djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Concierge controllers add labels to all created resources

Browse Source
This commit is contained in:
Ryan Richard 2020-10-15 10:14:23 -07:00
parent c05bdb58ac
commit 94f20e57b1
28 changed files with 220 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/local-user-authenticator/main.go
View File

@ -310,6 +310,9 @@ func startControllers(
apicerts.NewCertsManagerController( apicerts.NewCertsManagerController(
namespace, namespace,
certsSecretResourceName, certsSecretResourceName,
map[string]string{
"app": "local-user-authenticator",
},
kubeClient, kubeClient,
kubeInformers.Core().V1().Secrets(), kubeInformers.Core().V1().Secrets(),
controllerlib.WithInformer, controllerlib.WithInformer,

2
deploy/concierge/deployment.yaml
View File

@ -2,6 +2,7 @@
#! SPDX-License-Identifier: Apache-2.0 #! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data") #@ load("@ytt:data", "data")
#@ load("@ytt:json", "json")
#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix") #@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
#@ if not data.values.into_namespace: #@ if not data.values.into_namespace:
@ -40,6 +41,7 @@ data:
servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @) servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
credentialIssuerConfig: (@= defaultResourceNameWithSuffix("config") @) credentialIssuerConfig: (@= defaultResourceNameWithSuffix("config") @)
apiService: (@= defaultResourceNameWithSuffix("api") @) apiService: (@= defaultResourceNameWithSuffix("api") @)
labels: (@= json.encode(labels()).rstrip() @)
kubeCertAgent: kubeCertAgent:
namePrefix: (@= defaultResourceNameWithSuffix("kube-cert-agent-") @) namePrefix: (@= defaultResourceNameWithSuffix("kube-cert-agent-") @)
(@ if data.values.kube_cert_agent_image: @) (@ if data.values.kube_cert_agent_image: @)

3
deploy/concierge/values.yaml
View File

@ -14,7 +14,8 @@ into_namespace: #! e.g. my-preexisting-namespace
#! All resources created statically by yaml at install-time and all resources created dynamically #! All resources created statically by yaml at install-time and all resources created dynamically
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels #! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
#! specified here. The app can be uninstalled either by: #! specified here. The value of `custom_labels` must be a map of string keys to string values.
#! The app can be uninstalled either by:
#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete #! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
#! resources that were dynamically created by controllers at runtime #! resources that were dynamically created by controllers at runtime
#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace. #! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.

2
deploy/supervisor/deployment.yaml
View File

@ -2,6 +2,7 @@
#! SPDX-License-Identifier: Apache-2.0 #! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data") #@ load("@ytt:data", "data")
#@ load("@ytt:json", "json")
#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix") #@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
#@ if not data.values.into_namespace: #@ if not data.values.into_namespace:
@ -31,6 +32,7 @@ data:
pinniped.yaml: | pinniped.yaml: |
names: names:
dynamicConfigMap: (@= defaultResourceNameWithSuffix("dynamic-config") @) dynamicConfigMap: (@= defaultResourceNameWithSuffix("dynamic-config") @)
labels: (@= json.encode(labels()).rstrip() @)
--- ---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
apiVersion: v1 apiVersion: v1

3
deploy/supervisor/values.yaml
View File

@ -14,7 +14,8 @@ into_namespace: #! e.g. my-preexisting-namespace
#! All resources created statically by yaml at install-time and all resources created dynamically #! All resources created statically by yaml at install-time and all resources created dynamically
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels #! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
#! specified here. The app can be uninstalled either by: #! specified here. The value of `custom_labels` must be a map of string keys to string values.
#! The app can be uninstalled either by:
#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete #! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
#! resources that were dynamically created by controllers at runtime #! resources that were dynamically created by controllers at runtime
#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace. #! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.

4
hack/lib/tilt/Tiltfile
View File

@ -94,6 +94,7 @@ k8s_yaml(local([
'--data-value', 'image_tag=tilt-dev', '--data-value', 'image_tag=tilt-dev',
'--data-value-yaml', 'replicas=1', '--data-value-yaml', 'replicas=1',
'--data-value-yaml', 'service_nodeport_port=31234', '--data-value-yaml', 'service_nodeport_port=31234',
'--data-value-yaml', 'custom_labels={mySupervisorCustomLabelName: mySupervisorCustomLabelValue}',
])) ]))
# Tell tilt to watch all of those files for changes. # Tell tilt to watch all of those files for changes.
watch_file('../../../deploy/supervisor') watch_file('../../../deploy/supervisor')
@ -135,7 +136,8 @@ k8s_yaml(local([
'--data-value image_tag=tilt-dev ' + '--data-value image_tag=tilt-dev ' +
'--data-value kube_cert_agent_image=debian:10.5-slim ' + '--data-value kube_cert_agent_image=debian:10.5-slim ' +
'--data-value discovery_url=$(TERM=dumb kubectl cluster-info | awk \'/Kubernetes master/ {print $NF}\') ' + '--data-value discovery_url=$(TERM=dumb kubectl cluster-info | awk \'/Kubernetes master/ {print $NF}\') ' +
'--data-value-yaml replicas=1', '--data-value-yaml replicas=1 ' +
'--data-value-yaml "custom_labels={myConciergeCustomLabelName: myConciergeCustomLabelValue}"'
])) ]))
# Tell tilt to watch all of those files for changes. # Tell tilt to watch all of those files for changes.
watch_file('../../../deploy/concierge') watch_file('../../../deploy/concierge')

