djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Enhance Kube middleware to rewrite API group of ownerRefs on update verb

Browse Source 
When oidcclientsecretstorage.Set() wants to update the contents of the
storage Secret, it also wants to keep the original ownerRef of the
storage Secret, so it needs the middleware to rewrite the API group
of the ownerRef again during the update (just like it had initially done
during the create of the Secret).
This commit is contained in:
Ryan Richard 2022-09-21 21:30:44 -07:00
parent 31716358a9
commit ba98c8cc14
2 changed files with 42 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
internal/groupsuffix/groupsuffix.go
View File

@ -51,8 +51,11 @@ func New(apiGroupSuffix string) kubeclient.Middleware {
}), }),
kubeclient.MiddlewareFunc(func(_ context.Context, rt kubeclient.RoundTrip) { kubeclient.MiddlewareFunc(func(_ context.Context, rt kubeclient.RoundTrip) {
// we should not mess with owner refs on things we did not create // Only mess with ownerRefs on requests to perform edits.
if rt.Verb() != kubeclient.VerbCreate { // Not needed on deletes since the object is getting deleted anyway.
// WARNING: This code might need to be enhanced to handle the patch verb
// if we start using patches for objects that have ownerRefs.
if rt.Verb() != kubeclient.VerbCreate && rt.Verb() != kubeclient.VerbUpdate {
return return
} }

42
internal/groupsuffix/groupsuffix_test.go
View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package groupsuffix package groupsuffix
@ -302,7 +302,7 @@ func TestMiddlware(t *testing.T) {
wantResponseObj: podWithPinnipedOwner, wantResponseObj: podWithPinnipedOwner,
}, },
{ {
// test that multiple of our middleware request mutations play nicely with each other // test that multiple of our middleware request mutations play nicely with each other on create
name: "create resource with pinniped.dev and with owner ref that has pinniped.dev owner", name: "create resource with pinniped.dev and with owner ref that has pinniped.dev owner",
apiGroupSuffix: newSuffix, apiGroupSuffix: newSuffix,
rt: (&testutil.RoundTrip{}). rt: (&testutil.RoundTrip{}).
@ -317,25 +317,57 @@ func TestMiddlware(t *testing.T) {
wantResponseObj: federationDomainWithNewGroupAndPinnipedOwner, // the middleware will reset object GVK for us wantResponseObj: federationDomainWithNewGroupAndPinnipedOwner, // the middleware will reset object GVK for us
}, },
{ {
name: "update resource without pinniped.dev", // test that multiple of our middleware request mutations play nicely with each other on update
name: "update resource with pinniped.dev and with owner ref that has pinniped.dev owner",
apiGroupSuffix: newSuffix,
rt: (&testutil.RoundTrip{}).
WithVerb(kubeclient.VerbUpdate).
WithNamespace("some-namespace").
WithResource(configv1alpha1.SchemeGroupVersion.WithResource("federationdomains")),
requestObj: federationDomainWithPinnipedOwner,
responseObj: federationDomainWithNewGroupAndPinnipedOwnerWithNewGroup,
wantMutateRequests: 2,
wantMutateResponses: 1,
wantRequestObj: federationDomainWithNewGroupAndPinnipedOwnerWithNewGroup,
wantResponseObj: federationDomainWithNewGroupAndPinnipedOwner, // the middleware will reset object GVK for us
},
{
name: "update resource without pinniped.dev and without owner ref",
apiGroupSuffix: newSuffix, apiGroupSuffix: newSuffix,
rt: (&testutil.RoundTrip{}). rt: (&testutil.RoundTrip{}).
WithVerb(kubeclient.VerbUpdate). WithVerb(kubeclient.VerbUpdate).
WithNamespace("some-namespace"). WithNamespace("some-namespace").
WithResource(corev1.SchemeGroupVersion.WithResource("pods")), WithResource(corev1.SchemeGroupVersion.WithResource("pods")),
requestObj: podWithoutOwner,
responseObj: podWithoutOwner, responseObj: podWithoutOwner,
wantMutateRequests: 1,
wantMutateResponses: 1, wantMutateResponses: 1,
wantRequestObj: podWithoutOwner,
wantResponseObj: podWithoutOwner, wantResponseObj: podWithoutOwner,
}, },
{ {
name: "update resource with pinniped.dev", name: "update resource without pinniped.dev and with owner ref that has pinniped.dev owner",
apiGroupSuffix: newSuffix,
rt: (&testutil.RoundTrip{}).
WithVerb(kubeclient.VerbUpdate).
WithNamespace("some-namespace").
WithResource(corev1.SchemeGroupVersion.WithResource("pods")),
requestObj: podWithPinnipedOwner,
responseObj: podWithPinnipedOwnerWithNewGroup,
wantMutateRequests: 1,
wantMutateResponses: 1,
wantRequestObj: podWithPinnipedOwnerWithNewGroup,
wantResponseObj: podWithPinnipedOwner,
},
{
name: "update resource with pinniped.dev and without owner ref",
apiGroupSuffix: newSuffix, apiGroupSuffix: newSuffix,
rt: (&testutil.RoundTrip{}). rt: (&testutil.RoundTrip{}).
WithVerb(kubeclient.VerbUpdate). WithVerb(kubeclient.VerbUpdate).
WithResource(loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests")), WithResource(loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests")),
requestObj: tokenCredentialRequest, requestObj: tokenCredentialRequest,
responseObj: tokenCredentialRequestWithNewGroup, responseObj: tokenCredentialRequestWithNewGroup,
wantMutateRequests: 1, wantMutateRequests: 2,
wantMutateResponses: 1, wantMutateResponses: 1,
wantRequestObj: tokenCredentialRequestWithNewGroup, wantRequestObj: tokenCredentialRequestWithNewGroup,
wantResponseObj: tokenCredentialRequestWithNewGroup, // the middleware will reset object GVK for us wantResponseObj: tokenCredentialRequestWithNewGroup, // the middleware will reset object GVK for us