observeAuthMode: drop authorization-mode from default config and specify strictly with observer
Signed-off-by: Peter Hunt <[email protected]>
1 parent
0c32bfb
commit f51e26e
Showing
6 changed files
with
166 additions
and
148 deletions.
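--- a/pkg/operator/configobservation/node/observe_authorization_mode.go
+++ b/pkg/operator/configobservation/node/observe_authorization_mode.go
@@ -0,0 +1,69 @@
+package node
+
+import (
+	"sort"
+
+	"github.com/openshift/api/features"
+	"github.com/openshift/library-go/pkg/operator/configobserver"
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+var defaultAuthenticationModes = []string{
+	"Node",
+	"RBAC",
+	"Scope",
+	"SystemMasters",
+}
+
+type authorizationModeObserver struct {
+	featureGateAccessor featuregates.FeatureGateAccess
+	authModes           []string
+}
+
+func NewAuthorizationModeObserver(featureGateAccessor featuregates.FeatureGateAccess) configobserver.ObserveConfigFunc {
+	return (&authorizationModeObserver{
+		featureGateAccessor: featureGateAccessor,
+	}).ObserveAuthorizationMode
+}
+
+// ObserveAuthorizationMode watches the featuregate configuration and generates the apiServerArguments.authorization-mode
+// It currently hardcodes the default set and adds MinimumKubeletVersion if the feature is set to on.
+func (o *authorizationModeObserver) ObserveAuthorizationMode(genericListers configobserver.Listers, _ events.Recorder, existingConfig map[string]interface{}) (ret map[string]interface{}, errs []error) {
+	defer func() {
+		// Prune the observed config so that it only contains minimumKubeletVersion field.
+		ret = configobserver.Pruned(ret, authModePath)
+	}()
+
+	ret = map[string]interface{}{}
+	if !o.featureGateAccessor.AreInitialFeatureGatesObserved() {
+		return existingConfig, nil
+	}
+
+	featureGates, err := o.featureGateAccessor.CurrentFeatureGates()
+	if err != nil {
+		return existingConfig, append(errs, err)
+	}
+
+	if err := AddAuthorizationModes(ret, featureGates.Enabled(features.FeatureGateMinimumKubeletVersion)); err != nil {
+		return existingConfig, append(errs, err)
+	}
+	return ret, nil
+}
+
+// AddAuthorizationModes modifies the passed in config
+// to add the "authorization-mode": "MinimumKubeletVersion" if the feature is on. If it's off, it
+// removes it instead.
+// This function assumes MinimumKubeletVersion auth mode isn't present by default,
+// and should likely be removed when it is.
+func AddAuthorizationModes(newConfig map[string]interface{}, on bool) error {
+	modes := defaultAuthenticationModes
+	if on {
+		modes = append(modes, ModeMinimumKubeletVersion)
+	}
+	sort.Sort(sort.StringSlice(modes))
+
+	unstructured.RemoveNestedField(newConfig, authModePath...)
+	return unstructured.SetNestedStringSlice(newConfig, modes, authModePath...)
+}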
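Review bot: `sort.Sort(sort.StringSlice(modes))` in AddAuthorizationModes sorts in place, and when `on` is false `modes` is the package-level `defaultAuthenticationModes` slice itself, so every call mutates shared package state (a silent no-op today only because the literal happens to be alphabetical already, and a data race if two observers were ever invoked concurrently). Copy before mutating: `modes := append([]string(nil), defaultAuthenticationModes...)`. Separately, kube-apiserver consults the `--authorization-mode` authorizers in the listed order and the first non-NoOpinion decision wins, so deriving the chain order by alphabetical sort ties authorization semantics to mode spelling rather than a deliberate choice; I would keep one explicitly ordered list with a comment on why that order, and drop the sort (adjusting the test's expected order to match). The comment in the deferred prune also says "minimumKubeletVersion field" while the code prunes `authModePath`; suggest `// Prune the observed config so that it only contains the authorization-mode field.`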
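--- a/pkg/operator/configobservation/node/observe_authorization_mode_test.go
+++ b/pkg/operator/configobservation/node/observe_authorization_mode_test.go
@@ -0,0 +1,85 @@
+package node
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestAddAuthorizationModes(t *testing.T) {
+	for _, on := range []bool{false, true} {
+		expectedSet := []any{"Node", "RBAC", "Scope", "SystemMasters"}
+		if on {
+			expectedSet = append([]any{ModeMinimumKubeletVersion}, expectedSet...)
+		}
+		for _, tc := range []struct {
+			name           string
+			existingConfig map[string]interface{}
+			expectedConfig map[string]interface{}
+		}{
+			{
+				name: "should not fail if apiServerArguments not present",
+				existingConfig: map[string]interface{}{
+					"fakeconfig": "fake",
+				},
+				expectedConfig: map[string]interface{}{
+					"fakeconfig":         "fake",
+					"apiServerArguments": map[string]any{"authorization-mode": expectedSet},
+				},
+			},
+			{
+				name: "should not fail if authorization-mode not present",
+				existingConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"fake": []any{"fake"}},
+				},
+				expectedConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"fake": []any{"fake"}, "authorization-mode": expectedSet},
+				},
+			},
+			{
+				name: "should clobber value if not expected",
+				existingConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"authorization-mode": []any{"fake"}},
+				},
+				expectedConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"authorization-mode": expectedSet},
+				},
+			},
+			{
+				name: "should not fail if MinimumKubeletVersion already present",
+				existingConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"authorization-mode": []any{"MinimumKubeletVersion"}},
+				},
+				expectedConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"authorization-mode": expectedSet},
+				},
+			},
+			{
+				name: "should not fail if apiServerArguments not present",
+				existingConfig: map[string]interface{}{
+					"fakeconfig": "fake",
+				},
+				expectedConfig: map[string]interface{}{
+					"fakeconfig":         "fake",
+					"apiServerArguments": map[string]any{"authorization-mode": expectedSet},
+				},
+			},
+		} {
+			name := tc.name + " when feature is "
+			if on {
+				name += "on"
+			} else {
+				name += "off"
+			}
+			t.Run(name, func(t *testing.T) {
+				if err := AddAuthorizationModes(tc.existingConfig, on); err != nil {
+					t.Fatal(err)
+				}
+
+				if diff := cmp.Diff(tc.expectedConfig, tc.existingConfig); diff != "" {
+					t.Errorf("unexpected config:\n%s", diff)
+				}
+			})
+		}
+	}
+}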
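Review bot: The table in TestAddAuthorizationModes lists "should not fail if apiServerArguments not present" twice, as the first and the last entry, with identical inputs and expectations, so the final case adds no coverage and only produces a suffixed duplicate subtest per feature-gate value. I would replace it with a case the table currently lacks: a check that the package-level `defaultAuthenticationModes` slice is unchanged after `AddAuthorizationModes` returns, since the function sorts the slice it is handed and the existing cases never observe that shared state. The name "should not fail if MinimumKubeletVersion already present" also undersells what is asserted: with the gate off the case verifies the mode is removed, with it on that it is not duplicated, so `"should reconcile MinimumKubeletVersion when already present"` would describe the expectation for both runs.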