10
hack/prepare-for-integration-tests.sh
View File

@ -212,6 +212,7 @@ kubectl create secret generic "$test_username" \
# #
supervisor_app_name="pinniped-supervisor" supervisor_app_name="pinniped-supervisor"
supervisor_namespace="supervisor" supervisor_namespace="supervisor"
supervisor_custom_labels="{mySupervisorCustomLabelName: mySupervisorCustomLabelValue}"
if ! tilt_mode; then if ! tilt_mode; then
pushd deploy/supervisor >/dev/null pushd deploy/supervisor >/dev/null
@ -222,6 +223,7 @@ if ! tilt_mode; then
--data-value "namespace=$supervisor_namespace" \ --data-value "namespace=$supervisor_namespace" \
--data-value "image_repo=$registry_repo" \ --data-value "image_repo=$registry_repo" \
--data-value "image_tag=$tag" \ --data-value "image_tag=$tag" \
--data-value-yaml "custom_labels=$supervisor_custom_labels" \
--data-value-yaml 'service_nodeport_port=31234' >"$manifest" --data-value-yaml 'service_nodeport_port=31234' >"$manifest"
kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest" kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest"
@ -230,21 +232,23 @@ if ! tilt_mode; then
fi fi
# #
# Deploy Pinniped # Deploy the Pinniped Concierge
# #
concierge_app_name="pinniped-concierge" concierge_app_name="pinniped-concierge"
concierge_namespace="concierge" concierge_namespace="concierge"
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate" webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')" webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')" discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')"
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
if ! tilt_mode; then if ! tilt_mode; then
pushd deploy/concierge >/dev/null pushd deploy/concierge >/dev/null
log_note "Deploying the Pinniped app to the cluster..." log_note "Deploying the Pinniped Concierge app to the cluster..."
ytt --file . \ ytt --file . \
--data-value "app_name=$concierge_app_name" \ --data-value "app_name=$concierge_app_name" \
--data-value "namespace=$concierge_namespace" \ --data-value "namespace=$concierge_namespace" \
--data-value-yaml "custom_labels=$concierge_custom_labels" \
--data-value "image_repo=$registry_repo" \ --data-value "image_repo=$registry_repo" \
--data-value "image_tag=$tag" \ --data-value "image_tag=$tag" \
--data-value "discovery_url=$discovery_url" >"$manifest" --data-value "discovery_url=$discovery_url" >"$manifest"
@ -264,6 +268,7 @@ cat <<EOF >/tmp/integration-test-env
# The following env vars should be set before running 'go test -v -count 1 ./test/integration' # The following env vars should be set before running 'go test -v -count 1 ./test/integration'
export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace} export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
export PINNIPED_TEST_CONCIERGE_APP_NAME=${concierge_app_name} export PINNIPED_TEST_CONCIERGE_APP_NAME=${concierge_app_name}
export PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS='${concierge_custom_labels}'
export PINNIPED_TEST_USER_USERNAME=${test_username} export PINNIPED_TEST_USER_USERNAME=${test_username}
export PINNIPED_TEST_USER_GROUPS=${test_groups} export PINNIPED_TEST_USER_GROUPS=${test_groups}
export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password} export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
@ -271,6 +276,7 @@ export PINNIPED_TEST_WEBHOOK_ENDPOINT=${webhook_url}
export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle} export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}
export PINNIPED_TEST_SUPERVISOR_NAMESPACE=${supervisor_namespace} export PINNIPED_TEST_SUPERVISOR_NAMESPACE=${supervisor_namespace}
export PINNIPED_TEST_SUPERVISOR_APP_NAME=${supervisor_app_name} export PINNIPED_TEST_SUPERVISOR_APP_NAME=${supervisor_app_name}
export PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS='${supervisor_custom_labels}'
export PINNIPED_TEST_SUPERVISOR_ADDRESS="127.0.0.1:12345" export PINNIPED_TEST_SUPERVISOR_ADDRESS="127.0.0.1:12345"
export PINNIPED_TEST_CLI_OIDC_ISSUER=http://127.0.0.1:12346/dex export PINNIPED_TEST_CLI_OIDC_ISSUER=http://127.0.0.1:12346/dex
export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli

1
internal/concierge/server/server.go
View File

@ -124,6 +124,7 @@ func (a *App) runServer(ctx context.Context) error {
&controllermanager.Config{ &controllermanager.Config{
ServerInstallationNamespace: serverInstallationNamespace, ServerInstallationNamespace: serverInstallationNamespace,
NamesConfig: &cfg.NamesConfig, NamesConfig: &cfg.NamesConfig,
Labels: cfg.Labels,
KubeCertAgentConfig: &cfg.KubeCertAgentConfig, KubeCertAgentConfig: &cfg.KubeCertAgentConfig,
DiscoveryURLOverride: cfg.DiscoveryInfo.URL, DiscoveryURLOverride: cfg.DiscoveryInfo.URL,
DynamicServingCertProvider: dynamicServingCertProvider, DynamicServingCertProvider: dynamicServingCertProvider,

4
internal/controller/apicerts/certs_manager.go
View File

@ -29,6 +29,7 @@ const (
type certsManagerController struct { type certsManagerController struct {
namespace string namespace string
certsSecretResourceName string certsSecretResourceName string
certsSecretLabels map[string]string
k8sClient kubernetes.Interface k8sClient kubernetes.Interface
secretInformer corev1informers.SecretInformer secretInformer corev1informers.SecretInformer
@ -43,6 +44,7 @@ type certsManagerController struct {
func NewCertsManagerController( func NewCertsManagerController(
namespace string, namespace string,
certsSecretResourceName string, certsSecretResourceName string,
certsSecretLabels map[string]string,
k8sClient kubernetes.Interface, k8sClient kubernetes.Interface,
secretInformer corev1informers.SecretInformer, secretInformer corev1informers.SecretInformer,
withInformer pinnipedcontroller.WithInformerOptionFunc, withInformer pinnipedcontroller.WithInformerOptionFunc,
@ -57,6 +59,7 @@ func NewCertsManagerController(
Syncer: &certsManagerController{ Syncer: &certsManagerController{
namespace: namespace, namespace: namespace,
certsSecretResourceName: certsSecretResourceName, certsSecretResourceName: certsSecretResourceName,
certsSecretLabels: certsSecretLabels,
k8sClient: k8sClient, k8sClient: k8sClient,
secretInformer: secretInformer, secretInformer: secretInformer,
certDuration: certDuration, certDuration: certDuration,
@ -116,6 +119,7 @@ func (c *certsManagerController) Sync(ctx controllerlib.Context) error {
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: c.certsSecretResourceName, Name: c.certsSecretResourceName,
Namespace: c.namespace, Namespace: c.namespace,
Labels: c.certsSecretLabels,
}, },
StringData: map[string]string{ StringData: map[string]string{
caCertificateSecretKey: string(aggregatedAPIServerCA.Bundle()), caCertificateSecretKey: string(aggregatedAPIServerCA.Bundle()),

