diff --git a/README.adoc b/README.adoc index ce70184..13c6117 100644 --- a/README.adoc +++ b/README.adoc @@ -58,7 +58,7 @@ NAME USERNAME COMPLETE REASON COMPLIANTUSERNAME ``` The first column is the name of the `UserSignup` resource. -To look-up a UserSignup resource from the user's email address, run: +To look up a UserSignup resource from the user's email address, run: in Linux: ``` ksctl get -t host usersignups -l toolchain.dev.openshift.com/email-hash=`echo -n | md5sum | cut -d ' ' -f 1` @@ -71,7 +71,7 @@ ksctl get -t host usersignups -l toolchain.dev.openshift.com/email-hash=`echo -n === Approving a user -To approve user, either use the user's email: +To approve a user, either use the user's email: ``` $ ksctl approve --email ``` @@ -81,7 +81,7 @@ or <>, and then run: $ ksctl approve --name ``` -WARNING: By default, the `approve` command checks if the user already initiated the phone verification process. To skip this check for the users or environments where the a phone verification is not required, use the `--skip-phone-check` flag. +WARNING: By default, the `approve` command checks if the user has already initiated the phone verification process. To skip this check for the users or environments where the phone verification is not required, use the `--skip-phone-check` flag. The command will print out additional information about the `UserSignup` resource to be approved and it will also ask for a confirmation. 
@@ -110,17 +110,17 @@ The command will print out additional information about the `UserSignup` resourc === Banning a user -To ban a user so the account is deprovisioned and the user is not able to sign up again, use the `ban` command. First <>, then run: +To ban a user which in turn de-provisions the account and doesn't allow the user to sign up again, use the `ban` command. First <>, second <>, then run: ``` -$ ksctl ban +$ ksctl ban ``` The command will print out additional information about the `UserSignup` resource to be banned and it will also ask for a confirmation. === Creating an Event -Social Events are a feature allowing users to sign up without having to go through the phone verification process. This is useful when running labs or workshops, as it lets attendees get up and running quickly without having to fulfil all the requirements of the standard signup process. +Social Events are a feature allowing users to sign up without having to go through the phone verification process. This is useful when running labs or workshops, as it lets attendees to get up and run it quickly without having to fulfill all the requirements of the standard sign up process. Social Events are temporary in nature; creating an event will produce a unique activation code that may be used for a predefined period of time, after which the code will no longer work. 
@@ -197,6 +197,17 @@ serviceAccounts: For each ServiceAccount defined in this section, the `ksctl generate cli-configs` generates a separate `ksctl.yaml` file with the corresponding cluster configuration and tokens. As an administrator of the clusters, run this command and distribute securely the generated `ksctl.yaml` files to other team members. +====== Testing the `ksctl generate cli-configs` command locally +1. Run `make install` +2. Create `kubesaw-admins.yaml` (as an example, check link:test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml[kubesaw-admins.yaml]) +3. Run `ksctl generate admin-manifests --kubesaw-admins /kubesaw-admins.yaml --out-dir ` +4. Create resources from the `` of the previous command. Please, note that you will need to create some namespaces manually (`oc create ns `), such as `sandbox-sre-host`, `first-component`, `second-component`, `some-component`, `sandbox-sre-member`, and `crw`, for example. +- Run `oc apply -k /host` +- Run `oc apply -k /member` +- Run `oc apply -k /member-3` +5. Run `ksctl generate cli-configs -k -c /kubesaw-admins.yaml` + + ==== Users The `ksctl` command can generate The `users` section contains definition for users, identities, and the permissions granted to them. diff --git a/cmd/user-identity-mapper/user_identity_mapper.go b/cmd/user-identity-mapper/user_identity_mapper.go index 51b779a..20a64af 100644 --- a/cmd/user-identity-mapper/user_identity_mapper.go +++ b/cmd/user-identity-mapper/user_identity_mapper.go @@ -16,7 +16,7 @@ func CreateUserIdentityMappings(ctx context.Context, logger *log.Logger, cl runt logger.Info("listing users...") users := &userv1.UserList{} if err := cl.List(ctx, users, runtimeclient.MatchingLabels{ - "provider": "sandbox-sre", + "provider": "ksctl", }); err != nil { return fmt.Errorf("unable to list users: %w", err) } 
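Review bot: The selector passed to cl.List now matches only `provider: ksctl`, so User objects on an already-provisioned cluster that still carry `provider: sandbox-sre` are silently skipped by CreateUserIdentityMappings and never get a UserIdentityMapping; the Identity selector in the next hunk (-24,7) has the same gap. Unless every existing User and Identity is relabelled before this build is rolled out, the transition needs either a documented migration step or a lister that accepts both values for a while (a label selector with an `In` requirement instead of the exact-match `MatchingLabels`). The remainder of CreateUserIdentityMappings lies outside the hunk, so I cannot tell whether a relabel happens elsewhere.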
@@ -24,7 +24,7 @@ func CreateUserIdentityMappings(ctx context.Context, logger *log.Logger, cl runt logger.Info("listing identities", "username", user.Name) identities := userv1.IdentityList{} if err := cl.List(ctx, &identities, runtimeclient.MatchingLabels{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": user.Name, }); err != nil { return fmt.Errorf("unable to list identities: %w", err) diff --git a/cmd/user-identity-mapper/user_identity_mapper_test.go b/cmd/user-identity-mapper/user_identity_mapper_test.go index 1ca8a8d..52cfa0d 100644 --- a/cmd/user-identity-mapper/user_identity_mapper_test.go +++ b/cmd/user-identity-mapper/user_identity_mapper_test.go @@ -29,7 +29,7 @@ func TestUserIdentityMapper(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "user1", Labels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", }, }, } @@ -37,7 +37,7 @@ func TestUserIdentityMapper(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "identity1", Labels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": "user1", }, }, @@ -46,7 +46,7 @@ func TestUserIdentityMapper(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "user2", Labels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", }, }, } @@ -54,7 +54,7 @@ func TestUserIdentityMapper(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "identity2", Labels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": "user2", }, }, @@ -62,14 +62,14 @@ func TestUserIdentityMapper(t *testing.T) { user3 := &userv1.User{ ObjectMeta: metav1.ObjectMeta{ Name: "user3", - // not managed by sandbox-sre + // not managed by ksctl }, } identity3 := &userv1.Identity{ ObjectMeta: metav1.ObjectMeta{ Name: "identity3", Labels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": "user3", }, }, 
@@ -88,7 +88,7 @@ func TestUserIdentityMapper(t *testing.T) { require.NoError(t, err) assert.NotContains(t, out.String(), "unable to list identities") uim := &userv1.UserIdentityMapping{} - // `user1` and `user2` are not managed by sandbox (ie, labelled with `provider: sandbox-sre`), hence the `UserIdentityMappings` exist + // `user1` and `user2` are not managed by ksctl (ie, labelled with `provider: ksctl`), hence the `UserIdentityMappings` exist require.NoError(t, cl.Get(context.TODO(), types.NamespacedName{Name: identity1.Name}, uim)) assert.Equal(t, identity1.Name, uim.Identity.Name) assert.Equal(t, user1.Name, uim.User.Name) @@ -111,7 +111,7 @@ func TestUserIdentityMapper(t *testing.T) { // then require.NoError(t, err) assert.NotContains(t, out.String(), "unable to list identities") - // `user3` is not managed by sandbox (ie, not labelled with `provider: sandbox-sre`), , hence the `UserIdentityMappings` does not exist + // `user3` is not managed by ksctl (ie, not labelled with `provider: ksctl`), , hence the `UserIdentityMappings` does not exist require.EqualError(t, cl.Get(context.TODO(), types.NamespacedName{Name: identity3.Name}, &userv1.UserIdentityMapping{}), `useridentitymappings.user.openshift.io "identity3" not found`) }) diff --git a/go.mod b/go.mod index 89cfa55..4e67d6e 100644 --- a/go.mod +++ b/go.mod @@ -3,8 +3,8 @@ module github.com/kubesaw/ksctl go 1.20 require ( - github.com/codeready-toolchain/api v0.0.0-20240815232340-d0c164a83d27 - github.com/codeready-toolchain/toolchain-common v0.0.0-20240816011540-2184e6268b4a + github.com/codeready-toolchain/api v0.0.0-20240909145803-3b27dcfb3ded + github.com/codeready-toolchain/toolchain-common v0.0.0-20240911094752-38ba816bff59 github.com/ghodss/yaml v1.0.0 github.com/mitchellh/go-homedir v1.1.0 // using latest commit from 'github.com/openshift/api branch release-4.12' diff --git a/go.sum b/go.sum index 0ace6cd..aefe228 100644 --- a/go.sum +++ b/go.sum 
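Review bot: The comment on the new side of the -88 hunk says user1 and user2 are "not managed by ksctl" and in the same breath that they are labelled with `provider: ksctl`, which contradicts the assertion right below it (their UserIdentityMappings exist); the "not" looks like a leftover from the earlier wording. Suggest `// user1 and user2 are managed by ksctl (ie, labelled with provider: ksctl), hence the UserIdentityMappings exist`. The matching comment for user3 in the -111 hunk is correct but keeps a doubled comma (`), , hence`).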
@@ -133,10 +133,10 @@ github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:z github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= -github.com/codeready-toolchain/api v0.0.0-20240815232340-d0c164a83d27 h1:uEH8HAM81QZBccuqQpGKJUoJQe28+DFSYi/mRKZDYrA= -github.com/codeready-toolchain/api v0.0.0-20240815232340-d0c164a83d27/go.mod h1:ie9p4LenCCS0LsnbWp6/xwpFDdCWYE0KWzUO6Sk1g0E= -github.com/codeready-toolchain/toolchain-common v0.0.0-20240816011540-2184e6268b4a h1:o18wLp3eT4HdH8TvDqtLWiC47WY/kaTp9p54exux/MU= -github.com/codeready-toolchain/toolchain-common v0.0.0-20240816011540-2184e6268b4a/go.mod h1:aIbki5CFsykeqZn2/ZwvUb3Krx2f2Tbq58R6MGnk6H8= +github.com/codeready-toolchain/api v0.0.0-20240909145803-3b27dcfb3ded h1:AZdMwBPoT96Sze2AMR7N10dXIAMVxuM8CMuCSZxjQOY= +github.com/codeready-toolchain/api v0.0.0-20240909145803-3b27dcfb3ded/go.mod h1:ie9p4LenCCS0LsnbWp6/xwpFDdCWYE0KWzUO6Sk1g0E= +github.com/codeready-toolchain/toolchain-common v0.0.0-20240911094752-38ba816bff59 h1:/Z5NNPZvHKg0Zzyj6fdQjQNtKrgXkY91tWiHr7XgAEQ= +github.com/codeready-toolchain/toolchain-common v0.0.0-20240911094752-38ba816bff59/go.mod h1:kENp9EMqJaoZNvM3BLTk/i+CEteHKrJRAAm0H7L8Z+A= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= diff --git a/pkg/assets/assets_test.go b/pkg/assets/assets_test.go index f9b4c90..601fe4b 100644 --- a/pkg/assets/assets_test.go +++ b/pkg/assets/assets_test.go 
@@ -28,7 +28,7 @@ objects: metadata: name: get-catalogsources labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - operators.coreos.com @@ -47,7 +47,7 @@ objects: metadata: name: get-deployments labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - apps @@ -110,6 +110,9 @@ func TestGetKubeSawAdmins(t *testing.T) { assert.NotEmpty(t, member.API) } + assert.Equal(t, "host-sre-namespace", kubeSawAdmins.DefaultServiceAccountsNamespace.Host) + assert.Equal(t, "member-sre-namespace", kubeSawAdmins.DefaultServiceAccountsNamespace.Member) + assert.NotEmpty(t, kubeSawAdmins.ServiceAccounts) for _, sa := range kubeSawAdmins.ServiceAccounts { assert.NotEmpty(t, sa.Name) diff --git a/pkg/assets/sandbox_config.go b/pkg/assets/kubesaw-admins.go similarity index 76% rename from pkg/assets/sandbox_config.go rename to pkg/assets/kubesaw-admins.go index 556acb2..734043d 100644 --- a/pkg/assets/sandbox_config.go +++ b/pkg/assets/kubesaw-admins.go @@ -1,9 +1,10 @@ package assets type KubeSawAdmins struct { - Clusters Clusters `yaml:"clusters"` - ServiceAccounts []ServiceAccount `yaml:"serviceAccounts"` - Users []User `yaml:"users"` + Clusters Clusters `yaml:"clusters"` + ServiceAccounts []ServiceAccount `yaml:"serviceAccounts"` + Users []User `yaml:"users"` + DefaultServiceAccountsNamespace DefaultServiceAccountsNamespace `yaml:"defaultServiceAccountsNamespace"` } type Clusters struct { @@ -24,6 +25,13 @@ type ClusterConfig struct { API string `yaml:"api"` } +// DefaultServiceAccountsNamespace defines the names of the default namespaces where the ksctl SAs should be created. +// If not specified, then the names kubesaw-admins-host and kubesaw-admins-member are used. +type DefaultServiceAccountsNamespace struct { + Host string `yaml:"host"` + Member string `yaml:"member"` +} + type ServiceAccount struct { Name string `yaml:"name"` Namespace string `yaml:"namespace,omitempty"` 
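Review bot: The doc comment on DefaultServiceAccountsNamespace (hunk -24,6 of pkg/assets/kubesaw-admins.go) states the fallback names but not the one constraint the rest of this commit enforces: adminManifests in pkg/cmd/generate/admin-manifests.go rejects a file where Host and Member are equal. Someone editing kubesaw-admins.yaml would want that on the type itself, e.g. `// Host and Member must differ; ksctl generate admin-manifests rejects a configuration where they are equal.` Whether the fallback names quoted in the comment match what the defaultSAsNamespace helper actually returns cannot be checked here, since that helper is not part of the diff.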
diff --git a/pkg/client/client_test.go b/pkg/client/client_test.go index d7c5ecc..7c2a2ea 100644 --- a/pkg/client/client_test.go +++ b/pkg/client/client_test.go @@ -350,14 +350,14 @@ func TestCreate(t *testing.T) { namespacedName := commontest.NamespacedName("openshift-customer-monitoring", "openshift-customer-monitoring") fakeClient := commontest.NewFakeClient(t) term := NewFakeTerminalWithResponse("Y") - operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "sandbox-sre"}) + operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "ksctl"}) // when err := client.Create(term, fakeClient, operatorGroup) // then require.NoError(t, err) - AssertOperatorGroupHasLabels(t, fakeClient, namespacedName, map[string]string{"provider": "sandbox-sre"}) + AssertOperatorGroupHasLabels(t, fakeClient, namespacedName, map[string]string{"provider": "ksctl"}) output := term.Output() assert.Contains(t, output, "The 'openshift-customer-monitoring/openshift-customer-monitoring' OperatorGroup has been created") }) @@ -370,7 +370,7 @@ func TestCreate(t *testing.T) { namespacedName := commontest.NamespacedName("openshift-customer-monitoring", "openshift-customer-monitoring") fakeClient := commontest.NewFakeClient(t, newOperatorGroup(namespacedName, map[string]string{"provider": "osd"})) term := NewFakeTerminalWithResponse("Y") - operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "sandbox-sre"}) + operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "ksctl"}) // when err := client.Create(term, fakeClient, operatorGroup) 
@@ -390,7 +390,7 @@ func TestCreate(t *testing.T) { } term := NewFakeTerminalWithResponse("Y") namespacedName := commontest.NamespacedName("openshift-customer-monitoring", "openshift-customer-monitoring") - operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "sandbox-sre"}) + operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "ksctl"}) // when err := client.Create(term, fakeClient, operatorGroup) @@ -408,7 +408,7 @@ func TestCreate(t *testing.T) { } term := NewFakeTerminalWithResponse("Y") namespacedName := commontest.NamespacedName("openshift-customer-monitoring", "openshift-customer-monitoring") - operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "sandbox-sre"}) + operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "ksctl"}) // when err := client.Create(term, fakeClient, operatorGroup) diff --git a/pkg/client/sandbox_config_file.go b/pkg/client/ksctl_config_file.go similarity index 100% rename from pkg/client/sandbox_config_file.go rename to pkg/client/ksctl_config_file.go diff --git a/pkg/cmd/adm/must_gather_namespace_test.go b/pkg/cmd/adm/must_gather_namespace_test.go index 9137be7..b2ecdc7 100644 --- a/pkg/cmd/adm/must_gather_namespace_test.go +++ b/pkg/cmd/adm/must_gather_namespace_test.go @@ -36,7 +36,7 @@ func TestMustGatherNamespaceCmd(t *testing.T) { t.Run("ok", func(t *testing.T) { t.Run("create the dest-dir on-the-fly", func(t *testing.T) { // given - baseDir, err := os.MkdirTemp("", "sandbox-sre-out-") + baseDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) destDir := filepath.Join(baseDir, "test-dev") 
@@ -51,7 +51,7 @@ func TestMustGatherNamespaceCmd(t *testing.T) { t.Run("dest-dir already exists and is empty", func(t *testing.T) { // given - baseDir, err := os.MkdirTemp("", "sandbox-sre-out-") + baseDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) destDir := filepath.Join(baseDir, "test-dev") err = os.Mkdir(destDir, 0755) @@ -71,7 +71,7 @@ func TestMustGatherNamespaceCmd(t *testing.T) { t.Run("dest-dir already exists but is not empty", func(t *testing.T) { // given - baseDir, err := os.MkdirTemp("", "sandbox-sre-out-") + baseDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) destDir := filepath.Join(baseDir, "test-dev") err = os.Mkdir(destDir, 0755) diff --git a/pkg/cmd/ban.go b/pkg/cmd/ban.go index 4e12f81..354bb8f 100644 --- a/pkg/cmd/ban.go +++ b/pkg/cmd/ban.go @@ -15,11 +15,12 @@ import ( func NewBanCmd() *cobra.Command { return &cobra.Command{ - Use: "ban ", - Short: "Ban a user for the given UserSignup resource", + Use: "ban ", + Short: "Ban a user for the given UserSignup resource and reason of the ban", Long: `Ban the given UserSignup resource. There is expected -only one parameter which is the name of the UserSignup to be used for banning`, - Args: cobra.ExactArgs(1), +only two parameters which the first one is the name of the UserSignup to be used for banning +and the second one the reason of the ban`, + Args: cobra.ExactArgs(2), RunE: func(cmd *cobra.Command, args []string) error { term := ioutils.NewTerminal(cmd.InOrStdin, cmd.OutOrStdout) ctx := clicontext.NewCommandContext(term, client.DefaultNewClient) 
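Review bot: The new Long text of NewBanCmd reads awkwardly ("There is expected only two parameters which the first one is ..."), and since cobra prints it verbatim in the command's help output it is worth tightening now that a second positional argument exists. Suggest `Long: `Ban the given UserSignup resource. Two positional arguments are expected: the name of the UserSignup to ban, and the reason for the ban.`,` split across lines the way the original is. The Use string shows as `"ban "` on both the old and the new side in this rendering, so its argument placeholders were presumably stripped by the page rather than by the commit; worth a glance at the real file.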
@@ -29,7 +30,7 @@ only one parameter which is the name of the UserSignup to be used for banning`, } func Ban(ctx *clicontext.CommandContext, args ...string) error { - return CreateBannedUser(ctx, args[0], func(userSignup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { + return CreateBannedUser(ctx, args[0], args[1], func(userSignup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { if _, exists := bannedUser.Labels[toolchainv1alpha1.BannedUserPhoneNumberHashLabelKey]; !exists { ctx.Printlnf("\nINFO: The UserSignup doesn't have the label '%s' set, so the resulting BannedUser resource won't have this label either.\n", toolchainv1alpha1.BannedUserPhoneNumberHashLabelKey) @@ -46,7 +47,7 @@ func Ban(ctx *clicontext.CommandContext, args ...string) error { }) } -func CreateBannedUser(ctx *clicontext.CommandContext, userSignupName string, confirm func(*toolchainv1alpha1.UserSignup, *toolchainv1alpha1.BannedUser) (bool, error)) error { +func CreateBannedUser(ctx *clicontext.CommandContext, userSignupName, banReason string, confirm func(*toolchainv1alpha1.UserSignup, *toolchainv1alpha1.BannedUser) (bool, error)) error { cfg, err := configuration.LoadClusterConfig(ctx, configuration.HostName) if err != nil { return err @@ -66,7 +67,7 @@ func CreateBannedUser(ctx *clicontext.CommandContext, userSignupName string, con return err } - bannedUser, err := banneduser.NewBannedUser(userSignup, ksctlConfig.Name) + bannedUser, err := banneduser.NewBannedUser(userSignup, ksctlConfig.Name, banReason) if err != nil { return err } diff --git a/pkg/cmd/ban_test.go b/pkg/cmd/ban_test.go index d3b59a5..fd86194 100644 --- a/pkg/cmd/ban_test.go +++ b/pkg/cmd/ban_test.go 
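Review bot: Ban now indexes `args[1]` unconditionally, so any caller that passes a single argument panics with an index-out-of-range instead of receiving an error; cobra's `ExactArgs(2)` protects the CLI path, but Ban is exported and is called directly elsewhere (ban_test.go in this same commit). A guard at the top keeps the failure an ordinary error: `if len(args) != 2 { return fmt.Errorf("expected the UserSignup name and the ban reason, got %d argument(s)", len(args)) }`, using whichever error constructor ban.go already imports. The body of Ban continues past the end of the hunk.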
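Review bot: CreateBannedUser (hunk -46,7) accepts `banReason` and, in the -66 hunk, forwards it straight to `banneduser.NewBannedUser` without checking that it is non-blank, so a constructed call such as `ksctl ban some-user ""` would record a BannedUser with an empty reason — the one field an operator later needs to understand why the account was blocked. Unless NewBannedUser (in toolchain-common, outside this diff) rejects an empty string, a check near the top of CreateBannedUser would close that: `if strings.TrimSpace(banReason) == "" { return errors.New("the ban reason must not be empty") }`, with the imports adjusted to what the file already has, since they are not visible here. CreateBannedUser's body continues beyond the hunk.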
@@ -14,10 +14,11 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "sigs.k8s.io/controller-runtime/pkg/client" runtimeclient "sigs.k8s.io/controller-runtime/pkg/client" ) +const banReason = "ban reason" + func TestBanCmdWhenAnswerIsY(t *testing.T) { // given userSignup := NewUserSignup() @@ -27,11 +28,11 @@ func TestBanCmdWhenAnswerIsY(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.Ban(ctx, userSignup.Name) + err := cmd.Ban(ctx, userSignup.Name, banReason) // then require.NoError(t, err) - AssertBannedUser(t, fakeClient, userSignup) + AssertBannedUser(t, fakeClient, userSignup, banReason) assert.Contains(t, term.Output(), "!!! DANGER ZONE !!!") assert.Contains(t, term.Output(), "Are you sure that you want to ban the user with the UserSignup by creating BannedUser resource that are both above?") assert.Contains(t, term.Output(), "UserSignup has been banned") @@ -43,11 +44,11 @@ func TestBanCmdWhenAnswerIsY(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.Ban(ctx, userSignup.Name) + err := cmd.Ban(ctx, userSignup.Name, banReason) // then require.NoError(t, err) - AssertBannedUser(t, fakeClient, userSignup) + AssertBannedUser(t, fakeClient, userSignup, banReason) assert.NotContains(t, term.Output(), "!!! DANGER ZONE !!!") assert.Contains(t, term.Output(), "The user was already banned - there is a BannedUser resource with the same labels already present") }) @@ -62,7 +63,7 @@ func TestBanCmdWhenAnswerIsN(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.Ban(ctx, userSignup.Name) + err := cmd.Ban(ctx, userSignup.Name, banReason) // then require.NoError(t, err) 
@@ -82,7 +83,7 @@ func TestBanCmdWhenNotFound(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.Ban(ctx, "some") + err := cmd.Ban(ctx, "some", banReason) // then require.EqualError(t, err, "usersignups.toolchain.dev.openshift.com \"some\" not found") @@ -105,13 +106,13 @@ func TestCreateBannedUser(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.CreateBannedUser(ctx, userSignup.Name, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { + err := cmd.CreateBannedUser(ctx, userSignup.Name, banReason, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { return true, nil }) // then require.NoError(t, err) - AssertBannedUser(t, fakeClient, userSignup) + AssertBannedUser(t, fakeClient, userSignup, banReason) }) t.Run("BannedUser should not be created", func(t *testing.T) { @@ -122,7 +123,7 @@ func TestCreateBannedUser(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.CreateBannedUser(ctx, userSignup.Name, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { + err := cmd.CreateBannedUser(ctx, userSignup.Name, banReason, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { return false, nil }) @@ -139,7 +140,7 @@ func TestCreateBannedUser(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.CreateBannedUser(ctx, userSignup.Name, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { + err := cmd.CreateBannedUser(ctx, userSignup.Name, banReason, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { return false, fmt.Errorf("some error") }) 
@@ -159,7 +160,7 @@ func TestCreateBannedUser(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.CreateBannedUser(ctx, userSignup.Name, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { + err := cmd.CreateBannedUser(ctx, userSignup.Name, banReason, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { return true, nil }) @@ -179,7 +180,7 @@ func TestCreateBannedUser(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.CreateBannedUser(ctx, userSignup.Name, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { + err := cmd.CreateBannedUser(ctx, userSignup.Name, banReason, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { return true, nil }) @@ -199,7 +200,7 @@ func TestCreateBannedUser(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.CreateBannedUser(ctx, userSignup.Name, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { + err := cmd.CreateBannedUser(ctx, userSignup.Name, banReason, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { return true, nil }) 
@@ -215,12 +216,12 @@ func TestCreateBannedUser(t *testing.T) { term := NewFakeTerminal() ctx := clicontext.NewCommandContext(term, newClient) - fakeClient.MockList = func(ctx context.Context, list runtimeclient.ObjectList, opts ...client.ListOption) error { + fakeClient.MockList = func(ctx context.Context, list runtimeclient.ObjectList, opts ...runtimeclient.ListOption) error { return errors.New("something went wrong listing the banned users") } // when - err := cmd.CreateBannedUser(ctx, userSignup.Name, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { + err := cmd.CreateBannedUser(ctx, userSignup.Name, banReason, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { return true, nil }) @@ -236,7 +237,7 @@ func TestCreateBannedUser(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.CreateBannedUser(ctx, userSignup.Name, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { + err := cmd.CreateBannedUser(ctx, userSignup.Name, banReason, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { return true, nil }) @@ -256,7 +257,7 @@ func TestCreateBannedUserLacksPermissions(t *testing.T) { ctx := clicontext.NewCommandContext(term, newClient) // when - err := cmd.CreateBannedUser(ctx, userSignup.Name, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { + err := cmd.CreateBannedUser(ctx, userSignup.Name, banReason, func(signup *toolchainv1alpha1.UserSignup, bannedUser *toolchainv1alpha1.BannedUser) (bool, error) { return true, nil }) diff --git a/pkg/cmd/generate/admin-manifests.go b/pkg/cmd/generate/admin-manifests.go index aee7893..1ac5c41 100644 --- a/pkg/cmd/generate/admin-manifests.go +++ b/pkg/cmd/generate/admin-manifests.go 
@@ -68,6 +68,10 @@ func adminManifests(term ioutils.Terminal, files assets.FS, flags adminManifests } } } + + if defaultSAsNamespace(kubeSawAdmins, configuration.Host) == defaultSAsNamespace(kubeSawAdmins, configuration.Member) { + return fmt.Errorf("the default ServiceAccounts namespace has the same name for host cluster as for the member clusters (%s), they have to be different", defaultSAsNamespace(kubeSawAdmins, configuration.Host)) + } err = os.RemoveAll(flags.outDir) if err != nil { return err diff --git a/pkg/cmd/generate/admin-manifests_test.go b/pkg/cmd/generate/admin-manifests_test.go index 744d1a6..e6bfc84 100644 --- a/pkg/cmd/generate/admin-manifests_test.go +++ b/pkg/cmd/generate/admin-manifests_test.go @@ -43,7 +43,7 @@ func TestAdminManifests(t *testing.T) { User("bob-crtadmin", []string{"67890"}, false, "crtadmins-exec", HostRoleBindings("toolchain-host-operator", Role("restart-deployment"), ClusterRole("admin")), MemberRoleBindings("toolchain-member-operator", Role("restart-deployment"), ClusterRole("admin"))))) - + kubeSawAdmins.DefaultServiceAccountsNamespace.Host = "kubesaw-sre-host" kubeSawAdminsContent, err := yaml.Marshal(kubeSawAdmins) require.NoError(t, err) @@ -85,6 +85,9 @@ func TestAdminManifests(t *testing.T) { t.Run("without separateKustomizeComponent set for member2", func(t *testing.T) { // given kubeSawAdmins.Clusters.Members[1].SeparateKustomizeComponent = false + t.Cleanup(func() { + kubeSawAdmins.Clusters.Members[1].SeparateKustomizeComponent = true + }) kubeSawAdminsContent, err := yaml.Marshal(kubeSawAdmins) require.NoError(t, err) 
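Review bot: The new equality check in adminManifests calls `defaultSAsNamespace(kubeSawAdmins, ...)` three times for two values, the third time inside the error message; hoisting them reads better and guarantees the message reports exactly what was compared: `hostNs := defaultSAsNamespace(kubeSawAdmins, configuration.Host)` and `memberNs := defaultSAsNamespace(kubeSawAdmins, configuration.Member)`, then `if hostNs == memberNs { return fmt.Errorf(..., hostNs) }`. Placing the check before `os.RemoveAll(flags.outDir)` is the right call: a rejected configuration must not wipe an existing output directory first. generateForCluster in cli_configs.go, later in this diff, reads the same field without this validation; whether equal names are harmful on that path I cannot tell from the hunk.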
@@ -184,6 +187,34 @@ func TestAdminManifests(t *testing.T) { // then require.Error(t, err) }) + + t.Run("when default SAs namespace names are the same, then fail", func(t *testing.T) { + // given + kubeSawAdmins.DefaultServiceAccountsNamespace.Host = "kubesaw-sre" + kubeSawAdmins.DefaultServiceAccountsNamespace.Member = "kubesaw-sre" + t.Cleanup(func() { + kubeSawAdmins.DefaultServiceAccountsNamespace.Host = "kubesaw-sre-host" + kubeSawAdmins.DefaultServiceAccountsNamespace.Member = "" + }) + kubeSawAdminsContent, err := yaml.Marshal(kubeSawAdmins) + require.NoError(t, err) + + configFile := createKubeSawAdminsFile(t, "kubesaw.host.openshiftapps.com", kubeSawAdminsContent) + files := newDefaultFiles(t) + + outTempDir, err := os.MkdirTemp("", "admin-manifests-cli-test-") + require.NoError(t, err) + term := NewFakeTerminalWithResponse("Y") + term.Tee(os.Stdout) + flags := newAdminManifestsFlags(outDir(outTempDir), kubeSawAdminsFile(configFile)) + + // when + err = adminManifests(term, files, flags) + + // then + require.EqualError(t, err, "the default ServiceAccounts namespace has the same name for host cluster as for the member clusters (kubesaw-sre), they have to be different") + }) + } func storeDummySA(t *testing.T, outDir string) { @@ -232,7 +263,10 @@ func verifyFiles(t *testing.T, flags adminManifestsFlags) { } func verifyServiceAccounts(t *testing.T, outDir, expectedRootDir string, clusterType configuration.ClusterType, roleNs string) { - saNs := fmt.Sprintf("sandbox-sre-%s", clusterType) + saNs := "kubesaw-sre-host" + if clusterType == configuration.Member { + saNs = "kubesaw-admins-member" + } if expectedRootDir != "member2" { // john is skipped for member2 (when generated as a separate kustomize component) 
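Review bot: The new subtest creates its output directory with `os.MkdirTemp("", "admin-manifests-cli-test-")` and never removes it, so every run leaves a directory behind; `outTempDir := t.TempDir()` gives one that the testing package removes when the subtest ends and also drops the following `require.NoError` line. `term.Tee(os.Stdout)` echoes the whole generator output into the test log on each run, which is noise once the assertion is stable. The cleanup that restores `DefaultServiceAccountsNamespace.Host = "kubesaw-sre-host"` hard-codes the value set at the top of TestAdminManifests (hunk -43,7); if that setup changes, this subtest would silently alter the state seen by later subtests.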
@@ -283,7 +317,7 @@ func verifyUsers(t *testing.T, outDir, expectedRootDir string, clusterType confi func createKubeconfigFiles(t *testing.T, contents ...string) []string { var fileNames []string for _, content := range contents { - tempFile, err := os.CreateTemp("", "sandbox-sre-kubeconfig-") + tempFile, err := os.CreateTemp("", "ksctl-kubeconfig-") require.NoError(t, err) err = os.WriteFile(tempFile.Name(), []byte(content), os.FileMode(0755)) @@ -299,19 +333,19 @@ const ksctlKubeconfigContent = ` apiVersion: v1 clusters: - cluster: - server: https://api.sandbox.host.openshiftapps.com:6443 - name: api-sandbox-host-openshiftapps-com:6443 + server: https://api.kubesaw.host.openshiftapps.com:6443 + name: api-kubesaw-host-openshiftapps-com:6443 - cluster: - server: https://api.sandbox.member1.openshiftapps.com:6443 - name: api-sandbox-member1-openshiftapps-com:6443 + server: https://api.kubesaw.member1.openshiftapps.com:6443 + name: api-kubesaw-member1-openshiftapps-com:6443 contexts: - context: - cluster: api-sandbox-host-openshiftapps-com:6443 + cluster: api-kubesaw-host-openshiftapps-com:6443 namespace: toolchain-host-operator user: dedicatedadmin name: host - context: - cluster: api-sandbox-member1-openshiftapps-com:6443 + cluster: api-kubesaw-member1-openshiftapps-com:6443 namespace: toolchain-member-operator user: dedicatedadmin name: member1 @@ -328,11 +362,11 @@ const ksctlKubeconfigContentMember2 = ` apiVersion: v1 clusters: - cluster: - server: https://api.sandbox.member2.openshiftapps.com:6443 - name: api-sandbox-member2-openshiftapps-com:6443 + server: https://api.kubesaw.member2.openshiftapps.com:6443 + name: api-kubesaw-member2-openshiftapps-com:6443 contexts: - context: - cluster: api-sandbox-member2-openshiftapps-com:6443 + cluster: api-kubesaw-member2-openshiftapps-com:6443 namespace: toolchain-member-operator user: dedicatedadmin name: member2 
diff --git a/pkg/cmd/generate/assertion_test.go b/pkg/cmd/generate/assertion_test.go index ac4bfa6..fd27446 100644 --- a/pkg/cmd/generate/assertion_test.go +++ b/pkg/cmd/generate/assertion_test.go @@ -258,7 +258,7 @@ func newPermissionAssertion(storageAssertion *storageAssertionImpl, subjNamespac Namespace: subjNamespace, }, expLabels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", }, } } @@ -269,7 +269,7 @@ func (a *storageAssertionImpl) assertSa(namespace, name string) permissionAssert sa := &corev1.ServiceAccount{} a.assertObject(namespace, name, sa, func() { expLabels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": splitName[len(splitName)-1], } assert.Equal(a.t, expLabels, sa.Labels) @@ -287,7 +287,7 @@ type userAssertion struct { func (a *storageAssertionImpl) assertUser(name string) userAssertion { expLabels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": name, } @@ -343,7 +343,7 @@ func (a userAssertion) belongsToGroups(groups groupsUserBelongsTo, extraGroups e for _, groupObj := range presentGroups { expLabels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", } assert.Equal(a.t, expLabels, groupObj.GetLabels()) group := groupObj.(*userv1.Group) @@ -360,7 +360,7 @@ func (a *storageAssertionImpl) assertThatGroupHasUsers(name string, usernames .. group := &userv1.Group{} a.assertObject("", name, group, func() { expLabels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", } assert.Equal(a.t, expLabels, group.Labels) sort.Strings(group.Users) @@ -427,7 +427,7 @@ func (a *storageAssertionImpl) assertRole(namespace, roleName string, contentAss role := &rbacv1.Role{} a.assertObject(namespace, roleName, role, func() { expLabels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", } assert.Equal(a.t, expLabels, role.Labels) for _, assertContent := range contentAssertion { 
diff --git a/pkg/cmd/generate/cli_configs.go b/pkg/cmd/generate/cli_configs.go index 607f6a2..4e39fb0 100644 --- a/pkg/cmd/generate/cli_configs.go +++ b/pkg/cmd/generate/cli_configs.go @@ -133,7 +133,7 @@ func serverName(API string) string { return strings.Split(strings.Split(API, "api.")[1], ":")[0] } -// writeKsctlConfigs marshals the given KsctlConfig objects and stored them in sandbox-sre/out/config// directories +// writeKsctlConfigs marshals the given KsctlConfig objects and stored them in ksctl/out/config// directories func writeKsctlConfigs(term ioutils.Terminal, configDirPath string, ksctlConfigsPerName map[string]configuration.KsctlConfig) error { if err := os.RemoveAll(configDirPath); err != nil { return err @@ -171,7 +171,7 @@ func generateForCluster(ctx *generateContext, clusterType configuration.ClusterT ctx.PrintContextSeparatorf("Generating the content of the ksctl.yaml files for %s cluster running at %s", clusterName, clusterSpec.API) // find config we can build client for the cluster from - externalClient, err := buildClientFromKubeconfigFiles(ctx, clusterSpec.API, ctx.kubeconfigPaths, sandboxSRENamespace(clusterType)) + externalClient, err := buildClientFromKubeconfigFiles(ctx, clusterSpec.API, ctx.kubeconfigPaths, defaultSAsNamespace(ctx.kubeSawAdmins, clusterType)) if err != nil { return err } @@ -192,7 +192,7 @@ func generateForCluster(ctx *generateContext, clusterType configuration.ClusterT if saClusterType != clusterType.String() { continue } - saNamespace := sandboxSRENamespace(clusterType) + saNamespace := defaultSAsNamespace(ctx.kubeSawAdmins, clusterType) if sa.Namespace != "" { saNamespace = sa.Namespace } diff --git a/pkg/cmd/generate/cli_configs_test.go b/pkg/cmd/generate/cli_configs_test.go index 1c27eb0..a42727e 100644 --- a/pkg/cmd/generate/cli_configs_test.go +++ b/pkg/cmd/generate/cli_configs_test.go 
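Review bot: The updated comment on writeKsctlConfigs (hunk -133,7) still reads "marshals the given KsctlConfig objects and stored them", and its directory path has lost its placeholders in this rendering. Suggest `// writeKsctlConfigs marshals the given KsctlConfig objects and stores them under configDirPath`, naming the actual layout the body writes if it is more specific; the body lies outside the hunk.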
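Review bot: generateForCluster (hunks -171 and -192) now takes the namespace in which the ServiceAccounts are looked up from the kubesaw-admins file via `defaultSAsNamespace(ctx.kubeSawAdmins, clusterType)` rather than a fixed name, so a typo in `defaultServiceAccountsNamespace` points the token request at a namespace where no ksctl ServiceAccount exists; whether that fails loudly or quietly yields an incomplete config depends on code outside the hunk. The host-versus-member equality check that admin-manifests.go gains in this commit does not run on this path, and neither command validates the configured name at all (non-empty, a valid namespace name). A small validation applied right after kubeSawAdmins is loaded, shared by both generators, would keep them consistent. The function body continues outside the hunk.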
@@ -10,6 +10,7 @@ import ( "testing" "github.com/h2non/gock" + "github.com/kubesaw/ksctl/pkg/assets" "github.com/kubesaw/ksctl/pkg/client" "github.com/kubesaw/ksctl/pkg/configuration" . "github.com/kubesaw/ksctl/pkg/test" @@ -40,25 +41,26 @@ func TestGenerateCliConfigs(t *testing.T) { HostRoleBindings("toolchain-host-operator", Role("restart=restart-deployment"), ClusterRole("restart=edit")), MemberRoleBindings("toolchain-member-operator", Role("restart=restart-deployment"), ClusterRole("restart=edit")))), Users()) + kubeSawAdmins.DefaultServiceAccountsNamespace.Host = "kubesaw-sre-host" kubeSawAdminsContent, err := yaml.Marshal(kubeSawAdmins) require.NoError(t, err) kubeconfigFiles := createKubeconfigFiles(t, ksctlKubeconfigContent, ksctlKubeconfigContentMember2) - setupGockForListServiceAccounts(t, HostServerAPI, configuration.Host) - setupGockForListServiceAccounts(t, Member1ServerAPI, configuration.Member) - setupGockForListServiceAccounts(t, Member2ServerAPI, configuration.Member) + setupGockForListServiceAccounts(t, kubeSawAdmins, HostServerAPI, configuration.Host) + setupGockForListServiceAccounts(t, kubeSawAdmins, Member1ServerAPI, configuration.Member) + setupGockForListServiceAccounts(t, kubeSawAdmins, Member2ServerAPI, configuration.Member) setupGockForServiceAccounts(t, HostServerAPI, 50, - newServiceAccount("sandbox-sre-host", "john"), - newServiceAccount("sandbox-sre-host", "bob"), + newServiceAccount("kubesaw-sre-host", "john"), + newServiceAccount("kubesaw-sre-host", "bob"), ) setupGockForServiceAccounts(t, Member1ServerAPI, 50, - newServiceAccount("sandbox-sre-member", "john"), - newServiceAccount("sandbox-sre-member", "bob"), + newServiceAccount("kubesaw-admins-member", "john"), + newServiceAccount("kubesaw-admins-member", "bob"), ) setupGockForServiceAccounts(t, Member2ServerAPI, 50, - newServiceAccount("sandbox-sre-member", "bob"), + newServiceAccount("kubesaw-admins-member", "bob"), ) t.Cleanup(gock.OffAll) 
@@ -73,7 +75,7 @@ func TestGenerateCliConfigs(t *testing.T) { t.Run("successful", func(t *testing.T) { t.Run("when there is host and two members", func(t *testing.T) { // given - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) flags := generateFlags{kubeconfigs: kubeconfigFiles, kubeSawAdminsFile: configFile, outDir: tempDir, tokenExpirationDays: 50} @@ -100,10 +102,11 @@ func TestGenerateCliConfigs(t *testing.T) { Sa("bob", "", HostRoleBindings("toolchain-host-operator", Role("restart=restart-deployment"), ClusterRole("restart=edit")))), Users()) + saInHostOnly.DefaultServiceAccountsNamespace.Host = "kubesaw-sre-host" kubeSawAdminsContent, err := yaml.Marshal(saInHostOnly) require.NoError(t, err) configFile := createKubeSawAdminsFile(t, "kubesaw.host.openshiftapps.com", kubeSawAdminsContent) - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) flags := generateFlags{kubeconfigs: kubeconfigFiles, kubeSawAdminsFile: configFile, outDir: tempDir, tokenExpirationDays: 50} 
@@ -120,12 +123,12 @@ func TestGenerateCliConfigs(t *testing.T) { t.Run("in dev mode", func(t *testing.T) { // given - setupGockForListServiceAccounts(t, HostServerAPI, configuration.Member) + setupGockForListServiceAccounts(t, kubeSawAdmins, HostServerAPI, configuration.Member) setupGockForServiceAccounts(t, HostServerAPI, 50, - newServiceAccount("sandbox-sre-member", "john"), - newServiceAccount("sandbox-sre-member", "bob"), + newServiceAccount("kubesaw-admins-member", "john"), + newServiceAccount("kubesaw-admins-member", "bob"), ) - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) kubeconfigFiles := createKubeconfigFiles(t, ksctlKubeconfigContent) flags := generateFlags{kubeconfigs: kubeconfigFiles, kubeSawAdminsFile: configFile, outDir: tempDir, dev: true, tokenExpirationDays: 50} @@ -153,7 +156,7 @@ func TestGenerateCliConfigs(t *testing.T) { } // when - _, err := buildClientFromKubeconfigFiles(ctx, "https://dummy.openshift.com", kubeconfigFiles, sandboxSRENamespace(configuration.Host)) + _, err := buildClientFromKubeconfigFiles(ctx, "https://dummy.openshift.com", kubeconfigFiles, defaultSAsNamespace(kubeSawAdmins, configuration.Host)) // then require.Error(t, err) @@ -162,7 +165,7 @@ func TestGenerateCliConfigs(t *testing.T) { t.Run("test buildClientFromKubeconfigFiles cannot list service accounts", func(t *testing.T) { // given - path := fmt.Sprintf("api/v1/namespaces/%s/serviceaccounts/", sandboxSRENamespace(configuration.Host)) + path := fmt.Sprintf("api/v1/namespaces/%s/serviceaccounts/", defaultSAsNamespace(kubeSawAdmins, configuration.Host)) gock.New("https://dummy.openshift.com").Get(path).Persist().Reply(403) ctx := &generateContext{ Terminal: term, 
@@ -173,7 +176,7 @@ func TestGenerateCliConfigs(t *testing.T) { } // when - _, err := buildClientFromKubeconfigFiles(ctx, "https://dummy.openshift.com", kubeconfigFiles, sandboxSRENamespace(configuration.Host)) + _, err := buildClientFromKubeconfigFiles(ctx, "https://dummy.openshift.com", kubeconfigFiles, defaultSAsNamespace(kubeSawAdmins, configuration.Host)) // then require.Error(t, err) @@ -182,7 +185,7 @@ func TestGenerateCliConfigs(t *testing.T) { t.Run("wrong kubesaw-admins.yaml file path", func(t *testing.T) { // given - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) flags := generateFlags{kubeconfigs: kubeconfigFiles, kubeSawAdminsFile: "does/not/exist", outDir: tempDir} @@ -196,7 +199,7 @@ func TestGenerateCliConfigs(t *testing.T) { t.Run("wrong kubeconfig file path", func(t *testing.T) { // given - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) flags := generateFlags{kubeconfigs: []string{"does/not/exist"}, kubeSawAdminsFile: configFile, outDir: tempDir} @@ -216,10 +219,11 @@ func TestGenerateCliConfigs(t *testing.T) { Sa("notmocked", "", HostRoleBindings("toolchain-host-operator", Role("install-operator"), ClusterRole("admin")))), Users()) + saInHostOnly.DefaultServiceAccountsNamespace.Host = "kubesaw-sre-host" kubeSawAdminsContent, err := yaml.Marshal(saInHostOnly) require.NoError(t, err) - configFile := createKubeSawAdminsFile(t, "sandbox.host.openshiftapps.com", kubeSawAdminsContent) - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + configFile := createKubeSawAdminsFile(t, "kubesaw.host.openshiftapps.com", kubeSawAdminsContent) + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) flags := generateFlags{kubeconfigs: kubeconfigFiles, kubeSawAdminsFile: configFile, outDir: tempDir} 
@@ -341,20 +345,20 @@ func (a *ksctlConfigAssertion) hasCluster(clusterName, subDomain string, cluster assert.NotNil(a.t, a.ksctlConfig.ClusterAccessDefinitions[clusterName]) assert.Equal(a.t, clusterType, a.ksctlConfig.ClusterAccessDefinitions[clusterName].ClusterType) - assert.Equal(a.t, fmt.Sprintf("sandbox.%s.openshiftapps.com", subDomain), a.ksctlConfig.ClusterAccessDefinitions[clusterName].ServerName) - assert.Equal(a.t, fmt.Sprintf("https://api.sandbox.%s.openshiftapps.com:6443", subDomain), a.ksctlConfig.ClusterAccessDefinitions[clusterName].ServerAPI) + assert.Equal(a.t, fmt.Sprintf("kubesaw.%s.openshiftapps.com", subDomain), a.ksctlConfig.ClusterAccessDefinitions[clusterName].ServerName) + assert.Equal(a.t, fmt.Sprintf("https://api.kubesaw.%s.openshiftapps.com:6443", subDomain), a.ksctlConfig.ClusterAccessDefinitions[clusterName].ServerAPI) assert.Equal(a.t, fmt.Sprintf("token-secret-for-%s", a.saBaseName), a.ksctlConfig.ClusterAccessDefinitions[clusterName].Token) } -func setupGockForListServiceAccounts(t *testing.T, apiEndpoint string, clusterType configuration.ClusterType) { +func setupGockForListServiceAccounts(t *testing.T, kubeSawAdmins *assets.KubeSawAdmins, apiEndpoint string, clusterType configuration.ClusterType) { resultServiceAccounts := &corev1.ServiceAccountList{ TypeMeta: metav1.TypeMeta{}, ListMeta: metav1.ListMeta{}, Items: []corev1.ServiceAccount{ { ObjectMeta: metav1.ObjectMeta{ - Namespace: sandboxSRENamespace(clusterType), + Namespace: defaultSAsNamespace(kubeSawAdmins, clusterType), Name: clusterType.String(), }, }, 
@@ -362,7 +366,7 @@ func setupGockForListServiceAccounts(t *testing.T, apiEndpoint string, clusterTy } resultServiceAccountsStr, err := json.Marshal(resultServiceAccounts) require.NoError(t, err) - path := fmt.Sprintf("api/v1/namespaces/%s/serviceaccounts/", sandboxSRENamespace(clusterType)) + path := fmt.Sprintf("api/v1/namespaces/%s/serviceaccounts/", defaultSAsNamespace(kubeSawAdmins, clusterType)) t.Logf("mocking access to List %s/%s", apiEndpoint, path) gock.New(apiEndpoint). Get(path). diff --git a/pkg/cmd/generate/cluster.go b/pkg/cmd/generate/cluster.go index 96fbced..e32d836 100644 --- a/pkg/cmd/generate/cluster.go +++ b/pkg/cmd/generate/cluster.go @@ -57,7 +57,7 @@ func ensureUsers(ctx *clusterContext, objsCache objectsCache) error { } // create the subject if explicitly requested (even if there is no specific permissions) if user.AllClusters { - if _, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, sandboxSRENamespace(ctx.clusterType), sreLabelsWithUsername(m.subjectBaseName)); err != nil { + if _, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, defaultSAsNamespace(ctx.kubeSawAdmins, ctx.clusterType), ksctlLabelsWithUsername(m.subjectBaseName)); err != nil { return err } } diff --git a/pkg/cmd/generate/cluster_test.go b/pkg/cmd/generate/cluster_test.go index 336808e..43afe19 100644 --- a/pkg/cmd/generate/cluster_test.go +++ b/pkg/cmd/generate/cluster_test.go @@ -39,7 +39,7 @@ func TestEnsureServiceAccounts(t *testing.T) { require.NoError(t, err) roleNs := fmt.Sprintf("toolchain-%s-operator", clusterType) - saNs := fmt.Sprintf("sandbox-sre-%s", clusterType) + saNs := fmt.Sprintf("kubesaw-admins-%s", clusterType) inObjectCache(t, ctx.outDir, clusterType.String(), cache). assertSa(saNs, "john"). 
@@ -119,7 +119,7 @@ func TestEnsureServiceAccounts(t *testing.T) { assertNumberOfRoles(1) inObjectCache(t, ctx.outDir, "member-1", cache). - assertSa("sandbox-sre-member", "bob"). + assertSa("kubesaw-admins-member", "bob"). hasRole("toolchain-member-operator", configuration.Member.AsSuffix("restart-deployment"), configuration.Member.AsSuffix("restart-deployment-bob")). hasNsClusterRole("toolchain-member-operator", "view", configuration.Member.AsSuffix("clusterrole-view-bob")) }) diff --git a/pkg/cmd/generate/mock_test.go b/pkg/cmd/generate/mock_test.go index 33e67fc..9eb01d6 100644 --- a/pkg/cmd/generate/mock_test.go +++ b/pkg/cmd/generate/mock_test.go @@ -14,21 +14,19 @@ import ( ) const ( - HostServerAPI = "https://api.sandbox.host.openshiftapps.com:6443" - Member1ServerAPI = "https://api.sandbox.member1.openshiftapps.com:6443" - Member2ServerAPI = "https://api.sandbox.member2.openshiftapps.com:6443" + HostServerAPI = "https://api.kubesaw.host.openshiftapps.com:6443" + Member1ServerAPI = "https://api.kubesaw.member1.openshiftapps.com:6443" + Member2ServerAPI = "https://api.kubesaw.member2.openshiftapps.com:6443" ) // files part -func newDefaultFiles(t *testing.T, fakeFiles ...test.FakeFileCreator) assets.FS { +func newDefaultFiles(t *testing.T) assets.FS { roles := []runtime.Object{installOperatorRole, restartDeploymentRole, editDeploymentRole, registerClusterRole} files := test.NewFakeFiles(t, - append(fakeFiles, - test.FakeTemplate("roles/host.yaml", roles...), - test.FakeTemplate("roles/member.yaml", roles...))..., - ) + test.FakeTemplate("roles/host.yaml", roles...), + test.FakeTemplate("roles/member.yaml", roles...)) return files } diff --git a/pkg/cmd/generate/permissions.go b/pkg/cmd/generate/permissions.go index 5d7cbf2..43dce40 100644 --- a/pkg/cmd/generate/permissions.go +++ b/pkg/cmd/generate/permissions.go 
@@ -74,20 +74,20 @@ func (m *permissionsManager) ensurePermission(ctx *clusterContext, roleName, tar roleBindingName = fmt.Sprintf("%s-%s-%s", roleName, m.subjectBaseName, ctx.clusterType) } else { - // ClusterRole is not managed by sandbox-sre and should already exist in the cluster + // ClusterRole is not managed by ksctl and should already exist in the cluster // create RoleBinding name with the prefix clusterrole- so we can avoid conflicts with RoleBindings created for Roles roleBindingName = fmt.Sprintf("clusterrole-%s-%s-%s", roleName, m.subjectBaseName, ctx.clusterType) } // ensure that the subject exists - subject, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, sandboxSRENamespace(ctx.clusterType), sreLabelsWithUsername(m.subjectBaseName)) + subject, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, defaultSAsNamespace(ctx.kubeSawAdmins, ctx.clusterType), ksctlLabelsWithUsername(m.subjectBaseName)) if err != nil { return err } // ensure the (Cluster)RoleBinding - binding := newBinding(targetNamespace, roleBindingName, subject, grantedRoleName, roleKind, sreLabels()) + binding := newBinding(targetNamespace, roleBindingName, subject, grantedRoleName, roleKind, ksctlLabels()) return m.storeObject(ctx, binding) } @@ -219,7 +219,7 @@ func ensureGroupsForUser(ctx *clusterContext, cache objectsCache, user string, g group := &userv1.Group{ ObjectMeta: metav1.ObjectMeta{ Name: groupName, - Labels: sreLabels(), + Labels: ksctlLabels(), }, Users: []string{user}, } diff --git a/pkg/cmd/generate/permissions_test.go b/pkg/cmd/generate/permissions_test.go index 8f1da36..9e0c136 100644 --- a/pkg/cmd/generate/permissions_test.go +++ b/pkg/cmd/generate/permissions_test.go 
@@ -39,7 +39,7 @@ func TestEnsurePermissionsInNamespaces(t *testing.T) { // then require.NoError(t, err) roleNs := fmt.Sprintf("toolchain-%s-operator", clusterType) - saNs := fmt.Sprintf("sandbox-sre-%s", clusterType) + saNs := fmt.Sprintf("kubesaw-admins-%s", clusterType) inObjectCache(t, ctx.outDir, clusterType.String(), permManager.objectsCache). assertSa(saNs, "john"). @@ -80,7 +80,7 @@ func TestEnsurePermissionsInNamespaces(t *testing.T) { func TestEnsureServiceAccount(t *testing.T) { labels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": "john", } @@ -91,15 +91,15 @@ func TestEnsureServiceAccount(t *testing.T) { // when subject, err := ensureServiceAccount("")( - ctx, cache, "john", "sandbox-sre-host", labels) + ctx, cache, "john", "kubesaw-admins-host", labels) // then require.NoError(t, err) inObjectCache(t, ctx.outDir, "host", cache). - assertSa("sandbox-sre-host", "john") + assertSa("kubesaw-admins-host", "john") assert.Equal(t, "ServiceAccount", subject.Kind) assert.Equal(t, "john", subject.Name) - assert.Equal(t, "sandbox-sre-host", subject.Namespace) + assert.Equal(t, "kubesaw-admins-host", subject.Namespace) }) t.Run("create SA in the given namespace", func(t *testing.T) { @@ -123,7 +123,7 @@ func TestEnsureServiceAccount(t *testing.T) { func TestEnsureUserAndIdentity(t *testing.T) { labels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": "john-crtadmin", } require.NoError(t, client.AddToScheme()) diff --git a/pkg/cmd/generate/roles_manager.go b/pkg/cmd/generate/roles_manager.go index a0d2318..889cda7 100644 --- a/pkg/cmd/generate/roles_manager.go +++ b/pkg/cmd/generate/roles_manager.go 
@@ -48,6 +48,6 @@ func ensureRole(ctx *clusterContext, cache objectsCache, roleName, namespace str
 roleToBeCreated := role.DeepCopy()
 roleToBeCreated.SetNamespace(namespace)
 roleToBeCreated.SetName(roleNameToBeCreated)
- roleToBeCreated.SetLabels(sreLabels())
+ roleToBeCreated.SetLabels(ksctlLabels())
 return true, roleNameToBeCreated, cache.storeObject(ctx, roleToBeCreated)
 }
diff --git a/pkg/cmd/generate/util.go b/pkg/cmd/generate/util.go
index f19c52f..947f0c6 100644
--- a/pkg/cmd/generate/util.go
+++ b/pkg/cmd/generate/util.go
@@ -9,6 +9,7 @@ import (
 "strings"
 
 "github.com/ghodss/yaml"
+ "github.com/kubesaw/ksctl/pkg/assets"
 "github.com/kubesaw/ksctl/pkg/configuration"
 "github.com/kubesaw/ksctl/pkg/utils"
 "k8s.io/apimachinery/pkg/api/meta"
@@ -219,22 +220,27 @@ func ensureKustomization(ctx manifestStoreContext, dirPath, item string) error {
 return ensureKustomization(ctx, parentDir, filepath.Base(dirPath))
 }
 
-func sreLabelsWithUsername(username string) map[string]string {
- labels := sreLabels()
+func ksctlLabelsWithUsername(username string) map[string]string {
+ labels := ksctlLabels()
 labels["username"] = username
 return labels
 }
 
-func sreLabels() map[string]string {
+func ksctlLabels() map[string]string {
 return map[string]string{
- "provider": "sandbox-sre",
+ "provider": "ksctl",
 }
 }
 
-func sandboxSRENamespace(clusterType configuration.ClusterType) string {
- sandboxSRENamespace := "sandbox-sre-host"
+func defaultSAsNamespace(kubeSawAdmins *assets.KubeSawAdmins, clusterType configuration.ClusterType) string {
 if clusterType == configuration.Member {
- sandboxSRENamespace = "sandbox-sre-member"
+ if kubeSawAdmins.DefaultServiceAccountsNamespace.Member != "" {
+ return kubeSawAdmins.DefaultServiceAccountsNamespace.Member
+ }
+ return "kubesaw-admins-member"
+ }
+ if kubeSawAdmins.DefaultServiceAccountsNamespace.Host != "" {
+ return kubeSawAdmins.DefaultServiceAccountsNamespace.Host
 }
- return sandboxSRENamespace
+ return "kubesaw-admins-host"
 }
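Review bot: `defaultSAsNamespace` dereferences `kubeSawAdmins` on every path with no nil guard, so a caller that reaches it before the kubesaw-admins file has been loaded panics rather than returning an error; the new table test in util_test.go covers the empty-string fallbacks but not that case, and the contexts that pass `ctx.kubeSawAdmins` are constructed outside these hunks. The function also has no doc comment, and the configured value ends up both in generated manifests and in the `api/v1/namespaces/%s/serviceaccounts/` path used for the client lookup, so it is worth validating it as a Kubernetes namespace name (RFC 1123 label) where the file is parsed rather than trusting it here. Suggested comment: `// defaultSAsNamespace returns the namespace the ServiceAccounts of the given cluster type are generated in: the value configured in kubeSawAdmins.DefaultServiceAccountsNamespace, or "kubesaw-admins-host"/"kubesaw-admins-member" when that field is empty. kubeSawAdmins must not be nil.`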
diff --git a/pkg/cmd/generate/util_test.go b/pkg/cmd/generate/util_test.go index 0c1ad46..62e2d70 100644 --- a/pkg/cmd/generate/util_test.go +++ b/pkg/cmd/generate/util_test.go @@ -7,6 +7,7 @@ import ( "testing" "github.com/kubesaw/ksctl/pkg/configuration" + "github.com/kubesaw/ksctl/pkg/test" userv1 "github.com/openshift/api/user/v1" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -380,3 +381,50 @@ func TestFilePath(t *testing.T) { }) } + +func TestDefaultSAsNamespace(t *testing.T) { + var testData = map[string]struct { + hostSAsNs, expectedHostSAsNs string + memberSAsNs, expectedMemberSAsNs string + }{ + "custom host and member SAs namespaces": { + hostSAsNs: "kubesaw-host-sre", + expectedHostSAsNs: "kubesaw-host-sre", + memberSAsNs: "kubesaw-member-sre", + expectedMemberSAsNs: "kubesaw-member-sre", + }, + "custom host SAs namespace": { + hostSAsNs: "kubesaw-host-sre", + expectedHostSAsNs: "kubesaw-host-sre", + expectedMemberSAsNs: "kubesaw-admins-member", + }, + "custom member SAs namespace": { + expectedHostSAsNs: "kubesaw-admins-host", + memberSAsNs: "kubesaw-member-sre", + expectedMemberSAsNs: "kubesaw-member-sre", + }, + "no custom SAs namespace": { + expectedHostSAsNs: "kubesaw-admins-host", + expectedMemberSAsNs: "kubesaw-admins-member", + }, + } + + for testName, data := range testData { + t.Run(testName, func(t *testing.T) { + // given + kubeSawAdmins := test.NewKubeSawAdmins(test.Clusters(""), + test.ServiceAccounts(), + test.Users()) + kubeSawAdmins.DefaultServiceAccountsNamespace.Host = data.hostSAsNs + kubeSawAdmins.DefaultServiceAccountsNamespace.Member = data.memberSAsNs + + // when + defaultHostSAsNs := defaultSAsNamespace(kubeSawAdmins, configuration.Host) + defaultMemberSAsNs := defaultSAsNamespace(kubeSawAdmins, configuration.Member) + + // then + assert.Equal(t, data.expectedHostSAsNs, defaultHostSAsNs) + assert.Equal(t, data.expectedMemberSAsNs, defaultMemberSAsNs) + }) + } +} 
diff --git a/pkg/test/banneduser.go b/pkg/test/banneduser.go index 66bdaef..ac6b41d 100644 --- a/pkg/test/banneduser.go +++ b/pkg/test/banneduser.go @@ -12,7 +12,7 @@ import ( runtimeclient "sigs.k8s.io/controller-runtime/pkg/client" ) -func AssertBannedUser(t *testing.T, fakeClient *test.FakeClient, userSignup *toolchainv1alpha1.UserSignup) { +func AssertBannedUser(t *testing.T, fakeClient *test.FakeClient, userSignup *toolchainv1alpha1.UserSignup, banReason string) { bannedUsers := &toolchainv1alpha1.BannedUserList{} err := fakeClient.List(context.TODO(), bannedUsers, runtimeclient.InNamespace(userSignup.Namespace)) require.NoError(t, err) @@ -22,6 +22,8 @@ func AssertBannedUser(t *testing.T, fakeClient *test.FakeClient, userSignup *too assert.Equal(t, userSignup.Labels[toolchainv1alpha1.UserSignupUserEmailHashLabelKey], bannedUser.Labels[toolchainv1alpha1.BannedUserEmailHashLabelKey]) assert.Equal(t, userSignup.Labels[toolchainv1alpha1.UserSignupUserPhoneHashLabelKey], bannedUser.Labels[toolchainv1alpha1.BannedUserPhoneNumberHashLabelKey]) assert.Equal(t, "john", bannedUser.Labels[toolchainv1alpha1.LabelKeyPrefix+"banned-by"]) + assert.Equal(t, banReason, bannedUser.Spec.Reason) + } func AssertNoBannedUser(t *testing.T, fakeClient *test.FakeClient, userSignup *toolchainv1alpha1.UserSignup) { diff --git a/pkg/utils/util_test.go b/pkg/utils/util_test.go index 9b6b4a9..c12ef3c 100644 --- a/pkg/utils/util_test.go +++ b/pkg/utils/util_test.go 
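Review bot: The new `assert.Equal(t, banReason, bannedUser.Spec.Reason)` in `AssertBannedUser` is followed by a stray added blank line before the closing brace; drop it so the function body ends on the assertion. The loop or lookup that binds `bannedUser` is outside the hunk, so I cannot tell whether the new assertion runs once or per item, but in either case the blank line is the only change needed here.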
@@ -35,13 +35,13 @@ func TestGetToolchainClusterName(t *testing.T) { Suffix string } for expectedClusterName, params := range map[string]Params{ - "host-sandbox.x7a5.a2.openshiftapps.com": { + "host-kubesaw.x7a5.a2.openshiftapps.com": { ClusterType: "host", - ServerAPI: "https://api.sandbox.x7a5.a2.openshiftapps.com:6443", + ServerAPI: "https://api.kubesaw.x7a5.a2.openshiftapps.com:6443", }, - "member-sandbox-m2.ab8k.b3.openshiftapps.com": { + "member-kubesaw-m2.ab8k.b3.openshiftapps.com": { ClusterType: "member", - ServerAPI: "https://api.sandbox-m2.ab8k.b3.openshiftapps.com:6443", + ServerAPI: "https://api.kubesaw-m2.ab8k.b3.openshiftapps.com:6443", }, "member-api-prefix-dropped": { ClusterType: "member", diff --git a/resources/roles/host.yaml b/resources/roles/host.yaml index 67ccb0e..876b5df 100644 --- a/resources/roles/host.yaml +++ b/resources/roles/host.yaml @@ -4,32 +4,12 @@ metadata: name: host-roles objects: -- kind: Role - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: install-operator - labels: - provider: sandbox-sre - rules: - - apiGroups: - - operators.coreos.com - resources: - - "catalogsources" - - "operatorgroups" - - "subscriptions" - verbs: - - "get" - - "list" - - "create" - - "patch" - - "update" - - kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: restart-deployment labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - apps @@ -46,7 +26,7 @@ objects: metadata: name: view-secrets labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - "" @@ -61,7 +41,7 @@ objects: metadata: name: edit-secrets labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - "" 
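Review bot: Removing the `install-operator` Role template from host.yaml (and, in the next file section, from member.yaml together with `configure-monitoring`) is a welcome reduction of the permissions ksctl hands out, but any existing kubesaw-admins.yaml that still lists either name under `roles` now refers to a Role the generator no longer emits. The test fixture in test-resources was edited to drop those entries, which suggests the generator does not tolerate the reference, but I cannot see from this diff whether it fails loudly or produces a RoleBinding to a missing Role; please confirm, and add a line to README.adoc naming the removed roles so operators can update their files before upgrading.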
@@ -75,68 +55,12 @@ objects: - "update" - "patch" -- kind: Role - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: configure-monitoring - labels: - provider: sandbox-sre - rules: - - apiGroups: - - "" - resources: - - "configmaps" - - "secrets" - - "serviceaccounts" - - "services" - verbs: - - "create" - - "update" - - "get" - - "list" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "apps" - resources: - - "deployments" - - "statefulsets" - verbs: - - "create" - - "update" - - "get" - - "list" - - apiGroups: - - "route.openshift.io" - resources: - - "routes" - verbs: - - "create" - - "update" - - "get" - - "list" - - apiGroups: - - "monitoring.coreos.com" - resources: - - "prometheuses" - - "prometheusrules" - - "servicemonitors" - verbs: - - "create" - - "update" - - "get" - - "list" - - kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: add-space-users labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -162,7 +86,7 @@ objects: metadata: name: approve-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -179,7 +103,7 @@ objects: metadata: name: ban-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -202,7 +126,7 @@ objects: metadata: name: deactivate-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -219,7 +143,7 @@ objects: metadata: name: promote-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -245,7 +169,7 @@ objects: metadata: name: disable-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -262,7 +186,7 @@ objects: metadata: name: gdpr-delete labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com 
@@ -278,7 +202,7 @@ objects: metadata: name: retarget-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -302,7 +226,7 @@ objects: metadata: name: create-social-event labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -319,7 +243,7 @@ objects: metadata: name: enable-feature labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com diff --git a/resources/roles/member.yaml b/resources/roles/member.yaml index 9f13b1b..7c3558e 100644 --- a/resources/roles/member.yaml +++ b/resources/roles/member.yaml @@ -4,32 +4,12 @@ metadata: name: member-roles objects: -- kind: Role - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: install-operator - labels: - provider: sandbox-sre - rules: - - apiGroups: - - operators.coreos.com - resources: - - "catalogsources" - - "operatorgroups" - - "subscriptions" - verbs: - - "get" - - "list" - - "create" - - "patch" - - "update" - - kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: approve-operator-update labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - operators.coreos.com @@ -48,7 +28,7 @@ objects: metadata: name: restart-deployment labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - apps @@ -65,7 +45,7 @@ objects: metadata: name: view-secrets labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - "" @@ -80,7 +60,7 @@ objects: metadata: name: edit-secrets labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - "" 
@@ -94,68 +74,12 @@ objects: - "update" - "patch" -- kind: Role - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: configure-monitoring - labels: - provider: sandbox-sre - rules: - - apiGroups: - - "" - resources: - - "configmaps" - - "secrets" - - "serviceaccounts" - - "services" - verbs: - - "create" - - "update" - - "get" - - "list" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "apps" - resources: - - "deployments" - - "statefulsets" - verbs: - - "create" - - "update" - - "get" - - "list" - - apiGroups: - - "route.openshift.io" - resources: - - "routes" - verbs: - - "create" - - "update" - - "get" - - "list" - - apiGroups: - - "monitoring.coreos.com" - resources: - - "prometheuses" - - "prometheusrules" - - "servicemonitors" - verbs: - - "create" - - "update" - - "get" - - "list" - - kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: edit-csv labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - operators.coreos.com diff --git a/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml b/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml index e607687..d29a72a 100644 --- a/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml +++ b/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml @@ -10,6 +10,10 @@ clusters: name: member-3 separateKustomizeComponent: true +defaultServiceAccountsNamespace: + host: host-sre-namespace + member: member-sre-namespace + serviceAccounts: - name: first-admin @@ -17,7 +21,6 @@ serviceAccounts: roleBindings: - namespace: toolchain-host-operator roles: - - install-operator - restart-deployment - approve-user - view-secrets 
@@ -30,50 +33,15 @@ serviceAccounts: - create-social-event - add-space-users clusterRoles: - - edit - view - - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - - namespace: openshift-logging - roles: - - install-operator - clusterRoles: - - edit member: roleBindings: - namespace: toolchain-member-operator roles: - - install-operator - restart-deployment - view-secrets clusterRoles: - - edit - view - - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - - namespace: openshift-logging - roles: - - install-operator - clusterRoles: - - edit - - namespace: openshift-config-managed - roles: - - configure-monitoring - clusterRoles: - - edit - clusterRoleBindings: - clusterRoles: - - manage-console-resources - name: second-admin host: @@ -115,7 +83,7 @@ serviceAccounts: - view users: -- name: standard-crtadmin +- name: standard-user-admin id: - 123456 - abc1234 @@ -130,18 +98,9 @@ users: clusterRoles: - view - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - - namespace: openshift-logging clusterRoles: - view - - namespace: sandbox-sre-host - roles: - - view-secrets + - namespace: openshift-logging clusterRoles: - view member: @@ -156,23 +115,11 @@ users: - view-secrets clusterRoles: - view - - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - namespace: openshift-logging clusterRoles: - view - - namespace: sandbox-sre-member - roles: - - view-secrets - clusterRoles: - - view -- name: standard-viewer-crtadmin +- name: standard-user-viewer id: - 987654 groups: @@ -189,7 +136,7 @@ users: clusterRoles: - view -- name: other-component-crtadmin +- name: other-component-admin id: - 561234287 - f:528d:some-admin 
@@ -204,7 +151,7 @@ users: clusterRoles: - list-operators-group -- name: other-component-viewer-crtadmin +- name: other-component-viewer id: - 5412345 member: @@ -216,6 +163,11 @@ users: clusterRoles: - view +- name: user-in-all-clusters + id: + - 1234567890 + allClusters: true + - name: editor-not-included-in-member-3 id: - 5412345 @@ -230,8 +182,3 @@ users: - namespace: second-component clusterRoles: - edit - -- name: my-clusteradmin - id: - - 1234567890 - allClusters: true \ No newline at end of file diff --git a/test-resources/dummy.openshiftapps.com/sandbox-config.yaml b/test-resources/dummy.openshiftapps.com/sandbox-config.yaml deleted file mode 100644 index 3851f00..0000000 --- a/test-resources/dummy.openshiftapps.com/sandbox-config.yaml +++ /dev/null 
@@ -1,216 +0,0 @@ -clusters: - host: - api: https://api.dummy-host.openshiftapps.com:6443 - members: - - api: https://api.dummy-m1.openshiftapps.com:6443 - name: member-1 - - api: https://api.dummy-m2.openshiftapps.com:6443 - name: member-2 - - api: https://api.dummy-m3.openshiftapps.com:6443 - name: member-3 - -serviceAccounts: - -- name: first-admin - host: - roleBindings: - - namespace: toolchain-host-operator - roles: - - install-operator - - restart-deployment - - approve-user - - view-secrets - - deactivate-user - - ban-user - - promote-user - - disable-user - - retarget-user - - gdpr-delete - - create-social-event - - add-space-users - clusterRoles: - - edit - - view - - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - - namespace: openshift-logging - roles: - - install-operator - clusterRoles: - - edit - member: - roleBindings: - - namespace: toolchain-member-operator - roles: - - install-operator - - restart-deployment - - view-secrets - clusterRoles: - - edit - - view - - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - - namespace: openshift-logging - roles: - - install-operator - clusterRoles: - - edit - - namespace: openshift-config-managed - roles: - - configure-monitoring - clusterRoles: - - edit - clusterRoleBindings: - clusterRoles: - - manage-console-resources - -- name: second-admin - host: - roleBindings: - - namespace: toolchain-host-operator - roles: - - approve-user - - view-secrets - - deactivate-user - - ban-user - - promote-user - - disable-user - - retarget-user - - gdpr-delete - - restart-deployment - - create-social-event - - add-space-users - clusterRoles: - - view - member: - roleBindings: - - namespace: toolchain-member-operator - roles: - - restart-deployment - - view-secrets - clusterRoles: - - view - -- name: viewer - host: - roleBindings: - - 
namespace: toolchain-host-operator - clusterRoles: - - view - member: - roleBindings: - - namespace: toolchain-member-operator - clusterRoles: - - view - -users: -- name: standard-user-admin - id: - - 123456 - - abc1234 - groups: - - crtadmin-users-view - - inspect-pods - host: - roleBindings: - - namespace: toolchain-host-operator - roles: - - edit-secrets - clusterRoles: - - view - - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - - namespace: openshift-logging - clusterRoles: - - view - - namespace: sandbox-sre-host - roles: - - view-secrets - clusterRoles: - - view - member: - roleBindings: - - namespace: toolchain-member-operator - roles: - - edit-secrets - clusterRoles: - - view - - namespace: crw - roles: - - view-secrets - clusterRoles: - - view - - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - - namespace: openshift-logging - clusterRoles: - - view - - namespace: sandbox-sre-member - roles: - - view-secrets - clusterRoles: - - view - -- name: standard-user-viewer - id: - - 987654 - groups: - - crtadmin-users-view - - kubesaw-team - host: - roleBindings: - - namespace: toolchain-host-operator - clusterRoles: - - view - member: - roleBindings: - - namespace: toolchain-member-operator - clusterRoles: - - view - -- name: other-component-admin - id: - - 561234287 - - f:528d:some-admin - member: - roleBindings: - - namespace: some-component - roles: - - approve-operator-update - clusterRoles: - - edit - clusterRoleBindings: - clusterRoles: - - list-operators-group - -- name: other-component-viewer - id: - - 5412345 - member: - roleBindings: - - namespace: first-component - clusterRoles: - - view - - namespace: second-component - clusterRoles: - - view
