add customer admin groups to auth configmap (#99)
* add customer admin groups to auth configmap

* remove migration test

* update rbac
anvddriesch authored Nov 30, 2023
1 parent cb7adda commit 2f4f609
Showing 11 changed files with 137 additions and 220 deletions.
8 changes: 8 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Added

- Add customer write-all groups to auth-configmap

### Removed

- Remove secret migration code

## [0.11.0] - 2023-11-28

### Added
50 changes: 25 additions & 25 deletions controllers/app_controller.go
Expand Up @@ -56,6 +56,7 @@ type AppReconciler struct {
ManagementCluster string
ProviderCredentials string
GiantswarmWriteAllGroups []string
CustomerWriteAllGroups []string
}

//+kubebuilder:rbac:groups=application.giantswarm.io.giantswarm,resources=apps,verbs=get;list;watch;create;update;patch;delete
Expand Down Expand Up @@ -86,44 +87,45 @@ func (r *AppReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.R
return ctrl.Result{}, err
}

var idpService *idp.Service
var authService *auth.Service
{
providers, err := r.GetProviders()
writeAllGroups, err := r.GetWriteAllGroups()
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}

c := idp.Config{
Log: &log,
Client: r.Client,
App: app,
Providers: providers,
ManagementClusterBaseDomain: r.BaseDomain,
ManagementClusterIssuerAddress: r.IssuerAddress,
ManagementClusterName: r.ManagementCluster,
c := auth.Config{
Log: &log,
Client: r.Client,
App: app,
ManagementClusterName: r.ManagementCluster,
ManagementClusterWriteAllGroups: writeAllGroups,
}

idpService, err = idp.New(c)
authService, err = auth.New(c)
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
}
var authService *auth.Service

var idpService *idp.Service
{
writeAllGroups, err := r.GetWriteAllGroups()
providers, err := r.GetProviders()
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}

c := auth.Config{
Log: &log,
Client: r.Client,
App: app,
ManagementClusterName: r.ManagementCluster,
WriteAllGroups: writeAllGroups,
c := idp.Config{
Log: &log,
Client: r.Client,
App: app,
Providers: providers,
ManagementClusterBaseDomain: r.BaseDomain,
ManagementClusterIssuerAddress: r.IssuerAddress,
ManagementClusterName: r.ManagementCluster,
}

authService, err = auth.New(c)
idpService, err = idp.New(c)
if err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
Expand Down Expand Up @@ -157,10 +159,10 @@ func (r *AppReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.R
log.Info("Added finalizer to dex app instance.")
}
// App is not deleted
if err := idpService.Reconcile(ctx); err != nil {
if err := authService.Reconcile(ctx); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
if err := authService.Reconcile(ctx); err != nil {
if err := idpService.Reconcile(ctx); err != nil {
return ctrl.Result{}, microerror.Mask(err)
}
return DefaultRequeue(), nil
Expand Down Expand Up @@ -218,9 +220,7 @@ func (r *AppReconciler) GetProviders() ([]provider.Provider, error) {
}

func (r *AppReconciler) GetWriteAllGroups() ([]string, error) {
// For now, we only return the global giantswarm write-all groups here.
// This could be changed to include specific ones to the app
return r.GiantswarmWriteAllGroups, nil
return append(r.GiantswarmWriteAllGroups, r.CustomerWriteAllGroups...), nil
}

func NewProvider(p provider.ProviderCredential, log *logr.Logger) (provider.Provider, error) {
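Review bot: The new body of `GetWriteAllGroups` appends directly onto `r.GiantswarmWriteAllGroups`, so when that slice has spare capacity the customer groups are written into its backing array and the field is silently mutated between calls; the slices produced by `strings.Split` in main.go happen to have no spare capacity, but the field is exported and nothing here guarantees its origin. Building the result in a fresh slice avoids the aliasing at no cost, and `slices.Concat` would do the same if the module is on Go 1.22 or later. The old explanatory comment was dropped with the change, so a doc comment on the exported method would also help, for example `// GetWriteAllGroups returns the Giant Swarm write-all groups followed by the customer write-all groups.`
```go
func (r *AppReconciler) GetWriteAllGroups() ([]string, error) {
	// Copy into a new slice so the receiver's fields are never aliased or mutated.
	groups := make([]string, 0, len(r.GiantswarmWriteAllGroups)+len(r.CustomerWriteAllGroups))
	groups = append(groups, r.GiantswarmWriteAllGroups...)
	groups = append(groups, r.CustomerWriteAllGroups...)
	return groups, nil
}
```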
102 changes: 0 additions & 102 deletions controllers/app_controller_test.go
Expand Up @@ -163,106 +163,4 @@ var _ = Describe("App controller", func() {
}, timeout, interval).Should(BeTrue())
})
})
const (
SecondAppNamespace = "test-namespace-2"
)

Context("When reconciling an app with vintage dex config secret", func() {
It("Should update to new dex config secret", func() {
ctx := context.Background()
By("Creating the namespace")
namespace := &corev1.Namespace{
ObjectMeta: metav1.ObjectMeta{
Name: SecondAppNamespace,
},
}
Expect(k8sClient.Create(ctx, namespace)).Should(Succeed())

By("Creating the app")
app := &v1alpha1.App{
TypeMeta: metav1.TypeMeta{
APIVersion: "application.giantswarm.io/v1alpha1",
Kind: "App",
},
ObjectMeta: metav1.ObjectMeta{
Name: AppName,
Namespace: SecondAppNamespace,
},
Spec: v1alpha1.AppSpec{
ExtraConfigs: []v1alpha1.AppExtraConfig{
idp.GetVintageDexSecretConfig(SecondAppNamespace),
},
},
}
Expect(k8sClient.Create(ctx, app)).Should(Succeed())
appLookupKey := types.NamespacedName{Name: AppName, Namespace: SecondAppNamespace}
createdApp := &v1alpha1.App{}

// We'll need to retry getting this newly created App, given that creation may not immediately happen.
Eventually(func() ([]v1alpha1.AppExtraConfig, error) {
err := k8sClient.Get(ctx, appLookupKey, createdApp)
if err != nil {
return nil, microerror.Mask(err)
}
return createdApp.Spec.ExtraConfigs, nil
}, duration, interval).Should(Equal([]v1alpha1.AppExtraConfig{
idp.GetVintageDexSecretConfig(SecondAppNamespace),
}))

By("Creating the vintage secret")
vintageSecret := idp.GetDefaultDexConfigSecret(key.DexConfigName, SecondAppNamespace)
content, err := os.ReadFile(expectedContentFile)
Expect(err).NotTo(HaveOccurred())
vintageSecret.Data[dexConfigSecretKey] = []byte(strings.TrimSpace(string(content)))
Expect(k8sClient.Create(ctx, vintageSecret)).Should(Succeed())
vintageSecretLookupKey := types.NamespacedName{Name: key.DexConfigName, Namespace: SecondAppNamespace}
createdvintageSecret := &corev1.Secret{}

// We'll need to retry getting this newly created Secret, given that creation may not immediately happen.
Eventually(func() bool {
err := k8sClient.Get(ctx, vintageSecretLookupKey, createdvintageSecret)
return err == nil
}, timeout, interval).Should(BeTrue())

By("Adding the label to the app")
app.SetLabels(map[string]string{key.AppLabel: key.DexAppLabelValue})
Expect(k8sClient.Update(ctx, app)).Should(Succeed())

createdApp = &v1alpha1.App{}
Eventually(func() bool {
err := k8sClient.Get(ctx, appLookupKey, createdApp)
return err == nil
}, timeout, interval).Should(BeTrue())
Expect(createdApp.GetLabels()[key.AppLabel]).Should(Equal(key.DexAppLabelValue))

createdApp = &v1alpha1.App{}
By("Checking the app extra config was added and the old one removed")
Eventually(func() ([]v1alpha1.AppExtraConfig, error) {
err := k8sClient.Get(ctx, appLookupKey, createdApp)
if err != nil {
return nil, microerror.Mask(err)
}
return createdApp.Spec.ExtraConfigs, nil
}, duration, interval).Should(Equal([]v1alpha1.AppExtraConfig{
idp.GetDexSecretConfig(types.NamespacedName{Name: AppName, Namespace: SecondAppNamespace}),
}))

By("Checking the dex config secret was created and contents were copied")
secretLookupKey := types.NamespacedName{Name: key.GetDexConfigName(AppName), Namespace: SecondAppNamespace}
createdSecret := &corev1.Secret{}
Eventually(func() bool {
err := k8sClient.Get(ctx, secretLookupKey, createdSecret)
return err == nil
}, timeout, interval).Should(BeTrue())
Expect(createdSecret.Data).ShouldNot(BeNil())
Expect(createdSecret.Data).Should(HaveKey(dexConfigSecretKey))

By("Checking the vintage dex config secret was deleted")
Eventually(func() bool {
err := k8sClient.Get(ctx, vintageSecretLookupKey, createdvintageSecret)
return apierrors.IsNotFound(err)
}, timeout, interval).Should(BeTrue())
})
})

})
1 change: 1 addition & 0 deletions helm/dex-operator/templates/deployment.yaml
Expand Up @@ -38,6 +38,7 @@ spec:
- --management-cluster={{ .Values.managementCluster }}
- --issuer-address={{ .Values.issuerAddress }}
- --giantswarm-write-all-groups={{ join "," .Values.oidc.giantswarm.write_all_groups }}
- --customer-write-all-groups={{ join "," .Values.oidc.customer.write_all_groups }}
ports:
- containerPort: 8080
name: metrics
9 changes: 8 additions & 1 deletion helm/dex-operator/templates/rbac.yaml
Expand Up @@ -70,7 +70,14 @@ rules:
- update
- patch
- delete

- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
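Review bot: The new `rolebindings` rule gives no indication of which reconcile path needs it, and since the rule sits in a role that is bound by the `ClusterRoleBinding` below it presumably applies across all namespaces; a short comment above the rule naming the consumer would make later least-privilege reviews possible, e.g. `# auth service reads rolebindings to reconcile write-all group access`. If the auth service also creates or updates rolebindings (not visible in this commit), `get`/`list`/`watch` alone will fail at runtime, so the verb set should be checked against what the service actually does.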
3 changes: 3 additions & 0 deletions helm/dex-operator/values.schema.json
Expand Up @@ -40,6 +40,9 @@
"properties": {
"providers": {
"type": "array"
},
"write_all_groups": {
"type": "array"
}
}
},
1 change: 1 addition & 0 deletions helm/dex-operator/values.yaml
@@ -1,6 +1,7 @@
oidc:
customer:
providers: []
write_all_groups: []
giantswarm:
providers: []
write_all_groups: []
3 changes: 3 additions & 0 deletions main.go
Expand Up @@ -62,6 +62,7 @@ func main() {
metricsAddr string
probeAddr string
giantswarmWriteAllGroups string
customerWriteAllGroups string
)
flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
flag.StringVar(&idpCredentials, "idp-credentials-file", "/home/.idp/credentials", "The location of the idp credentials file.")
Expand All @@ -74,6 +75,7 @@ func main() {
flag.StringVar(&issuerAddress, "issuer-address", "", "URL of the identity issuer")
flag.StringVar(&managementCluster, "management-cluster", "", "Name of the management cluster.")
flag.StringVar(&giantswarmWriteAllGroups, "giantswarm-write-all-groups", "", "Comma separated list of giantswarm admin groups.")
flag.StringVar(&customerWriteAllGroups, "customer-write-all-groups", "", "Comma separated list of customer admin groups.")
opts := zap.Options{
Development: true,
TimeEncoder: zapcore.RFC3339TimeEncoder,
Expand Down Expand Up @@ -117,6 +119,7 @@ func main() {
LabelSelector: key.DexLabelSelector(),
ProviderCredentials: idpCredentials,
GiantswarmWriteAllGroups: strings.Split(giantswarmWriteAllGroups, ","),
CustomerWriteAllGroups: strings.Split(customerWriteAllGroups, ","),
}).SetupWithManager(mgr); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "App")
os.Exit(1)
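Review bot: `strings.Split(customerWriteAllGroups, ",")` on the new `CustomerWriteAllGroups` line yields `[]string{""}` when the flag keeps its default of `""`, which is exactly what the chart produces when `oidc.customer.write_all_groups` is left at its default `[]` (the template joins it to an empty string), so an empty group name is appended to the write-all list handed to the auth service on every unconfigured installation. Whether the auth service tolerates an empty group name is not visible here, but a group list should not carry one; the pre-existing giantswarm line has the same behavior. A small helper that trims entries and drops empties fixes both call sites; `main` continues outside the hunk.
```go
// splitGroups parses a comma-separated flag value into group names,
// trimming whitespace and dropping empty entries so an unset flag yields no groups.
func splitGroups(s string) []string {
	var groups []string
	for _, g := range strings.Split(s, ",") {
		if g = strings.TrimSpace(g); g != "" {
			groups = append(groups, g)
		}
	}
	return groups
}
// … unchanged: flag parsing and manager setup in main …
		GiantswarmWriteAllGroups: splitGroups(giantswarmWriteAllGroups),
		CustomerWriteAllGroups:   splitGroups(customerWriteAllGroups),
```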