9
internal/controller/apicerts/certs_manager_test.go
View File

@ -42,6 +42,7 @@ func TestManagerControllerOptions(t *testing.T) {
_ = NewCertsManagerController( _ = NewCertsManagerController(
installedInNamespace, installedInNamespace,
certsSecretResourceName, certsSecretResourceName,
make(map[string]string),
nil, nil,
secretsInformer, secretsInformer,
observableWithInformerOption.WithInformer, observableWithInformerOption.WithInformer,
@ -135,6 +136,10 @@ func TestManagerControllerSync(t *testing.T) {
subject = NewCertsManagerController( subject = NewCertsManagerController(
installedInNamespace, installedInNamespace,
certsSecretResourceName, certsSecretResourceName,
map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
kubeAPIClient, kubeAPIClient,
kubeInformers.Core().V1().Secrets(), kubeInformers.Core().V1().Secrets(),
controllerlib.WithInformer, controllerlib.WithInformer,
@ -198,6 +203,10 @@ func TestManagerControllerSync(t *testing.T) {
actualSecret := actualAction.GetObject().(*corev1.Secret) actualSecret := actualAction.GetObject().(*corev1.Secret)
r.Equal(certsSecretResourceName, actualSecret.Name) r.Equal(certsSecretResourceName, actualSecret.Name)
r.Equal(installedInNamespace, actualSecret.Namespace) r.Equal(installedInNamespace, actualSecret.Namespace)
r.Equal(map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
}, actualSecret.Labels)
actualCACert := actualSecret.StringData["caCertificate"] actualCACert := actualSecret.StringData["caCertificate"]
actualPrivateKey := actualSecret.StringData["tlsPrivateKey"] actualPrivateKey := actualSecret.StringData["tlsPrivateKey"]
actualCertChain := actualSecret.StringData["tlsCertificateChain"] actualCertChain := actualSecret.StringData["tlsCertificateChain"]

7
internal/controller/issuerconfig/create_or_update_credential_issuer_config.go
View File

@ -21,6 +21,7 @@ func CreateOrUpdateCredentialIssuerConfig(
ctx context.Context, ctx context.Context,
credentialIssuerConfigNamespace string, credentialIssuerConfigNamespace string,
credentialIssuerConfigResourceName string, credentialIssuerConfigResourceName string,
credentialIssuerConfigLabels map[string]string,
pinnipedClient pinnipedclientset.Interface, pinnipedClient pinnipedclientset.Interface,
applyUpdatesToCredentialIssuerConfigFunc func(configToUpdate *configv1alpha1.CredentialIssuerConfig), applyUpdatesToCredentialIssuerConfigFunc func(configToUpdate *configv1alpha1.CredentialIssuerConfig),
) error { ) error {
@ -39,7 +40,9 @@ func CreateOrUpdateCredentialIssuerConfig(
if notFound { if notFound {
// Create it // Create it
credentialIssuerConfig := minimalValidCredentialIssuerConfig(credentialIssuerConfigResourceName, credentialIssuerConfigNamespace) credentialIssuerConfig := minimalValidCredentialIssuerConfig(
credentialIssuerConfigResourceName, credentialIssuerConfigNamespace, credentialIssuerConfigLabels,
)
applyUpdatesToCredentialIssuerConfigFunc(credentialIssuerConfig) applyUpdatesToCredentialIssuerConfigFunc(credentialIssuerConfig)
if _, err := credentialIssuerConfigsClient.Create(ctx, credentialIssuerConfig, metav1.CreateOptions{}); err != nil { if _, err := credentialIssuerConfigsClient.Create(ctx, credentialIssuerConfig, metav1.CreateOptions{}); err != nil {
@ -71,12 +74,14 @@ func CreateOrUpdateCredentialIssuerConfig(
func minimalValidCredentialIssuerConfig( func minimalValidCredentialIssuerConfig(
credentialIssuerConfigName string, credentialIssuerConfigName string,
credentialIssuerConfigNamespace string, credentialIssuerConfigNamespace string,
credentialIssuerConfigLabels map[string]string,
) *configv1alpha1.CredentialIssuerConfig { ) *configv1alpha1.CredentialIssuerConfig {
return &configv1alpha1.CredentialIssuerConfig{ return &configv1alpha1.CredentialIssuerConfig{
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerConfigName, Name: credentialIssuerConfigName,
Namespace: credentialIssuerConfigNamespace, Namespace: credentialIssuerConfigNamespace,
Labels: credentialIssuerConfigLabels,
}, },
Status: configv1alpha1.CredentialIssuerConfigStatus{ Status: configv1alpha1.CredentialIssuerConfigStatus{
Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{}, Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{},

65
internal/controller/issuerconfig/create_or_update_credential_issuer_config_test.go
View File

