconfig(cmd.OutOrStdout(), deps, flags) } - return &cmd + return cmd } //nolint:funlen 
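Review bot: `mustMarkHidden(cmd, "concierge-namespace")` immediately after `mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")` looks redundant: if the flag set is spf13/pflag's, MarkDeprecated already sets the flag's Hidden field in addition to recording the message, so the second call re-hides an already hidden flag. The same pair is repeated in oidcLoginCommand (login_oidc.go) and staticLoginCommand (login_static.go). If the explicit hide is meant to survive a future pflag change, a one-line comment saying so would stop the next reader from removing it; otherwise drop the `mustMarkHidden` call in all three places. kubeconfigCommand starts before this hunk.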
@@ -170,7 +173,6 @@ func runGetKubeconfig(out io.Writer, deps kubeconfigDeps, flags getKubeconfigPar if !flags.concierge.disabled { authenticator, err := lookupAuthenticator( clientset, - flags.concierge.namespace, flags.concierge.authenticatorType, flags.concierge.authenticatorName, ) @@ -260,7 +262,7 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams, if *oidcCABundle == "" && auth.Spec.TLS != nil && auth.Spec.TLS.CertificateAuthorityData != "" { decoded, err := base64.StdEncoding.DecodeString(auth.Spec.TLS.CertificateAuthorityData) if err != nil { - return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s/%s has invalid spec.tls.certificateAuthorityData: %w", auth.Namespace, auth.Name, err) + return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s has invalid spec.tls.certificateAuthorityData: %w", auth.Name, err) } *oidcCABundle = string(decoded) } @@ -270,7 +272,6 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams, execConfig.Args = append(execConfig.Args, "--enable-concierge", "--concierge-api-group-suffix="+flags.concierge.apiGroupSuffix, - "--concierge-namespace="+flags.concierge.namespace, "--concierge-authenticator-name="+flags.concierge.authenticatorName, "--concierge-authenticator-type="+flags.concierge.authenticatorType, "--concierge-endpoint="+v1Cluster.Server, @@ -306,7 +307,7 @@ func newExecKubeconfig(cluster *clientcmdapi.Cluster, execConfig *clientcmdapi.E } } -func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, authType, authName string) (metav1.Object, error) { +func lookupAuthenticator(clientset conciergeclientset.Interface, authType, authName string) (metav1.Object, error) { ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20) defer cancelFunc() 
@@ -314,9 +315,9 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth if authName != "" && authType != "" { switch strings.ToLower(authType) { case "webhook": - return clientset.AuthenticationV1alpha1().WebhookAuthenticators(namespace).Get(ctx, authName, metav1.GetOptions{}) + return clientset.AuthenticationV1alpha1().WebhookAuthenticators().Get(ctx, authName, metav1.GetOptions{}) case "jwt": - return clientset.AuthenticationV1alpha1().JWTAuthenticators(namespace).Get(ctx, authName, metav1.GetOptions{}) + return clientset.AuthenticationV1alpha1().JWTAuthenticators().Get(ctx, authName, metav1.GetOptions{}) default: return nil, fmt.Errorf(`invalid authenticator type %q, supported values are "webhook" and "jwt"`, authType) } @@ -324,11 +325,11 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth // Otherwise list all the available authenticators and hope there's just a single one. - jwtAuths, err := clientset.AuthenticationV1alpha1().JWTAuthenticators(namespace).List(ctx, metav1.ListOptions{}) + jwtAuths, err := clientset.AuthenticationV1alpha1().JWTAuthenticators().List(ctx, metav1.ListOptions{}) if err != nil { return nil, fmt.Errorf("failed to list JWTAuthenticator objects for autodiscovery: %w", err) } - webhooks, err := clientset.AuthenticationV1alpha1().WebhookAuthenticators(namespace).List(ctx, metav1.ListOptions{}) + webhooks, err := clientset.AuthenticationV1alpha1().WebhookAuthenticators().List(ctx, metav1.ListOptions{}) if err != nil { return nil, fmt.Errorf("failed to list WebhookAuthenticator objects for autodiscovery: %w", err) } 
@@ -341,10 +342,10 @@ func lookupAuthenticator(clientset conciergeclientset.Interface, namespace, auth results = append(results, &webhooks.Items[i]) } if len(results) == 0 { - return nil, fmt.Errorf("no authenticators were found in namespace %q (try setting --concierge-namespace)", namespace) + return nil, fmt.Errorf("no authenticators were found") } if len(results) > 1 { - return nil, fmt.Errorf("multiple authenticators were found in namespace %q, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified", namespace) + return nil, fmt.Errorf("multiple authenticators were found, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified") } return results[0], nil } diff --git a/cmd/pinniped/cmd/kubeconfig_test.go b/cmd/pinniped/cmd/kubeconfig_test.go index a1ac8c84..6bb4c519 100644 --- a/cmd/pinniped/cmd/kubeconfig_test.go +++ b/cmd/pinniped/cmd/kubeconfig_test.go @@ -61,7 +61,6 @@ func TestGetKubeconfig(t *testing.T) { --concierge-api-group-suffix string Concierge API group suffix (default "pinniped.dev") --concierge-authenticator-name string Concierge authenticator name (default: autodiscover) --concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover) - --concierge-namespace string Namespace in which the concierge was installed (default "pinniped-concierge") -h, --help help for kubeconfig --kubeconfig string Path to kubeconfig file --kubeconfig-context string Kubeconfig context name (default: current active context) 
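Review bot: Both returns rewritten in this hunk, `fmt.Errorf("no authenticators were found")` and the "multiple authenticators were found, …" line, now carry no format verbs, so `errors.New` is the idiomatic form, e.g. `return nil, errors.New("no authenticators were found")`, provided `errors` is imported in kubeconfig.go (not visible here). The removed `(try setting --concierge-namespace)` hint has no replacement, which is acceptable: with the list calls now cluster-wide, reaching this branch means the lists genuinely returned nothing, and a forbidden list already surfaces through the "failed to list … for autodiscovery" wraps earlier in the function. lookupAuthenticator begins before this hunk.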
@@ -210,34 +209,32 @@ func TestGetKubeconfig(t *testing.T) { }, wantError: true, wantStderr: here.Doc(` - Error: no authenticators were found in namespace "pinniped-concierge" (try setting --concierge-namespace) + Error: no authenticators were found `), }, { name: "fail to autodetect authenticator, multiple found", args: []string{ "--kubeconfig", "./testdata/kubeconfig.yaml", - "--concierge-namespace", "test-namespace", }, conciergeObjects: []runtime.Object{ - &conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1", Namespace: "test-namespace"}}, - &conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2", Namespace: "test-namespace"}}, - &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3", Namespace: "test-namespace"}}, - &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4", Namespace: "test-namespace"}}, + &conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1"}}, + &conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2"}}, + &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3"}}, + &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4"}}, }, wantError: true, wantStderr: here.Doc(` - Error: multiple authenticators were found in namespace "test-namespace", so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified + Error: multiple authenticators were found, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified `), }, { name: "autodetect webhook authenticator, missing --oidc-issuer", args: []string{ "--kubeconfig", "./testdata/kubeconfig.yaml", - "--concierge-namespace", "test-namespace", }, conciergeObjects: []runtime.Object{ - 
&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}}, + &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}}, }, wantError: true, wantStderr: here.Doc(` @@ -248,11 +245,10 @@ func TestGetKubeconfig(t *testing.T) { name: "autodetect JWT authenticator, invalid TLS bundle", args: []string{ "--kubeconfig", "./testdata/kubeconfig.yaml", - "--concierge-namespace", "test-namespace", }, conciergeObjects: []runtime.Object{ &conciergev1alpha1.JWTAuthenticator{ - ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}, + ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}, Spec: conciergev1alpha1.JWTAuthenticatorSpec{ TLS: &conciergev1alpha1.TLSSpec{ CertificateAuthorityData: "invalid-base64", @@ -262,19 +258,18 @@ func TestGetKubeconfig(t *testing.T) { }, wantError: true, wantStderr: here.Doc(` - Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-namespace/test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7 + Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7 `), }, { name: "invalid static token flags", args: []string{ "--kubeconfig", "./testdata/kubeconfig.yaml", - "--concierge-namespace", "test-namespace", "--static-token", "test-token", "--static-token-env", "TEST_TOKEN", }, conciergeObjects: []runtime.Object{ - &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}}, + &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}}, }, wantError: true, wantStderr: here.Doc(` 
@@ -295,11 +290,10 @@ func TestGetKubeconfig(t *testing.T) { name: "valid static token", args: []string{ "--kubeconfig", "./testdata/kubeconfig.yaml", - "--concierge-namespace", "test-namespace", "--static-token", "test-token", }, conciergeObjects: []runtime.Object{ - &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}}, + &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}}, }, wantStdout: here.Doc(` apiVersion: v1 @@ -326,7 +320,6 @@ func TestGetKubeconfig(t *testing.T) { - static - --enable-concierge - --concierge-api-group-suffix=pinniped.dev - - --concierge-namespace=test-namespace - --concierge-authenticator-name=test-authenticator - --concierge-authenticator-type=webhook - --concierge-endpoint=https://fake-server-url-value @@ -341,11 +334,10 @@ func TestGetKubeconfig(t *testing.T) { name: "valid static token from env var", args: []string{ "--kubeconfig", "./testdata/kubeconfig.yaml", - "--concierge-namespace", "test-namespace", "--static-token-env", "TEST_TOKEN", }, conciergeObjects: []runtime.Object{ - &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}}, + &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}}, }, wantStdout: here.Doc(` apiVersion: v1 @@ -372,7 +364,6 @@ func TestGetKubeconfig(t *testing.T) { - static - --enable-concierge - --concierge-api-group-suffix=pinniped.dev - - --concierge-namespace=test-namespace - --concierge-authenticator-name=test-authenticator - --concierge-authenticator-type=webhook - --concierge-endpoint=https://fake-server-url-value 
@@ -390,7 +381,7 @@ func TestGetKubeconfig(t *testing.T) { }, conciergeObjects: []runtime.Object{ &conciergev1alpha1.JWTAuthenticator{ - ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "pinniped-concierge"}, + ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}, Spec: conciergev1alpha1.JWTAuthenticatorSpec{ Issuer: "https://example.com/issuer", Audience: "test-audience", @@ -425,7 +416,6 @@ func TestGetKubeconfig(t *testing.T) { - oidc - --enable-concierge - --concierge-api-group-suffix=pinniped.dev - - --concierge-namespace=pinniped-concierge - --concierge-authenticator-name=test-authenticator - --concierge-authenticator-type=jwt - --concierge-endpoint=https://fake-server-url-value @@ -457,7 +447,7 @@ func TestGetKubeconfig(t *testing.T) { }, conciergeObjects: []runtime.Object{ &conciergev1alpha1.WebhookAuthenticator{ - ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "pinniped-concierge"}, + ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}, }, }, wantStdout: here.Docf(` @@ -485,7 +475,6 @@ func TestGetKubeconfig(t *testing.T) { - oidc - --enable-concierge - --concierge-api-group-suffix=tuna.io - - --concierge-namespace=pinniped-concierge - --concierge-authenticator-name=test-authenticator - --concierge-authenticator-type=webhook - --concierge-endpoint=https://fake-server-url-value diff --git a/cmd/pinniped/cmd/login_oidc.go b/cmd/pinniped/cmd/login_oidc.go index 7b5f53f3..07cb3560 100644 --- a/cmd/pinniped/cmd/login_oidc.go +++ b/cmd/pinniped/cmd/login_oidc.go @@ -59,7 +59,6 @@ type oidcLoginFlags struct { debugSessionCache bool requestAudience string conciergeEnabled bool - conciergeNamespace string conciergeAuthenticatorType string conciergeAuthenticatorName string conciergeEndpoint string 
@@ -69,13 +68,14 @@ type oidcLoginFlags struct { func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command { var ( - cmd = cobra.Command{ + cmd = &cobra.Command{ Args: cobra.NoArgs, Use: "oidc --issuer ISSUER", Short: "Login using an OpenID Connect provider", SilenceUsage: true, } - flags oidcLoginFlags + flags oidcLoginFlags + conciergeNamespace string // unused now ) cmd.Flags().StringVar(&flags.issuer, "issuer", "", "OpenID Connect issuer URL") cmd.Flags().StringVar(&flags.clientID, "client-id", "pinniped-cli", "OpenID Connect client ID") 
@@ -88,17 +88,21 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command { cmd.Flags().BoolVar(&flags.debugSessionCache, "debug-session-cache", false, "Print debug logs related to the session cache") cmd.Flags().StringVar(&flags.requestAudience, "request-audience", "", "Request a token with an alternate audience using RFC8693 token exchange") cmd.Flags().BoolVar(&flags.conciergeEnabled, "enable-concierge", false, "Exchange the OIDC ID token with the Pinniped concierge during login") - cmd.Flags().StringVar(&flags.conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed") + cmd.Flags().StringVar(&conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed") cmd.Flags().StringVar(&flags.conciergeAuthenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt')") cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name") cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint") cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge") cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix") - mustMarkHidden(&cmd, "debug-session-cache") - mustMarkRequired(&cmd, "issuer") + mustMarkHidden(cmd, "debug-session-cache") + mustMarkRequired(cmd, "issuer") cmd.RunE = func(cmd *cobra.Command, args []string) error { return runOIDCLogin(cmd, deps, flags) } - return &cmd + + mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore") + mustMarkHidden(cmd, "concierge-namespace") + + return cmd } func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLoginFlags) error { 
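Review bot: Deprecating `--concierge-namespace` on the login subcommands, as this hunk does for `oidc` and the matching hunk in login_static.go does for `static`, means the flag library prints a "Flag --concierge-namespace has been deprecated, not needed anymore" line to stderr each time the flag is parsed, and kubectl's exec credential plugin runner typically relays the plugin's stderr to the user's terminal. Kubeconfigs generated by earlier releases embed `--concierge-namespace=...` in their exec args (the expected-output lines removed from kubeconfig_test.go show this), so every kubectl call made with such a kubeconfig will carry that warning until the file is regenerated. If that noise is intended as a nudge to regenerate, say so in a comment beside the `mustMarkDeprecated` call; if not, keep the flag hidden-only for the two login commands and deprecate it on `kubeconfig` alone. The deprecation calls also sit after the `cmd.RunE` assignment here but before it in kubeconfigCommand; harmless, but worth aligning.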
@@ -133,7 +137,6 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin if flags.conciergeEnabled { var err error concierge, err = conciergeclient.New( - conciergeclient.WithNamespace(flags.conciergeNamespace), conciergeclient.WithEndpoint(flags.conciergeEndpoint), conciergeclient.WithBase64CABundle(flags.conciergeCABundle), conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName), diff --git a/cmd/pinniped/cmd/login_oidc_test.go b/cmd/pinniped/cmd/login_oidc_test.go index 822b9f82..9a30de4a 100644 --- a/cmd/pinniped/cmd/login_oidc_test.go +++ b/cmd/pinniped/cmd/login_oidc_test.go @@ -65,7 +65,6 @@ func TestLoginOIDCCommand(t *testing.T) { --concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') --concierge-ca-bundle-data string CA bundle to use when connecting to the concierge --concierge-endpoint string API base for the Pinniped concierge endpoint - --concierge-namespace string Namespace in which the concierge was installed (default "pinniped-concierge") --enable-concierge Exchange the OIDC ID token with the Pinniped concierge during login -h, --help help for oidc --issuer string OpenID Connect issuer URL @@ -186,7 +185,6 @@ func TestLoginOIDCCommand(t *testing.T) { "--ca-bundle-data", base64.StdEncoding.EncodeToString(testCA.Bundle()), "--ca-bundle", testCABundlePath, "--enable-concierge", - "--concierge-namespace", "test-namespace", "--concierge-authenticator-type", "webhook", "--concierge-authenticator-name", "test-authenticator", "--concierge-endpoint", "https://127.0.0.1:1234/", diff --git a/cmd/pinniped/cmd/login_static.go b/cmd/pinniped/cmd/login_static.go index 52fcf095..863afc28 100644 --- a/cmd/pinniped/cmd/login_static.go +++ b/cmd/pinniped/cmd/login_static.go 
@@ -41,7 +41,6 @@ type staticLoginParams struct { staticToken string staticTokenEnvName string conciergeEnabled bool - conciergeNamespace string conciergeAuthenticatorType string conciergeAuthenticatorName string conciergeEndpoint string 
@@ -51,25 +50,30 @@ type staticLoginParams struct { func staticLoginCommand(deps staticLoginDeps) *cobra.Command { var ( - cmd = cobra.Command{ + cmd = &cobra.Command{ Args: cobra.NoArgs, Use: "static [--token TOKEN] [--token-env TOKEN_NAME]", Short: "Login using a static token", SilenceUsage: true, } - flags staticLoginParams + flags staticLoginParams + conciergeNamespace string // unused now ) cmd.Flags().StringVar(&flags.staticToken, "token", "", "Static token to present during login") cmd.Flags().StringVar(&flags.staticTokenEnvName, "token-env", "", "Environment variable containing a static token") cmd.Flags().BoolVar(&flags.conciergeEnabled, "enable-concierge", false, "Exchange the token with the Pinniped concierge during login") - cmd.Flags().StringVar(&flags.conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed") + cmd.Flags().StringVar(&conciergeNamespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed") cmd.Flags().StringVar(&flags.conciergeAuthenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt')") cmd.Flags().StringVar(&flags.conciergeAuthenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name") cmd.Flags().StringVar(&flags.conciergeEndpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint") cmd.Flags().StringVar(&flags.conciergeCABundle, "concierge-ca-bundle-data", "", "CA bundle to use when connecting to the concierge") cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", "pinniped.dev", "Concierge API group suffix") cmd.RunE = func(cmd *cobra.Command, args []string) error { return runStaticLogin(cmd.OutOrStdout(), deps, flags) } - return &cmd + + mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore") + mustMarkHidden(cmd, "concierge-namespace") + + return cmd } func runStaticLogin(out io.Writer, deps 
staticLoginDeps, flags staticLoginParams) error { @@ -81,7 +85,6 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams if flags.conciergeEnabled { var err error concierge, err = conciergeclient.New( - conciergeclient.WithNamespace(flags.conciergeNamespace), conciergeclient.WithEndpoint(flags.conciergeEndpoint), conciergeclient.WithBase64CABundle(flags.conciergeCABundle), conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName), diff --git a/cmd/pinniped/cmd/login_static_test.go b/cmd/pinniped/cmd/login_static_test.go index 5d0114cb..6f9ced9e 100644 --- a/cmd/pinniped/cmd/login_static_test.go +++ b/cmd/pinniped/cmd/login_static_test.go @@ -56,7 +56,6 @@ func TestLoginStaticCommand(t *testing.T) { --concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') --concierge-ca-bundle-data string CA bundle to use when connecting to the concierge --concierge-endpoint string API base for the Pinniped concierge endpoint - --concierge-namespace string Namespace in which the concierge was installed (default "pinniped-concierge") --enable-concierge Exchange the token with the Pinniped concierge during login -h, --help help for static --token string Static token to present during login diff --git a/deploy/concierge/rbac.yaml b/deploy/concierge/rbac.yaml index b9165714..a54c94a2 100644 --- a/deploy/concierge/rbac.yaml +++ b/deploy/concierge/rbac.yaml @@ -31,6 +31,14 @@ rules: resources: [ securitycontextconstraints ] verbs: [ use ] resourceNames: [ nonroot ] + - apiGroups: + - #@ pinnipedDevAPIGroupWithPrefix("config.concierge") + resources: [ credentialissuers ] + verbs: [ get, list, watch, create, update ] + - apiGroups: + - #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge") + resources: [ jwtauthenticators, webhookauthenticators ] + verbs: [ get, list, watch ] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
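Review bot: The new cluster-scoped rules name `credentialissuers`, `jwtauthenticators` and `webhookauthenticators` without any subresource, whereas the namespaced rule they replace (removed in the next hunk) used `resources: [ "*" ]`, which also matched `credentialissuers/status`. If any controller writes CredentialIssuer status through the status subresource (the diff touches kube_config_info_publisher.go and create_or_update_credential_issuer_config.go, not shown in this chunk), it will now be denied; if status is written on the main resource via `update`, the rule as written is sufficient. Either way the tightening is welcome: the wildcard is gone and the authenticator types drop from `create, update` to read-only. Suggest a YAML comment above the two rules, `# CredentialIssuer and the authenticator types are cluster-scoped, so these rules belong in the ClusterRole rather than the namespaced Role.` — assuming this rule set is the ClusterRole bound by the ClusterRoleBinding that follows, which the surrounding context suggests but the hunk does not prove.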
@@ -69,11 +77,6 @@ rules: - apiGroups: [ "" ] resources: [ pods/exec ] verbs: [ create ] - - apiGroups: - - #@ pinnipedDevAPIGroupWithPrefix("config.concierge") - - #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge") - resources: [ "*" ] - verbs: [ create, get, list, update, watch ] - apiGroups: [apps] resources: [replicasets,deployments] verbs: [get] diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go index 71614492..4c54a37a 100644 --- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go +++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go @@ -88,7 +88,7 @@ type controller struct { // Sync implements controllerlib.Syncer. func (c *controller) Sync(ctx controllerlib.Context) error { - obj, err := c.jwtAuthenticators.Lister().JWTAuthenticators(ctx.Key.Namespace).Get(ctx.Key.Name) + obj, err := c.jwtAuthenticators.Lister().Get(ctx.Key.Name) if err != nil && errors.IsNotFound(err) { c.log.Info("Sync() found that the JWTAuthenticator does not exist yet or was deleted") return nil diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go index 17b8073d..cd66fdcb 100644 --- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go +++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go 
@@ -135,43 +135,41 @@ func TestController(t *testing.T) { }{ { name: "not found", - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, wantLogs: []string{ `jwtcachefiller-controller "level"=0 "msg"="Sync() found that the JWTAuthenticator does not exist yet or was deleted"`, }, }, { name: "valid jwt authenticator with CA", - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ &auth1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ - Namespace: "test-namespace", - Name: "test-name", + Name: "test-name", }, Spec: *someJWTAuthenticatorSpec, }, }, wantLogs: []string{ - `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, + `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`, }, wantCacheEntries: 1, runTestsOnResultingAuthenticator: true, }, { name: "valid jwt authenticator with custom username claim", - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ &auth1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ - Namespace: "test-namespace", - Name: "test-name", + Name: "test-name", }, Spec: *someJWTAuthenticatorSpecWithUsernameClaim, }, }, wantLogs: []string{ - `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, + `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`, }, wantCacheEntries: 1, wantUsernameClaim: 
someJWTAuthenticatorSpecWithUsernameClaim.Claims.Username, @@ -179,18 +177,17 @@ func TestController(t *testing.T) { }, { name: "valid jwt authenticator with custom groups claim", - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ &auth1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ - Namespace: "test-namespace", - Name: "test-name", + Name: "test-name", }, Spec: *someJWTAuthenticatorSpecWithGroupsClaim, }, }, wantLogs: []string{ - `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, + `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`, }, wantCacheEntries: 1, wantGroupsClaim: someJWTAuthenticatorSpecWithGroupsClaim.Claims.Groups, 
@@ -201,27 +198,25 @@ func TestController(t *testing.T) { cache: func(t *testing.T, cache *authncache.Cache, wantClose bool) { cache.Store( authncache.Key{ - Name: "test-name", - Namespace: "test-namespace", - Kind: "JWTAuthenticator", - APIGroup: auth1alpha1.SchemeGroupVersion.Group, + Name: "test-name", + Kind: "JWTAuthenticator", + APIGroup: auth1alpha1.SchemeGroupVersion.Group, }, newCacheValue(t, *otherJWTAuthenticatorSpec, wantClose), ) }, wantClose: true, - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ &auth1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ - Namespace: "test-namespace", - Name: "test-name", + Name: "test-name", }, Spec: *someJWTAuthenticatorSpec, }, }, wantLogs: []string{ - `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, + `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`, }, wantCacheEntries: 1, runTestsOnResultingAuthenticator: true, 
@@ -231,27 +226,25 @@ func TestController(t *testing.T) { cache: func(t *testing.T, cache *authncache.Cache, wantClose bool) { cache.Store( authncache.Key{ - Name: "test-name", - Namespace: "test-namespace", - Kind: "JWTAuthenticator", - APIGroup: auth1alpha1.SchemeGroupVersion.Group, + Name: "test-name", + Kind: "JWTAuthenticator", + APIGroup: auth1alpha1.SchemeGroupVersion.Group, }, newCacheValue(t, *someJWTAuthenticatorSpec, wantClose), ) }, wantClose: false, - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ &auth1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ - Namespace: "test-namespace", - Name: "test-name", + Name: "test-name", }, Spec: *someJWTAuthenticatorSpec, }, }, wantLogs: []string{ - `jwtcachefiller-controller "level"=0 "msg"="actual jwt authenticator and desired jwt authenticator are the same" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, + `jwtcachefiller-controller "level"=0 "msg"="actual jwt authenticator and desired jwt authenticator are the same" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`, }, wantCacheEntries: 1, runTestsOnResultingAuthenticator: false, // skip the tests because the authenticator left in the cache is the mock version that was added above 
@@ -261,57 +254,53 @@ func TestController(t *testing.T) { cache: func(t *testing.T, cache *authncache.Cache, wantClose bool) { cache.Store( authncache.Key{ - Name: "test-name", - Namespace: "test-namespace", - Kind: "JWTAuthenticator", - APIGroup: auth1alpha1.SchemeGroupVersion.Group, + Name: "test-name", + Kind: "JWTAuthenticator", + APIGroup: auth1alpha1.SchemeGroupVersion.Group, }, struct{ authenticator.Token }{}, ) }, - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ &auth1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ - Namespace: "test-namespace", - Name: "test-name", + Name: "test-name", }, Spec: *someJWTAuthenticatorSpec, }, }, wantLogs: []string{ `jwtcachefiller-controller "level"=0 "msg"="wrong JWT authenticator type in cache" "actualType"="struct { authenticator.Token }"`, - `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, + `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name"}`, }, wantCacheEntries: 1, runTestsOnResultingAuthenticator: true, }, { name: "valid jwt authenticator without CA", - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ &auth1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ - Namespace: "test-namespace", - Name: "test-name", + Name: "test-name", }, Spec: *missingTLSJWTAuthenticatorSpec, }, }, wantLogs: []string{ - `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`, + `jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + 
`" "jwtAuthenticator"={"name":"test-name"}`, }, wantCacheEntries: 1, runTestsOnResultingAuthenticator: false, // skip the tests because the authenticator left in the cache doesn't have the CA for our test discovery server }, { name: "invalid jwt authenticator CA", - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ &auth1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ - Namespace: "test-namespace", - Name: "test-name", + Name: "test-name", }, Spec: *invalidTLSJWTAuthenticatorSpec, }, diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go index f729a07c..275f6859 100644 --- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go +++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go @@ -54,7 +54,7 @@ type controller struct { // Sync implements controllerlib.Syncer. func (c *controller) Sync(ctx controllerlib.Context) error { - obj, err := c.webhooks.Lister().WebhookAuthenticators(ctx.Key.Namespace).Get(ctx.Key.Name) + obj, err := c.webhooks.Lister().Get(ctx.Key.Name) if err != nil && errors.IsNotFound(err) { c.log.Info("Sync() found that the WebhookAuthenticator does not exist yet or was deleted") return nil diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go index 6b0bec0b..da6fe20f 100644 --- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go +++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go 
@@ -41,19 +41,18 @@ func TestController(t *testing.T) { }{ { name: "not found", - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, wantLogs: []string{ `webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookAuthenticator does not exist yet or was deleted"`, }, }, { name: "invalid webhook", - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, webhooks: []runtime.Object{ &auth1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ - Namespace: "test-namespace", - Name: "test-name", + Name: "test-name", }, Spec: auth1alpha1.WebhookAuthenticatorSpec{ Endpoint: "invalid url", @@ -64,12 +63,11 @@ func TestController(t *testing.T) { }, { name: "valid webhook", - syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + syncKey: controllerlib.Key{Name: "test-name"}, webhooks: []runtime.Object{ &auth1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ - Namespace: "test-namespace", - Name: "test-name", + Name: "test-name", }, Spec: auth1alpha1.WebhookAuthenticatorSpec{ Endpoint: "https://example.com", @@ -78,7 +76,7 @@ func TestController(t *testing.T) { }, }, wantLogs: []string{ - `webhookcachefiller-controller "level"=0 "msg"="added new webhook authenticator" "endpoint"="https://example.com" "webhook"={"name":"test-name","namespace":"test-namespace"}`, + `webhookcachefiller-controller "level"=0 "msg"="added new webhook authenticator" "endpoint"="https://example.com" "webhook"={"name":"test-name"}`, }, wantCacheEntries: 1, }, diff --git a/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go b/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go index ff0c111e..859dc721 100644 --- a/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go 
+++ b/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go @@ -19,7 +19,6 @@ import ( func CreateOrUpdateCredentialIssuer( ctx context.Context, - credentialIssuerNamespace string, credentialIssuerResourceName string, credentialIssuerLabels map[string]string, pinnipedClient pinnipedclientset.Interface, @@ -28,7 +27,7 @@ func CreateOrUpdateCredentialIssuer( err := retry.RetryOnConflict(retry.DefaultRetry, func() error { existingCredentialIssuer, err := pinnipedClient. ConfigV1alpha1(). - CredentialIssuers(credentialIssuerNamespace). + CredentialIssuers(). Get(ctx, credentialIssuerResourceName, metav1.GetOptions{}) notFound := k8serrors.IsNotFound(err) @@ -36,12 +35,12 @@ func CreateOrUpdateCredentialIssuer( return fmt.Errorf("get failed: %w", err) } - credentialIssuersClient := pinnipedClient.ConfigV1alpha1().CredentialIssuers(credentialIssuerNamespace) + credentialIssuersClient := pinnipedClient.ConfigV1alpha1().CredentialIssuers() if notFound { // Create it credentialIssuer := minimalValidCredentialIssuer( - credentialIssuerResourceName, credentialIssuerNamespace, credentialIssuerLabels, + credentialIssuerResourceName, credentialIssuerLabels, ) applyUpdatesToCredentialIssuerFunc(credentialIssuer) @@ -73,15 +72,13 @@ func CreateOrUpdateCredentialIssuer( func minimalValidCredentialIssuer( credentialIssuerName string, - credentialIssuerNamespace string, credentialIssuerLabels map[string]string, ) *configv1alpha1.CredentialIssuer { return &configv1alpha1.CredentialIssuer{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerName, - Namespace: credentialIssuerNamespace, - Labels: credentialIssuerLabels, + Name: credentialIssuerName, + Labels: credentialIssuerLabels, }, Status: configv1alpha1.CredentialIssuerStatus{ Strategies: []configv1alpha1.CredentialIssuerStrategy{}, 
diff --git a/internal/controller/issuerconfig/create_or_update_credential_issuer_config_test.go b/internal/controller/issuerconfig/create_or_update_credential_issuer_config_test.go index 26b9edc0..9745545e 100644 --- a/internal/controller/issuerconfig/create_or_update_credential_issuer_config_test.go +++ b/internal/controller/issuerconfig/create_or_update_credential_issuer_config_test.go @@ -29,7 +29,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { var ctx context.Context var pinnipedAPIClient *pinnipedfake.Clientset var credentialIssuerGVR schema.GroupVersionResource - const installationNamespace = "some-namespace" const credentialIssuerResourceName = "some-resource-name" it.Before(func() { @@ -47,7 +46,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { it("creates a new config which includes only the updates made by the func parameter", func() { err := CreateOrUpdateCredentialIssuer( ctx, - installationNamespace, credentialIssuerResourceName, map[string]string{ "myLabelKey1": "myLabelValue1", @@ -62,16 +60,14 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { ) r.NoError(err) - expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName) + expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName) - expectedCreateAction := coretesting.NewCreateAction( + expectedCreateAction := coretesting.NewRootCreateAction( credentialIssuerGVR, - installationNamespace, &configv1alpha1.CredentialIssuer{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerResourceName, - Namespace: installationNamespace, + Name: credentialIssuerResourceName, Labels: map[string]string{ "myLabelKey1": "myLabelValue1", "myLabelKey2": "myLabelValue2", 
@@ -100,7 +96,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { it("returns an error", func() { err := CreateOrUpdateCredentialIssuer( ctx, - installationNamespace, credentialIssuerResourceName, map[string]string{}, pinnipedAPIClient, @@ -118,8 +113,7 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { existingConfig = &configv1alpha1.CredentialIssuer{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerResourceName, - Namespace: installationNamespace, + Name: credentialIssuerResourceName, Labels: map[string]string{ "myLabelKey1": "myLabelValue1", }, @@ -146,7 +140,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { it("updates the existing config to only apply the updates made by the func parameter", func() { err := CreateOrUpdateCredentialIssuer( ctx, - installationNamespace, credentialIssuerResourceName, map[string]string{ "myLabelKey1": "myLabelValue1", @@ -159,12 +152,12 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { ) r.NoError(err) - expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName) + expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName) // Only the edited field should be changed. expectedUpdatedConfig := existingConfig.DeepCopy() expectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value" - expectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, expectedUpdatedConfig) + expectedUpdateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, expectedUpdatedConfig) r.Equal([]coretesting.Action{expectedGetAction, expectedUpdateAction}, pinnipedAPIClient.Actions()) }) 
@@ -172,7 +165,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { it("avoids the cost of an update if the local updates made by the func parameter did not actually change anything", func() { err := CreateOrUpdateCredentialIssuer( ctx, - installationNamespace, credentialIssuerResourceName, map[string]string{}, pinnipedAPIClient, @@ -187,7 +179,7 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { ) r.NoError(err) - expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName) + expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName) r.Equal([]coretesting.Action{expectedGetAction}, pinnipedAPIClient.Actions()) }) @@ -201,7 +193,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { it("returns an error", func() { err := CreateOrUpdateCredentialIssuer( ctx, - installationNamespace, credentialIssuerResourceName, map[string]string{}, pinnipedAPIClient, @@ -221,7 +212,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { it("returns an error", func() { err := CreateOrUpdateCredentialIssuer( ctx, - installationNamespace, credentialIssuerResourceName, map[string]string{}, pinnipedAPIClient, @@ -246,7 +236,7 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { if !hit { // Before the update fails, also change the object that will be returned by the next Get(), // to make sure that the production code does a fresh Get() after detecting a conflict. - r.NoError(pinnipedAPIClient.Tracker().Update(credentialIssuerGVR, slightlyDifferentExistingConfig, installationNamespace)) + r.NoError(pinnipedAPIClient.Tracker().Update(credentialIssuerGVR, slightlyDifferentExistingConfig, "")) hit = true return true, nil, apierrors.NewConflict(schema.GroupResource{ Group: apiregistrationv1.GroupName, 
@@ -260,7 +250,6 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { it("retries updates on conflict", func() { err := CreateOrUpdateCredentialIssuer( ctx, - installationNamespace, credentialIssuerResourceName, map[string]string{ "myLabelKey1": "myLabelValue1", @@ -273,18 +262,18 @@ func TestCreateOrUpdateCredentialIssuer(t *testing.T) { ) r.NoError(err) - expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, installationNamespace, credentialIssuerResourceName) + expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName) // The first attempted update only includes its own edits. firstExpectedUpdatedConfig := existingConfig.DeepCopy() firstExpectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value" - firstExpectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, firstExpectedUpdatedConfig) + firstExpectedUpdateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, firstExpectedUpdatedConfig) // Both the edits made by this update and the edits made by the conflicting update should be included. secondExpectedUpdatedConfig := existingConfig.DeepCopy() secondExpectedUpdatedConfig.Status.KubeConfigInfo.Server = "some-other-server-value-from-conflicting-update" secondExpectedUpdatedConfig.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value" - secondExpectedUpdateAction := coretesting.NewUpdateAction(credentialIssuerGVR, installationNamespace, secondExpectedUpdatedConfig) + secondExpectedUpdateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, secondExpectedUpdatedConfig) expectedActions := []coretesting.Action{ expectedGetAction, diff --git a/internal/controller/issuerconfig/kube_config_info_publisher.go b/internal/controller/issuerconfig/kube_config_info_publisher.go index b782c08b..09f883b4 100644 --- a/internal/controller/issuerconfig/kube_config_info_publisher.go 
+++ b/internal/controller/issuerconfig/kube_config_info_publisher.go @@ -26,19 +26,17 @@ const ( ) type kubeConigInfoPublisherController struct { - credentialIssuerNamespaceName string - credentialIssuerResourceName string - credentialIssuerLabels map[string]string - serverOverride *string - pinnipedClient pinnipedclientset.Interface - configMapInformer corev1informers.ConfigMapInformer + credentialIssuerResourceName string + credentialIssuerLabels map[string]string + serverOverride *string + pinnipedClient pinnipedclientset.Interface + configMapInformer corev1informers.ConfigMapInformer } // NewKubeConfigInfoPublisherController returns a controller that syncs the // configv1alpha1.CredentialIssuer.Status.KubeConfigInfo field with the cluster-info ConfigMap // in the kube-public namespace. func NewKubeConfigInfoPublisherController( - credentialIssuerNamespaceName string, credentialIssuerResourceName string, credentialIssuerLabels map[string]string, serverOverride *string, @@ -50,12 +48,11 @@ func NewKubeConfigInfoPublisherController( controllerlib.Config{ Name: "publisher-controller", Syncer: &kubeConigInfoPublisherController{ - credentialIssuerResourceName: credentialIssuerResourceName, - credentialIssuerNamespaceName: credentialIssuerNamespaceName, - credentialIssuerLabels: credentialIssuerLabels, - serverOverride: serverOverride, - pinnipedClient: pinnipedClient, - configMapInformer: configMapInformer, + credentialIssuerResourceName: credentialIssuerResourceName, + credentialIssuerLabels: credentialIssuerLabels, + serverOverride: serverOverride, + pinnipedClient: pinnipedClient, + configMapInformer: configMapInformer, }, }, withInformer( @@ -116,7 +113,6 @@ func (c *kubeConigInfoPublisherController) Sync(ctx controllerlib.Context) error return CreateOrUpdateCredentialIssuer( ctx.Context, - c.credentialIssuerNamespaceName, c.credentialIssuerResourceName, c.credentialIssuerLabels, c.pinnipedClient, 
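Review bot: The type name `kubeConigInfoPublisherController` is misspelled ("Conig"), and since this hunk already rewrites most of the struct's field lines and the constructor literal, it is the natural moment to fix it in the three places it appears: `type kubeConfigInfoPublisherController struct {`, `Syncer: &kubeConfigInfoPublisherController{`, and `func (c *kubeConfigInfoPublisherController) Sync(ctx controllerlib.Context) error {`. The doc comment on NewKubeConfigInfoPublisherController could also say that the CredentialIssuer it writes is identified by name only, which is what the dropped namespace parameter and the root (non-namespaced) actions in the test hunk imply. The Sync method's body continues outside the hunk.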
diff --git a/internal/controller/issuerconfig/kube_config_info_publisher_test.go b/internal/controller/issuerconfig/kube_config_info_publisher_test.go index dc1cec1e..fd6a6624 100644 --- a/internal/controller/issuerconfig/kube_config_info_publisher_test.go +++ b/internal/controller/issuerconfig/kube_config_info_publisher_test.go @@ -30,7 +30,6 @@ import ( func TestInformerFilters(t *testing.T) { spec.Run(t, "informer filters", func(t *testing.T, when spec.G, it spec.S) { const credentialIssuerResourceName = "some-resource-name" - const installedInNamespace = "some-namespace" var r *require.Assertions var observableWithInformerOption *testutil.ObservableWithInformerOption @@ -41,7 +40,6 @@ func TestInformerFilters(t *testing.T) { observableWithInformerOption = testutil.NewObservableWithInformerOption() configMapInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().ConfigMaps() _ = NewKubeConfigInfoPublisherController( - installedInNamespace, credentialIssuerResourceName, map[string]string{}, nil, @@ -105,7 +103,6 @@ func TestInformerFilters(t *testing.T) { func TestSync(t *testing.T) { spec.Run(t, "Sync", func(t *testing.T, when spec.G, it spec.S) { const credentialIssuerResourceName = "some-resource-name" - const installedInNamespace = "some-namespace" var r *require.Assertions @@ -118,7 +115,7 @@ func TestSync(t *testing.T) { var timeoutContextCancel context.CancelFunc var syncContext *controllerlib.Context - var expectedCredentialIssuer = func(expectedNamespace, expectedServerURL, expectedCAData string) (schema.GroupVersionResource, *configv1alpha1.CredentialIssuer) { + var expectedCredentialIssuer = func(expectedServerURL, expectedCAData string) (schema.GroupVersionResource, *configv1alpha1.CredentialIssuer) { expectedCredentialIssuerGVR := schema.GroupVersionResource{ Group: configv1alpha1.GroupName, Version: "v1alpha1", 
@@ -126,8 +123,7 @@ func TestSync(t *testing.T) { } expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerResourceName, - Namespace: expectedNamespace, + Name: credentialIssuerResourceName, Labels: map[string]string{ "myLabelKey1": "myLabelValue1", "myLabelKey2": "myLabelValue2", @@ -149,7 +145,6 @@ func TestSync(t *testing.T) { var startInformersAndController = func() { // Set this at the last second to allow for injection of server override. subject = NewKubeConfigInfoPublisherController( - installedInNamespace, credentialIssuerResourceName, map[string]string{ "myLabelKey1": "myLabelValue1", @@ -223,17 +218,15 @@ func TestSync(t *testing.T) { r.NoError(err) expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer( - installedInNamespace, kubeServerURL, caData, ) r.Equal( []coretesting.Action{ - coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name), - coretesting.NewCreateAction( + coretesting.NewRootGetAction(expectedCredentialIssuerGVR, expectedCredentialIssuer.Name), + coretesting.NewRootCreateAction( expectedCredentialIssuerGVR, - installedInNamespace, expectedCredentialIssuer, ), }, @@ -269,7 +262,6 @@ func TestSync(t *testing.T) { r.NoError(err) expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer( - installedInNamespace, kubeServerURL, caData, ) @@ -277,10 +269,9 @@ func TestSync(t *testing.T) { r.Equal( []coretesting.Action{ - coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name), - coretesting.NewCreateAction( + coretesting.NewRootGetAction(expectedCredentialIssuerGVR, expectedCredentialIssuer.Name), + coretesting.NewRootCreateAction( expectedCredentialIssuerGVR, - installedInNamespace, expectedCredentialIssuer, ), }, 
@@ -297,7 +288,6 @@ func TestSync(t *testing.T) { it.Before(func() { credentialIssuerGVR, credentialIssuer = expectedCredentialIssuer( - installedInNamespace, kubeServerURL, caData, ) @@ -312,7 +302,7 @@ func TestSync(t *testing.T) { r.Equal( []coretesting.Action{ - coretesting.NewGetAction(credentialIssuerGVR, installedInNamespace, credentialIssuer.Name), + coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuer.Name), }, pinnipedAPIClient.Actions(), ) @@ -322,7 +312,6 @@ func TestSync(t *testing.T) { when("the CredentialIssuer is stale compared to the data in the ConfigMap", func() { it.Before(func() { _, expectedCredentialIssuer := expectedCredentialIssuer( - installedInNamespace, kubeServerURL, caData, ) @@ -336,15 +325,13 @@ func TestSync(t *testing.T) { r.NoError(err) expectedCredentialIssuerGVR, expectedCredentialIssuer := expectedCredentialIssuer( - installedInNamespace, kubeServerURL, caData, ) expectedActions := []coretesting.Action{ - coretesting.NewGetAction(expectedCredentialIssuerGVR, installedInNamespace, expectedCredentialIssuer.Name), - coretesting.NewUpdateAction( + coretesting.NewRootGetAction(expectedCredentialIssuerGVR, expectedCredentialIssuer.Name), + coretesting.NewRootUpdateAction( expectedCredentialIssuerGVR, - installedInNamespace, expectedCredentialIssuer, ), } diff --git a/internal/controller/kubecertagent/annotater_test.go b/internal/controller/kubecertagent/annotater_test.go index 1674700f..ea3db3e3 100644 --- a/internal/controller/kubecertagent/annotater_test.go +++ b/internal/controller/kubecertagent/annotater_test.go 
@@ -59,7 +59,6 @@ func TestAnnotaterControllerSync(t *testing.T) { const agentPodNamespace = "agent-pod-namespace" const defaultKubeControllerManagerClusterSigningCertFileFlagValue = "/etc/kubernetes/ca/ca.pem" const defaultKubeControllerManagerClusterSigningKeyFileFlagValue = "/etc/kubernetes/ca/ca.key" - const credentialIssuerNamespaceName = "ci-namespace-name" const credentialIssuerResourceName = "ci-resource-name" const ( @@ -102,8 +101,7 @@ func TestAnnotaterControllerSync(t *testing.T) { }, }, &CredentialIssuerLocationConfig{ - Namespace: credentialIssuerNamespaceName, - Name: credentialIssuerResourceName, + Name: credentialIssuerResourceName, }, clock.NewFakeClock(frozenNow), kubeAPIClient, @@ -236,8 +234,7 @@ func TestAnnotaterControllerSync(t *testing.T) { initialCredentialIssuer = &configv1alpha1.CredentialIssuer{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerResourceName, - Namespace: credentialIssuerNamespaceName, + Name: credentialIssuerResourceName, }, Status: configv1alpha1.CredentialIssuerStatus{ Strategies: []configv1alpha1.CredentialIssuerStrategy{}, @@ -264,14 +261,12 @@ func TestAnnotaterControllerSync(t *testing.T) { LastUpdateTime: metav1.NewTime(frozenNow), }, } - expectedGetAction := coretesting.NewGetAction( + expectedGetAction := coretesting.NewRootGetAction( credentialIssuerGVR, - credentialIssuerNamespaceName, credentialIssuerResourceName, ) - expectedUpdateAction := coretesting.NewUpdateAction( + expectedUpdateAction := coretesting.NewRootUpdateAction( credentialIssuerGVR, - credentialIssuerNamespaceName, expectedCredentialIssuer, ) 
@@ -312,8 +307,7 @@ func TestAnnotaterControllerSync(t *testing.T) { expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerResourceName, - Namespace: credentialIssuerNamespaceName, + Name: credentialIssuerResourceName, }, Status: configv1alpha1.CredentialIssuerStatus{ Strategies: []configv1alpha1.CredentialIssuerStrategy{ @@ -327,14 +321,12 @@ func TestAnnotaterControllerSync(t *testing.T) { }, }, } - expectedGetAction := coretesting.NewGetAction( + expectedGetAction := coretesting.NewRootGetAction( credentialIssuerGVR, - credentialIssuerNamespaceName, credentialIssuerResourceName, ) - expectedCreateAction := coretesting.NewCreateAction( + expectedCreateAction := coretesting.NewRootCreateAction( credentialIssuerGVR, - credentialIssuerNamespaceName, expectedCredentialIssuer, ) diff --git a/internal/controller/kubecertagent/creater_test.go b/internal/controller/kubecertagent/creater_test.go index 70643f85..d63363c1 100644 --- a/internal/controller/kubecertagent/creater_test.go +++ b/internal/controller/kubecertagent/creater_test.go @@ -83,7 +83,6 @@ func TestCreaterControllerSync(t *testing.T) { spec.Run(t, "CreaterControllerSync", func(t *testing.T, when spec.G, it spec.S) { const kubeSystemNamespace = "kube-system" const agentPodNamespace = "agent-pod-namespace" - const credentialIssuerNamespaceName = "ci-namespace-name" const credentialIssuerResourceName = "ci-resource-name" var r *require.Assertions @@ -119,8 +118,7 @@ func TestCreaterControllerSync(t *testing.T) { }, }, &CredentialIssuerLocationConfig{ - Namespace: credentialIssuerNamespaceName, - Name: credentialIssuerResourceName, + Name: credentialIssuerResourceName, }, map[string]string{ "myLabelKey1": "myLabelValue1", 
@@ -307,8 +305,7 @@ func TestCreaterControllerSync(t *testing.T) { initialCredentialIssuer = &configv1alpha1.CredentialIssuer{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerResourceName, - Namespace: credentialIssuerNamespaceName, + Name: credentialIssuerResourceName, }, Status: configv1alpha1.CredentialIssuerStatus{ Strategies: []configv1alpha1.CredentialIssuerStrategy{}, @@ -335,14 +332,12 @@ func TestCreaterControllerSync(t *testing.T) { LastUpdateTime: metav1.NewTime(frozenNow), }, } - expectedGetAction := coretesting.NewGetAction( + expectedGetAction := coretesting.NewRootGetAction( credentialIssuerGVR, - credentialIssuerNamespaceName, credentialIssuerResourceName, ) - expectedUpdateAction := coretesting.NewUpdateAction( + expectedUpdateAction := coretesting.NewRootUpdateAction( credentialIssuerGVR, - credentialIssuerNamespaceName, expectedCredentialIssuer, ) @@ -383,8 +378,7 @@ func TestCreaterControllerSync(t *testing.T) { expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerResourceName, - Namespace: credentialIssuerNamespaceName, + Name: credentialIssuerResourceName, Labels: map[string]string{ "myLabelKey1": "myLabelValue1", "myLabelKey2": "myLabelValue2", @@ -402,14 +396,12 @@ func TestCreaterControllerSync(t *testing.T) { }, }, } - expectedGetAction := coretesting.NewGetAction( + expectedGetAction := coretesting.NewRootGetAction( credentialIssuerGVR, - credentialIssuerNamespaceName, credentialIssuerResourceName, ) - expectedCreateAction := coretesting.NewCreateAction( + expectedCreateAction := coretesting.NewRootCreateAction( credentialIssuerGVR, - credentialIssuerNamespaceName, expectedCredentialIssuer, ) 
@@ -435,8 +427,7 @@ func TestCreaterControllerSync(t *testing.T) { initialCredentialIssuer = &configv1alpha1.CredentialIssuer{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerResourceName, - Namespace: credentialIssuerNamespaceName, + Name: credentialIssuerResourceName, }, Status: configv1alpha1.CredentialIssuerStatus{ Strategies: []configv1alpha1.CredentialIssuerStrategy{}, @@ -463,14 +454,12 @@ func TestCreaterControllerSync(t *testing.T) { LastUpdateTime: metav1.NewTime(frozenNow), }, } - expectedGetAction := coretesting.NewGetAction( + expectedGetAction := coretesting.NewRootGetAction( credentialIssuerGVR, - credentialIssuerNamespaceName, credentialIssuerResourceName, ) - expectedUpdateAction := coretesting.NewUpdateAction( + expectedUpdateAction := coretesting.NewRootUpdateAction( credentialIssuerGVR, - credentialIssuerNamespaceName, expectedCredentialIssuer, ) @@ -528,8 +517,7 @@ func TestCreaterControllerSync(t *testing.T) { expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerResourceName, - Namespace: credentialIssuerNamespaceName, + Name: credentialIssuerResourceName, Labels: map[string]string{ "myLabelKey1": "myLabelValue1", "myLabelKey2": "myLabelValue2", @@ -547,14 +535,12 @@ func TestCreaterControllerSync(t *testing.T) { }, }, } - expectedGetAction := coretesting.NewGetAction( + expectedGetAction := coretesting.NewRootGetAction( credentialIssuerGVR, - credentialIssuerNamespaceName, credentialIssuerResourceName, ) - expectedCreateAction := coretesting.NewCreateAction( + expectedCreateAction := coretesting.NewRootCreateAction( credentialIssuerGVR, - credentialIssuerNamespaceName, expectedCredentialIssuer, ) diff --git a/internal/controller/kubecertagent/execer_test.go b/internal/controller/kubecertagent/execer_test.go index 8ca37e25..e7ae425a 100644 --- a/internal/controller/kubecertagent/execer_test.go 
+++ b/internal/controller/kubecertagent/execer_test.go @@ -44,8 +44,7 @@ func TestExecerControllerOptions(t *testing.T) { agentPodsInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().Pods() _ = NewExecerController( &CredentialIssuerLocationConfig{ - Namespace: "ignored by this test", - Name: "ignored by this test", + Name: "ignored by this test", }, nil, // dynamicCertProvider, not needed for this test nil, // podCommandExecutor, not needed for this test @@ -136,7 +135,6 @@ func TestManagerControllerSync(t *testing.T) { const fakeKeyPath = "/some/key/path" const defaultDynamicCertProviderCert = "initial-cert" const defaultDynamicCertProviderKey = "initial-key" - const credentialIssuerNamespaceName = "ci-namespace-name" const credentialIssuerResourceName = "ci-resource-name" var r *require.Assertions @@ -160,8 +158,7 @@ func TestManagerControllerSync(t *testing.T) { // Set this at the last second to allow for injection of server override. subject = NewExecerController( &CredentialIssuerLocationConfig{ - Namespace: credentialIssuerNamespaceName, - Name: credentialIssuerResourceName, + Name: credentialIssuerResourceName, }, dynamicCertProvider, fakeExecutor, @@ -333,8 +330,7 @@ func TestManagerControllerSync(t *testing.T) { initialCredentialIssuer = &configv1alpha1.CredentialIssuer{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerResourceName, - Namespace: credentialIssuerNamespaceName, + Name: credentialIssuerResourceName, }, Status: configv1alpha1.CredentialIssuerStatus{ Strategies: []configv1alpha1.CredentialIssuerStrategy{}, 
@@ -361,8 +357,8 @@ func TestManagerControllerSync(t *testing.T) { LastUpdateTime: metav1.NewTime(frozenNow), }, } - expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName) - expectedCreateAction := coretesting.NewUpdateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer) + expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName) + expectedCreateAction := coretesting.NewRootUpdateAction(credentialIssuerGVR, expectedCredentialIssuer) r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions()) }) @@ -396,8 +392,7 @@ func TestManagerControllerSync(t *testing.T) { expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ - Name: credentialIssuerResourceName, - Namespace: credentialIssuerNamespaceName, + Name: credentialIssuerResourceName, }, Status: configv1alpha1.CredentialIssuerStatus{ Strategies: []configv1alpha1.CredentialIssuerStrategy{ @@ -411,8 +406,8 @@ func TestManagerControllerSync(t *testing.T) { }, }, } - expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName) - expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer) + expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName) + expectedCreateAction := coretesting.NewRootCreateAction(credentialIssuerGVR, expectedCredentialIssuer) r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions()) }) }) 
@@ -439,8 +434,7 @@ func TestManagerControllerSync(t *testing.T) {
 expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 TypeMeta: metav1.TypeMeta{},
 ObjectMeta: metav1.ObjectMeta{
- Name: credentialIssuerResourceName,
- Namespace: credentialIssuerNamespaceName,
+ Name: credentialIssuerResourceName,
 },
 Status: configv1alpha1.CredentialIssuerStatus{
 Strategies: []configv1alpha1.CredentialIssuerStrategy{
@@ -454,8 +448,8 @@ func TestManagerControllerSync(t *testing.T) {
 },
 },
 }
- expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName)
- expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer)
+ expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
+ expectedCreateAction := coretesting.NewRootCreateAction(credentialIssuerGVR, expectedCredentialIssuer)
 r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
 })
 })
@@ -481,8 +475,7 @@ func TestManagerControllerSync(t *testing.T) {
 expectedCredentialIssuer := &configv1alpha1.CredentialIssuer{
 TypeMeta: metav1.TypeMeta{},
 ObjectMeta: metav1.ObjectMeta{
- Name: credentialIssuerResourceName,
- Namespace: credentialIssuerNamespaceName,
+ Name: credentialIssuerResourceName,
 },
 Status: configv1alpha1.CredentialIssuerStatus{
 Strategies: []configv1alpha1.CredentialIssuerStrategy{
@@ -496,8 +489,8 @@ func TestManagerControllerSync(t *testing.T) {
 },
 },
 }
- expectedGetAction := coretesting.NewGetAction(credentialIssuerGVR, credentialIssuerNamespaceName, credentialIssuerResourceName)
- expectedCreateAction := coretesting.NewCreateAction(credentialIssuerGVR, credentialIssuerNamespaceName, expectedCredentialIssuer)
+ expectedGetAction := coretesting.NewRootGetAction(credentialIssuerGVR, credentialIssuerResourceName)
+ expectedCreateAction := coretesting.NewRootCreateAction(credentialIssuerGVR, expectedCredentialIssuer)
 r.Equal([]coretesting.Action{expectedGetAction, expectedCreateAction}, pinnipedAPIClient.Actions())
 })
 })
diff --git a/internal/controller/kubecertagent/kubecertagent.go b/internal/controller/kubecertagent/kubecertagent.go
index cb32d0b3..1dfe7a67 100644
--- a/internal/controller/kubecertagent/kubecertagent.go
+++ b/internal/controller/kubecertagent/kubecertagent.go
@@ -74,9 +74,6 @@ type AgentPodConfig struct {
 }
 type CredentialIssuerLocationConfig struct {
- // The namespace in which the CredentialIssuer should be created/updated.
- Namespace string
-
 // The resource name for the CredentialIssuer to be created/updated.
 Name string
 }
@@ -292,7 +289,6 @@ func createOrUpdateCredentialIssuer(ctx context.Context,
 ) error {
 return issuerconfig.CreateOrUpdateCredentialIssuer(
 ctx,
- ciConfig.Namespace,
 ciConfig.Name,
 credentialIssuerLabels,
 pinnipedAPIClient,
diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go
index cbc3f069..6e3e0b75 100644
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@@ -109,8 +109,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 AdditionalLabels: c.Labels,
 }
 credentialIssuerLocationConfig := &kubecertagent.CredentialIssuerLocationConfig{
- Namespace: c.ServerInstallationInfo.Namespace,
- Name: c.NamesConfig.CredentialIssuer,
+ Name: c.NamesConfig.CredentialIssuer,
 }
 groupName, ok := groupsuffix.Replace(loginv1alpha1.GroupName, c.APIGroupSuffix)
@@ -127,7 +126,6 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 // CredentialIssuer resource and keeping that information up to date.
 WithController(
 issuerconfig.NewKubeConfigInfoPublisherController(
- c.ServerInstallationInfo.Namespace,
 c.NamesConfig.CredentialIssuer,
 c.Labels,
 c.DiscoveryURLOverride,
@@ -245,7 +243,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 WithController(
 webhookcachefiller.New(
 c.AuthenticatorCache,
- informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(),
+ informers.pinniped.Authentication().V1alpha1().WebhookAuthenticators(),
 klogr.New(),
 ),
 singletonWorker,
@@ -253,7 +251,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 WithController(
 jwtcachefiller.New(
 c.AuthenticatorCache,
- informers.installationNamespacePinniped.Authentication().V1alpha1().JWTAuthenticators(),
+ informers.pinniped.Authentication().V1alpha1().JWTAuthenticators(),
 klogr.New(),
 ),
 singletonWorker,
@@ -261,8 +259,8 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 WithController(
 cachecleaner.New(
 c.AuthenticatorCache,
- informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookAuthenticators(),
- informers.installationNamespacePinniped.Authentication().V1alpha1().JWTAuthenticators(),
+ informers.pinniped.Authentication().V1alpha1().WebhookAuthenticators(),
+ informers.pinniped.Authentication().V1alpha1().JWTAuthenticators(),
 klogr.New(),
 ),
 singletonWorker,
@@ -276,10 +274,10 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 }
 type informers struct {
- kubePublicNamespaceK8s k8sinformers.SharedInformerFactory
- kubeSystemNamespaceK8s k8sinformers.SharedInformerFactory
- installationNamespaceK8s k8sinformers.SharedInformerFactory
- installationNamespacePinniped pinnipedinformers.SharedInformerFactory
+ kubePublicNamespaceK8s k8sinformers.SharedInformerFactory
+ kubeSystemNamespaceK8s k8sinformers.SharedInformerFactory
+ installationNamespaceK8s k8sinformers.SharedInformerFactory
+ pinniped pinnipedinformers.SharedInformerFactory
 }
 // Create the informers that will be used by the controllers.
@@ -304,10 +302,9 @@ func createInformers(
 defaultResyncInterval,
 k8sinformers.WithNamespace(serverInstallationNamespace),
 ),
- installationNamespacePinniped: pinnipedinformers.NewSharedInformerFactoryWithOptions(
+ pinniped: pinnipedinformers.NewSharedInformerFactoryWithOptions(
 pinnipedClient,
 defaultResyncInterval,
- pinnipedinformers.WithNamespace(serverInstallationNamespace),
 ),
 }
 }
@@ -316,10 +313,10 @@ func (i *informers) startAndWaitForSync(ctx context.Context) {
 i.kubePublicNamespaceK8s.Start(ctx.Done())
 i.kubeSystemNamespaceK8s.Start(ctx.Done())
 i.installationNamespaceK8s.Start(ctx.Done())
- i.installationNamespacePinniped.Start(ctx.Done())
+ i.pinniped.Start(ctx.Done())
 i.kubePublicNamespaceK8s.WaitForCacheSync(ctx.Done())
 i.kubeSystemNamespaceK8s.WaitForCacheSync(ctx.Done())
 i.installationNamespaceK8s.WaitForCacheSync(ctx.Done())
- i.installationNamespacePinniped.WaitForCacheSync(ctx.Done())
+ i.pinniped.WaitForCacheSync(ctx.Done())
 }
diff --git a/internal/kubeclient/kubeclient_test.go b/internal/kubeclient/kubeclient_test.go
index cd79a920..dba289e7 100644
--- a/internal/kubeclient/kubeclient_test.go
+++ b/internal/kubeclient/kubeclient_test.go
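Review bot: The `pinniped: pinnipedinformers.NewSharedInformerFactoryWithOptions(` factory in createInformers drops `pinnipedinformers.WithNamespace(serverInstallationNamespace)`, so it now lists and watches the Pinniped API types across the entire cluster while the `installationNamespaceK8s` sibling right above it stays namespace-bound. That is presumably intended now that these types are cluster-scoped, but it has two consequences the hunk does not record: the Concierge service account needs cluster-scoped list/watch on authenticators and credential issuers (the diffstat shows `deploy/concierge/rbac.yaml` changing in this commit, worth checking it grants exactly that and nothing wider), and a namespace is no longer a boundary on who can define an authenticator that the Concierge will load into its cache. Suggest saying so on the struct field: `// pinniped watches the cluster-scoped Pinniped API types cluster-wide; it is deliberately not bound to serverInstallationNamespace.`.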
@@ -259,7 +259,7 @@ func TestKubeclient(t *testing.T) {
 // create
 tokenCredentialRequest, err := c.PinnipedConcierge.
 LoginV1alpha1().
- TokenCredentialRequests(goodTokenCredentialRequest.Namespace).
+ TokenCredentialRequests().
 Create(context.Background(), goodTokenCredentialRequest, metav1.CreateOptions{})
 require.NoError(t, err)
 require.Equal(t, goodTokenCredentialRequest, tokenCredentialRequest)
@@ -267,7 +267,7 @@ func TestKubeclient(t *testing.T) {
 // read
 tokenCredentialRequest, err = c.PinnipedConcierge.
 LoginV1alpha1().
- TokenCredentialRequests(tokenCredentialRequest.Namespace).
+ TokenCredentialRequests().
 Get(context.Background(), tokenCredentialRequest.Name, metav1.GetOptions{})
 require.NoError(t, err)
 require.Equal(t, with(goodTokenCredentialRequest, annotations(), labels()), tokenCredentialRequest)
@@ -276,7 +276,7 @@ func TestKubeclient(t *testing.T) {
 goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName := with(goodTokenCredentialRequest, annotations(), labels(), clusterName()).(*loginv1alpha1.TokenCredentialRequest)
 tokenCredentialRequest, err = c.PinnipedConcierge.
 LoginV1alpha1().
- TokenCredentialRequests(tokenCredentialRequest.Namespace).
+ TokenCredentialRequests().
 Update(context.Background(), goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName, metav1.UpdateOptions{})
 require.NoError(t, err)
 require.Equal(t, goodTokenCredentialRequestWithAnnotationsAndLabelsAndClusterName, tokenCredentialRequest)
@@ -284,7 +284,7 @@ func TestKubeclient(t *testing.T) {
 // delete
 err = c.PinnipedConcierge.
 LoginV1alpha1().
- TokenCredentialRequests(tokenCredentialRequest.Namespace).
+ TokenCredentialRequests().
 Delete(context.Background(), tokenCredentialRequest.Name, metav1.DeleteOptions{})
 require.NoError(t, err)
 },
diff --git a/pkg/conciergeclient/conciergeclient.go b/pkg/conciergeclient/conciergeclient.go
index 0bebd3d2..5943e24c 100644
--- a/pkg/conciergeclient/conciergeclient.go
+++ b/pkg/conciergeclient/conciergeclient.go
@@ -27,28 +27,19 @@ import (
 )
 // ErrLoginFailed is returned by Client.ExchangeToken when the concierge server rejects the login request for any reason.
-var ErrLoginFailed = constable.Error("login failed")
+const ErrLoginFailed = constable.Error("login failed")
 // Option is an optional configuration for New().
 type Option func(*Client) error
 // Client is a configuration for talking to the Pinniped concierge.
 type Client struct {
- namespace string
 authenticator *corev1.TypedLocalObjectReference
 caBundle string
 endpoint *url.URL
 apiGroupSuffix string
 }
-// WithNamespace configures the namespace where the TokenCredentialRequest is to be sent.
-func WithNamespace(namespace string) Option {
- return func(c *Client) error {
- c.namespace = namespace
- return nil
- }
-}
-
 // WithAuthenticator configures the authenticator reference (spec.authenticator) of the TokenCredentialRequests.
 func WithAuthenticator(authType, authName string) Option {
 return func(c *Client) error {
@@ -127,7 +118,7 @@ func WithAPIGroupSuffix(apiGroupSuffix string) Option {
 // New validates the specified options and returns a newly initialized *Client.
 func New(opts ...Option) (*Client, error) {
- c := Client{namespace: "pinniped-concierge", apiGroupSuffix: "pinniped.dev"}
+ c := Client{apiGroupSuffix: "pinniped.dev"}
 for _, opt := range opts {
 if err := opt(&c); err != nil {
 return nil, err
@@ -180,10 +171,7 @@ func (c *Client) ExchangeToken(ctx context.Context, token string) (*clientauthen
 if err != nil {
 return nil, err
 }
- resp, err := clientset.LoginV1alpha1().TokenCredentialRequests(c.namespace).Create(ctx, &loginv1alpha1.TokenCredentialRequest{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: c.namespace,
- },
+ resp, err := clientset.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{
 Spec: loginv1alpha1.TokenCredentialRequestSpec{
 Token: token,
 Authenticator: *c.authenticator,
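Review bot: Deleting the exported `WithNamespace` option from `pkg/conciergeclient` is a compile-breaking change for every external caller of this public package, and nothing in the hunk tells them why or what to do instead. Since the value is now simply unused, a deprecated no-op shim keeps old callers building for a release: keep `func WithNamespace(namespace string) Option` returning `func(*Client) error { return nil }`, with `// Deprecated: TokenCredentialRequests are cluster-scoped; the namespace is ignored and this option is a no-op.` above it. The `var`→`const` switch on `ErrLoginFailed` looks fine on its own, assuming `constable.Error` is a string-based type as its use in a const expression implies, and `errors.Is` comparison by value keeps working. The same removal surfaces in the `New` hunk below, where the `"pinniped-concierge"` default disappears, so the ExchangeToken path on L45 is the only place left that decides the request scope.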
diff --git a/pkg/conciergeclient/conciergeclient_test.go b/pkg/conciergeclient/conciergeclient_test.go
index c4f6702d..9a0a1500 100644
--- a/pkg/conciergeclient/conciergeclient_test.go
+++ b/pkg/conciergeclient/conciergeclient_test.go
@@ -125,7 +125,6 @@ func TestNew(t *testing.T) {
 {
 name: "valid",
 opts: []Option{
- WithNamespace("test-namespace"),
 WithEndpoint("https://example.com"),
 WithCABundle(""),
 WithCABundle(string(testCA.Bundle())),
@@ -223,7 +222,7 @@ func TestExchangeToken(t *testing.T) {
 // Start a test server that returns successfully and asserts various properties of the request.
 caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
 require.Equal(t, http.MethodPost, r.Method)
- require.Equal(t, "/apis/login.concierge.pinniped.dev/v1alpha1/namespaces/test-namespace/tokencredentialrequests", r.URL.Path)
+ require.Equal(t, "/apis/login.concierge.pinniped.dev/v1alpha1/tokencredentialrequests", r.URL.Path)
 require.Equal(t, "application/json", r.Header.Get("content-type"))
 body, err := ioutil.ReadAll(r.Body)
@@ -233,8 +232,7 @@ func TestExchangeToken(t *testing.T) {
 "kind": "TokenCredentialRequest",
 "apiVersion": "login.concierge.pinniped.dev/v1alpha1",
 "metadata": {
- "creationTimestamp": null,
- "namespace": "test-namespace"
+ "creationTimestamp": null
 },
 "spec": {
 "token": "test-token",
@@ -262,7 +260,7 @@ func TestExchangeToken(t *testing.T) {
 })
 })
- client, err := New(WithNamespace("test-namespace"), WithEndpoint(endpoint), WithCABundle(caBundle), WithAuthenticator("webhook", "test-webhook"))
+ client, err := New(WithEndpoint(endpoint), WithCABundle(caBundle), WithAuthenticator("webhook", "test-webhook"))
 require.NoError(t, err)
 got, err := client.ExchangeToken(ctx, "test-token")
diff --git a/site/content/docs/concierge-and-supervisor-demo.md b/site/content/docs/concierge-and-supervisor-demo.md
index b268affa..0274c409 100644
--- a/site/content/docs/concierge-and-supervisor-demo.md
+++ b/site/content/docs/concierge-and-supervisor-demo.md
@@ -163,7 +163,7 @@ to authenticate federated identities from the Supervisor.
 object to configure the Pinniped Concierge to authenticate using the Pinniped Supervisor.
 ```bash
- cat < /tmp/pinniped-kubeconfig
 ```
diff --git a/site/content/docs/concierge-only-demo.md b/site/content/docs/concierge-only-demo.md
index e07b3650..8ecfa94a 100644
--- a/site/content/docs/concierge-only-demo.md
+++ b/site/content/docs/concierge-only-demo.md
@@ -102,7 +102,7 @@ as the authenticator.
 1. Create a `WebhookAuthenticator` object to configure the Pinniped Concierge to authenticate using local-user-authenticator.
 ```bash
- cat < /tmp/pinniped-kubeconfig
+ pinniped get kubeconfig --static-token "pinny-the-seal:password123" --concierge-authenticator-type webhook --concierge-authenticator-name local-user-authenticator > /tmp/pinniped-kubeconfig
 ```
 If you are using MacOS, you may get an error dialog that says
diff --git a/test/integration/cli_test.go b/test/integration/cli_test.go
index 7b33ca37..910d1ac4 100644
--- a/test/integration/cli_test.go
+++ b/test/integration/cli_test.go
@@ -57,7 +57,6 @@ func TestCLIGetKubeconfigStaticToken(t *testing.T) {
 "get", "kubeconfig",
 "--static-token", env.TestUser.Token,
 "--concierge-api-group-suffix", env.APIGroupSuffix,
- "--concierge-namespace", env.ConciergeNamespace,
 "--concierge-authenticator-type", "webhook",
 "--concierge-authenticator-name", authenticator.Name,
 },
diff --git a/test/integration/concierge_api_serving_certs_test.go b/test/integration/concierge_api_serving_certs_test.go
index a0a67acf..b912073d 100644
--- a/test/integration/concierge_api_serving_certs_test.go
+++ b/test/integration/concierge_api_serving_certs_test.go
@@ -146,7 +146,7 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
 // pod has rotated their cert, but not the other ones sitting behind the service.
 aggregatedAPIWorking := func() bool {
 for i := 0; i < 10; i++ {
- _, err = conciergeClient.LoginV1alpha1().TokenCredentialRequests(env.ConciergeNamespace).Create(ctx, &loginv1alpha1.TokenCredentialRequest{
+ _, err = conciergeClient.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{
 TypeMeta: metav1.TypeMeta{},
 ObjectMeta: metav1.ObjectMeta{},
 Spec: loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token", Authenticator: testWebhook},
diff --git a/test/integration/concierge_client_test.go b/test/integration/concierge_client_test.go
index 5098664c..1cad0de5 100644
--- a/test/integration/concierge_client_test.go
+++ b/test/integration/concierge_client_test.go
@@ -72,7 +72,6 @@ func TestClient(t *testing.T) {
 // Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
 clientConfig := library.NewClientConfig(t)
 client, err := conciergeclient.New(
- conciergeclient.WithNamespace(env.ConciergeNamespace),
 conciergeclient.WithCABundle(string(clientConfig.CAData)),
 conciergeclient.WithEndpoint(clientConfig.Host),
 conciergeclient.WithAuthenticator("webhook", webhook.Name),
diff --git a/test/integration/concierge_credentialissuerconfig_test.go b/test/integration/concierge_credentialissuerconfig_test.go
index 065fcf8c..583a0250 100644
--- a/test/integration/concierge_credentialissuerconfig_test.go
+++ b/test/integration/concierge_credentialissuerconfig_test.go
@@ -29,7 +29,7 @@ func TestCredentialIssuer(t *testing.T) {
 t.Run("test successful CredentialIssuer", func(t *testing.T) {
 actualConfigList, err := client.
 ConfigV1alpha1().
- CredentialIssuers(env.ConciergeNamespace).
+ CredentialIssuers().
 List(ctx, metav1.ListOptions{})
 require.NoError(t, err)
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index 46ad2357..6f8236b7 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -211,7 +211,7 @@ func makeRequest(ctx context.Context, t *testing.T, spec loginv1alpha1.TokenCred
 ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 defer cancel()
- return client.LoginV1alpha1().TokenCredentialRequests(env.ConciergeNamespace).Create(ctx, &loginv1alpha1.TokenCredentialRequest{
+ return client.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{
 TypeMeta: metav1.TypeMeta{},
 ObjectMeta: metav1.ObjectMeta{Namespace: env.ConciergeNamespace},
 Spec: spec,
diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go
index 86f21599..42f51eb1 100644
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@@ -142,7 +142,6 @@ func TestE2EFullIntegration(t *testing.T) {
 // Run "pinniped get kubeconfig" to get a kubeconfig YAML.
 kubeconfigYAML, stderr := runPinnipedCLI(t, pinnipedExe, "get", "kubeconfig",
 "--concierge-api-group-suffix", env.APIGroupSuffix,
- "--concierge-namespace", env.ConciergeNamespace,
 "--concierge-authenticator-type", "jwt",
 "--concierge-authenticator-name", authenticator.Name,
 "--oidc-skip-browser",
diff --git a/test/integration/kubeclient_test.go b/test/integration/kubeclient_test.go
index 211287f1..c8580e14 100644
--- a/test/integration/kubeclient_test.go
+++ b/test/integration/kubeclient_test.go
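Review bot: makeRequest still sets `ObjectMeta: metav1.ObjectMeta{Namespace: env.ConciergeNamespace},` on the object it now sends through the cluster-scoped `TokenCredentialRequests().Create(...)` path, so the request body and the request URL disagree about scope. The test presumably passes only because the server ignores or clears `metadata.namespace` for this resource, which means this integration test no longer exercises the contract the commit introduces. Suggest `ObjectMeta: metav1.ObjectMeta{},` to match the sibling call changed in concierge_api_serving_certs_test.go in this same commit. makeRequest's body continues outside the hunk.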
@@ -167,7 +167,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
 require.NoError(t, err)
 // sanity check concierge client
- credentialIssuer, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers(namespace.Name).Create(
+ credentialIssuer, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers().Create(
 ctx,
 &conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{
@@ -184,7 +184,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
 hasOwnerRef(t, credentialIssuer, ref)
 // this owner has already been deleted so the cred issuer should be immediately deleted
 isEventuallyDeleted(t, func() error {
- _, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers(namespace.Name).Get(ctx, credentialIssuer.Name, metav1.GetOptions{})
+ _, err := ownerRefClient.PinnipedConcierge.ConfigV1alpha1().CredentialIssuers().Get(ctx, credentialIssuer.Name, metav1.GetOptions{})
 return err
 })
diff --git a/test/library/client.go b/test/library/client.go
index 011f2b77..a98034d8 100644
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -153,7 +153,7 @@ func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.Ty
 testEnv := IntegrationEnv(t)
 client := NewConciergeClientset(t)
- webhooks := client.AuthenticationV1alpha1().WebhookAuthenticators(testEnv.ConciergeNamespace)
+ webhooks := client.AuthenticationV1alpha1().WebhookAuthenticators()
 createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
 defer cancel()
@@ -220,10 +220,9 @@ func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T)
 // authenticator within the test namespace.
 func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T, spec auth1alpha1.JWTAuthenticatorSpec) corev1.TypedLocalObjectReference {
 t.Helper()
- testEnv := IntegrationEnv(t)
 client := NewConciergeClientset(t)
- jwtAuthenticators := client.AuthenticationV1alpha1().JWTAuthenticators(testEnv.ConciergeNamespace)
+ jwtAuthenticators := client.AuthenticationV1alpha1().JWTAuthenticators()
 createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
 defer cancel()