@ -45,7 +45,15 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
when("the config does not exist", func() { when("the config does not exist", func() {
it("creates a new config which includes only the updates made by the func parameter", func() { it("creates a new config which includes only the updates made by the func parameter", func() {
err := CreateOrUpdateCredentialIssuerConfig(ctx, installationNamespace, credentialIssuerConfigResourceName, pinnipedAPIClient, err := CreateOrUpdateCredentialIssuerConfig(
ctx,
installationNamespace,
credentialIssuerConfigResourceName,
map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
pinnipedAPIClient,
func(configToUpdate *configv1alpha1.CredentialIssuerConfig) { func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
configToUpdate.Status.KubeConfigInfo = &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{ configToUpdate.Status.KubeConfigInfo = &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
CertificateAuthorityData: "some-ca-value", CertificateAuthorityData: "some-ca-value",
@ -64,6 +72,10 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerConfigResourceName, Name: credentialIssuerConfigResourceName,
Namespace: installationNamespace, Namespace: installationNamespace,
Labels: map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
}, },
Status: configv1alpha1.CredentialIssuerConfigStatus{ Status: configv1alpha1.CredentialIssuerConfigStatus{
Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{}, Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{},
@ -86,7 +98,12 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
}) })
it("returns an error", func() { it("returns an error", func() {
err := CreateOrUpdateCredentialIssuerConfig(ctx, installationNamespace, credentialIssuerConfigResourceName, pinnipedAPIClient, err := CreateOrUpdateCredentialIssuerConfig(
ctx,
installationNamespace,
credentialIssuerConfigResourceName,
map[string]string{},
pinnipedAPIClient,
func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {}, func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {},
) )
r.EqualError(err, "could not create or update credentialissuerconfig: create failed: error on create") r.EqualError(err, "could not create or update credentialissuerconfig: create failed: error on create")
@ -103,6 +120,9 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerConfigResourceName, Name: credentialIssuerConfigResourceName,
Namespace: installationNamespace, Namespace: installationNamespace,
Labels: map[string]string{
"myLabelKey1": "myLabelValue1",
},
}, },
Status: configv1alpha1.CredentialIssuerConfigStatus{ Status: configv1alpha1.CredentialIssuerConfigStatus{
Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{ Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{
@ -124,7 +144,15 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
}) })
it("updates the existing config to only apply the updates made by the func parameter", func() { it("updates the existing config to only apply the updates made by the func parameter", func() {
err := CreateOrUpdateCredentialIssuerConfig(ctx, installationNamespace, credentialIssuerConfigResourceName, pinnipedAPIClient, err := CreateOrUpdateCredentialIssuerConfig(
ctx,
installationNamespace,
credentialIssuerConfigResourceName,
map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
pinnipedAPIClient,
func(configToUpdate *configv1alpha1.CredentialIssuerConfig) { func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value" configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
}, },
@ -142,7 +170,12 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
}) })
it("avoids the cost of an update if the local updates made by the func parameter did not actually change anything", func() { it("avoids the cost of an update if the local updates made by the func parameter did not actually change anything", func() {
err := CreateOrUpdateCredentialIssuerConfig(ctx, installationNamespace, credentialIssuerConfigResourceName, pinnipedAPIClient, err := CreateOrUpdateCredentialIssuerConfig(
ctx,
installationNamespace,
credentialIssuerConfigResourceName,
map[string]string{},
pinnipedAPIClient,
func(configToUpdate *configv1alpha1.CredentialIssuerConfig) { func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "initial-ca-value" configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "initial-ca-value"
@ -166,7 +199,12 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
}) })
it("returns an error", func() { it("returns an error", func() {
err := CreateOrUpdateCredentialIssuerConfig(ctx, installationNamespace, credentialIssuerConfigResourceName, pinnipedAPIClient, err := CreateOrUpdateCredentialIssuerConfig(
ctx,
installationNamespace,
credentialIssuerConfigResourceName,
map[string]string{},
pinnipedAPIClient,
func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {}, func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {},
) )
r.EqualError(err, "could not create or update credentialissuerconfig: get failed: error on get") r.EqualError(err, "could not create or update credentialissuerconfig: get failed: error on get")
@ -181,7 +219,12 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
}) })
it("returns an error", func() { it("returns an error", func() {
err := CreateOrUpdateCredentialIssuerConfig(ctx, installationNamespace, credentialIssuerConfigResourceName, pinnipedAPIClient, err := CreateOrUpdateCredentialIssuerConfig(
ctx,
installationNamespace,
credentialIssuerConfigResourceName,
map[string]string{},
pinnipedAPIClient,
func(configToUpdate *configv1alpha1.CredentialIssuerConfig) { func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value" configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
}, },
@ -215,7 +258,15 @@ func TestCreateOrUpdateCredentialIssuerConfig(t *testing.T) {
}) })
it("retries updates on conflict", func() { it("retries updates on conflict", func() {
err := CreateOrUpdateCredentialIssuerConfig(ctx, installationNamespace, credentialIssuerConfigResourceName, pinnipedAPIClient, err := CreateOrUpdateCredentialIssuerConfig(
ctx,
installationNamespace,
credentialIssuerConfigResourceName,
map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
pinnipedAPIClient,
func(configToUpdate *configv1alpha1.CredentialIssuerConfig) { func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value" configToUpdate.Status.KubeConfigInfo.CertificateAuthorityData = "new-ca-value"
}, },

4
internal/controller/issuerconfig/kube_config_info_publisher.go
View File

@ -27,6 +27,7 @@ const (
type kubeConigInfoPublisherController struct { type kubeConigInfoPublisherController struct {
credentialIssuerConfigNamespaceName string credentialIssuerConfigNamespaceName string
credentialIssuerConfigResourceName string credentialIssuerConfigResourceName string
credentialIssuerConfigLabels map[string]string
serverOverride *string serverOverride *string
pinnipedClient pinnipedclientset.Interface pinnipedClient pinnipedclientset.Interface
configMapInformer corev1informers.ConfigMapInformer configMapInformer corev1informers.ConfigMapInformer
@ -38,6 +39,7 @@ type kubeConigInfoPublisherController struct {
func NewKubeConfigInfoPublisherController( func NewKubeConfigInfoPublisherController(
credentialIssuerConfigNamespaceName string, credentialIssuerConfigNamespaceName string,
credentialIssuerConfigResourceName string, credentialIssuerConfigResourceName string,
credentialIssuerConfigLabels map[string]string,
serverOverride *string, serverOverride *string,
pinnipedClient pinnipedclientset.Interface, pinnipedClient pinnipedclientset.Interface,
configMapInformer corev1informers.ConfigMapInformer, configMapInformer corev1informers.ConfigMapInformer,
@ -49,6 +51,7 @@ func NewKubeConfigInfoPublisherController(
Syncer: &kubeConigInfoPublisherController{ Syncer: &kubeConigInfoPublisherController{
credentialIssuerConfigResourceName: credentialIssuerConfigResourceName, credentialIssuerConfigResourceName: credentialIssuerConfigResourceName,
credentialIssuerConfigNamespaceName: credentialIssuerConfigNamespaceName, credentialIssuerConfigNamespaceName: credentialIssuerConfigNamespaceName,
credentialIssuerConfigLabels: credentialIssuerConfigLabels,
serverOverride: serverOverride, serverOverride: serverOverride,
pinnipedClient: pinnipedClient, pinnipedClient: pinnipedClient,
configMapInformer: configMapInformer, configMapInformer: configMapInformer,
@ -114,6 +117,7 @@ func (c *kubeConigInfoPublisherController) Sync(ctx controllerlib.Context) error
ctx.Context, ctx.Context,
c.credentialIssuerConfigNamespaceName, c.credentialIssuerConfigNamespaceName,
c.credentialIssuerConfigResourceName, c.credentialIssuerConfigResourceName,
c.credentialIssuerConfigLabels,
c.pinnipedClient, c.pinnipedClient,
updateServerAndCAFunc, updateServerAndCAFunc,
) )

9
internal/controller/issuerconfig/kube_config_info_publisher_test.go
View File

@ -43,6 +43,7 @@ func TestInformerFilters(t *testing.T) {
_ = NewKubeConfigInfoPublisherController( _ = NewKubeConfigInfoPublisherController(
installedInNamespace, installedInNamespace,
credentialIssuerConfigResourceName, credentialIssuerConfigResourceName,
map[string]string{},
nil, nil,
nil, nil,
configMapInformer, configMapInformer,
@ -127,6 +128,10 @@ func TestSync(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerConfigResourceName, Name: credentialIssuerConfigResourceName,
Namespace: expectedNamespace, Namespace: expectedNamespace,
Labels: map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
}, },
Status: configv1alpha1.CredentialIssuerConfigStatus{ Status: configv1alpha1.CredentialIssuerConfigStatus{
Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{}, Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{},
@ -146,6 +151,10 @@ func TestSync(t *testing.T) {
subject = NewKubeConfigInfoPublisherController( subject = NewKubeConfigInfoPublisherController(
installedInNamespace, installedInNamespace,
credentialIssuerConfigResourceName, credentialIssuerConfigResourceName,
map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
serverOverride, serverOverride,
pinnipedAPIClient, pinnipedAPIClient,
kubeInformers.Core().V1().ConfigMaps(), kubeInformers.Core().V1().ConfigMaps(),

8
internal/controller/kubecertagent/annotater.go
View File

@ -122,13 +122,7 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
keyPath, keyPath,
); err != nil { ); err != nil {
err = fmt.Errorf("cannot update agent pod: %w", err) err = fmt.Errorf("cannot update agent pod: %w", err)
strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig( strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig(ctx.Context, *c.credentialIssuerConfigLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
ctx.Context,
*c.credentialIssuerConfigLocationConfig,
c.clock,
c.pinnipedAPIClient,
err,
)
if strategyResultUpdateErr != nil { if strategyResultUpdateErr != nil {
// If the CIC update fails, then we probably want to try again. This controller will get // If the CIC update fails, then we probably want to try again. This controller will get
// called again because of the pod create failure, so just try the CIC update again then. // called again because of the pod create failure, so just try the CIC update again then.

5
internal/controller/kubecertagent/creater.go
View File

@ -23,6 +23,7 @@ import (
type createrController struct { type createrController struct {
agentPodConfig *AgentPodConfig agentPodConfig *AgentPodConfig
credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig
credentialIssuerConfigLabels map[string]string
clock clock.Clock clock clock.Clock
k8sClient kubernetes.Interface k8sClient kubernetes.Interface
pinnipedAPIClient pinnipedclientset.Interface pinnipedAPIClient pinnipedclientset.Interface
@ -38,6 +39,7 @@ type createrController struct {
func NewCreaterController( func NewCreaterController(
agentPodConfig *AgentPodConfig, agentPodConfig *AgentPodConfig,
credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig, credentialIssuerConfigLocationConfig *CredentialIssuerConfigLocationConfig,
credentialIssuerConfigLabels map[string]string,
clock clock.Clock, clock clock.Clock,
k8sClient kubernetes.Interface, k8sClient kubernetes.Interface,
pinnipedAPIClient pinnipedclientset.Interface, pinnipedAPIClient pinnipedclientset.Interface,
@ -53,6 +55,7 @@ func NewCreaterController(
Syncer: &createrController{ Syncer: &createrController{
agentPodConfig: agentPodConfig, agentPodConfig: agentPodConfig,
credentialIssuerConfigLocationConfig: credentialIssuerConfigLocationConfig, credentialIssuerConfigLocationConfig: credentialIssuerConfigLocationConfig,
credentialIssuerConfigLabels: credentialIssuerConfigLabels,
clock: clock, clock: clock,
k8sClient: k8sClient, k8sClient: k8sClient,
pinnipedAPIClient: pinnipedAPIClient, pinnipedAPIClient: pinnipedAPIClient,
@ -95,6 +98,7 @@ func (c *createrController) Sync(ctx controllerlib.Context) error {
return createOrUpdateCredentialIssuerConfig( return createOrUpdateCredentialIssuerConfig(
ctx.Context, ctx.Context,
*c.credentialIssuerConfigLocationConfig, *c.credentialIssuerConfigLocationConfig,
c.credentialIssuerConfigLabels,
c.clock, c.clock,
c.pinnipedAPIClient, c.pinnipedAPIClient,
constable.Error("did not find kube-controller-manager pod(s)"), constable.Error("did not find kube-controller-manager pod(s)"),
@ -129,6 +133,7 @@ func (c *createrController) Sync(ctx controllerlib.Context) error {
strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig( strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig(
ctx.Context, ctx.Context,
*c.credentialIssuerConfigLocationConfig, *c.credentialIssuerConfigLocationConfig,
c.credentialIssuerConfigLabels,
c.clock, c.clock,
c.pinnipedAPIClient, c.pinnipedAPIClient,
err, err,

22
internal/controller/kubecertagent/creater_test.go
View File

@ -42,7 +42,8 @@ func TestCreaterControllerFilter(t *testing.T) {
_ = NewCreaterController( _ = NewCreaterController(
agentPodConfig, agentPodConfig,
credentialIssuerConfigLocationConfig, credentialIssuerConfigLocationConfig,
nil, // clock, shound't matter map[string]string{},
nil, // clock, shouldn't matter
nil, // k8sClient, shouldn't matter nil, // k8sClient, shouldn't matter
nil, // pinnipedAPIClient, shouldn't matter nil, // pinnipedAPIClient, shouldn't matter
kubeSystemPodInformer, kubeSystemPodInformer,
@ -66,7 +67,8 @@ func TestCreaterControllerInitialEvent(t *testing.T) {
_ = NewCreaterController( _ = NewCreaterController(
nil, // agentPodConfig, shouldn't matter nil, // agentPodConfig, shouldn't matter
nil, // credentialIssuerConfigLocationConfig, shouldn't matter nil, // credentialIssuerConfigLocationConfig, shouldn't matter
nil, // clock, shound't matter map[string]string{},
nil, // clock, shouldn't matter
nil, // k8sClient, shouldn't matter nil, // k8sClient, shouldn't matter
nil, // pinnipedAPIClient, shouldn't matter nil, // pinnipedAPIClient, shouldn't matter
kubeSystemInformers.Core().V1().Pods(), kubeSystemInformers.Core().V1().Pods(),
@ -111,11 +113,19 @@ func TestCreaterControllerSync(t *testing.T) {
ContainerImage: "some-agent-image", ContainerImage: "some-agent-image",
PodNamePrefix: "some-agent-name-", PodNamePrefix: "some-agent-name-",
ContainerImagePullSecrets: []string{"some-image-pull-secret"}, ContainerImagePullSecrets: []string{"some-image-pull-secret"},
AdditionalLabels: map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
}, },
&CredentialIssuerConfigLocationConfig{ &CredentialIssuerConfigLocationConfig{
Namespace: credentialIssuerConfigNamespaceName, Namespace: credentialIssuerConfigNamespaceName,
Name: credentialIssuerConfigResourceName, Name: credentialIssuerConfigResourceName,
}, },
map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
clock.NewFakeClock(frozenNow), clock.NewFakeClock(frozenNow),
kubeAPIClient, kubeAPIClient,
pinnipedAPIClient, pinnipedAPIClient,
@ -361,6 +371,10 @@ func TestCreaterControllerSync(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerConfigResourceName, Name: credentialIssuerConfigResourceName,
Namespace: credentialIssuerConfigNamespaceName, Namespace: credentialIssuerConfigNamespaceName,
Labels: map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
}, },
Status: configv1alpha1.CredentialIssuerConfigStatus{ Status: configv1alpha1.CredentialIssuerConfigStatus{
Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{ Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{
@ -502,6 +516,10 @@ func TestCreaterControllerSync(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerConfigResourceName, Name: credentialIssuerConfigResourceName,
Namespace: credentialIssuerConfigNamespaceName, Namespace: credentialIssuerConfigNamespaceName,
Labels: map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
}, },
Status: configv1alpha1.CredentialIssuerConfigStatus{ Status: configv1alpha1.CredentialIssuerConfigStatus{
Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{ Strategies: []configv1alpha1.CredentialIssuerConfigStrategy{

24
internal/controller/kubecertagent/execer.go
View File

@ -87,39 +87,21 @@ func (c *execerController) Sync(ctx controllerlib.Context) error {
certPEM, err := c.podCommandExecutor.Exec(agentPod.Namespace, agentPod.Name, "cat", certPath) certPEM, err := c.podCommandExecutor.Exec(agentPod.Namespace, agentPod.Name, "cat", certPath)
if err != nil { if err != nil {
strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig( strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig(ctx.Context, *c.credentialIssuerConfigLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
ctx.Context,
*c.credentialIssuerConfigLocationConfig,
c.clock,
c.pinnipedAPIClient,
err,
)
klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuerConfig with strategy success") klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuerConfig with strategy success")
return err return err
} }
keyPEM, err := c.podCommandExecutor.Exec(agentPod.Namespace, agentPod.Name, "cat", keyPath) keyPEM, err := c.podCommandExecutor.Exec(agentPod.Namespace, agentPod.Name, "cat", keyPath)
if err != nil { if err != nil {
strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig( strategyResultUpdateErr := createOrUpdateCredentialIssuerConfig(ctx.Context, *c.credentialIssuerConfigLocationConfig, nil, c.clock, c.pinnipedAPIClient, err)
ctx.Context,
*c.credentialIssuerConfigLocationConfig,
c.clock,
c.pinnipedAPIClient,
err,
)
klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuerConfig with strategy success") klog.ErrorS(strategyResultUpdateErr, "could not create or update CredentialIssuerConfig with strategy success")
return err return err
} }
c.dynamicCertProvider.Set([]byte(certPEM), []byte(keyPEM)) c.dynamicCertProvider.Set([]byte(certPEM), []byte(keyPEM))
err = createOrUpdateCredentialIssuerConfig( err = createOrUpdateCredentialIssuerConfig(ctx.Context, *c.credentialIssuerConfigLocationConfig, nil, c.clock, c.pinnipedAPIClient, nil)
ctx.Context,
*c.credentialIssuerConfigLocationConfig,
c.clock,
c.pinnipedAPIClient,
nil, // nil error = success! yay!
)
if err != nil { if err != nil {
return err return err
} }

16
internal/controller/kubecertagent/kubecertagent.go
View File

@ -61,12 +61,15 @@ type AgentPodConfig struct {
// The container image used for the agent pods. // The container image used for the agent pods.
ContainerImage string ContainerImage string
// The name prefix for each of the agent pods. // The name prefix for each of the agent pods.
PodNamePrefix string PodNamePrefix string
// ContainerImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as // ContainerImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
// ImagePullSecrets on the kube-cert-agent pods. // ImagePullSecrets on the kube-cert-agent pods.
ContainerImagePullSecrets []string ContainerImagePullSecrets []string
// Additional labels that should be added to every agent pod during creation.
AdditionalLabels map[string]string
} }
type CredentialIssuerConfigLocationConfig struct { type CredentialIssuerConfigLocationConfig struct {
@ -78,9 +81,13 @@ type CredentialIssuerConfigLocationConfig struct {
} }
func (c *AgentPodConfig) Labels() map[string]string { func (c *AgentPodConfig) Labels() map[string]string {
return map[string]string{ labels := map[string]string{
agentPodLabelKey: agentPodLabelValue, agentPodLabelKey: agentPodLabelValue,
} }
for k, v := range c.AdditionalLabels {
labels[k] = v
}
return labels
} }
func (c *AgentPodConfig) PodTemplate() *corev1.Pod { func (c *AgentPodConfig) PodTemplate() *corev1.Pod {
@ -258,9 +265,9 @@ func findControllerManagerPodForSpecificAgentPod(
return maybeControllerManagerPod, nil return maybeControllerManagerPod, nil
} }
func createOrUpdateCredentialIssuerConfig( func createOrUpdateCredentialIssuerConfig(ctx context.Context,
ctx context.Context,
cicConfig CredentialIssuerConfigLocationConfig, cicConfig CredentialIssuerConfigLocationConfig,
credentialIssuerConfigLabels map[string]string,
clock clock.Clock, clock clock.Clock,
pinnipedAPIClient pinnipedclientset.Interface, pinnipedAPIClient pinnipedclientset.Interface,
err error, err error,
@ -269,6 +276,7 @@ func createOrUpdateCredentialIssuerConfig(
ctx, ctx,
cicConfig.Namespace, cicConfig.Namespace,
cicConfig.Name, cicConfig.Name,
credentialIssuerConfigLabels,
pinnipedAPIClient, pinnipedAPIClient,
func(configToUpdate *configv1alpha1.CredentialIssuerConfig) { func(configToUpdate *configv1alpha1.CredentialIssuerConfig) {
var strategyResult configv1alpha1.CredentialIssuerConfigStrategy var strategyResult configv1alpha1.CredentialIssuerConfigStrategy

2
internal/controller/kubecertagent/kubecertagent_test.go
View File

@ -79,6 +79,8 @@ func exampleControllerManagerAndAgentPods(
Namespace: agentPodNamespace, Namespace: agentPodNamespace,
Labels: map[string]string{ Labels: map[string]string{
"kube-cert-agent.pinniped.dev": "true", "kube-cert-agent.pinniped.dev": "true",
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
}, },
Annotations: map[string]string{ Annotations: map[string]string{
"kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name, "kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name,

7
internal/controllermanager/prepare_controllers.go
View File

@ -72,6 +72,9 @@ type Config struct {
// IDPCache is a cache of authenticators shared amongst various IDP-related controllers. // IDPCache is a cache of authenticators shared amongst various IDP-related controllers.
IDPCache *idpcache.Cache IDPCache *idpcache.Cache
// Labels are labels that should be added to any resources created by the controllers.
Labels map[string]string
} }
// Prepare the controllers and their informers and return a function that will start them when called. // Prepare the controllers and their informers and return a function that will start them when called.
@ -96,6 +99,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
ContainerImage: *c.KubeCertAgentConfig.Image, ContainerImage: *c.KubeCertAgentConfig.Image,
PodNamePrefix: *c.KubeCertAgentConfig.NamePrefix, PodNamePrefix: *c.KubeCertAgentConfig.NamePrefix,
ContainerImagePullSecrets: c.KubeCertAgentConfig.ImagePullSecrets, ContainerImagePullSecrets: c.KubeCertAgentConfig.ImagePullSecrets,
AdditionalLabels: c.Labels,
} }
credentialIssuerConfigLocationConfig := &kubecertagent.CredentialIssuerConfigLocationConfig{ credentialIssuerConfigLocationConfig := &kubecertagent.CredentialIssuerConfigLocationConfig{
Namespace: c.ServerInstallationNamespace, Namespace: c.ServerInstallationNamespace,
@ -112,6 +116,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
issuerconfig.NewKubeConfigInfoPublisherController( issuerconfig.NewKubeConfigInfoPublisherController(
c.ServerInstallationNamespace, c.ServerInstallationNamespace,
c.NamesConfig.CredentialIssuerConfig, c.NamesConfig.CredentialIssuerConfig,
c.Labels,
c.DiscoveryURLOverride, c.DiscoveryURLOverride,
pinnipedClient, pinnipedClient,
informers.kubePublicNamespaceK8s.Core().V1().ConfigMaps(), informers.kubePublicNamespaceK8s.Core().V1().ConfigMaps(),
@ -125,6 +130,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
apicerts.NewCertsManagerController( apicerts.NewCertsManagerController(
c.ServerInstallationNamespace, c.ServerInstallationNamespace,
c.NamesConfig.ServingCertificateSecret, c.NamesConfig.ServingCertificateSecret,
c.Labels,
k8sClient, k8sClient,
informers.installationNamespaceK8s.Core().V1().Secrets(), informers.installationNamespaceK8s.Core().V1().Secrets(),
controllerlib.WithInformer, controllerlib.WithInformer,
@ -174,6 +180,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
kubecertagent.NewCreaterController( kubecertagent.NewCreaterController(
agentPodConfig, agentPodConfig,
credentialIssuerConfigLocationConfig, credentialIssuerConfigLocationConfig,
c.Labels,
clock.RealClock{}, clock.RealClock{},
k8sClient, k8sClient,
pinnipedClient, pinnipedClient,

1
pkg/config/api/types.go
View File

@ -9,6 +9,7 @@ type Config struct {
APIConfig APIConfigSpec `json:"api"` APIConfig APIConfigSpec `json:"api"`
NamesConfig NamesConfigSpec `json:"names"` NamesConfig NamesConfigSpec `json:"names"`
KubeCertAgentConfig KubeCertAgentSpec `json:"kubeCertAgent"` KubeCertAgentConfig KubeCertAgentSpec `json:"kubeCertAgent"`
Labels map[string]string `json:"labels"`
} }
// DiscoveryInfoSpec contains configuration knobs specific to // DiscoveryInfoSpec contains configuration knobs specific to

4
pkg/config/config.go
View File

@ -50,6 +50,10 @@ func FromPath(path string) (*api.Config, error) {
return nil, fmt.Errorf("validate names: %w", err) return nil, fmt.Errorf("validate names: %w", err)
} }
if config.Labels == nil {
config.Labels = make(map[string]string)
}
return &config, nil return &config, nil
} }

8
pkg/config/config_test.go
View File

@ -36,6 +36,9 @@ func TestFromPath(t *testing.T) {
credentialIssuerConfig: pinniped-config credentialIssuerConfig: pinniped-config
apiService: pinniped-api apiService: pinniped-api
kubeCertAgentPrefix: kube-cert-agent-prefix kubeCertAgentPrefix: kube-cert-agent-prefix
labels:
myLabelKey1: myLabelValue1
myLabelKey2: myLabelValue2
KubeCertAgent: KubeCertAgent:
namePrefix: kube-cert-agent-name-prefix- namePrefix: kube-cert-agent-name-prefix-
image: kube-cert-agent-image image: kube-cert-agent-image
@ -56,6 +59,10 @@ func TestFromPath(t *testing.T) {
CredentialIssuerConfig: "pinniped-config", CredentialIssuerConfig: "pinniped-config",
APIService: "pinniped-api", APIService: "pinniped-api",
}, },
Labels: map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
KubeCertAgentConfig: api.KubeCertAgentSpec{ KubeCertAgentConfig: api.KubeCertAgentSpec{
NamePrefix: stringPtr("kube-cert-agent-name-prefix-"), NamePrefix: stringPtr("kube-cert-agent-name-prefix-"),
Image: stringPtr("kube-cert-agent-image"), Image: stringPtr("kube-cert-agent-image"),
@ -87,6 +94,7 @@ func TestFromPath(t *testing.T) {
CredentialIssuerConfig: "pinniped-config", CredentialIssuerConfig: "pinniped-config",
APIService: "pinniped-api", APIService: "pinniped-api",
}, },
Labels: map[string]string{},
KubeCertAgentConfig: api.KubeCertAgentSpec{ KubeCertAgentConfig: api.KubeCertAgentSpec{
NamePrefix: stringPtr("pinniped-kube-cert-agent-"), NamePrefix: stringPtr("pinniped-kube-cert-agent-"),
Image: stringPtr("debian:latest"), Image: stringPtr("debian:latest"),

8
test/integration/concierge_api_serving_certs_test.go
View File

@ -90,6 +90,10 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
require.NotEmpty(t, initialCACert) require.NotEmpty(t, initialCACert)
require.NotEmpty(t, initialPrivateKey) require.NotEmpty(t, initialPrivateKey)
require.NotEmpty(t, initialCertChain) require.NotEmpty(t, initialCertChain)
for k, v := range env.ConciergeCustomLabels {
require.Equalf(t, v, secret.Labels[k], "expected secret to have label %s: %s", k, v)
}
require.Equal(t, env.ConciergeAppName, secret.Labels["app"])
// Check that the APIService has the same CA. // Check that the APIService has the same CA.
apiService, err := aggregatedClient.ApiregistrationV1().APIServices().Get(ctx, apiServiceName, metav1.GetOptions{}) apiService, err := aggregatedClient.ApiregistrationV1().APIServices().Get(ctx, apiServiceName, metav1.GetOptions{})
@ -115,6 +119,10 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
require.NotEqual(t, initialCACert, regeneratedCACert) require.NotEqual(t, initialCACert, regeneratedCACert)
require.NotEqual(t, initialPrivateKey, regeneratedPrivateKey) require.NotEqual(t, initialPrivateKey, regeneratedPrivateKey)
require.NotEqual(t, initialCertChain, regeneratedCertChain) require.NotEqual(t, initialCertChain, regeneratedCertChain)
for k, v := range env.ConciergeCustomLabels {
require.Equalf(t, v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
}
require.Equal(t, env.ConciergeAppName, secret.Labels["app"])
// Expect that the APIService was also updated with the new CA. // Expect that the APIService was also updated with the new CA.
aggregatedAPIUpdated := func() bool { aggregatedAPIUpdated := func() bool {

6
test/integration/concierge_credentialissuerconfig_test.go
View File

@ -33,8 +33,14 @@ func TestCredentialIssuerConfig(t *testing.T) {
require.Len(t, actualConfigList.Items, 1) require.Len(t, actualConfigList.Items, 1)
actualConfig := actualConfigList.Items[0]
actualStatusKubeConfigInfo := actualConfigList.Items[0].Status.KubeConfigInfo actualStatusKubeConfigInfo := actualConfigList.Items[0].Status.KubeConfigInfo
for k, v := range env.ConciergeCustomLabels {
require.Equalf(t, v, actualConfig.Labels[k], "expected cic to have label `%s: %s`", k, v)
}
require.Equal(t, env.ConciergeAppName, actualConfig.Labels["app"])
// Verify the cluster strategy status based on what's expected of the test cluster's ability to share signing keys. // Verify the cluster strategy status based on what's expected of the test cluster's ability to share signing keys.
actualStatusStrategies := actualConfigList.Items[0].Status.Strategies actualStatusStrategies := actualConfigList.Items[0].Status.Strategies
require.Len(t, actualStatusStrategies, 1) require.Len(t, actualStatusStrategies, 1)

8
test/integration/concierge_kubecertagent_test.go
View File

@ -44,6 +44,14 @@ func TestKubeCertAgent(t *testing.T) {
require.NotEmpty(t, originalAgentPods.Items) require.NotEmpty(t, originalAgentPods.Items)
sortPods(originalAgentPods) sortPods(originalAgentPods)
for _, agentPod := range originalAgentPods.Items {
// All agent pods should contain all custom labels
for k, v := range env.ConciergeCustomLabels {
require.Equalf(t, v, agentPod.Labels[k], "expected agent pod to have label `%s: %s`", k, v)
}
require.Equal(t, env.ConciergeAppName, agentPod.Labels["app"])
}
agentPodsReconciled := func() bool { agentPodsReconciled := func() bool {
var currentAgentPods *corev1.PodList var currentAgentPods *corev1.PodList
currentAgentPods, err = kubeClient.CoreV1().Pods(env.ConciergeNamespace).List(ctx, metav1.ListOptions{ currentAgentPods, err = kubeClient.CoreV1().Pods(env.ConciergeNamespace).List(ctx, metav1.ListOptions{

29
test/library/env.go
View File

@ -26,13 +26,15 @@ const (
type TestEnv struct { type TestEnv struct {
t *testing.T t *testing.T
ConciergeNamespace string `json:"conciergeNamespace"` ConciergeNamespace string `json:"conciergeNamespace"`
SupervisorNamespace string `json:"supervisorNamespace"` SupervisorNamespace string `json:"supervisorNamespace"`
ConciergeAppName string `json:"conciergeAppName"` ConciergeAppName string `json:"conciergeAppName"`
SupervisorAppName string `json:"supervisorAppName"` SupervisorAppName string `json:"supervisorAppName"`
Capabilities map[Capability]bool `json:"capabilities"` SupervisorCustomLabels map[string]string `json:"supervisorCustomLabels"`
TestWebhook idpv1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"` ConciergeCustomLabels map[string]string `json:"conciergeCustomLabels"`
SupervisorAddress string `json:"supervisorAddress"` Capabilities map[Capability]bool `json:"capabilities"`
TestWebhook idpv1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"`
SupervisorAddress string `json:"supervisorAddress"`
TestUser struct { TestUser struct {
Token string `json:"token"` Token string `json:"token"`
@ -89,6 +91,19 @@ func IntegrationEnv(t *testing.T) *TestEnv {
result.SupervisorAddress = needEnv("PINNIPED_TEST_SUPERVISOR_ADDRESS") result.SupervisorAddress = needEnv("PINNIPED_TEST_SUPERVISOR_ADDRESS")
result.TestWebhook.TLS = &idpv1alpha1.TLSSpec{CertificateAuthorityData: needEnv("PINNIPED_TEST_WEBHOOK_CA_BUNDLE")} result.TestWebhook.TLS = &idpv1alpha1.TLSSpec{CertificateAuthorityData: needEnv("PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}
conciergeCustomLabelsYAML := needEnv("PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS")
var conciergeCustomLabels map[string]string
err = yaml.Unmarshal([]byte(conciergeCustomLabelsYAML), &conciergeCustomLabels)
require.NoErrorf(t, err, "PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS must be a YAML map of string to string")
result.ConciergeCustomLabels = conciergeCustomLabels
require.NotEmpty(t, result.ConciergeCustomLabels, "PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS cannot be empty")
supervisorCustomLabelsYAML := needEnv("PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS")
var supervisorCustomLabels map[string]string
err = yaml.Unmarshal([]byte(supervisorCustomLabelsYAML), &supervisorCustomLabels)
require.NoErrorf(t, err, "PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS must be a YAML map of string to string")
result.SupervisorCustomLabels = supervisorCustomLabels
require.NotEmpty(t, result.SupervisorCustomLabels, "PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS cannot be empty")
result.OIDCUpstream.Issuer = needEnv("PINNIPED_TEST_CLI_OIDC_ISSUER") result.OIDCUpstream.Issuer = needEnv("PINNIPED_TEST_CLI_OIDC_ISSUER")
result.OIDCUpstream.ClientID = needEnv("PINNIPED_TEST_CLI_OIDC_CLIENT_ID") result.OIDCUpstream.ClientID = needEnv("PINNIPED_TEST_CLI_OIDC_CLIENT_ID")
result.OIDCUpstream.LocalhostPort, _ = strconv.Atoi(needEnv("PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT")) result.OIDCUpstream.LocalhostPort, _ = strconv.Atoi(needEnv("PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT"))