From a9ed61c163b2b2839b667c87636d8ed6d95df270 Mon Sep 17 00:00:00 2001 
From: Damien Dassieu Date: Sun, 10 Nov 2024 20:41:19 +0100 Subject: [PATCH] Conversion + v1beta1 --- .github/workflows/helm-chart-releaser.yml | 7 +- .gitignore | 11 +- Makefile | 13 +- PROJECT | 38 + README.md | 23 +- api/v1alpha1/remotesyncer_conversion.go | 63 + api/v1alpha1/remotesyncer_types.go | 1 + api/v1alpha1/remoteuser_conversion.go | 145 ++ api/v1alpha1/remoteuser_types.go | 1 + api/v1alpha1/remoteuserbinding_conversion.go | 46 + api/v1alpha1/remoteuserbinding_types.go | 1 + api/v1alpha2/remotesyncer_conversion.go | 67 + api/v1alpha2/remotesyncer_types.go | 1 + api/v1alpha2/remoteuser_conversion.go | 155 ++ api/v1alpha2/remoteuser_types.go | 1 + api/v1alpha2/remoteuserbinding_conversion.go | 46 + api/v1alpha2/remoteuserbinding_types.go | 1 + api/v1alpha3/remotesyncer_conversion.go | 69 + api/v1alpha3/remotesyncer_types.go | 1 + api/v1alpha3/remoteuser_conversion.go | 155 ++ api/v1alpha3/remoteuser_types.go | 1 + api/v1alpha3/remoteuserbinding_conversion.go | 46 + api/v1alpha3/remoteuserbinding_types.go | 1 + api/v1alpha4/remotesyncer_conversion.go | 69 + api/v1alpha4/remotesyncer_types.go | 2 +- api/v1alpha4/remotesyncer_webhook.go | 17 - api/v1alpha4/remoteuser_conversion.go | 155 ++ api/v1alpha4/remoteuser_types.go | 2 +- api/v1alpha4/remoteuser_webhook.go | 3 - api/v1alpha4/remoteuserbinding_conversion.go | 46 + api/v1alpha4/remoteuserbinding_types.go | 2 +- api/v1alpha4/remoteuserbinding_webhook.go | 34 + .../remoteuserbinding_webhook_test.go | 33 + api/v1beta1/groupversion_info.go | 36 + api/v1beta1/remotesyncer_conversion.go | 19 + api/v1beta1/remotesyncer_types.go | 236 ++ api/v1beta1/remotesyncer_webhook.go | 136 ++ api/v1beta1/remotesyncer_webhook_test.go | 47 + api/v1beta1/remoteuser_conversion.go | 19 + api/v1beta1/remoteuser_types.go | 114 + api/v1beta1/remoteuser_webhook.go | 67 + api/v1beta1/remoteuser_webhook_test.go | 47 + api/v1beta1/remoteuserbinding_conversion.go | 19 + api/v1beta1/remoteuserbinding_types.go | 92 + 
api/v1beta1/remoteuserbinding_webhook.go | 34 + api/v1beta1/remoteuserbinding_webhook_test.go | 33 + api/v1beta1/webhook_suite_test.go | 148 ++ api/v1beta1/zz_generated.deepcopy.go | 595 +++++ charts/{1.0.0 => 0.1.0}/Chart.yaml | 4 +- .../templates/certmanager/certificate.yaml | 0 .../controller/auth_proxy_service.yaml | 0 .../templates/controller/manager.yaml | 4 + .../crd/syngit.syngit.io_remotesyncer.yaml | 544 +---- .../crd/syngit.syngit.io_remoteuser.yaml | 321 +-- .../syngit.syngit.io_remoteuserbinding.yaml | 185 +- .../templates/monitoring/monitor.yaml | 0 .../auth_proxy_client_clusterrole.yaml | 0 .../rbac/controller/auth_proxy_role.yaml | 0 .../controller/auth_proxy_role_binding.yaml | 0 .../rbac/controller/leader_election_role.yaml | 0 .../leader_election_role_binding.yaml | 0 .../templates/rbac/controller/role.yaml | 0 .../rbac/controller/role_binding.yaml | 0 .../rbac/controller/service_account.yaml | 0 .../end-user/remotesyncer_editor_role.yaml | 0 .../end-user/remotesyncer_viewer_role.yaml | 0 .../rbac/end-user/remoteuser_editor_role.yaml | 0 .../rbac/end-user/remoteuser_viewer_role.yaml | 0 .../remoteuserbinding_editor_role.yaml | 0 .../remoteuserbinding_viewer_role.yaml | 0 .../templates/webhook/webhook-service.yaml | 0 .../templates/webhook/webhook.yaml | 14 +- charts/{1.0.1 => 0.1.0}/values.yaml | 11 +- .../config/bitbucket-configuration.yaml | 8 - .../config/github-configuration.yaml | 8 - .../config/gitlab-configuration.yaml | 8 - charts/1.0.0/values.yaml | 68 - charts/1.0.1/Chart.yaml | 11 - .../templates/certmanager/certificate.yaml | 36 - .../config/bitbucket-configuration.yaml | 8 - .../config/github-configuration.yaml | 8 - .../config/gitlab-configuration.yaml | 8 - .../controller/auth_proxy_service.yaml | 22 - .../1.0.1/templates/controller/manager.yaml | 92 - .../crd/syngit.syngit.io_remotesyncer.yaml | 2144 ----------------- .../crd/syngit.syngit.io_remoteuser.yaml | 899 ------- .../syngit.syngit.io_remoteuserbinding.yaml | 683 ------ 
.../1.0.1/templates/monitoring/monitor.yaml | 25 - .../auth_proxy_client_clusterrole.yaml | 18 - .../rbac/controller/auth_proxy_role.yaml | 26 - .../controller/auth_proxy_role_binding.yaml | 21 - .../rbac/controller/leader_election_role.yaml | 43 - .../leader_election_role_binding.yaml | 19 - .../1.0.1/templates/rbac/controller/role.yaml | 105 - .../rbac/controller/role_binding.yaml | 19 - .../rbac/controller/service_account.yaml | 11 - .../end-user/remotesyncer_editor_role.yaml | 30 - .../end-user/remotesyncer_viewer_role.yaml | 26 - .../rbac/end-user/remoteuser_editor_role.yaml | 30 - .../rbac/end-user/remoteuser_viewer_role.yaml | 26 - .../remoteuserbinding_editor_role.yaml | 30 - .../remoteuserbinding_viewer_role.yaml | 26 - .../templates/webhook/webhook-service.yaml | 35 - charts/1.0.1/templates/webhook/webhook.yaml | 70 - cmd/main.go | 22 +- .../bases/syngit.syngit.io_remotesyncers.yaml | 572 ++++- .../syngit.syngit.io_remoteuserbindings.yaml | 172 +- .../bases/syngit.syngit.io_remoteusers.yaml | 151 +- config/crd/kustomization.yaml | 7 +- .../cainjection_in_remoteuserbindings.yaml | 7 + .../webhook_in_remoteuserbindings.yaml | 16 + config/manager/manager.yaml | 2 +- config/rbac/role.yaml | 9 + config/samples/kustomization.yaml | 9 +- .../samples/syngit_v1beta1_remotesyncer.yaml | 12 + ...er.yaml => syngit_v1beta1_remoteuser.yaml} | 10 +- .../syngit_v1beta1_remoteuserbinding.yaml | 12 + .../syngit_v2alpha2_remotesyncer2.yaml | 12 + .../syngit_v2alpha2_remoteuser2.yaml | 6 - .../syngit_v2alpha2_remoteuserbinding.yaml | 7 - .../syngit_v3alpha3_remotesyncer.yaml | 0 .../syngit_v3alpha3_remoteuser.yaml | 0 .../syngit_v3alpha3_remoteuserbinding.yaml | 0 .../syngit_v2alpha2_remotesyncer.yaml | 39 - .../syngit_v2alpha2_remotesyncer2.yaml | 34 - config/webhook/cert-injector.sh | 46 +- config/webhook/cleanup-injector.sh | 17 + config/webhook/manifests.yaml | 18 +- .../controller/dynamic_webhook_handlers.go | 2 +- internal/controller/git_pusher.go | 43 +- 
.../controller/reconcile_remoteuser_owner.go | 46 +- .../controller/remotesyncer_controller.go | 3 +- .../remotesyncer_controller_test.go | 161 +- internal/controller/remoteuser_controller.go | 352 +-- .../controller/remoteuser_controller_test.go | 205 +- .../remoteuserbinding_controller.go | 2 +- .../remoteuserbinding_controller_test.go | 184 +- internal/controller/suite_test.go | 12 +- .../controller/webhook_request_checker.go | 151 +- 139 files changed, 4416 insertions(+), 6469 deletions(-) create mode 100644 api/v1alpha1/remotesyncer_conversion.go create mode 100644 api/v1alpha1/remoteuser_conversion.go create mode 100644 api/v1alpha1/remoteuserbinding_conversion.go create mode 100644 api/v1alpha2/remotesyncer_conversion.go create mode 100644 api/v1alpha2/remoteuser_conversion.go create mode 100644 api/v1alpha2/remoteuserbinding_conversion.go create mode 100644 api/v1alpha3/remotesyncer_conversion.go create mode 100644 api/v1alpha3/remoteuser_conversion.go create mode 100644 api/v1alpha3/remoteuserbinding_conversion.go create mode 100644 api/v1alpha4/remotesyncer_conversion.go create mode 100644 api/v1alpha4/remoteuser_conversion.go create mode 100644 api/v1alpha4/remoteuserbinding_conversion.go create mode 100644 api/v1alpha4/remoteuserbinding_webhook.go create mode 100644 api/v1alpha4/remoteuserbinding_webhook_test.go create mode 100644 api/v1beta1/groupversion_info.go create mode 100644 api/v1beta1/remotesyncer_conversion.go create mode 100644 api/v1beta1/remotesyncer_types.go create mode 100644 api/v1beta1/remotesyncer_webhook.go create mode 100644 api/v1beta1/remotesyncer_webhook_test.go create mode 100644 api/v1beta1/remoteuser_conversion.go create mode 100644 api/v1beta1/remoteuser_types.go create mode 100644 api/v1beta1/remoteuser_webhook.go create mode 100644 api/v1beta1/remoteuser_webhook_test.go create mode 100644 api/v1beta1/remoteuserbinding_conversion.go create mode 100644 api/v1beta1/remoteuserbinding_types.go create mode 100644 
api/v1beta1/remoteuserbinding_webhook.go create mode 100644 api/v1beta1/remoteuserbinding_webhook_test.go create mode 100644 api/v1beta1/webhook_suite_test.go create mode 100644 api/v1beta1/zz_generated.deepcopy.go rename charts/{1.0.0 => 0.1.0}/Chart.yaml (89%) rename charts/{1.0.0 => 0.1.0}/templates/certmanager/certificate.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/controller/auth_proxy_service.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/controller/manager.yaml (94%) rename charts/{1.0.0 => 0.1.0}/templates/crd/syngit.syngit.io_remotesyncer.yaml (70%) rename charts/{1.0.0 => 0.1.0}/templates/crd/syngit.syngit.io_remoteuser.yaml (53%) rename charts/{1.0.0 => 0.1.0}/templates/crd/syngit.syngit.io_remoteuserbinding.yaml (66%) rename charts/{1.0.0 => 0.1.0}/templates/monitoring/monitor.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/controller/auth_proxy_client_clusterrole.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/controller/auth_proxy_role.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/controller/auth_proxy_role_binding.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/controller/leader_election_role.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/controller/leader_election_role_binding.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/controller/role.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/controller/role_binding.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/controller/service_account.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/end-user/remotesyncer_editor_role.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/end-user/remotesyncer_viewer_role.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/end-user/remoteuser_editor_role.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/end-user/remoteuser_viewer_role.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/rbac/end-user/remoteuserbinding_editor_role.yaml (100%) 
rename charts/{1.0.0 => 0.1.0}/templates/rbac/end-user/remoteuserbinding_viewer_role.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/webhook/webhook-service.yaml (100%) rename charts/{1.0.0 => 0.1.0}/templates/webhook/webhook.yaml (83%) rename charts/{1.0.1 => 0.1.0}/values.yaml (91%) delete mode 100644 charts/1.0.0/templates/config/bitbucket-configuration.yaml delete mode 100644 charts/1.0.0/templates/config/github-configuration.yaml delete mode 100644 charts/1.0.0/templates/config/gitlab-configuration.yaml delete mode 100644 charts/1.0.0/values.yaml delete mode 100644 charts/1.0.1/Chart.yaml delete mode 100644 charts/1.0.1/templates/certmanager/certificate.yaml delete mode 100644 charts/1.0.1/templates/config/bitbucket-configuration.yaml delete mode 100644 charts/1.0.1/templates/config/github-configuration.yaml delete mode 100644 charts/1.0.1/templates/config/gitlab-configuration.yaml delete mode 100644 charts/1.0.1/templates/controller/auth_proxy_service.yaml delete mode 100644 charts/1.0.1/templates/controller/manager.yaml delete mode 100644 charts/1.0.1/templates/crd/syngit.syngit.io_remotesyncer.yaml delete mode 100644 charts/1.0.1/templates/crd/syngit.syngit.io_remoteuser.yaml delete mode 100644 charts/1.0.1/templates/crd/syngit.syngit.io_remoteuserbinding.yaml delete mode 100644 charts/1.0.1/templates/monitoring/monitor.yaml delete mode 100644 charts/1.0.1/templates/rbac/controller/auth_proxy_client_clusterrole.yaml delete mode 100644 charts/1.0.1/templates/rbac/controller/auth_proxy_role.yaml delete mode 100644 charts/1.0.1/templates/rbac/controller/auth_proxy_role_binding.yaml delete mode 100644 charts/1.0.1/templates/rbac/controller/leader_election_role.yaml delete mode 100644 charts/1.0.1/templates/rbac/controller/leader_election_role_binding.yaml delete mode 100644 charts/1.0.1/templates/rbac/controller/role.yaml delete mode 100644 charts/1.0.1/templates/rbac/controller/role_binding.yaml delete mode 100644 
charts/1.0.1/templates/rbac/controller/service_account.yaml delete mode 100644 charts/1.0.1/templates/rbac/end-user/remotesyncer_editor_role.yaml delete mode 100644 charts/1.0.1/templates/rbac/end-user/remotesyncer_viewer_role.yaml delete mode 100644 charts/1.0.1/templates/rbac/end-user/remoteuser_editor_role.yaml delete mode 100644 charts/1.0.1/templates/rbac/end-user/remoteuser_viewer_role.yaml delete mode 100644 charts/1.0.1/templates/rbac/end-user/remoteuserbinding_editor_role.yaml delete mode 100644 charts/1.0.1/templates/rbac/end-user/remoteuserbinding_viewer_role.yaml delete mode 100644 charts/1.0.1/templates/webhook/webhook-service.yaml delete mode 100644 charts/1.0.1/templates/webhook/webhook.yaml create mode 100644 config/crd/patches/cainjection_in_remoteuserbindings.yaml create mode 100644 config/crd/patches/webhook_in_remoteuserbindings.yaml create mode 100644 config/samples/syngit_v1beta1_remotesyncer.yaml rename config/samples/{v2alpha2/syngit_v2alpha2_remoteuser.yaml => syngit_v1beta1_remoteuser.yaml} (58%) create mode 100644 config/samples/syngit_v1beta1_remoteuserbinding.yaml create mode 100644 config/samples/v1alpha2/syngit_v2alpha2_remotesyncer2.yaml rename config/samples/{v2alpha2 => v1alpha2}/syngit_v2alpha2_remoteuser2.yaml (70%) rename config/samples/{v2alpha2 => v1alpha2}/syngit_v2alpha2_remoteuserbinding.yaml (70%) rename config/samples/{v3alpha3 => v1alpha3}/syngit_v3alpha3_remotesyncer.yaml (100%) rename config/samples/{v3alpha3 => v1alpha3}/syngit_v3alpha3_remoteuser.yaml (100%) rename config/samples/{v3alpha3 => v1alpha3}/syngit_v3alpha3_remoteuserbinding.yaml (100%) delete mode 100644 config/samples/v2alpha2/syngit_v2alpha2_remotesyncer.yaml delete mode 100644 config/samples/v2alpha2/syngit_v2alpha2_remotesyncer2.yaml create mode 100755 config/webhook/cleanup-injector.sh diff --git a/.github/workflows/helm-chart-releaser.yml b/.github/workflows/helm-chart-releaser.yml index 1cdc36c..7a1d2ae 100644 
--- a/.github/workflows/helm-chart-releaser.yml +++ b/.github/workflows/helm-chart-releaser.yml @@ -2,18 +2,14 @@ name: Release charts on: push: - branches: - - dev tags: - '*' jobs: release: + if: startsWith(github.ref, 'refs/tags/') # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token - if: | - (github.event.repository.fork == true && github.ref == 'refs/heads/dev') || - (github.event.repository.fork == false && startsWith(github.ref, 'refs/tags/')) permissions: contents: write runs-on: ubuntu-latest @@ -39,5 +35,6 @@ jobs: charts_dir: charts config: charts/release_config.yml skip_existing: true + mark_as_latest: true env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file diff --git a/.gitignore b/.gitignore index 9b6f371..3afc715 100644 --- a/.gitignore +++ b/.gitignore @@ -7,11 +7,6 @@ *.dylib bin/* Dockerfile.cross -config/samples/test -config/webhook/manifests.yaml -config/webhook/secret.yaml -config/webhook/manifests.yaml.temp -config/webhook/secret.yaml.temp # Test binary, built with `go test -c` *.test @@ -31,3 +26,9 @@ go.work *.swp *.swo *~ + +# cert-injector on manifests +**/*.bak + +# developer's specific tests +config/samples/test \ No newline at end of file diff --git a/Makefile b/Makefile index 76afbf1..07e8037 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,10 @@ # Image URL to use all building/pushing image targets IMG ?= syngit-controller:latest -DEV_CLUSTER ?= dev-cluster +DEV_CLUSTER ?= syngit-dev-cluster # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. ENVTEST_K8S_VERSION = 1.29.0 +CRD_OPTIONS ?= "crd" # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) 
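Review bot: `mark_as_latest: true` is applied on every run of this job while the trigger stays `tags: '*'`, so a pre-release or scratch tag would also be published and flagged as the latest chart release; if such tags are ever pushed, narrow the tag filter (e.g. a `v*` pattern) or make the option conditional on the tag name. The new `if: startsWith(github.ref, 'refs/tags/')` duplicates the `on: push: tags` filter and is harmless, but note that dropping the fork condition means a fork now runs the release step (with `contents: write` on its own repository) on any tag push.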
@@ -49,10 +50,9 @@ WEBHOOK_PATH ?= config/webhook IMAGE ?= syngit.io/op:dev .PHONY: dev-deploy dev-deploy: # Launch dev env on the cluster + kind create cluster --name $(DEV_CLUSTER) 2>/dev/null || true make docker-build IMG=$(IMAGE) - kind load docker-image $(IMAGE) --name dev-cluster - cd $(WEBHOOK_PATH) && cp manifests.yaml manifests.yaml.temp - cd $(WEBHOOK_PATH) && cp secret.yaml secret.yaml.temp + kind load docker-image $(IMAGE) --name $(DEV_CLUSTER) make deploy IMG=$(IMAGE) # .PHONY: dev-run @@ -68,8 +68,7 @@ dev-deploy: # Launch dev env on the cluster .PHONY: cleanup-deploy cleanup-deploy: # Cleanup - cd $(WEBHOOK_PATH) && mv secret.yaml.temp secret.yaml - cd $(WEBHOOK_PATH) && mv manifests.yaml.temp manifests.yaml + cd $(WEBHOOK_PATH) && ./cleanup-injector.sh make undeploy # .PHONY: cleanup-run @@ -182,7 +181,7 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified .PHONY: deploy deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} - cd $(WEBHOOK_PATH) && ./cert-injector.sh manifests.yaml + cd $(WEBHOOK_PATH) && ./cert-injector.sh manifests.yaml ../crd/patches $(KUSTOMIZE) build config/default | $(KUBECTL) apply -f - .PHONY: undeploy diff --git a/PROJECT b/PROJECT index 33ab785..3c41328 100644 --- a/PROJECT +++ b/PROJECT @@ -109,6 +109,9 @@ resources: kind: RemoteUserBinding path: syngit.io/syngit/api/v1alpha4 version: v1alpha4 + webhooks: + conversion: true + webhookVersion: v1 - api: crdVersion: v1 namespaced: true 
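Review bot: `kind create cluster --name $(DEV_CLUSTER) 2>/dev/null || true` in dev-deploy hides every failure of the create step, not only the "cluster already exists" case, so a missing kind binary or a failed node bootstrap only surfaces later as an unrelated `kind load` error. Checking for the cluster first keeps the real error visible: `kind get clusters | grep -qx $(DEV_CLUSTER) || kind create cluster --name $(DEV_CLUSTER)`. The deploy target's `cert-injector.sh manifests.yaml ../crd/patches` appears to edit the CRD patches in place as well (the .gitignore hunk adds `**/*.bak` for it); a comment on the target noting that `cleanup-deploy` restores them would help the next developer.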
@@ -131,4 +134,39 @@ resources: webhooks: validation: true webhookVersion: v1 +- api: + crdVersion: v1 + namespaced: true + domain: syngit.io + group: syngit + kind: RemoteUser + path: syngit.io/syngit/api/v1beta1 + version: v1beta1 + webhooks: + conversion: true + validation: true + webhookVersion: v1 +- api: + crdVersion: v1 + namespaced: true + domain: syngit.io + group: syngit + kind: RemoteUserBinding + path: syngit.io/syngit/api/v1beta1 + version: v1beta1 + webhooks: + conversion: true + webhookVersion: v1 +- api: + crdVersion: v1 + namespaced: true + domain: syngit.io + group: syngit + kind: RemoteSyncer + path: syngit.io/syngit/api/v1beta1 + version: v1beta1 + webhooks: + conversion: true + validation: true + webhookVersion: v1 version: "3" diff --git a/README.md b/README.md index 8673c34..792ec84 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ helm repo add syngit https://syngit-org.github.io/syngit 1. Install the operator You can customize the values before installing the Helm chart. ```sh -helm install syngit syngit/syngit --version 1.0.1 -n syngit --create-namespace +helm install syngit syngit/syngit --version 0.1.0 -n syngit --create-namespace ``` syngit is now installed on your cluster! 
@@ -70,34 +70,33 @@ stringData: ``` ```yaml -apiVersion: syngit.syngit.io/v1alpha4 +apiVersion: syngit.syngit.io/v1beta1 kind: RemoteUser metadata: name: remoteuser-sample spec: gitBaseDomainFQDN: "github.com" - testAuthentication: true email: your@email.com - ownRemoteUserBinding: true + associatedRemoteUserBinding: true secretRef: name: git-server-my_git_username-auth ``` -Now, if you look at the status of the object, the user should be connected to the git server. +Now, if you look at the status of the object, the secret should be correctly bound. ```sh -kubectl get remoteuser remoteuser-sample -o=jsonpath='{.status.connexionStatus}' +kubectl get remoteuser remoteuser-sample -o=jsonpath='{.status.secretBoundStatus}' ``` ### RemoteUserBinding The RemoteUserBinding bind the Kubernetes user with the remote git user. This is used by syngit when the user apply changes on the cluster. syngit will push on the git server with the associated git user. -By default, the `ownRemoteUserBinding` field of the RemoteUser object automatically creates a RemoteUserBinding. The name of the object is `owned-rub-`. +By default, the `associatedRemoteUserBinding` field of the RemoteUser object automatically creates a RemoteUserBinding. The name of the object is `associated-rub-`. To get the associated RemoteUserBinding object, run : ```sh -kubectl get remoteuserbinding owned-rub-$(kubectl auth whoami -o=jsonpath='{.status.userInfo.username}') +kubectl get remoteuserbinding associated-rub-$(kubectl auth whoami -o=jsonpath='{.status.userInfo.username}') ``` ### RemoteSyncer 
@@ -107,15 +106,17 @@ The RemoteSyncer object contains the whole logic part of the operator. In this example, the RemoteSyncer will intercept all the *configmaps*. It will push them to *https://github.com/my_repo_path.git* in the branch *main* under the path `my_configmaps/`. Because the `commitProcess` is set to `CommitApply`, the changes will be pushed and then applied to the cluster. `CommitOnly` will only push the resource on the git server without applying it on the cluster. ```yaml -apiVersion: syngit.syngit.io/v1alpha4 +apiVersion: syngit.syngit.io/v1beta1 kind: RemoteSyncer metadata: name: remotesyncer-sample spec: remoteRepository: https://github.com/my_repo_path.git - branch: main - commitProcess: CommitApply + defaultBranch: main + processMode: CommitApply + pushMode: SameBranch defaultUnauthorizedUserMode: Block + rootPath: "my_configmaps" excludedFields: - metadata.managedFields - metadata.creationTimestamp diff --git a/api/v1alpha1/remotesyncer_conversion.go b/api/v1alpha1/remotesyncer_conversion.go new file mode 100644 index 0000000..67b92fd --- /dev/null +++ b/api/v1alpha1/remotesyncer_conversion.go 
@@ -0,0 +1,63 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ v1beta1 "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteSyncer) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteSyncer)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.DefaultBranch = src.Spec.Branch
+ dst.Spec.BypassInterceptionSubjects = src.Spec.BypassInterceptionSubjects
+ dst.Spec.DefaultBlockAppliedMessage = src.Spec.DefaultBlockAppliedMessage
+ dst.Spec.DefaultUnauthorizedUserMode = v1beta1.DefaultUnauthorizedUserMode(src.Spec.DefaultUnauthorizedUserMode)
+ dst.Spec.DefaultRemoteUserRef = src.Spec.DefaultUserBind
+ dst.Spec.ExcludedFields = src.Spec.ExcludedFields
+ dst.Spec.RemoteRepository = src.Spec.RemoteRepository
+
+ // Breaking changes
+ dst.Spec.ProcessMode = v1beta1.ProcessMode(src.Spec.CommitProcess)
+ dst.Spec.PushMode = v1beta1.SameBranch
+
+ return nil
+}
+
+func (dst *RemoteSyncer) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteSyncer)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Branch = src.Spec.DefaultBranch
+ dst.Spec.BypassInterceptionSubjects = src.Spec.BypassInterceptionSubjects
+ dst.Spec.DefaultBlockAppliedMessage = src.Spec.DefaultBlockAppliedMessage
+ dst.Spec.DefaultUnauthorizedUserMode = DefaultUnauthorizedUserMode(src.Spec.DefaultUnauthorizedUserMode)
+ dst.Spec.DefaultUserBind = src.Spec.DefaultRemoteUserRef
+ dst.Spec.ExcludedFields = src.Spec.ExcludedFields
+ dst.Spec.RemoteRepository = src.Spec.RemoteRepository
+
+ // Breaking changes
+ dst.Spec.CommitProcess = CommitProcess(src.Spec.ProcessMode)
+
+ return nil
+}
diff --git a/api/v1alpha1/remotesyncer_types.go b/api/v1alpha1/remotesyncer_types.go
index 6cb465e..249e0ef 100644
--- a/api/v1alpha1/remotesyncer_types.go
+++ b/api/v1alpha1/remotesyncer_types.go
@@ -83,6 +83,7 @@ type RemoteSyncerStatus struct { } //+kubebuilder:object:root=true
+//+kubebuilder:unservedversion
 //+kubebuilder:subresource:status // RemoteSyncer is the Schema for the remotesyncers API
diff --git a/api/v1alpha1/remoteuser_conversion.go b/api/v1alpha1/remoteuser_conversion.go
new file mode 100644
index 0000000..664227a
--- /dev/null
+++ b/api/v1alpha1/remoteuser_conversion.go
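Review bot: Neither ConvertTo nor ConvertFrom touches `Status`, so whatever `RemoteSyncerStatus` holds (the struct this patch marks `unservedversion` in remotesyncer_types.go) is dropped when a stored v1alpha1 object is converted to the hub and back — the RemoteUser conversion in the same patch does copy status, so the omission looks unintentional, assuming the v1beta1 hub carries a status of compatible shape; the same gap is in remoteuserbinding_conversion.go and in the v1alpha2 RemoteSyncer conversion further down. The spoke→hub direction is also lossy (`PushMode` is forced to `SameBranch`, and hub-only fields are not preserved anywhere on the way back), which may be acceptable for an unserved version but should be stated. Both exported methods lack a doc comment; e.g. `// ConvertTo converts this v1alpha1 RemoteSyncer to the v1beta1 hub; CommitProcess maps to ProcessMode and PushMode is always SameBranch.`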
@@ -0,0 +1,145 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ "strconv"
+
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteUser) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteUser)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Email = src.Spec.Email
+ gitBaseDomainFQDN := src.Spec.GitBaseDomainFQDN
+ dst.Spec.GitBaseDomainFQDN = gitBaseDomainFQDN
+ dst.Spec.SecretRef = src.Spec.SecretRef
+
+ dst.Status.Conditions = src.Status.Conditions
+ dst.Status.ConnexionStatus.Details = src.Status.ConnexionStatus.Details
+ dst.Status.ConnexionStatus.Status = v1beta1.RemoteUserConnexionStatusReason(src.Status.ConnexionStatus.Status)
+ dst.Status.GitUser = src.Status.GitUser
+ dst.Status.LastAuthTime = src.Status.LastAuthTime
+ dst.Status.SecretBoundStatus = v1beta1.SecretBoundStatus(src.Status.SecretBoundStatus)
+
+ // Breaking changes
+ if gitBaseDomainFQDN == "github.com" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/github.api.auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/github.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+ if gitBaseDomainFQDN == "gitlab.com" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/gitlab.api.auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/gitlab.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+ if gitBaseDomainFQDN == "bitbucket.org" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/bitbucket.api-auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/bitbucket.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+
+ return nil
+}
+
+func (dst *RemoteUser) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteUser)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Email = src.Spec.Email
+ gitBaseDomainFQDN := src.Spec.GitBaseDomainFQDN
+ dst.Spec.GitBaseDomainFQDN = gitBaseDomainFQDN
+ dst.Spec.SecretRef = src.Spec.SecretRef
+
+ dst.Status.Conditions = src.Status.Conditions
+ dst.Status.ConnexionStatus.Details = src.Status.ConnexionStatus.Details
+ dst.Status.ConnexionStatus.Status = RemoteUserConnexionStatusReason(src.Status.ConnexionStatus.Status)
+ dst.Status.GitUser = src.Status.GitUser
+ dst.Status.LastAuthTime = src.Status.LastAuthTime
+ dst.Status.SecretBoundStatus = SecretBoundStatus(src.Status.SecretBoundStatus)
+
+ // Breaking changes
+ if gitBaseDomainFQDN == "github.com" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(insecureSkipTlsAnnotation)
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(testAuthAnnotation)
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+ if gitBaseDomainFQDN == "gitlab.com" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/gitlab.api-auth.insecure-skip-tls-verify"])
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/gitlab.api-auth.test"])
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+ if gitBaseDomainFQDN == "bitbucket.org" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/bitbucket.api-auth.insecure-skip-tls-verify"])
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/bitbucket.api-auth.test"])
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+
+ return nil
+}
diff --git a/api/v1alpha1/remoteuser_types.go b/api/v1alpha1/remoteuser_types.go
index d4947bd..ef280c0 100644
--- a/api/v1alpha1/remoteuser_types.go
+++ b/api/v1alpha1/remoteuser_types.go
@@ -64,6 +64,7 @@ type RemoteUserStatus struct { } //+kubebuilder:object:root=true
+//+kubebuilder:unservedversion
 //+kubebuilder:subresource:status // RemoteUser is the Schema for the remoteusers API
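Review bot: ConvertTo writes `dst.Annotations[...]` straight after `dst.ObjectMeta = src.ObjectMeta`, so a RemoteUser that carries no annotations (nil map) panics on the first write, and when the map is non-nil the writes also land in src's map because both now share it. The keys also do not round-trip: ConvertTo stores `github.api.auth.insecure-skip-tls-verify` and `gitlab.api.auth.insecure-skip-tls-verify` while ConvertFrom reads the `api-auth` spelling, and the gitlab and bitbucket branches of ConvertFrom test the presence of the github key before parsing their own, so a TLS-verification setting stored on the hub is silently dropped on the way back (it falls back to false, i.e. verification on, which at least fails safe) or the conversion errors out on `ParseBool("")`. A provider→keys lookup plus one parse helper removes the copy-paste surface; which spelling is canonical must match what the controller reads, which is outside this patch, and the assignment-before-error-check in each branch goes away with it.
```go
// providerAnnotationKeys returns the hub annotation keys that carry the
// v1alpha1 InsecureSkipTlsVerify and TestAuthentication flags for the given
// git provider, or empty strings when the provider has no mapping.
func providerAnnotationKeys(gitBaseDomainFQDN string) (skipTLSKey, testAuthKey string) {
	switch gitBaseDomainFQDN {
	case "github.com":
		return "syngit.syngit.io/github.api-auth.insecure-skip-tls-verify", "syngit.syngit.io/github.api-auth.test"
	case "gitlab.com":
		return "syngit.syngit.io/gitlab.api-auth.insecure-skip-tls-verify", "syngit.syngit.io/gitlab.api-auth.test"
	case "bitbucket.org":
		return "syngit.syngit.io/bitbucket.api-auth.insecure-skip-tls-verify", "syngit.syngit.io/bitbucket.api-auth.test"
	}
	return "", ""
}

// annotationBool parses a boolean annotation; an absent or empty value is
// reported as false without an error so that objects without the annotation
// keep the zero-value spec field.
func annotationBool(annotations map[string]string, key string) (bool, error) {
	raw, ok := annotations[key]
	if !ok || raw == "" {
		return false, nil
	}
	return strconv.ParseBool(raw)
}

// … unchanged: ConvertTo common conversion …
	// Breaking changes: the provider flags only exist as annotations on the hub.
	if skipTLSKey, testAuthKey := providerAnnotationKeys(gitBaseDomainFQDN); skipTLSKey != "" {
		// dst.Annotations aliases src.Annotations after the ObjectMeta copy and may be nil.
		if dst.Annotations == nil {
			dst.Annotations = map[string]string{}
		}
		dst.Annotations[skipTLSKey] = strconv.FormatBool(src.Spec.InsecureSkipTlsVerify)
		dst.Annotations[testAuthKey] = strconv.FormatBool(src.Spec.TestAuthentication)
	}

// … unchanged: ConvertFrom common conversion …
	// Breaking changes: read the flags back from the hub annotations.
	skipTLSKey, testAuthKey := providerAnnotationKeys(gitBaseDomainFQDN)
	if skipTLSKey == "" {
		return nil
	}
	var err error
	if dst.Spec.InsecureSkipTlsVerify, err = annotationBool(src.Annotations, skipTLSKey); err != nil {
		return err
	}
	if dst.Spec.TestAuthentication, err = annotationBool(src.Annotations, testAuthKey); err != nil {
		return err
	}
	return nil
```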
diff --git a/api/v1alpha1/remoteuserbinding_conversion.go b/api/v1alpha1/remoteuserbinding_conversion.go
new file mode 100644
index 0000000..b511309
--- /dev/null
+++ b/api/v1alpha1/remoteuserbinding_conversion.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteUserBinding) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteUserBinding)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.RemoteRefs = src.Spec.RemoteRefs
+ dst.Spec.Subject = src.Spec.Subject
+
+ return nil
+}
+
+func (dst *RemoteUserBinding) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteUserBinding)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.RemoteRefs = src.Spec.RemoteRefs
+ dst.Spec.Subject = src.Spec.Subject
+
+ return nil
+}
diff --git a/api/v1alpha1/remoteuserbinding_types.go b/api/v1alpha1/remoteuserbinding_types.go
index bfeb333..9818bae 100644
--- a/api/v1alpha1/remoteuserbinding_types.go
+++ b/api/v1alpha1/remoteuserbinding_types.go
@@ -42,6 +42,7 @@ type RemoteUserBindingStatus struct { } //+kubebuilder:object:root=true
+//+kubebuilder:unservedversion
 //+kubebuilder:subresource:status // RemoteUserBinding is the Schema for the remoteuserbindings API
diff --git a/api/v1alpha2/remotesyncer_conversion.go b/api/v1alpha2/remotesyncer_conversion.go new file mode 100644 index 0000000..4ef7a8c --- /dev/null +++ b/api/v1alpha2/remotesyncer_conversion.go 
@@ -0,0 +1,67 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ v1beta1 "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteSyncer) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteSyncer)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.DefaultBranch = src.Spec.Branch
+ dst.Spec.BypassInterceptionSubjects = src.Spec.BypassInterceptionSubjects
+ dst.Spec.DefaultBlockAppliedMessage = src.Spec.DefaultBlockAppliedMessage
+ dst.Spec.DefaultUnauthorizedUserMode = v1beta1.DefaultUnauthorizedUserMode(src.Spec.DefaultUnauthorizedUserMode)
+ dst.Spec.DefaultRemoteUserRef = src.Spec.DefaultUserBind
+ dst.Spec.ExcludedFields = src.Spec.ExcludedFields
+ dst.Spec.RemoteRepository = src.Spec.RemoteRepository
+ dst.Spec.RootPath = src.Spec.RootPath
+ dst.Spec.ScopedResources = v1beta1.ScopedResources(src.Spec.ScopedResources)
+
+ // Breaking changes
+ dst.Spec.ProcessMode = v1beta1.ProcessMode(src.Spec.CommitProcess)
+ dst.Spec.PushMode = v1beta1.SameBranch
+
+ return nil
+}
+
+func (dst *RemoteSyncer) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteSyncer)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Branch = src.Spec.DefaultBranch
+ dst.Spec.BypassInterceptionSubjects = src.Spec.BypassInterceptionSubjects
+ dst.Spec.DefaultBlockAppliedMessage = src.Spec.DefaultBlockAppliedMessage
+ dst.Spec.DefaultUnauthorizedUserMode = DefaultUnauthorizedUserMode(src.Spec.DefaultUnauthorizedUserMode)
+ dst.Spec.DefaultUserBind = src.Spec.DefaultRemoteUserRef
+ dst.Spec.ExcludedFields = src.Spec.ExcludedFields
+ dst.Spec.RemoteRepository = src.Spec.RemoteRepository
+ dst.Spec.RootPath = src.Spec.RootPath
+ dst.Spec.ScopedResources = ScopedResources(src.Spec.ScopedResources)
+
+ // Breaking changes
+ dst.Spec.CommitProcess = CommitProcess(src.Spec.ProcessMode)
+
+ return nil
+}
diff --git a/api/v1alpha2/remotesyncer_types.go b/api/v1alpha2/remotesyncer_types.go
index 1f8ca5e..9d337c8 100644
--- a/api/v1alpha2/remotesyncer_types.go
+++ b/api/v1alpha2/remotesyncer_types.go
@@ -77,6 +77,7 @@ type RemoteSyncerStatus struct {
 }
 //+kubebuilder:object:root=true
+//+kubebuilder:unservedversion
 //+kubebuilder:subresource:status
 // RemoteSyncer is the Schema for the remotesyncers API
diff --git a/api/v1alpha2/remoteuser_conversion.go b/api/v1alpha2/remoteuser_conversion.go
new file mode 100644
index 0000000..3e8d34e
--- /dev/null
+++ b/api/v1alpha2/remoteuser_conversion.go
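Review bot: Neither ConvertTo nor ConvertFrom carries Status across — only ObjectMeta and Spec are assigned — while the RemoteUser conversions in this same commit copy Status field by field; if v1beta1.RemoteSyncerStatus keeps the same fields, an object persisted in one version reads back with an empty status in the other, and the "Breaking changes" comment covers only ProcessMode/PushMode, so this looks unintended rather than deliberate. The unchecked `dstRaw.(*v1beta1.RemoteSyncer)` (and `srcRaw.(*v1beta1.RemoteSyncer)`) panics on a mismatched hub; `dst, ok := dstRaw.(*v1beta1.RemoteSyncer)` with `if !ok { return fmt.Errorf("unexpected hub type %T", dstRaw) }` (needs fmt) makes it a conversion error instead. ConvertFrom silently drops PushMode, which the hub-side comment should state, e.g. `// PushMode has no v1alpha2 equivalent and is lost on downgrade`. The same points apply to api/v1alpha3/remotesyncer_conversion.go and api/v1alpha4/remotesyncer_conversion.go.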
@@ -0,0 +1,155 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+ "strconv"
+
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteUser) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteUser)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Email = src.Spec.Email
+ gitBaseDomainFQDN := src.Spec.GitBaseDomainFQDN
+ dst.Spec.GitBaseDomainFQDN = gitBaseDomainFQDN
+ dst.Spec.SecretRef = src.Spec.SecretRef
+
+ dst.Status.Conditions = src.Status.Conditions
+ dst.Status.ConnexionStatus.Details = src.Status.ConnexionStatus.Details
+ dst.Status.ConnexionStatus.Status = v1beta1.RemoteUserConnexionStatusReason(src.Status.ConnexionStatus.Status)
+ dst.Status.GitUser = src.Status.GitUser
+ dst.Status.LastAuthTime = src.Status.LastAuthTime
+ dst.Status.SecretBoundStatus = v1beta1.SecretBoundStatus(src.Status.SecretBoundStatus)
+
+ // Breaking changes
+ if gitBaseDomainFQDN == "github.com" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/github.api.auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/github.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+ if gitBaseDomainFQDN == "gitlab.com" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/gitlab.api.auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/gitlab.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+ if gitBaseDomainFQDN == "bitbucket.org" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/bitbucket.api-auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/bitbucket.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+
+ // Renaming
+
+ associatedRemoteUserBinding := src.Spec.OwnRemoteUserBinding
+ dst.Spec.AssociatedRemoteUserBinding = associatedRemoteUserBinding
+
+ return nil
+}
+
+func (dst *RemoteUser) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteUser)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Email = src.Spec.Email
+ gitBaseDomainFQDN := src.Spec.GitBaseDomainFQDN
+ dst.Spec.GitBaseDomainFQDN = gitBaseDomainFQDN
+ dst.Spec.SecretRef = src.Spec.SecretRef
+
+ dst.Status.Conditions = src.Status.Conditions
+ dst.Status.ConnexionStatus.Details = src.Status.ConnexionStatus.Details
+ dst.Status.ConnexionStatus.Status = RemoteUserConnexionStatusReason(src.Status.ConnexionStatus.Status)
+ dst.Status.GitUser = src.Status.GitUser
+ dst.Status.LastAuthTime = src.Status.LastAuthTime
+ dst.Status.SecretBoundStatus = SecretBoundStatus(src.Status.SecretBoundStatus)
+
+ // Breaking changes
+ if gitBaseDomainFQDN == "github.com" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(insecureSkipTlsAnnotation)
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(testAuthAnnotation)
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+ if gitBaseDomainFQDN == "gitlab.com" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/gitlab.api-auth.insecure-skip-tls-verify"])
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/gitlab.api-auth.test"])
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+ if gitBaseDomainFQDN == "bitbucket.org" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/bitbucket.api-auth.insecure-skip-tls-verify"])
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/bitbucket.api-auth.test"])
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+
+ // Renaming
+
+ associatedRemoteUserBinding := src.Spec.AssociatedRemoteUserBinding
+ dst.Spec.OwnRemoteUserBinding = associatedRemoteUserBinding
+
+ return nil
+}
diff --git a/api/v1alpha2/remoteuser_types.go b/api/v1alpha2/remoteuser_types.go
index 2e88df4..a517eef 100644
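Review bot: ConvertTo writes `dst.Annotations[...]` straight after `dst.ObjectMeta = src.ObjectMeta`, so a RemoteUser that was stored without any annotations carries a nil map into the write and the conversion panics on assignment to a nil map — and since v1alpha4 stops being the storage version in this commit, that is the path every object still persisted as v1alpha4 takes when it is read. ConvertFrom also never sees what ConvertTo wrote: the write side uses `github.api.auth.insecure-skip-tls-verify` and `gitlab.api.auth.insecure-skip-tls-verify` (dot) while the read side looks up the `api-auth` (hyphen) spelling, and the gitlab and bitbucket branches guard on the github key before parsing their own, so the TLS-verification and test-authentication settings either round-trip to false or the conversion fails with a ParseBool error on an empty string when only the github annotation is present. One key constant per option plus a single provider-prefix lookup removes the drift; the hyphenated spelling is the one the read side already uses, but confirm it is what the v1beta1 controller reads, since that key now decides whether certificate verification is skipped. The copied map also aliases src.Annotations, so the writes mutate the source object; the sketch copies it before writing. api/v1alpha3/remoteuser_conversion.go and api/v1alpha4/remoteuser_conversion.go contain the same code and need the same fix.
```go
// One spelling per annotation key, shared by ConvertTo and ConvertFrom.
// The hyphenated form is the one ConvertFrom already reads; confirm the
// v1beta1 controller reads the same keys.
const (
	insecureSkipTLSAnnotationSuffix = ".api-auth.insecure-skip-tls-verify"
	testAuthAnnotationSuffix        = ".api-auth.test"
)

// providerAnnotationPrefix maps the Git base domain to its annotation
// prefix, or "" when the domain carries no provider-specific options.
func providerAnnotationPrefix(gitBaseDomainFQDN string) string {
	switch gitBaseDomainFQDN {
	case "github.com":
		return "syngit.syngit.io/github"
	case "gitlab.com":
		return "syngit.syngit.io/gitlab"
	case "bitbucket.org":
		return "syngit.syngit.io/bitbucket"
	}
	return ""
}

func (src *RemoteUser) ConvertTo(dstRaw conversion.Hub) error {
	// … unchanged: hub assertion, common spec and status conversion …

	// Breaking changes: provider-specific auth options live in annotations on the hub.
	if prefix := providerAnnotationPrefix(gitBaseDomainFQDN); prefix != "" {
		// ObjectMeta was copied from src, so Annotations may be nil (a write would
		// panic) and otherwise still aliases src.Annotations; copy before writing.
		anns := make(map[string]string, len(src.Annotations)+2)
		for k, v := range src.Annotations {
			anns[k] = v
		}
		anns[prefix+insecureSkipTLSAnnotationSuffix] = strconv.FormatBool(src.Spec.InsecureSkipTlsVerify)
		anns[prefix+testAuthAnnotationSuffix] = strconv.FormatBool(src.Spec.TestAuthentication)
		dst.Annotations = anns
	}

	// … unchanged: renaming, return nil …
}

func (dst *RemoteUser) ConvertFrom(srcRaw conversion.Hub) error {
	// … unchanged: hub assertion, common spec and status conversion …

	// Breaking changes: each provider reads its own keys; an absent key keeps the zero value.
	if prefix := providerAnnotationPrefix(gitBaseDomainFQDN); prefix != "" {
		if v, ok := src.Annotations[prefix+insecureSkipTLSAnnotationSuffix]; ok && v != "" {
			b, err := strconv.ParseBool(v)
			if err != nil {
				return err
			}
			dst.Spec.InsecureSkipTlsVerify = b
		}
		if v, ok := src.Annotations[prefix+testAuthAnnotationSuffix]; ok && v != "" {
			b, err := strconv.ParseBool(v)
			if err != nil {
				return err
			}
			dst.Spec.TestAuthentication = b
		}
	}

	// … unchanged: renaming, return nil …
}
```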
--- a/api/v1alpha2/remoteuser_types.go
+++ b/api/v1alpha2/remoteuser_types.go
@@ -66,6 +66,7 @@ type RemoteUserStatus struct {
 }
 //+kubebuilder:object:root=true
+//+kubebuilder:unservedversion
 //+kubebuilder:subresource:status
 // RemoteUser is the Schema for the remoteusers API
diff --git a/api/v1alpha2/remoteuserbinding_conversion.go b/api/v1alpha2/remoteuserbinding_conversion.go
new file mode 100644
index 0000000..9423dd0
--- /dev/null
+++ b/api/v1alpha2/remoteuserbinding_conversion.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteUserBinding) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteUserBinding)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.RemoteRefs = src.Spec.RemoteRefs
+ dst.Spec.Subject = src.Spec.Subject
+
+ return nil
+}
+
+func (dst *RemoteUserBinding) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteUserBinding)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.RemoteRefs = src.Spec.RemoteRefs
+ dst.Spec.Subject = src.Spec.Subject
+
+ return nil
+}
diff --git a/api/v1alpha2/remoteuserbinding_types.go b/api/v1alpha2/remoteuserbinding_types.go
index a85058b..d76f4df 100644
--- a/api/v1alpha2/remoteuserbinding_types.go
+++ b/api/v1alpha2/remoteuserbinding_types.go
@@ -46,6 +46,7 @@ type RemoteUserBindingStatus struct {
 }
 //+kubebuilder:object:root=true
+//+kubebuilder:unservedversion
 //+kubebuilder:subresource:status
 // RemoteUserBinding is the Schema for the remoteuserbindings API
diff --git a/api/v1alpha3/remotesyncer_conversion.go b/api/v1alpha3/remotesyncer_conversion.go
new file mode 100644
index 0000000..7d7e021
--- /dev/null
+++ b/api/v1alpha3/remotesyncer_conversion.go
@@ -0,0 +1,69 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ v1beta1 "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteSyncer) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteSyncer)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.DefaultBranch = src.Spec.Branch
+ dst.Spec.BypassInterceptionSubjects = src.Spec.BypassInterceptionSubjects
+ dst.Spec.DefaultBlockAppliedMessage = src.Spec.DefaultBlockAppliedMessage
+ dst.Spec.DefaultUnauthorizedUserMode = v1beta1.DefaultUnauthorizedUserMode(src.Spec.DefaultUnauthorizedUserMode)
+ dst.Spec.DefaultRemoteUserRef = src.Spec.DefaultUser
+ dst.Spec.ExcludedFields = src.Spec.ExcludedFields
+ dst.Spec.ExcludedFieldsConfigMapRef = src.Spec.ExcludedFieldsConfig
+ dst.Spec.RemoteRepository = src.Spec.RemoteRepository
+ dst.Spec.RootPath = src.Spec.RootPath
+ dst.Spec.ScopedResources = v1beta1.ScopedResources(src.Spec.ScopedResources)
+
+ // Breaking changes
+ dst.Spec.ProcessMode = v1beta1.ProcessMode(src.Spec.CommitProcess)
+ dst.Spec.PushMode = v1beta1.SameBranch
+
+ return nil
+}
+
+func (dst *RemoteSyncer) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteSyncer)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Branch = src.Spec.DefaultBranch
+ dst.Spec.BypassInterceptionSubjects = src.Spec.BypassInterceptionSubjects
+ dst.Spec.DefaultBlockAppliedMessage = src.Spec.DefaultBlockAppliedMessage
+ dst.Spec.DefaultUnauthorizedUserMode = DefaultUnauthorizedUserMode(src.Spec.DefaultUnauthorizedUserMode)
+ dst.Spec.DefaultUser = src.Spec.DefaultRemoteUserRef
+ dst.Spec.ExcludedFields = src.Spec.ExcludedFields
+ dst.Spec.ExcludedFieldsConfig = src.Spec.ExcludedFieldsConfigMapRef
+ dst.Spec.RemoteRepository = src.Spec.RemoteRepository
+ dst.Spec.RootPath = src.Spec.RootPath
+ dst.Spec.ScopedResources = ScopedResources(src.Spec.ScopedResources)
+
+ // Breaking changes
+ dst.Spec.CommitProcess = CommitProcess(src.Spec.ProcessMode)
+
+ return nil
+}
diff --git a/api/v1alpha3/remotesyncer_types.go b/api/v1alpha3/remotesyncer_types.go
index dc87e7c..57a8de9 100644
--- a/api/v1alpha3/remotesyncer_types.go
+++ b/api/v1alpha3/remotesyncer_types.go
@@ -77,6 +77,7 @@ type RemoteSyncerStatus struct {
 }
 //+kubebuilder:object:root=true
+//+kubebuilder:unservedversion
 //+kubebuilder:subresource:status
 // RemoteSyncer is the Schema for the remotesyncers API
diff --git a/api/v1alpha3/remoteuser_conversion.go b/api/v1alpha3/remoteuser_conversion.go
new file mode 100644
index 0000000..2381af1
--- /dev/null
+++ b/api/v1alpha3/remoteuser_conversion.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+ "strconv"
+
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteUser) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteUser)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Email = src.Spec.Email
+ gitBaseDomainFQDN := src.Spec.GitBaseDomainFQDN
+ dst.Spec.GitBaseDomainFQDN = gitBaseDomainFQDN
+ dst.Spec.SecretRef = src.Spec.SecretRef
+
+ dst.Status.Conditions = src.Status.Conditions
+ dst.Status.ConnexionStatus.Details = src.Status.ConnexionStatus.Details
+ dst.Status.ConnexionStatus.Status = v1beta1.RemoteUserConnexionStatusReason(src.Status.ConnexionStatus.Status)
+ dst.Status.GitUser = src.Status.GitUser
+ dst.Status.LastAuthTime = src.Status.LastAuthTime
+ dst.Status.SecretBoundStatus = v1beta1.SecretBoundStatus(src.Status.SecretBoundStatus)
+
+ // Breaking changes
+ if gitBaseDomainFQDN == "github.com" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/github.api.auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/github.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+ if gitBaseDomainFQDN == "gitlab.com" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/gitlab.api.auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/gitlab.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+ if gitBaseDomainFQDN == "bitbucket.org" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/bitbucket.api-auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/bitbucket.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+
+ // Renaming
+
+ associatedRemoteUserBinding := src.Spec.OwnRemoteUserBinding
+ dst.Spec.AssociatedRemoteUserBinding = associatedRemoteUserBinding
+
+ return nil
+}
+
+func (dst *RemoteUser) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteUser)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Email = src.Spec.Email
+ gitBaseDomainFQDN := src.Spec.GitBaseDomainFQDN
+ dst.Spec.GitBaseDomainFQDN = gitBaseDomainFQDN
+ dst.Spec.SecretRef = src.Spec.SecretRef
+
+ dst.Status.Conditions = src.Status.Conditions
+ dst.Status.ConnexionStatus.Details = src.Status.ConnexionStatus.Details
+ dst.Status.ConnexionStatus.Status = RemoteUserConnexionStatusReason(src.Status.ConnexionStatus.Status)
+ dst.Status.GitUser = src.Status.GitUser
+ dst.Status.LastAuthTime = src.Status.LastAuthTime
+ dst.Status.SecretBoundStatus = SecretBoundStatus(src.Status.SecretBoundStatus)
+
+ // Breaking changes
+ if gitBaseDomainFQDN == "github.com" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(insecureSkipTlsAnnotation)
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(testAuthAnnotation)
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+ if gitBaseDomainFQDN == "gitlab.com" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/gitlab.api-auth.insecure-skip-tls-verify"])
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/gitlab.api-auth.test"])
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+ if gitBaseDomainFQDN == "bitbucket.org" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/bitbucket.api-auth.insecure-skip-tls-verify"])
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/bitbucket.api-auth.test"])
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+
+ // Renaming
+
+ associatedRemoteUserBinding := src.Spec.AssociatedRemoteUserBinding
+ dst.Spec.OwnRemoteUserBinding = associatedRemoteUserBinding
+
+ return nil
+}
diff --git a/api/v1alpha3/remoteuser_types.go b/api/v1alpha3/remoteuser_types.go
index 18874e2..49d70d1 100644
--- a/api/v1alpha3/remoteuser_types.go
+++ b/api/v1alpha3/remoteuser_types.go
@@ -66,6 +66,7 @@ type RemoteUserStatus struct {
 }
 //+kubebuilder:object:root=true
+//+kubebuilder:unservedversion
 //+kubebuilder:subresource:status
 // RemoteUser is the Schema for the remoteusers API
diff --git a/api/v1alpha3/remoteuserbinding_conversion.go b/api/v1alpha3/remoteuserbinding_conversion.go
new file mode 100644
index 0000000..7a92f8b
--- /dev/null
+++ b/api/v1alpha3/remoteuserbinding_conversion.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteUserBinding) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteUserBinding)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.RemoteRefs = src.Spec.RemoteRefs
+ dst.Spec.Subject = src.Spec.Subject
+
+ return nil
+}
+
+func (dst *RemoteUserBinding) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteUserBinding)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.RemoteRefs = src.Spec.RemoteRefs
+ dst.Spec.Subject = src.Spec.Subject
+
+ return nil
+}
diff --git a/api/v1alpha3/remoteuserbinding_types.go b/api/v1alpha3/remoteuserbinding_types.go
index 3d39df7..938c7ed 100644
--- a/api/v1alpha3/remoteuserbinding_types.go
+++ b/api/v1alpha3/remoteuserbinding_types.go
@@ -46,6 +46,7 @@ type RemoteUserBindingStatus struct {
 }
 //+kubebuilder:object:root=true
+//+kubebuilder:unservedversion
 //+kubebuilder:subresource:status
 // RemoteUserBinding is the Schema for the remoteuserbindings API
diff --git a/api/v1alpha4/remotesyncer_conversion.go b/api/v1alpha4/remotesyncer_conversion.go
new file mode 100644
index 0000000..6ae22e0
--- /dev/null
+++ b/api/v1alpha4/remotesyncer_conversion.go
@@ -0,0 +1,69 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha4
+
+import (
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ v1beta1 "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteSyncer) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteSyncer)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.DefaultBranch = src.Spec.Branch
+ dst.Spec.BypassInterceptionSubjects = src.Spec.BypassInterceptionSubjects
+ dst.Spec.DefaultBlockAppliedMessage = src.Spec.DefaultBlockAppliedMessage
+ dst.Spec.DefaultUnauthorizedUserMode = v1beta1.DefaultUnauthorizedUserMode(src.Spec.DefaultUnauthorizedUserMode)
+ dst.Spec.DefaultRemoteUserRef = src.Spec.DefaultUser
+ dst.Spec.ExcludedFields = src.Spec.ExcludedFields
+ dst.Spec.ExcludedFieldsConfigMapRef = src.Spec.ExcludedFieldsConfig
+ dst.Spec.RemoteRepository = src.Spec.RemoteRepository
+ dst.Spec.RootPath = src.Spec.RootPath
+ dst.Spec.ScopedResources = v1beta1.ScopedResources(src.Spec.ScopedResources)
+
+ // Breaking changes
+ dst.Spec.ProcessMode = v1beta1.ProcessMode(src.Spec.CommitProcess)
+ dst.Spec.PushMode = v1beta1.SameBranch
+
+ return nil
+}
+
+func (dst *RemoteSyncer) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteSyncer)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Branch = src.Spec.DefaultBranch
+ dst.Spec.BypassInterceptionSubjects = src.Spec.BypassInterceptionSubjects
+ dst.Spec.DefaultBlockAppliedMessage = src.Spec.DefaultBlockAppliedMessage
+ dst.Spec.DefaultUnauthorizedUserMode = DefaultUnauthorizedUserMode(src.Spec.DefaultUnauthorizedUserMode)
+ dst.Spec.DefaultUser = src.Spec.DefaultRemoteUserRef
+ dst.Spec.ExcludedFields = src.Spec.ExcludedFields
+ dst.Spec.ExcludedFieldsConfig = src.Spec.ExcludedFieldsConfigMapRef
+ dst.Spec.RemoteRepository = src.Spec.RemoteRepository
+ dst.Spec.RootPath = src.Spec.RootPath
+ dst.Spec.ScopedResources = ScopedResources(src.Spec.ScopedResources)
+
+ // Breaking changes
+ dst.Spec.CommitProcess = CommitProcess(src.Spec.ProcessMode)
+
+ return nil
+}
diff --git a/api/v1alpha4/remotesyncer_types.go b/api/v1alpha4/remotesyncer_types.go
index 24a0126..8819b69 100644
--- a/api/v1alpha4/remotesyncer_types.go
+++ b/api/v1alpha4/remotesyncer_types.go
@@ -77,8 +77,8 @@ type RemoteSyncerStatus struct {
 }
 //+kubebuilder:object:root=true
+//+kubebuilder:unservedversion
 //+kubebuilder:subresource:status
-//+kubebuilder:storageversion
 // RemoteSyncer is the Schema for the remotesyncers API
 type RemoteSyncer struct {
diff --git a/api/v1alpha4/remotesyncer_webhook.go b/api/v1alpha4/remotesyncer_webhook.go
index 9741b02..4dbf834 100644
--- a/api/v1alpha4/remotesyncer_webhook.go
+++ b/api/v1alpha4/remotesyncer_webhook.go
@@ -21,7 +21,6 @@ import (
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/util/validation/field"
 ctrl "sigs.k8s.io/controller-runtime"
 logf "sigs.k8s.io/controller-runtime/pkg/log"
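Review bot: Removing `//+kubebuilder:storageversion` and adding `//+kubebuilder:unservedversion` on the same type means v1alpha4 stops being served the moment the regenerated CRD is applied, while every object already persisted as v1alpha4 stays in etcd in that encoding until it is rewritten; from then on each read of such an object goes through the conversion webhook, and the version cannot be dropped from the CRD until `status.storedVersions` no longer lists it. Presumably v1beta1 takes the storageversion marker elsewhere in this commit (not in this chunk); a storage-migration step after upgrade — a no-op update of every RemoteSyncer, RemoteUser and RemoteUserBinding — should be scripted or at least documented, and clients still submitting v1alpha4 manifests will be rejected outright rather than converted. A comment on the marker such as `// v1alpha4 is retained only for conversion of objects stored before v1beta1` would make the intent explicit. The same change is made in api/v1alpha4/remoteuser_types.go and api/v1alpha4/remoteuserbinding_types.go.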
@@ -39,8 +38,6 @@ func (r *RemoteSyncer) SetupWebhookWithManager(mgr ctrl.Manager) error {
 Complete()
 }
-//+kubebuilder:webhook:path=/validate-syngit-syngit-io-v1alpha4-remotesyncer,mutating=false,failurePolicy=fail,sideEffects=None,groups=syngit.syngit.io,resources=remotesyncers,verbs=create;update,versions=v1alpha4,name=vremotesyncer.kb.io,admissionReviewVersions=v1
-
 var _ webhook.Validator = &RemoteSyncer{}
 // Validate validates the RemoteSyncerSpec
@@ -87,20 +84,6 @@ func isValidYAMLPath(path string) bool {
 return yamlPathRegex.MatchString(path)
 }
-func (r *RemoteSyncerSpec) searchForDuplicates(gvrns []GroupVersionResourceName) []*schema.GroupVersionResource {
- seen := make(map[string]bool)
- duplicates := make([]*schema.GroupVersionResource, 0)
-
- for _, item := range gvrns {
- if _, ok := seen[item.GroupVersionResource.String()]; ok {
- duplicates = append(duplicates, item.GroupVersionResource)
- }
- seen[item.GroupVersionResource.String()] = true
- }
-
- return duplicates
-}
-
 func (r *RemoteSyncer) ValidateRemoteSyncer() error {
 var allErrs field.ErrorList
 if err := r.Spec.ValidateRemoteSyncerSpec(); err != nil {
diff --git a/api/v1alpha4/remoteuser_conversion.go b/api/v1alpha4/remoteuser_conversion.go
new file mode 100644
index 0000000..d90e7d7
--- /dev/null
+++ b/api/v1alpha4/remoteuser_conversion.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha4
+
+import (
+ "strconv"
+
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteUser) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteUser)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Email = src.Spec.Email
+ gitBaseDomainFQDN := src.Spec.GitBaseDomainFQDN
+ dst.Spec.GitBaseDomainFQDN = gitBaseDomainFQDN
+ dst.Spec.SecretRef = src.Spec.SecretRef
+
+ dst.Status.Conditions = src.Status.Conditions
+ dst.Status.ConnexionStatus.Details = src.Status.ConnexionStatus.Details
+ dst.Status.ConnexionStatus.Status = v1beta1.RemoteUserConnexionStatusReason(src.Status.ConnexionStatus.Status)
+ dst.Status.GitUser = src.Status.GitUser
+ dst.Status.LastAuthTime = src.Status.LastAuthTime
+ dst.Status.SecretBoundStatus = v1beta1.SecretBoundStatus(src.Status.SecretBoundStatus)
+
+ // Breaking changes
+ if gitBaseDomainFQDN == "github.com" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/github.api.auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/github.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+ if gitBaseDomainFQDN == "gitlab.com" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/gitlab.api.auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/gitlab.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+ if gitBaseDomainFQDN == "bitbucket.org" {
+ insecureSkipTlsVerify := src.Spec.InsecureSkipTlsVerify
+ dst.Annotations["syngit.syngit.io/bitbucket.api-auth.insecure-skip-tls-verify"] = strconv.FormatBool(insecureSkipTlsVerify)
+
+ testAuthentication := src.Spec.TestAuthentication
+ dst.Annotations["syngit.syngit.io/bitbucket.api-auth.test"] = strconv.FormatBool(testAuthentication)
+ }
+
+ // Renaming
+
+ associatedRemoteUserBinding := src.Spec.OwnRemoteUserBinding
+ dst.Spec.AssociatedRemoteUserBinding = associatedRemoteUserBinding
+
+ return nil
+}
+
+func (dst *RemoteUser) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteUser)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.Email = src.Spec.Email
+ gitBaseDomainFQDN := src.Spec.GitBaseDomainFQDN
+ dst.Spec.GitBaseDomainFQDN = gitBaseDomainFQDN
+ dst.Spec.SecretRef = src.Spec.SecretRef
+
+ dst.Status.Conditions = src.Status.Conditions
+ dst.Status.ConnexionStatus.Details = src.Status.ConnexionStatus.Details
+ dst.Status.ConnexionStatus.Status = RemoteUserConnexionStatusReason(src.Status.ConnexionStatus.Status)
+ dst.Status.GitUser = src.Status.GitUser
+ dst.Status.LastAuthTime = src.Status.LastAuthTime
+ dst.Status.SecretBoundStatus = SecretBoundStatus(src.Status.SecretBoundStatus)
+
+ // Breaking changes
+ if gitBaseDomainFQDN == "github.com" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(insecureSkipTlsAnnotation)
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(testAuthAnnotation)
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+ if gitBaseDomainFQDN == "gitlab.com" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/gitlab.api-auth.insecure-skip-tls-verify"])
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/gitlab.api-auth.test"])
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+ if gitBaseDomainFQDN == "bitbucket.org" {
+ insecureSkipTlsAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.insecure-skip-tls-verify"]
+ if insecureSkipTlsAnnotation != "" {
+ insecureSkipTlsVerify, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/bitbucket.api-auth.insecure-skip-tls-verify"])
+ dst.Spec.InsecureSkipTlsVerify = insecureSkipTlsVerify
+ if err != nil {
+ return err
+ }
+ }
+ testAuthAnnotation := src.Annotations["syngit.syngit.io/github.api-auth.test"]
+ if testAuthAnnotation != "" {
+ testAuthentication, err := strconv.ParseBool(src.Annotations["syngit.syngit.io/bitbucket.api-auth.test"])
+ dst.Spec.TestAuthentication = testAuthentication
+ if err != nil {
+ return err
+ }
+ }
+ }
+
+ // Renaming
+
+ associatedRemoteUserBinding := src.Spec.AssociatedRemoteUserBinding
+ dst.Spec.OwnRemoteUserBinding = associatedRemoteUserBinding
+
+ return nil
+}
diff --git a/api/v1alpha4/remoteuser_types.go b/api/v1alpha4/remoteuser_types.go
index 40ebf18..2e5534e 100644
--- a/api/v1alpha4/remoteuser_types.go
+++ b/api/v1alpha4/remoteuser_types.go
@@ -66,8 +66,8 @@ type RemoteUserStatus struct {
 }
 //+kubebuilder:object:root=true
+//+kubebuilder:unservedversion
 //+kubebuilder:subresource:status
-//+kubebuilder:storageversion
 // RemoteUser is the Schema for the remoteusers API
 type RemoteUser struct {
diff --git a/api/v1alpha4/remoteuser_webhook.go b/api/v1alpha4/remoteuser_webhook.go
index 99bcd06..3dfebba 100644
--- a/api/v1alpha4/remoteuser_webhook.go
+++ b/api/v1alpha4/remoteuser_webhook.go
@@ -36,9 +36,6 @@ func (r *RemoteUser) SetupWebhookWithManager(mgr ctrl.Manager) error {
 Complete()
 }
-//+kubebuilder:webhook:path=/validate-syngit-syngit-io-v1alpha4-remoteuser,mutating=false,failurePolicy=fail,sideEffects=None,groups=syngit.syngit.io,resources=remoteusers,verbs=create;update,versions=v1alpha4,name=vremoteuser.kb.io,admissionReviewVersions=v1
-//+kubebuilder:webhook:path=/reconcile-syngit-remoteuser-owner,mutating=false,failurePolicy=fail,sideEffects=None,groups=syngit.syngit.io,resources=remoteusers,verbs=create;delete,versions=v1alpha4,admissionReviewVersions=v1,name=vremoteusers-owner.kb.io
-
 var _ webhook.Validator = &RemoteUser{}
 // Validate validates the RemoteUserSpec
diff --git a/api/v1alpha4/remoteuserbinding_conversion.go b/api/v1alpha4/remoteuserbinding_conversion.go
new file mode 100644
index 0000000..3dfc5fc
--- /dev/null
+++ b/api/v1alpha4/remoteuserbinding_conversion.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha4
+
+import (
+ "sigs.k8s.io/controller-runtime/pkg/conversion"
+ "syngit.io/syngit/api/v1beta1"
+)
+
+func (src *RemoteUserBinding) ConvertTo(dstRaw conversion.Hub) error {
+ dst := dstRaw.(*v1beta1.RemoteUserBinding)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.RemoteRefs = src.Spec.RemoteRefs
+ dst.Spec.Subject = src.Spec.Subject
+
+ return nil
+}
+
+func (dst *RemoteUserBinding) ConvertFrom(srcRaw conversion.Hub) error {
+ src := srcRaw.(*v1beta1.RemoteUserBinding)
+
+ // Common conversion
+ dst.ObjectMeta = src.ObjectMeta
+
+ dst.Spec.RemoteRefs = src.Spec.RemoteRefs
+ dst.Spec.Subject = src.Spec.Subject
+
+ return nil
+}
diff --git a/api/v1alpha4/remoteuserbinding_types.go b/api/v1alpha4/remoteuserbinding_types.go
index 54d07d5..33eed60 100644
--- a/api/v1alpha4/remoteuserbinding_types.go
+++ b/api/v1alpha4/remoteuserbinding_types.go
@@ -46,8 +46,8 @@ type RemoteUserBindingStatus struct { } //+kubebuilder:object:root=true +//+kubebuilder:unservedversion //+kubebuilder:subresource:status -//+kubebuilder:storageversion // RemoteUserBinding is the Schema for the remoteuserbindings API type RemoteUserBinding struct {
diff --git a/api/v1alpha4/remoteuserbinding_webhook.go b/api/v1alpha4/remoteuserbinding_webhook.go
new file mode 100644
index 0000000..f647198
--- /dev/null
+++ b/api/v1alpha4/remoteuserbinding_webhook.go
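Review bot: Both `ConvertTo` and `ConvertFrom` use an unchecked type assertion on the hub object (`dst := dstRaw.(*v1beta1.RemoteUserBinding)`), so a mismatched hub type panics inside the conversion webhook instead of coming back as a conversion error; `dst, ok := dstRaw.(*v1beta1.RemoteUserBinding)` followed by `if !ok { return fmt.Errorf("unexpected hub type %T", dstRaw) }` (plus the mirror in `ConvertFrom`, and a `fmt` import) keeps it an error response. Only `ObjectMeta` and the two spec fields are copied, so `Status` is dropped in both directions; if v1alpha4 carries the same status fields as v1beta1 (its status struct is not in this hunk) a stored v1alpha4 binding would lose its status on every read as v1beta1. Either copy the status fields as well or say in a comment that status is intentionally reset on conversion.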
@@ -0,0 +1,34 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha4
+
+import (
+ ctrl "sigs.k8s.io/controller-runtime"
+ logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// log is for logging in this package.
+var remoteuserbindinglog = logf.Log.WithName("remoteuserbinding-resource")
+
+// SetupWebhookWithManager will setup the manager to manage the webhooks
+func (r *RemoteUserBinding) SetupWebhookWithManager(mgr ctrl.Manager) error {
+ return ctrl.NewWebhookManagedBy(mgr).
+ For(r).
+ Complete()
+}
+
+// TODO(user): EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
diff --git a/api/v1alpha4/remoteuserbinding_webhook_test.go b/api/v1alpha4/remoteuserbinding_webhook_test.go
new file mode 100644
index 0000000..f029eeb
--- /dev/null
+++ b/api/v1alpha4/remoteuserbinding_webhook_test.go
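Review bot: The generated `// TODO(user): EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!` marker and the never-used `remoteuserbindinglog` logger are left in, which makes the file read as unfinished although it is presumably complete: with neither a `webhook.Validator` nor a defaulter on the type, `Complete()` should end up registering only the conversion endpoint. The v1beta1 remoteuserbinding_webhook.go hunk and the `TODO(user)` lines at the top of the v1beta1 remotesyncer_webhook.go and remoteuser_webhook.go hunks carry the same leftovers. Replace the TODO with what the file actually does, e.g. `// RemoteUserBinding has no validating or defaulting webhook; this only wires the v1alpha4 <-> v1beta1 conversion webhook.`, and drop the logger until something logs with it.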
@@ -0,0 +1,33 @@ +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha4 + +import ( + . "github.com/onsi/ginkgo/v2" +) + +var _ = Describe("RemoteUserBinding Webhook", func() { + + Context("When creating RemoteUserBinding under Conversion Webhook", func() { + It("Should get the converted version of RemoteUserBinding", func() { + + // TODO(user): Add your logic here + + }) + }) + +}) diff --git a/api/v1beta1/groupversion_info.go b/api/v1beta1/groupversion_info.go new file mode 100644 index 0000000..77e535c --- /dev/null +++ b/api/v1beta1/groupversion_info.go 
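Review bot: The `It` block contains no assertion, so Ginkgo reports a passing spec for a conversion that is never exercised; the v1beta1 remotesyncer_webhook_test.go and remoteuser_webhook_test.go hunks add the same vacuous specs for validation and conversion. Until they assert something, mark them pending with `PIt(...)` so the suite output does not claim coverage the conversion and validation code does not have. A real spec for this file would build a v1alpha4 `RemoteUserBinding`, call `ConvertTo`, and compare `Spec` and `ObjectMeta` on the v1beta1 result.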
@@ -0,0 +1,36 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1beta1 contains API Schema definitions for the syngit v1beta1 API group
+// +kubebuilder:object:generate=true
+// +groupName=syngit.syngit.io
+package v1beta1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+ // GroupVersion is group version used to register these objects
+ GroupVersion = schema.GroupVersion{Group: "syngit.syngit.io", Version: "v1beta1"}
+
+ // SchemeBuilder is used to add go types to the GroupVersionKind scheme
+ SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+ // AddToScheme adds the types in this group-version to the given scheme.
+ AddToScheme = SchemeBuilder.AddToScheme
+)
diff --git a/api/v1beta1/remotesyncer_conversion.go b/api/v1beta1/remotesyncer_conversion.go
new file mode 100644
index 0000000..cded69e
--- /dev/null
+++ b/api/v1beta1/remotesyncer_conversion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+func (*RemoteSyncer) Hub() {}
diff --git a/api/v1beta1/remotesyncer_types.go b/api/v1beta1/remotesyncer_types.go
new file mode 100644
index 0000000..679a999
--- /dev/null
+++ b/api/v1beta1/remotesyncer_types.go
@@ -0,0 +1,236 @@ +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + admissionv1 "k8s.io/api/admissionregistration/v1" + authenticationv1 "k8s.io/api/authentication/v1" + corev1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// RemoteSyncerSpec defines the desired state of RemoteSyncer +type RemoteSyncerSpec struct { + PushMode PushMode `json:"pushMode"` + + ProcessMode ProcessMode `json:"processMode"` + + // +optional + DefaultBlockAppliedMessage string `json:"defaultBlockAppliedMessage,omitempty"` + + // +kubebuilder:validation:Format=uri + RemoteRepository string `json:"remoteRepository"` + + // +optional + DefaultBranch string `json:"defaultBranch,omitempty"` + + // +optional + BypassInterceptionSubjects []rbacv1.Subject `json:"bypassInterceptionSubjects,omitempty"` + + DefaultUnauthorizedUserMode DefaultUnauthorizedUserMode `json:"defaultUnauthorizedUserMode"` + + // +optional + DefaultRemoteUserRef *corev1.ObjectReference `json:"defaultUser,omitempty"` // Ref to a RemoteUser object + + // +optional + ScopedResources ScopedResources `json:"scopedResources,omitempty"` + + // +optional + RootPath string `json:"rootPath,omitempty"` + + // +optional + ExcludedFields []string `json:"excludedFields,omitempty"` + + // +optional + ExcludedFieldsConfigMapRef *corev1.ObjectReference `json:"excludedFieldsConfig,omitempty"` // Ref to a 
ConfigMap + + // +optional + InsecureSkipTlsVerify bool `json:"insecureSkipTlsVerify,omitempty"` + + // +optional + CABundleSecretRef corev1.SecretReference `json:"caBundle,omitempty"` +} + +type RemoteSyncerStatus struct { + + // +listType=map + // +listMapKey=type + // +patchStrategy=merge + // +patchMergeKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + // +optional + LastBypassedObjectState LastBypassedObjectState `json:"lastBypassedObjectState,omitempty"` + + // +optional + LastObservedObjectState LastObservedObjectState `json:"lastObservedObjectState,omitempty"` + + // +optional + LastPushedObjectState LastPushedObjectState `json:"lastPushedObjectState,omitempty"` +} + +//+kubebuilder:object:root=true +//+kubebuilder:subresource:status +//+kubebuilder:storageversion + +// RemoteSyncer is the Schema for the remotesyncers API +type RemoteSyncer struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec RemoteSyncerSpec `json:"spec,omitempty"` + Status RemoteSyncerStatus `json:"status,omitempty"` +} + +//+kubebuilder:object:root=true + +// RemoteSyncerList contains a list of RemoteSyncer +type RemoteSyncerList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []RemoteSyncer `json:"items"` +} + +func init() { + SchemeBuilder.Register(&RemoteSyncer{}, &RemoteSyncerList{}) +} + +/* + SPEC EXTENSION +*/ + +type PushMode string + +const ( + SameBranch PushMode = "SameBranch" + MultipleBranch PushMode = "MultipleBranch" + MergeRequest PushMode = "MergeRequest" +) + +type ProcessMode string + +const ( + CommitOnly ProcessMode = "CommitOnly" + CommitApply ProcessMode = "CommitApply" +) + +type DefaultUnauthorizedUserMode string + +const ( + Block DefaultUnauthorizedUserMode = "Block" + UseDefaultUser DefaultUnauthorizedUserMode = "UseDefaultUser" +) + +type 
ScopedResources struct { + + // +optional + MatchPolicy *admissionv1.MatchPolicyType `json:"matchPolicy,omitempty" protobuf:"bytes,9,opt,name=matchPolicy,casttype=MatchPolicyType"` + + // +optional + ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty" protobuf:"bytes,10,opt,name=objectSelector"` + + Rules []admissionv1.RuleWithOperations `json:"rules,omitempty" protobuf:"bytes,3,rep,name=rules"` +} + +type NamespaceScopedResources struct { + APIGroups []string `json:"apiGroups"` + APIVersions []string `json:"apiVersions"` + Resources []string `json:"resources"` + // +optional + Names []string `json:"names"` +} + +type NamespaceScopedKinds struct { + APIGroups []string `json:"apiGroups"` + APIVersions []string `json:"apiVersions"` + Kinds []string `json:"kinds"` + // +optional + Names []string `json:"names"` +} + +/* + SPEC CONVERTION EXTENSION +*/ + +type GroupVersionKindName struct { + *schema.GroupVersionKind + Name string +} + +type GroupVersionResourceName struct { + *schema.GroupVersionResource + Name string +} + +/* +STATUS EXTENSION +*/ + +type JsonGVRN struct { + Group string `json:"group"` + Version string `json:"version"` + Resource string `json:"resource"` + Name string `json:"name"` +} + +type LastBypassedObjectState struct { + // +optional + LastBypassedObjectTime metav1.Time `json:"lastBypassObjectTime,omitempty"` + + // +optional + LastBypassedObjectUserInfo authenticationv1.UserInfo `json:"lastBypassObjectUserInfo,omitempty"` + + // +optional + LastBypassedObject JsonGVRN `json:"lastBypassObject,omitempty"` +} + +type LastObservedObjectState struct { + // +optional + LastObservedObjectTime metav1.Time `json:"lastObservedObjectTime,omitempty"` + + // +optional + LastObservedObjectUserInfo authenticationv1.UserInfo `json:"lastObservedObjectUserInfo,omitempty"` + + // +optional + LastObservedObject JsonGVRN `json:"lastObservedObject,omitempty"` +} + +type LastPushedObjectState struct { + // +optional + LastPushedObjectTime metav1.Time 
`json:"lastPushedObjectTime,omitempty"` + + // +optional + LastPushedGitUser string `json:"lastPushedGitUser,omitempty"` + + // +optional + LastPushedObjectGitRepo string `json:"lastPushedObjectGitRepo,omitempty"` + + // +optional + LastPushedObjectGitPath string `json:"lastPushedObjectGitPath,omitempty"` + + // +optional + LastPushedObjectGitCommitHash string `json:"lastPushedObjectCommitHash,omitempty"` + + // +optional + LastPushedObject JsonGVRN `json:"lastPushedObject,omitempty"` + + // +optional + LastPushedObjectStatus string `json:"lastPushedObjectState,omitempty"` +} diff --git a/api/v1beta1/remotesyncer_webhook.go b/api/v1beta1/remotesyncer_webhook.go new file mode 100644 index 0000000..b6eb728 --- /dev/null +++ b/api/v1beta1/remotesyncer_webhook.go 
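Review bot: `CABundleSecretRef corev1.SecretReference`, `DefaultRemoteUserRef *corev1.ObjectReference` and `ExcludedFieldsConfigMapRef *corev1.ObjectReference` all carry a `Namespace` field, so the API admits a RemoteSyncer that points at a Secret or ConfigMap in another namespace; nothing in this commit's webhook rejects that, and whether the controller ignores the namespace is not visible here. If the controller honours it, anyone allowed to create a RemoteSyncer can make the operator read secrets from namespaces they cannot access themselves, so the contract should be stated on the fields (e.g. `// Must be in the same namespace as the RemoteSyncer; cross-namespace references are rejected.`) and enforced in `ValidateRemoteSyncer`, which has `r.Namespace` to compare against. The same pattern applies to `SecretRef` in the v1beta1 remoteuser_types.go hunk and `RemoteRefs` in the v1beta1 remoteuserbinding_types.go hunk. Separately, `Names []string \`json:"names"\`` in both NamespaceScoped* structs is `+optional` without `omitempty`, unlike every other optional field in the file, and the exported types (`PushMode`, `ScopedResources`, `JsonGVRN`, …) have no doc comments even though controller-gen turns those into the CRD field descriptions.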
@@ -0,0 +1,136 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+ "regexp"
+
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+ ctrl "sigs.k8s.io/controller-runtime"
+ logf "sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/controller-runtime/pkg/webhook"
+ "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// log is for logging in this package.
+var remotesyncerlog = logf.Log.WithName("remotesyncer-resource")
+
+// SetupWebhookWithManager will setup the manager to manage the webhooks
+func (r *RemoteSyncer) SetupWebhookWithManager(mgr ctrl.Manager) error {
+ return ctrl.NewWebhookManagedBy(mgr).
+ For(r).
+ Complete()
+}
+
+// TODO(user): EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
+
+// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
+//+kubebuilder:webhook:path=/validate-syngit-syngit-io-v1beta1-remotesyncer,mutating=false,failurePolicy=fail,sideEffects=None,groups=syngit.syngit.io,resources=remotesyncers,verbs=create;update,versions=v1beta1,name=vremotesyncer.v1beta1.syngit.io,admissionReviewVersions=v1
+
+var _ webhook.Validator = &RemoteSyncer{}
+
+// Validate validates the RemoteSyncerSpec
+func (r *RemoteSyncerSpec) ValidateRemoteSyncerSpec() field.ErrorList {
+ var errors field.ErrorList
+
+ // Validate DefaultUserBind based on DefaultUnauthorizedUserMode
+ if r.DefaultUnauthorizedUserMode == Block && r.DefaultRemoteUserRef != nil {
+ errors = append(errors, field.Invalid(field.NewPath("spec").Child("defaultUser"), r.DefaultRemoteUserRef, "should not be set when defaultUnauthorizedUserMode is set to \"Block\""))
+ } else if r.DefaultUnauthorizedUserMode == UseDefaultUser && r.DefaultRemoteUserRef == nil {
+ errors = append(errors, field.Required(field.NewPath("spec").Child("defaultUser"), "must be set when defaultUnauthorizedUserMode is set to \"UseDefaultUser\""))
+ }
+
+ // Validate DefaultBlockAppliedMessage only exists if ProcessMode is set to CommitOnly
+ if r.DefaultBlockAppliedMessage != "" && r.ProcessMode != "CommitOnly" {
+ errors = append(errors, field.Forbidden(field.NewPath("spec").Child("defaultBlockAppliedMessage"), "should not be set if processMode is not set to \"CommitOnly\""))
+ }
+
+ // Validate that ProcessMode is either CommitApply or CommitOnly
+ if r.ProcessMode != "CommitOnly" && r.ProcessMode != "CommitApply" {
+ errors = append(errors, field.Invalid(field.NewPath("spec").Child("processMode"), r.ProcessMode, "must be set to \"CommitApply\" or \"CommitOnly\""))
+ }
+
+ // Validate Git URI
+ gitURIPattern := regexp.MustCompile(`^(https?|git)\://[^ ]+$`)
+ if !gitURIPattern.MatchString(r.RemoteRepository) {
+ errors = append(errors, field.Invalid(field.NewPath("spec").Child("remoteRepository"), r.RemoteRepository, "invalid Git URI"))
+ }
+
+ // Validate the ExcludedFields to ensure that it is a YAML path
+ for _, fieldPath := range r.ExcludedFields {
+ if !isValidYAMLPath(fieldPath) {
+ errors = append(errors, field.Invalid(field.NewPath("spec").Child("excludedFields"), fieldPath, "must be a valid YAML path. Regex : "+`^([a-zA-Z0-9_./:-]*(\[[a-zA-Z0-9_*./:-]*\])?)*$`))
+ }
+ }
+
+ // Validate that DefaultBranch exists if PushMode is set to "SameBranch"
+ if r.PushMode == SameBranch && r.DefaultBranch == "" {
+ errors = append(errors, field.Required(field.NewPath("spec").Child("defaultBranch"), "must be set when defaultBranch is set to \"SameBranch\""))
+ }
+
+ // Validate that DefaultBranch exists if DefaultUnauthorizedUser uses a default user
+ if r.DefaultUnauthorizedUserMode != Block && r.DefaultBranch == "" {
+ errors = append(errors, field.Required(field.NewPath("spec").Child("defaultBranch"), "must be set when the defaultUnauthorizedUserMode is set to UseDefaultUser"))
+ }
+
+ return errors
+}
+
+// isValidYAMLPath checks if the given string is a valid YAML path
+func isValidYAMLPath(path string) bool {
+ // Regular expression to match a valid YAML path
+ yamlPathRegex := regexp.MustCompile(`^([a-zA-Z0-9_./:-]*(\[[a-zA-Z0-9_*./:-]*\])?)*$`)
+ return yamlPathRegex.MatchString(path)
+}
+
+func (r *RemoteSyncer) ValidateRemoteSyncer() error {
+ var allErrs field.ErrorList
+ if err := r.Spec.ValidateRemoteSyncerSpec(); err != nil {
+ allErrs = append(allErrs, err...)
+ }
+ if len(allErrs) == 0 {
+ return nil
+ }
+
+ return apierrors.NewInvalid(
+ r.GroupVersionKind().GroupKind(),
+ r.Name, allErrs)
+}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *RemoteSyncer) ValidateCreate() (admission.Warnings, error) {
+ remotesyncerlog.Info("validate create", "name", r.Name)
+
+ return nil, r.ValidateRemoteSyncer()
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *RemoteSyncer) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+ remotesyncerlog.Info("validate update", "name", r.Name)
+
+ return nil, r.ValidateRemoteSyncer()
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *RemoteSyncer) ValidateDelete() (admission.Warnings, error) {
+ remotesyncerlog.Info("validate delete", "name", r.Name)
+
+ // Nothing to validate
+ return nil, nil
+}
diff --git a/api/v1beta1/remotesyncer_webhook_test.go b/api/v1beta1/remotesyncer_webhook_test.go
new file mode 100644
index 0000000..0453107
--- /dev/null
+++ b/api/v1beta1/remotesyncer_webhook_test.go
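Review bot: `ValidateRemoteSyncerSpec` never checks `PushMode` or `DefaultUnauthorizedUserMode` against their declared constants, so an unknown `defaultUnauthorizedUserMode` passes both `==` checks and then the final `!= Block` branch silently treats it as a default-user mode, while `ProcessMode` is compared with string literals instead of `CommitOnly`/`CommitApply`. The two `regexp.MustCompile` calls run on every admission request — the YAML-path one once per `excludedFields` entry — and belong at package level, and the `defaultBranch` message reads `when defaultBranch is set to "SameBranch"` where it means `pushMode`. `InsecureSkipTlsVerify` is accepted without comment even though `ValidateCreate`/`ValidateUpdate` already return `admission.Warnings`, which is the place to tell the caller that certificate verification for the remote has been turned off. The sketch below hoists the patterns, rejects unknown enum values, fixes the message and adds the warning; the checks it does not touch are elided.
```go
// Compiled once: MustCompile per admission request (and per excludedFields entry) is wasted work.
var (
	gitURIPattern = regexp.MustCompile(`^(https?|git)\://[^ ]+$`)
	yamlPathRegex = regexp.MustCompile(`^([a-zA-Z0-9_./:-]*(\[[a-zA-Z0-9_*./:-]*\])?)*$`)
)

func (r *RemoteSyncerSpec) ValidateRemoteSyncerSpec() field.ErrorList {
	var errors field.ErrorList

	// Reject unknown enum values first; the mode-dependent checks below assume one of the declared constants.
	switch r.PushMode {
	case SameBranch, MultipleBranch, MergeRequest:
	default:
		errors = append(errors, field.NotSupported(field.NewPath("spec").Child("pushMode"), r.PushMode, []string{string(SameBranch), string(MultipleBranch), string(MergeRequest)}))
	}
	switch r.DefaultUnauthorizedUserMode {
	case Block, UseDefaultUser:
	default:
		errors = append(errors, field.NotSupported(field.NewPath("spec").Child("defaultUnauthorizedUserMode"), r.DefaultUnauthorizedUserMode, []string{string(Block), string(UseDefaultUser)}))
	}
	// … unchanged: defaultUser / defaultBlockAppliedMessage / processMode checks (compare against CommitOnly and CommitApply, not string literals) …
	if !gitURIPattern.MatchString(r.RemoteRepository) {
	// … unchanged: remoteRepository and excludedFields checks (isValidYAMLPath now uses the package-level yamlPathRegex) …
	if r.PushMode == SameBranch && r.DefaultBranch == "" {
		errors = append(errors, field.Required(field.NewPath("spec").Child("defaultBranch"), "must be set when pushMode is set to \"SameBranch\""))
	}
	// … unchanged: remaining checks and return …
}

// warnings surfaces risky-but-allowed settings to the client (kubectl prints them).
func (r *RemoteSyncer) warnings() admission.Warnings {
	if r.Spec.InsecureSkipTlsVerify {
		return admission.Warnings{"spec.insecureSkipTlsVerify is true: the TLS certificate of " + r.Spec.RemoteRepository + " will not be verified"}
	}
	return nil
}

// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
func (r *RemoteSyncer) ValidateCreate() (admission.Warnings, error) {
	remotesyncerlog.Info("validate create", "name", r.Name)

	return r.warnings(), r.ValidateRemoteSyncer()
}
// … same change in ValidateUpdate …
```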
@@ -0,0 +1,47 @@ +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + . "github.com/onsi/ginkgo/v2" +) + +var _ = Describe("RemoteSyncer Webhook", func() { + + Context("When creating RemoteSyncer under Validating Webhook", func() { + It("Should deny if a required field is empty", func() { + + // TODO(user): Add your logic here + + }) + + It("Should admit if all required fields are provided", func() { + + // TODO(user): Add your logic here + + }) + }) + + Context("When creating RemoteSyncer under Conversion Webhook", func() { + It("Should get the converted version of RemoteSyncer", func() { + + // TODO(user): Add your logic here + + }) + }) + +}) diff --git a/api/v1beta1/remoteuser_conversion.go b/api/v1beta1/remoteuser_conversion.go new file mode 100644 index 0000000..2eb5cce --- /dev/null +++ b/api/v1beta1/remoteuser_conversion.go 
@@ -0,0 +1,19 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+func (*RemoteUser) Hub() {}
diff --git a/api/v1beta1/remoteuser_types.go b/api/v1beta1/remoteuser_types.go
new file mode 100644
index 0000000..df5a07b
--- /dev/null
+++ b/api/v1beta1/remoteuser_types.go
@@ -0,0 +1,114 @@ +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type RemoteUserSpec struct { + SecretRef corev1.SecretReference `json:"secretRef"` + + Email string `json:"email"` + + GitBaseDomainFQDN string `json:"gitBaseDomainFQDN"` + + AssociatedRemoteUserBinding bool `json:"associatedRemoteUserBinding"` +} + +type RemoteUserStatus struct { + + // +listType=map + // +listMapKey=type + // +patchStrategy=merge + // +patchMergeKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + // +optional + ConnexionStatus RemoteUserConnexionStatus `json:"connexionStatus,omitempty"` + + // +optional + GitUser string `json:"gitUser,omitempty"` + + // +optional + LastAuthTime metav1.Time `json:"lastAuthTime,omitempty"` + + // +optional + SecretBoundStatus SecretBoundStatus `json:"secretBoundStatus,omitempty"` +} + +//+kubebuilder:object:root=true +//+kubebuilder:subresource:status +//+kubebuilder:storageversion + +// RemoteUser is the Schema for the remoteusers API +type RemoteUser struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec RemoteUserSpec `json:"spec,omitempty"` + Status RemoteUserStatus `json:"status,omitempty"` +} + +//+kubebuilder:object:root=true + +// RemoteUserList contains a list of 
RemoteUser +type RemoteUserList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []RemoteUser `json:"items"` +} + +func init() { + SchemeBuilder.Register(&RemoteUser{}, &RemoteUserList{}) +} + +/* + STATUS EXTENSION +*/ + +type RemoteUserConnexionStatus struct { + Status RemoteUserConnexionStatusReason `json:"status,omitempty"` + // +optional + Details string `json:"details,omitempty"` +} + +type RemoteUserConnexionStatusReason string + +const ( + GitConnected RemoteUserConnexionStatusReason = "Connected" + GitUnauthorized RemoteUserConnexionStatusReason = "Unauthorized: bad credentials" + GitForbidden RemoteUserConnexionStatusReason = "Forbidden : Not enough permission" + GitNotFound RemoteUserConnexionStatusReason = "Not found: the git server is not found" + GitServerError RemoteUserConnexionStatusReason = "Server error: a server error happened" + GitUnexpectedStatus RemoteUserConnexionStatusReason = "Unexpected response status code" + GitNotConnected RemoteUserConnexionStatusReason = "Not Connected" + GitUnsupported RemoteUserConnexionStatusReason = "Unsupported Git provider" + GitConfigNotFound RemoteUserConnexionStatusReason = "Git provider ConfigMap not found" + GitConfigParseError RemoteUserConnexionStatusReason = "Failed to parse the git provider ConfigMap" +) + +type SecretBoundStatus string + +const ( + SecretBound SecretBoundStatus = "Secret bound" + SecretFound SecretBoundStatus = "Secret found" + SecretNotFound SecretBoundStatus = "Secret not found" + SecretWrongType SecretBoundStatus = "Secret type is not set to BasicAuth" +) diff --git a/api/v1beta1/remoteuser_webhook.go b/api/v1beta1/remoteuser_webhook.go new file mode 100644 index 0000000..22a43a7 --- /dev/null +++ b/api/v1beta1/remoteuser_webhook.go 
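Review bot: `Email` and `GitBaseDomainFQDN` are free-form strings with no validation marker, although `GitBaseDomainFQDN` is the value the v1alpha4 conversion switches on to pick provider annotations (the visible tail of remoteuser_conversion.go compares it with `gitlab.com` and `bitbucket.org`); `// +kubebuilder:validation:Format=hostname` on `GitBaseDomainFQDN` and `// +kubebuilder:validation:Format=email` on `Email` would reject junk at admission time, the same way `Format=uri` is used on `remoteRepository` in the remotesyncer_types.go hunk. While reading that conversion, its gitlab and bitbucket branches test the `github.api-auth.*` annotation for presence but parse the provider-specific one, which looks like a copy-paste slip worth a second look. `RemoteUserSpec` and `RemoteUserStatus` also lack the doc comment the other spec types carry, e.g. `// RemoteUserSpec defines the desired state of RemoteUser`.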
@@ -0,0 +1,67 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
+ logf "sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/controller-runtime/pkg/webhook"
+ "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// log is for logging in this package.
+var remoteuserlog = logf.Log.WithName("remoteuser-resource")
+
+// SetupWebhookWithManager will setup the manager to manage the webhooks
+func (r *RemoteUser) SetupWebhookWithManager(mgr ctrl.Manager) error {
+ return ctrl.NewWebhookManagedBy(mgr).
+ For(r).
+ Complete()
+}
+
+// TODO(user): EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
+
+// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
+//+kubebuilder:webhook:path=/validate-syngit-syngit-io-v1beta1-remoteuser,mutating=false,failurePolicy=fail,sideEffects=None,groups=syngit.syngit.io,resources=remoteusers,verbs=create;update,versions=v1beta1,name=vremoteuser.v1beta1.syngit.io,admissionReviewVersions=v1
+//+kubebuilder:webhook:path=/syngit-v1beta1-remoteuser-association,mutating=false,failurePolicy=fail,sideEffects=None,groups=syngit.syngit.io,resources=remoteusers,verbs=create;delete,versions=v1beta1,admissionReviewVersions=v1,name=vremoteusers-association.v1beta1.syngit.io
+
+var _ webhook.Validator = &RemoteUser{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *RemoteUser) ValidateCreate() (admission.Warnings, error) {
+ remoteuserlog.Info("validate create", "name", r.Name)
+
+ // TODO(user): fill in your validation logic upon object creation.
+ return nil, nil
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *RemoteUser) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+ remoteuserlog.Info("validate update", "name", r.Name)
+
+ // TODO(user): fill in your validation logic upon object update.
+ return nil, nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *RemoteUser) ValidateDelete() (admission.Warnings, error) {
+ remoteuserlog.Info("validate delete", "name", r.Name)
+
+ // TODO(user): fill in your validation logic upon object deletion.
+ return nil, nil
+}
diff --git a/api/v1beta1/remoteuser_webhook_test.go b/api/v1beta1/remoteuser_webhook_test.go
new file mode 100644
index 0000000..deefcb9
--- /dev/null
+++ b/api/v1beta1/remoteuser_webhook_test.go
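Review bot: `ValidateCreate` and `ValidateUpdate` return `nil, nil` behind a `TODO(user)` placeholder, yet the marker above registers them with `failurePolicy=fail` for `create;update`, and the v1alpha4 webhook whose markers this commit removes carried a real `Validate validates the RemoteUserSpec` implementation — once v1alpha4 is unserved, RemoteUser specs are not validated at all. The second marker, `path=/syngit-v1beta1-remoteuser-association`, declares a `create;delete` webhook at a path that `SetupWebhookWithManager` does not serve (the builder registers the `/validate-…` path only); unless that handler is registered elsewhere, the generated configuration points at a path that returns 404 and `failurePolicy=fail` then rejects every RemoteUser create and delete. Either port the v1alpha4 validation into `ValidateCreate`/`ValidateUpdate`, mirroring the `ValidateRemoteSyncer` pattern in the remotesyncer_webhook.go hunk, or note in a comment next to the marker where the association handler is served from.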
@@ -0,0 +1,47 @@ +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + . "github.com/onsi/ginkgo/v2" +) + +var _ = Describe("RemoteUser Webhook", func() { + + Context("When creating RemoteUser under Validating Webhook", func() { + It("Should deny if a required field is empty", func() { + + // TODO(user): Add your logic here + + }) + + It("Should admit if all required fields are provided", func() { + + // TODO(user): Add your logic here + + }) + }) + + Context("When creating RemoteUser under Conversion Webhook", func() { + It("Should get the converted version of RemoteUser", func() { + + // TODO(user): Add your logic here + + }) + }) + +}) diff --git a/api/v1beta1/remoteuserbinding_conversion.go b/api/v1beta1/remoteuserbinding_conversion.go new file mode 100644 index 0000000..4e0f0fe --- /dev/null +++ b/api/v1beta1/remoteuserbinding_conversion.go 
@@ -0,0 +1,19 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+func (*RemoteUserBinding) Hub() {}
diff --git a/api/v1beta1/remoteuserbinding_types.go b/api/v1beta1/remoteuserbinding_types.go
new file mode 100644
index 0000000..def056e
--- /dev/null
+++ b/api/v1beta1/remoteuserbinding_types.go
@@ -0,0 +1,92 @@ +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + corev1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + RubPrefix = "associated-rub-" +) + +type RemoteUserBindingSpec struct { + Subject rbacv1.Subject `json:"subject"` + RemoteRefs []corev1.ObjectReference `json:"remoteRefs"` // Ref to the listed RemoteUser objects +} + +type RemoteUserBindingStatus struct { + // +optional + GlobalState GitUserBindingState `json:"state,omitempty"` + + // +optional + GitUserHosts []GitUserHost `json:"gitUserHosts"` + + // +optional + UserKubernetesID string `json:"userKubernetesID,omitempty"` + + // +optional + LastUsedTime metav1.Time `json:"lastUsedTime,omitempty"` +} + +//+kubebuilder:object:root=true +//+kubebuilder:subresource:status +//+kubebuilder:storageversion + +// RemoteUserBinding is the Schema for the remoteuserbindings API +type RemoteUserBinding struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec RemoteUserBindingSpec `json:"spec,omitempty"` + Status RemoteUserBindingStatus `json:"status,omitempty"` +} + +//+kubebuilder:object:root=true + +// RemoteUserBindingList contains a list of RemoteUserBinding +type RemoteUserBindingList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []RemoteUserBinding `json:"items"` +} + +func init() { + 
SchemeBuilder.Register(&RemoteUserBinding{}, &RemoteUserBindingList{}) +} + +/* + STATUS EXTENSION +*/ + +type GitUserBindingState string + +const ( + Bound GitUserBindingState = "Bound" + PartiallyBound GitUserBindingState = "PartiallyBound" + NotBound GitUserBindingState = "NotBound" +) + +type GitUserHost struct { + RemoteUserUsed string `json:"remoteUserUsed,omitempty"` + SecretRef corev1.SecretReference `json:"secretRef"` + GitFQDN string `json:"gitFQDN,omitempty"` + State GitUserBindingState `json:"state,omitempty"` + LastUsedTime metav1.Time `json:"lastUsedTime,omitempty"` +} diff --git a/api/v1beta1/remoteuserbinding_webhook.go b/api/v1beta1/remoteuserbinding_webhook.go new file mode 100644 index 0000000..b12cb0b --- /dev/null +++ b/api/v1beta1/remoteuserbinding_webhook.go @@ -0,0 +1,34 @@ +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + ctrl "sigs.k8s.io/controller-runtime" + logf "sigs.k8s.io/controller-runtime/pkg/log" +) + +// log is for logging in this package. +var remoteuserbindinglog = logf.Log.WithName("remoteuserbinding-resource") + +// SetupWebhookWithManager will setup the manager to manage the webhooks +func (r *RemoteUserBinding) SetupWebhookWithManager(mgr ctrl.Manager) error { + return ctrl.NewWebhookManagedBy(mgr). + For(r). + Complete() +} + +// TODO(user): EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! 
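Review bot: `GitUserHosts []GitUserHost `json:"gitUserHosts"`` is marked `// +optional` but, unlike its neighbours, carries no `omitempty`, so an empty status serializes the field as `null` instead of omitting it; change it to `json:"gitUserHosts,omitempty"` for consistency with `state`, `userKubernetesID` and `lastUsedTime`. `Subject` and `RemoteRefs` carry no validation markers, so a binding with an empty subject name or an empty `remoteRefs` list is accepted at admission and only surfaces later; `// +kubebuilder:validation:MinItems=1` on `RemoteRefs` would reject the empty list up front. The exported `RubPrefix`, `GitUserBindingState` values and `GitUserHost` also lack doc comments.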
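Review bot: `SetupWebhookWithManager` wires the type with `For(r).Complete()` and no `WithValidator` or `WithDefaulter`, so only the conversion endpoint is served for RemoteUserBinding and nothing checks the spec at admission time. If that is intentional, replace the `// TODO(user): EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!` line with a statement of it, e.g. `// RemoteUserBinding serves only the conversion webhook; no admission validator is registered.`, so the next reader does not take the scaffold note as unfinished work. `remoteuserbindinglog` is declared but never referenced in this file.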
diff --git a/api/v1beta1/remoteuserbinding_webhook_test.go b/api/v1beta1/remoteuserbinding_webhook_test.go
new file mode 100644
index 0000000..7a2a254
--- /dev/null
+++ b/api/v1beta1/remoteuserbinding_webhook_test.go
@@ -0,0 +1,33 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+ . "github.com/onsi/ginkgo/v2"
+)
+
+var _ = Describe("RemoteUserBinding Webhook", func() {
+
+ Context("When creating RemoteUserBinding under Conversion Webhook", func() {
+ It("Should get the converted version of RemoteUserBinding", func() {
+
+ // TODO(user): Add your logic here
+
+ })
+ })
+
+})
diff --git a/api/v1beta1/webhook_suite_test.go b/api/v1beta1/webhook_suite_test.go
new file mode 100644
index 0000000..8d1ae16
--- /dev/null
+++ b/api/v1beta1/webhook_suite_test.go
@@ -0,0 +1,148 @@ +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + "context" + "crypto/tls" + "fmt" + "net" + "path/filepath" + "runtime" + "testing" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + admissionv1 "k8s.io/api/admission/v1" + //+kubebuilder:scaffold:imports + apimachineryruntime "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/rest" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/envtest" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" +) + +// These tests use Ginkgo (BDD-style Go testing framework). Refer to +// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. 
+ +var cfg *rest.Config +var k8sClient client.Client +var testEnv *envtest.Environment +var ctx context.Context +var cancel context.CancelFunc + +func TestAPIs(t *testing.T) { + RegisterFailHandler(Fail) + + RunSpecs(t, "Webhook Suite") +} + +var _ = BeforeSuite(func() { + logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) + + ctx, cancel = context.WithCancel(context.TODO()) + + By("bootstrapping test environment") + testEnv = &envtest.Environment{ + CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")}, + ErrorIfCRDPathMissing: false, + + // The BinaryAssetsDirectory is only required if you want to run the tests directly + // without call the makefile target test. If not informed it will look for the + // default path defined in controller-runtime which is /usr/local/kubebuilder/. + // Note that you must have the required binaries setup under the bin directory to perform + // the tests directly. When we run make test it will be setup and used automatically. + BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s", + fmt.Sprintf("1.29.0-%s-%s", runtime.GOOS, runtime.GOARCH)), + + WebhookInstallOptions: envtest.WebhookInstallOptions{ + Paths: []string{filepath.Join("..", "..", "config", "webhook")}, + }, + } + + var err error + // cfg is defined in this file globally. 
+ cfg, err = testEnv.Start() + Expect(err).NotTo(HaveOccurred()) + Expect(cfg).NotTo(BeNil()) + + scheme := apimachineryruntime.NewScheme() + err = AddToScheme(scheme) + Expect(err).NotTo(HaveOccurred()) + + err = admissionv1.AddToScheme(scheme) + Expect(err).NotTo(HaveOccurred()) + + //+kubebuilder:scaffold:scheme + + k8sClient, err = client.New(cfg, client.Options{Scheme: scheme}) + Expect(err).NotTo(HaveOccurred()) + Expect(k8sClient).NotTo(BeNil()) + + // start webhook server using Manager + webhookInstallOptions := &testEnv.WebhookInstallOptions + mgr, err := ctrl.NewManager(cfg, ctrl.Options{ + Scheme: scheme, + WebhookServer: webhook.NewServer(webhook.Options{ + Host: webhookInstallOptions.LocalServingHost, + Port: webhookInstallOptions.LocalServingPort, + CertDir: webhookInstallOptions.LocalServingCertDir, + }), + LeaderElection: false, + Metrics: metricsserver.Options{BindAddress: "0"}, + }) + Expect(err).NotTo(HaveOccurred()) + + err = (&RemoteUser{}).SetupWebhookWithManager(mgr) + Expect(err).NotTo(HaveOccurred()) + + err = (&RemoteSyncer{}).SetupWebhookWithManager(mgr) + Expect(err).NotTo(HaveOccurred()) + + //+kubebuilder:scaffold:webhook + + go func() { + defer GinkgoRecover() + err = mgr.Start(ctx) + Expect(err).NotTo(HaveOccurred()) + }() + + // wait for the webhook server to get ready + dialer := &net.Dialer{Timeout: time.Second} + addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort) + Eventually(func() error { + conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) + if err != nil { + return err + } + return conn.Close() + }).Should(Succeed()) + +}) + +var _ = AfterSuite(func() { + cancel() + By("tearing down the test environment") + err := testEnv.Stop() + Expect(err).NotTo(HaveOccurred()) +}) diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go new file mode 100644 index 0000000..61f4d1e --- /dev/null 
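Review bot: The suite registers `(&RemoteUser{}).SetupWebhookWithManager(mgr)` and `(&RemoteSyncer{}).SetupWebhookWithManager(mgr)` but not the RemoteUserBinding webhook that remoteuserbinding_webhook.go adds in this same patch, so its conversion handler is never served under envtest and the "converted version of RemoteUserBinding" spec has no endpoint to exercise. Add `err = (&RemoteUserBinding{}).SetupWebhookWithManager(mgr)` followed by `Expect(err).NotTo(HaveOccurred())` next to the other two registrations. As a point of style, `err = mgr.Start(ctx)` inside the goroutine assigns the suite-level `err`; a local `err := mgr.Start(ctx)` keeps the goroutine's result from sharing a variable with the setup code.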
+++ b/api/v1beta1/zz_generated.deepcopy.go 
@@ -0,0 +1,595 @@ +//go:build !ignore_autogenerated + +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1beta1 + +import ( + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" + corev1 "k8s.io/api/core/v1" + "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitUserHost) DeepCopyInto(out *GitUserHost) { + *out = *in + out.SecretRef = in.SecretRef + in.LastUsedTime.DeepCopyInto(&out.LastUsedTime) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitUserHost. +func (in *GitUserHost) DeepCopy() *GitUserHost { + if in == nil { + return nil + } + out := new(GitUserHost) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GroupVersionKindName) DeepCopyInto(out *GroupVersionKindName) { + *out = *in + if in.GroupVersionKind != nil { + in, out := &in.GroupVersionKind, &out.GroupVersionKind + *out = new(schema.GroupVersionKind) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupVersionKindName. 
+func (in *GroupVersionKindName) DeepCopy() *GroupVersionKindName { + if in == nil { + return nil + } + out := new(GroupVersionKindName) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GroupVersionResourceName) DeepCopyInto(out *GroupVersionResourceName) { + *out = *in + if in.GroupVersionResource != nil { + in, out := &in.GroupVersionResource, &out.GroupVersionResource + *out = new(schema.GroupVersionResource) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupVersionResourceName. +func (in *GroupVersionResourceName) DeepCopy() *GroupVersionResourceName { + if in == nil { + return nil + } + out := new(GroupVersionResourceName) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *JsonGVRN) DeepCopyInto(out *JsonGVRN) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JsonGVRN. +func (in *JsonGVRN) DeepCopy() *JsonGVRN { + if in == nil { + return nil + } + out := new(JsonGVRN) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LastBypassedObjectState) DeepCopyInto(out *LastBypassedObjectState) { + *out = *in + in.LastBypassedObjectTime.DeepCopyInto(&out.LastBypassedObjectTime) + in.LastBypassedObjectUserInfo.DeepCopyInto(&out.LastBypassedObjectUserInfo) + out.LastBypassedObject = in.LastBypassedObject +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LastBypassedObjectState. 
+func (in *LastBypassedObjectState) DeepCopy() *LastBypassedObjectState { + if in == nil { + return nil + } + out := new(LastBypassedObjectState) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LastObservedObjectState) DeepCopyInto(out *LastObservedObjectState) { + *out = *in + in.LastObservedObjectTime.DeepCopyInto(&out.LastObservedObjectTime) + in.LastObservedObjectUserInfo.DeepCopyInto(&out.LastObservedObjectUserInfo) + out.LastObservedObject = in.LastObservedObject +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LastObservedObjectState. +func (in *LastObservedObjectState) DeepCopy() *LastObservedObjectState { + if in == nil { + return nil + } + out := new(LastObservedObjectState) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LastPushedObjectState) DeepCopyInto(out *LastPushedObjectState) { + *out = *in + in.LastPushedObjectTime.DeepCopyInto(&out.LastPushedObjectTime) + out.LastPushedObject = in.LastPushedObject +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LastPushedObjectState. +func (in *LastPushedObjectState) DeepCopy() *LastPushedObjectState { + if in == nil { + return nil + } + out := new(LastPushedObjectState) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *NamespaceScopedKinds) DeepCopyInto(out *NamespaceScopedKinds) { + *out = *in + if in.APIGroups != nil { + in, out := &in.APIGroups, &out.APIGroups + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.APIVersions != nil { + in, out := &in.APIVersions, &out.APIVersions + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Kinds != nil { + in, out := &in.Kinds, &out.Kinds + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Names != nil { + in, out := &in.Names, &out.Names + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceScopedKinds. +func (in *NamespaceScopedKinds) DeepCopy() *NamespaceScopedKinds { + if in == nil { + return nil + } + out := new(NamespaceScopedKinds) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NamespaceScopedResources) DeepCopyInto(out *NamespaceScopedResources) { + *out = *in + if in.APIGroups != nil { + in, out := &in.APIGroups, &out.APIGroups + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.APIVersions != nil { + in, out := &in.APIVersions, &out.APIVersions + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Names != nil { + in, out := &in.Names, &out.Names + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceScopedResources. +func (in *NamespaceScopedResources) DeepCopy() *NamespaceScopedResources { + if in == nil { + return nil + } + out := new(NamespaceScopedResources) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *RemoteSyncer) DeepCopyInto(out *RemoteSyncer) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteSyncer. +func (in *RemoteSyncer) DeepCopy() *RemoteSyncer { + if in == nil { + return nil + } + out := new(RemoteSyncer) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RemoteSyncer) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RemoteSyncerList) DeepCopyInto(out *RemoteSyncerList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]RemoteSyncer, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteSyncerList. +func (in *RemoteSyncerList) DeepCopy() *RemoteSyncerList { + if in == nil { + return nil + } + out := new(RemoteSyncerList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RemoteSyncerList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RemoteSyncerSpec) DeepCopyInto(out *RemoteSyncerSpec) { + *out = *in + if in.BypassInterceptionSubjects != nil { + in, out := &in.BypassInterceptionSubjects, &out.BypassInterceptionSubjects + *out = make([]v1.Subject, len(*in)) + copy(*out, *in) + } + if in.DefaultRemoteUserRef != nil { + in, out := &in.DefaultRemoteUserRef, &out.DefaultRemoteUserRef + *out = new(corev1.ObjectReference) + **out = **in + } + in.ScopedResources.DeepCopyInto(&out.ScopedResources) + if in.ExcludedFields != nil { + in, out := &in.ExcludedFields, &out.ExcludedFields + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ExcludedFieldsConfigMapRef != nil { + in, out := &in.ExcludedFieldsConfigMapRef, &out.ExcludedFieldsConfigMapRef + *out = new(corev1.ObjectReference) + **out = **in + } + out.CABundleSecretRef = in.CABundleSecretRef +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteSyncerSpec. +func (in *RemoteSyncerSpec) DeepCopy() *RemoteSyncerSpec { + if in == nil { + return nil + } + out := new(RemoteSyncerSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RemoteSyncerStatus) DeepCopyInto(out *RemoteSyncerStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.LastBypassedObjectState.DeepCopyInto(&out.LastBypassedObjectState) + in.LastObservedObjectState.DeepCopyInto(&out.LastObservedObjectState) + in.LastPushedObjectState.DeepCopyInto(&out.LastPushedObjectState) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteSyncerStatus. 
+func (in *RemoteSyncerStatus) DeepCopy() *RemoteSyncerStatus { + if in == nil { + return nil + } + out := new(RemoteSyncerStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RemoteUser) DeepCopyInto(out *RemoteUser) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteUser. +func (in *RemoteUser) DeepCopy() *RemoteUser { + if in == nil { + return nil + } + out := new(RemoteUser) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RemoteUser) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RemoteUserBinding) DeepCopyInto(out *RemoteUserBinding) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteUserBinding. +func (in *RemoteUserBinding) DeepCopy() *RemoteUserBinding { + if in == nil { + return nil + } + out := new(RemoteUserBinding) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RemoteUserBinding) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RemoteUserBindingList) DeepCopyInto(out *RemoteUserBindingList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]RemoteUserBinding, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteUserBindingList. +func (in *RemoteUserBindingList) DeepCopy() *RemoteUserBindingList { + if in == nil { + return nil + } + out := new(RemoteUserBindingList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RemoteUserBindingList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RemoteUserBindingSpec) DeepCopyInto(out *RemoteUserBindingSpec) { + *out = *in + out.Subject = in.Subject + if in.RemoteRefs != nil { + in, out := &in.RemoteRefs, &out.RemoteRefs + *out = make([]corev1.ObjectReference, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteUserBindingSpec. +func (in *RemoteUserBindingSpec) DeepCopy() *RemoteUserBindingSpec { + if in == nil { + return nil + } + out := new(RemoteUserBindingSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RemoteUserBindingStatus) DeepCopyInto(out *RemoteUserBindingStatus) { + *out = *in + if in.GitUserHosts != nil { + in, out := &in.GitUserHosts, &out.GitUserHosts + *out = make([]GitUserHost, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.LastUsedTime.DeepCopyInto(&out.LastUsedTime) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteUserBindingStatus. +func (in *RemoteUserBindingStatus) DeepCopy() *RemoteUserBindingStatus { + if in == nil { + return nil + } + out := new(RemoteUserBindingStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RemoteUserConnexionStatus) DeepCopyInto(out *RemoteUserConnexionStatus) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteUserConnexionStatus. +func (in *RemoteUserConnexionStatus) DeepCopy() *RemoteUserConnexionStatus { + if in == nil { + return nil + } + out := new(RemoteUserConnexionStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RemoteUserList) DeepCopyInto(out *RemoteUserList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]RemoteUser, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteUserList. +func (in *RemoteUserList) DeepCopy() *RemoteUserList { + if in == nil { + return nil + } + out := new(RemoteUserList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *RemoteUserList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RemoteUserSpec) DeepCopyInto(out *RemoteUserSpec) { + *out = *in + out.SecretRef = in.SecretRef +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteUserSpec. +func (in *RemoteUserSpec) DeepCopy() *RemoteUserSpec { + if in == nil { + return nil + } + out := new(RemoteUserSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RemoteUserStatus) DeepCopyInto(out *RemoteUserStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + out.ConnexionStatus = in.ConnexionStatus + in.LastAuthTime.DeepCopyInto(&out.LastAuthTime) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteUserStatus. +func (in *RemoteUserStatus) DeepCopy() *RemoteUserStatus { + if in == nil { + return nil + } + out := new(RemoteUserStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ScopedResources) DeepCopyInto(out *ScopedResources) { + *out = *in + if in.MatchPolicy != nil { + in, out := &in.MatchPolicy, &out.MatchPolicy + *out = new(admissionregistrationv1.MatchPolicyType) + **out = **in + } + if in.ObjectSelector != nil { + in, out := &in.ObjectSelector, &out.ObjectSelector + *out = new(metav1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.Rules != nil { + in, out := &in.Rules, &out.Rules + *out = make([]admissionregistrationv1.RuleWithOperations, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScopedResources. +func (in *ScopedResources) DeepCopy() *ScopedResources { + if in == nil { + return nil + } + out := new(ScopedResources) + in.DeepCopyInto(out) + return out +} diff --git a/charts/1.0.0/Chart.yaml b/charts/0.1.0/Chart.yaml similarity index 89% rename from charts/1.0.0/Chart.yaml rename to charts/0.1.0/Chart.yaml index d31045b..dfdb4b7 100644 --- a/charts/1.0.0/Chart.yaml +++ b/charts/0.1.0/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: syngit description: An operator to push resources onto git type: application -version: 1.0.0 -appVersion: 1.0.0 +version: 0.1.0 +appVersion: 0.1.0 home: https://github.com/syngit-org/syngit icon: https://raw.githubusercontent.com/syngit-org/syngit/main/img/icon.png maintainers: diff --git a/charts/1.0.0/templates/certmanager/certificate.yaml b/charts/0.1.0/templates/certmanager/certificate.yaml similarity index 100% rename from charts/1.0.0/templates/certmanager/certificate.yaml rename to charts/0.1.0/templates/certmanager/certificate.yaml diff --git a/charts/1.0.0/templates/controller/auth_proxy_service.yaml b/charts/0.1.0/templates/controller/auth_proxy_service.yaml similarity index 100% rename from charts/1.0.0/templates/controller/auth_proxy_service.yaml rename to charts/0.1.0/templates/controller/auth_proxy_service.yaml 
diff --git a/charts/1.0.0/templates/controller/manager.yaml b/charts/0.1.0/templates/controller/manager.yaml similarity index 94% rename from charts/1.0.0/templates/controller/manager.yaml rename to charts/0.1.0/templates/controller/manager.yaml index 94ce511..d3aacde 100644 --- a/charts/1.0.0/templates/controller/manager.yaml +++ b/charts/0.1.0/templates/controller/manager.yaml @@ -22,6 +22,10 @@ spec: labels: control-plane: controller-manager spec: + {{- if .Values.controller.image.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.controller.image.imagePullSecrets | nindent 8 }} + {{- end }} containers: {{- if eq .Values.controller.metrics.enable true }} - name: kube-rbac-proxy diff --git a/charts/1.0.0/templates/crd/syngit.syngit.io_remotesyncer.yaml b/charts/0.1.0/templates/crd/syngit.syngit.io_remotesyncer.yaml similarity index 70% rename from charts/1.0.0/templates/crd/syngit.syngit.io_remotesyncer.yaml rename to charts/0.1.0/templates/crd/syngit.syngit.io_remotesyncer.yaml index 57161de..f4f6f99 100644 --- a/charts/1.0.0/templates/crd/syngit.syngit.io_remotesyncer.yaml +++ b/charts/0.1.0/templates/crd/syngit.syngit.io_remotesyncer.yaml @@ -5,8 +5,21 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 + {{- if eq .Values.webhook.certmanager.enable true }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/operator-webhook-cert + {{- end }} name: remotesyncers.syngit.syngit.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + namespace: {{ .Release.Namespace }} + name: webhook-crd-service + path: /convert + conversionReviewVersions: + - v1 group: syngit.syngit.io names: kind: RemoteSyncer @@ -15,7 +28,7 @@ spec: singular: remotesyncer scope: Namespaced versions: - - name: v1alpha1 + - name: v1alpha4 schema: openAPIV3Schema: description: RemoteSyncer is the Schema for the remotesyncers API 
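Review bot: The `{{ toYaml .Values.controller.image.imagePullSecrets | nindent 8 }}` line keeps its own leading indentation in front of the action, so the rendered manifest carries a whitespace-only line between `imagePullSecrets:` and the list that `nindent` emits. The usual form is `{{- toYaml .Values.controller.image.imagePullSecrets | nindent 8 }}`, which trims that whitespace and places the list directly under the key; the YAML is valid either way, but trailing-whitespace linters flag the current form. The remainder of the pod spec is outside the hunk.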
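Review bot: `conversion.strategy: Webhook` is rendered unconditionally, but the `cert-manager.io/inject-ca-from` annotation that supplies the CA is only rendered when `.Values.webhook.certmanager.enable` is true and `clientConfig` carries no `caBundle`; with cert-manager disabled the API server has no trust anchor for `webhook-crd-service`, so every conversion call — and with it every read or write of a non-storage version of RemoteSyncer — fails. Either render a CA in the other branch (placeholder: `caBundle: {{ .Values.webhook.caBundle }}`, key name to be confirmed against values.yaml) or gate the conversion stanza on the same flag and state in the chart docs that conversion requires cert-manager. The hard-coded `webhook-crd-service` name is worth templating alongside the namespace. The next hunk in this section only renames `v1alpha1` to `v1alpha4`; since v1beta1 is marked the storage version in the Go types, check that the rest of the `versions` list (outside this hunk) carries it with `storage: true`.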
@@ -39,70 +52,6 @@ spec: type: object spec: properties: - authorizedUsers: - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - minItems: 1 - type: array branch: type: string bypassInterceptionSubjects: @@ -136,15 +85,13 @@ spec: type: object x-kubernetes-map-type: atomic type: array - commitMode: - type: string commitProcess: type: string defaultBlockAppliedMessage: type: string defaultUnauthorizedUserMode: type: string - defaultUserBind: + defaultUser: description: |- ObjectReference contains enough information to let you inspect or modify the referred object. --- 
@@ -209,423 +156,7 @@ spec: items: type: string type: array - excludedResources: - items: - properties: - apiGroups: - items: - type: string - type: array - apiVersions: - items: - type: string - type: array - names: - items: - type: string - type: array - resources: - items: - type: string - type: array - required: - - apiGroups - - apiVersions - - resources - type: object - type: array - includedResources: - items: - properties: - apiGroups: - items: - type: string - type: array - apiVersions: - items: - type: string - type: array - names: - items: - type: string - type: array - repoPath: - type: string - resources: - items: - type: string - type: array - required: - - apiGroups - - apiVersions - - resources - type: object - type: array - operations: - items: - description: OperationType specifies an operation for a request. - type: string - maxItems: 3 - minItems: 1 - type: array - remoteRepository: - format: uri - type: string - required: - - authorizedUsers - - branch - - commitMode - - commitProcess - - defaultUnauthorizedUserMode - - operations - - remoteRepository - type: object - status: - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. 
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. 
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastBypassedObjectState: - properties: - lastBypassObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastBypassObjectTime: - format: date-time - type: string - lastBypassObjectUserInfo: - description: |- - UserInfo holds the information about the user needed to implement the - user.Info interface. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf can - generate - items: - type: string - type: array - description: Any additional information provided by the authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user among - all active users. 
- type: string - type: object - type: object - lastObservedObjectState: - properties: - lastObservedObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastObservedObjectTime: - format: date-time - type: string - lastObservedObjectUserInfo: - description: |- - UserInfo holds the information about the user needed to implement the - user.Info interface. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf can - generate - items: - type: string - type: array - description: Any additional information provided by the authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user among - all active users. 
- type: string - type: object - type: object - lastPushedObjectState: - properties: - lastPushedGitUser: - type: string - lastPushedObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastPushedObjectCommitHash: - type: string - lastPushedObjectGitPath: - type: string - lastPushedObjectGitRepo: - type: string - lastPushedObjectState: - type: string - lastPushedObjectTime: - format: date-time - type: string - type: object - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v2alpha2 - schema: - openAPIV3Schema: - description: RemoteSyncer is the Schema for the remotesyncers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - authorizedUsers: - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. 
It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. 
- type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - minItems: 1 - type: array - branch: - type: string - bypassInterceptionSubjects: - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. 
If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - commitProcess: - type: string - defaultBlockAppliedMessage: - type: string - defaultUnauthorizedUserMode: - type: string - defaultUserBind: + excludedFieldsConfig: description: |- ObjectReference contains enough information to let you inspect or modify the referred object. --- @@ -686,10 +217,6 @@ spec: type: string type: object x-kubernetes-map-type: atomic - excludedFields: - items: - type: string - type: array remoteRepository: format: uri type: string @@ -824,7 +351,6 @@ spec: type: array type: object required: - - authorizedUsers - branch - commitProcess - defaultUnauthorizedUserMode @@ -1044,11 +570,11 @@ spec: type: object type: object type: object - served: true + served: false storage: false subresources: status: {} - - name: v3alpha3 + - name: v1beta1 schema: openAPIV3Schema: description: RemoteSyncer is the Schema for the remotesyncers API @@ -1071,9 +597,8 @@ spec: metadata: type: object spec: + description: RemoteSyncerSpec defines the desired state of RemoteSyncer properties: - branch: - type: string bypassInterceptionSubjects: items: description: |- @@ -1105,10 +630,25 @@ spec: type: object x-kubernetes-map-type: atomic type: array - commitProcess: - type: string + caBundle: + description: |- + SecretReference represents a Secret Reference. It has enough information to retrieve secret + in any namespace + properties: + name: + description: name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: namespace defines the space within which the secret + name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic defaultBlockAppliedMessage: type: string + defaultBranch: + type: string defaultUnauthorizedUserMode: type: string defaultUser: 
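Review bot: Flipping v1alpha4 to `served: false` while it stays `storage: false` means v1beta1 has to be the storage version (its block is outside this hunk) and every RemoteSyncer persisted under the previous storage version is now reachable only through the conversion webhook. Before v1alpha4 can be dropped from the CRD in a later release those objects must be rewritten (a storage-version migration or a no-op update of each object) and `status.storedVersions` on the CRD trimmed; a `# NOTE: kept only to convert previously stored objects; migrate before removing` comment beside `served: false`, or a sentence in the chart README, would save the next maintainer that discovery. The same flip occurs in the remoteusers CRD template further down.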
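Review bot: `caBundle` is exposed as a generic `SecretReference` whose `namespace` field lets a namespaced RemoteSyncer point at a Secret in any namespace, and the only description is the boilerplate one inherited from the Kubernetes type — neither the Secret key that holds the bundle nor whether cross-namespace references are accepted is stated. If the controller reads that Secret with its own service account (not visible in this diff), a tenant can make it read Secrets outside their namespace; constraining `namespace` to the object's own namespace in the v1beta1 validating webhook, or dropping the field, closes that. In any case the Go field should carry a comment controller-gen can emit, e.g. `// CaBundle references a Secret in this namespace holding the PEM CA bundle (key: <key name>) used to verify the remote git server.`, and `defaultBranch` is likewise added without a description.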
@@ -1237,6 +777,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + insecureSkipTlsVerify: + type: boolean + processMode: + type: string + pushMode: + type: string remoteRepository: format: uri type: string @@ -1371,9 +917,9 @@ spec: type: array type: object required: - - branch - - commitProcess - defaultUnauthorizedUserMode + - processMode + - pushMode - remoteRepository type: object status: @@ -1595,4 +1141,4 @@ spec: subresources: status: {} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/1.0.0/templates/crd/syngit.syngit.io_remoteuser.yaml b/charts/0.1.0/templates/crd/syngit.syngit.io_remoteuser.yaml similarity index 53% rename from charts/1.0.0/templates/crd/syngit.syngit.io_remoteuser.yaml rename to charts/0.1.0/templates/crd/syngit.syngit.io_remoteuser.yaml index 2e490fb..1e966bb 100644 --- a/charts/1.0.0/templates/crd/syngit.syngit.io_remoteuser.yaml +++ b/charts/0.1.0/templates/crd/syngit.syngit.io_remoteuser.yaml @@ -5,8 +5,21 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 + {{- if eq .Values.webhook.certmanager.enable true }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/operator-webhook-cert + {{- end }} name: remoteusers.syngit.syngit.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + namespace: {{ .Release.Namespace }} + name: webhook-crd-service + path: /convert + conversionReviewVersions: + - v1 group: syngit.syngit.io names: kind: RemoteUser 
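Review bot: `insecureSkipTlsVerify` is added to the v1beta1 RemoteSyncer schema as a bare boolean with no description and no default, although setting it disables verification of the remote repository's certificate. controller-gen emits the description from the Go field comment, so the fix belongs on the v1beta1 type: e.g. `// InsecureSkipTlsVerify disables TLS certificate verification for the remote repository; leave false outside test environments.` together with `// +kubebuilder:default=false`. `processMode` and `pushMode` are likewise free-form strings added to `required`; if their accepted values are a fixed set (not visible in this diff), a `+kubebuilder:validation:Enum` marker would make the API server reject unknown values instead of relying on the admission webhook alone.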
@@ -15,225 +28,7 @@ spec: singular: remoteuser scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: RemoteUser is the Schema for the remoteusers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - customGitServerConfigRef: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. 
In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - email: - type: string - gitBaseDomainFQDN: - type: string - insecureSkipTlsVerify: - type: boolean - secretRef: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference a - secret resource. - type: string - namespace: - description: namespace defines the space within which the secret - name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - testAuthentication: - type: boolean - required: - - email - - gitBaseDomainFQDN - - secretRef - type: object - status: - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. 
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - connexionStatus: - properties: - details: - type: string - status: - type: string - type: object - gitServerConfiguration: - properties: - authenticationEndpoint: - type: string - caBundle: - type: string - inherited: - type: boolean - insecureSkipTlsVerify: - type: boolean - type: object - gitUser: - type: string - lastAuthTime: - format: date-time - type: string - secretBoundStatus: - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v2alpha2 + - name: v1alpha4 schema: openAPIV3Schema: description: RemoteUser is the Schema for the remoteusers API @@ -450,11 +245,11 @@ spec: type: string type: object type: object - served: true + served: false storage: false subresources: status: {} - - name: v3alpha3 + - name: v1beta1 schema: openAPIV3Schema: description: RemoteUser is the Schema for the remoteusers API 
@@ -478,75 +273,12 @@ spec: type: object spec: properties: - customGitServerConfigRef: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic + associatedRemoteUserBinding: + type: boolean email: type: string gitBaseDomainFQDN: type: string - insecureSkipTlsVerify: - type: boolean - ownRemoteUserBinding: - type: boolean secretRef: description: |- SecretReference represents a Secret Reference. It has enough information to retrieve secret @@ -562,12 +294,10 @@ spec: type: string type: object x-kubernetes-map-type: atomic - testAuthentication: - type: boolean required: + - associatedRemoteUserBinding - email - gitBaseDomainFQDN - - ownRemoteUserBinding - secretRef type: object status: 
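Review bot: `associatedRemoteUserBinding` is added to `required` as a plain boolean with no default, so a manifest that omits it — the natural way to express false — is rejected at admission. If false is the intended default, mark the Go field `// +kubebuilder:default=false` with `omitempty` and drop it from `required`; if it must be explicit, say so in the field's doc comment so the schema carries a description. Note also that `insecureSkipTlsVerify` and `testAuthentication` disappear from RemoteUser here and v1beta1 has no equivalent field, so objects stored with either set lose that setting on conversion (the conversion code is outside this hunk); that deserves a line in the release notes.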
@@ -651,17 +381,6 @@ spec: status: type: string type: object - gitServerConfiguration: - properties: - authenticationEndpoint: - type: string - caBundle: - type: string - inherited: - type: boolean - insecureSkipTlsVerify: - type: boolean - type: object gitUser: type: string lastAuthTime: @@ -676,4 +395,4 @@ spec: subresources: status: {} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/1.0.0/templates/crd/syngit.syngit.io_remoteuserbinding.yaml b/charts/0.1.0/templates/crd/syngit.syngit.io_remoteuserbinding.yaml similarity index 66% rename from charts/1.0.0/templates/crd/syngit.syngit.io_remoteuserbinding.yaml rename to charts/0.1.0/templates/crd/syngit.syngit.io_remoteuserbinding.yaml index 8e94fee..9ef67f4 100644 --- a/charts/1.0.0/templates/crd/syngit.syngit.io_remoteuserbinding.yaml +++ b/charts/0.1.0/templates/crd/syngit.syngit.io_remoteuserbinding.yaml @@ -5,8 +5,21 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 + {{- if eq .Values.webhook.certmanager.enable true }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/operator-webhook-cert + {{- end }} name: remoteuserbindings.syngit.syngit.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + namespace: {{ .Release.Namespace }} + name: webhook-crd-service + path: /convert + conversionReviewVersions: + - v1 group: syngit.syngit.io names: kind: RemoteUserBinding @@ -15,7 +28,7 @@ spec: singular: remoteuserbinding scope: Namespaced versions: - - name: v1alpha1 + - name: v1alpha4 schema: openAPIV3Schema: description: RemoteUserBinding is the Schema for the remoteuserbindings API 
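Review bot: The `conversion.webhook.clientConfig` added in the `@@ -5,8 +5,21 @@` hunk of syngit.syngit.io_remoteuserbinding.yaml carries no `caBundle`, and the `cert-manager.io/inject-ca-from` annotation that would supply one is rendered only when `.Values.webhook.certmanager.enable` is true. With cert-manager disabled the API server has no trust anchor for the conversion server, so every read or write of an object stored at a non-storage version fails with a TLS error and the CRD becomes partly unusable. Either gate the whole `conversion:` stanza on the same condition, or add a `caBundle:` entry fed from a chart value (a `webhook.caBundle`-style key, which does not exist yet) for the manually provisioned certificate case. The annotation also hard-codes the Certificate name `operator-webhook-cert` instead of reading it from values; if the remoteuser and remotesyncer CRD templates received the same stanza, the same points apply there.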
@@ -177,177 +190,11 @@ spec: type: string type: object type: object - served: true - storage: false - subresources: - status: {} - - name: v2alpha2 - schema: - openAPIV3Schema: - description: RemoteUserBinding is the Schema for the remoteuserbindings API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - remoteRefs: - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. 
This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - subject: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - required: - - remoteRefs - - subject - type: object - status: - properties: - gitUserHosts: - items: - properties: - gitFQDN: - type: string - lastUsedTime: - format: date-time - type: string - remoteUserUsed: - type: string - secretRef: - description: |- - SecretReference represents a Secret Reference. 
It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: namespace defines the space within which the - secret name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - state: - type: string - required: - - secretRef - type: object - type: array - lastUsedTime: - format: date-time - type: string - state: - type: string - userKubernetesID: - type: string - type: object - type: object - served: true + served: false storage: false subresources: status: {} - - name: v3alpha3 + - name: v1beta1 schema: openAPIV3Schema: description: RemoteUserBinding is the Schema for the remoteuserbindings API diff --git a/charts/1.0.0/templates/monitoring/monitor.yaml b/charts/0.1.0/templates/monitoring/monitor.yaml similarity index 100% rename from charts/1.0.0/templates/monitoring/monitor.yaml rename to charts/0.1.0/templates/monitoring/monitor.yaml diff --git a/charts/1.0.0/templates/rbac/controller/auth_proxy_client_clusterrole.yaml b/charts/0.1.0/templates/rbac/controller/auth_proxy_client_clusterrole.yaml similarity index 100% rename from charts/1.0.0/templates/rbac/controller/auth_proxy_client_clusterrole.yaml rename to charts/0.1.0/templates/rbac/controller/auth_proxy_client_clusterrole.yaml diff --git a/charts/1.0.0/templates/rbac/controller/auth_proxy_role.yaml b/charts/0.1.0/templates/rbac/controller/auth_proxy_role.yaml similarity index 100% rename from charts/1.0.0/templates/rbac/controller/auth_proxy_role.yaml rename to charts/0.1.0/templates/rbac/controller/auth_proxy_role.yaml 
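Review bot: Dropping `v2alpha2` and `v3alpha3` from `spec.versions` (this hunk, together with the `- name: v1alpha1` → `v1alpha4` relabel in the earlier `@@ -15,7 +28,7 @@` hunk) will be rejected by the API server on a cluster upgraded from the 1.0.x chart if either version is still listed in the CRD's `status.storedVersions`, since stored versions must remain in `spec.versions`. Existing objects then have to be rewritten at the new storage version and `status.storedVersions` pruned before this manifest applies, and nothing in this chunk performs that migration. Worth a line next to the version list, e.g. `# v2alpha2/v3alpha3 removed in 0.1.0: migrate status.storedVersions before upgrading from 1.0.x`. `v1alpha4` is also flipped to `served: false` here, so objects still stored at that version are readable only through the conversion webhook, which makes its availability a hard dependency for this resource.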
diff --git a/charts/1.0.0/templates/rbac/controller/auth_proxy_role_binding.yaml b/charts/0.1.0/templates/rbac/controller/auth_proxy_role_binding.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/controller/auth_proxy_role_binding.yaml
rename to charts/0.1.0/templates/rbac/controller/auth_proxy_role_binding.yaml
diff --git a/charts/1.0.0/templates/rbac/controller/leader_election_role.yaml b/charts/0.1.0/templates/rbac/controller/leader_election_role.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/controller/leader_election_role.yaml
rename to charts/0.1.0/templates/rbac/controller/leader_election_role.yaml
diff --git a/charts/1.0.0/templates/rbac/controller/leader_election_role_binding.yaml b/charts/0.1.0/templates/rbac/controller/leader_election_role_binding.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/controller/leader_election_role_binding.yaml
rename to charts/0.1.0/templates/rbac/controller/leader_election_role_binding.yaml
diff --git a/charts/1.0.0/templates/rbac/controller/role.yaml b/charts/0.1.0/templates/rbac/controller/role.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/controller/role.yaml
rename to charts/0.1.0/templates/rbac/controller/role.yaml
diff --git a/charts/1.0.0/templates/rbac/controller/role_binding.yaml b/charts/0.1.0/templates/rbac/controller/role_binding.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/controller/role_binding.yaml
rename to charts/0.1.0/templates/rbac/controller/role_binding.yaml
diff --git a/charts/1.0.0/templates/rbac/controller/service_account.yaml b/charts/0.1.0/templates/rbac/controller/service_account.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/controller/service_account.yaml
rename to charts/0.1.0/templates/rbac/controller/service_account.yaml
diff --git a/charts/1.0.0/templates/rbac/end-user/remotesyncer_editor_role.yaml b/charts/0.1.0/templates/rbac/end-user/remotesyncer_editor_role.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/end-user/remotesyncer_editor_role.yaml
rename to charts/0.1.0/templates/rbac/end-user/remotesyncer_editor_role.yaml
diff --git a/charts/1.0.0/templates/rbac/end-user/remotesyncer_viewer_role.yaml b/charts/0.1.0/templates/rbac/end-user/remotesyncer_viewer_role.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/end-user/remotesyncer_viewer_role.yaml
rename to charts/0.1.0/templates/rbac/end-user/remotesyncer_viewer_role.yaml
diff --git a/charts/1.0.0/templates/rbac/end-user/remoteuser_editor_role.yaml b/charts/0.1.0/templates/rbac/end-user/remoteuser_editor_role.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/end-user/remoteuser_editor_role.yaml
rename to charts/0.1.0/templates/rbac/end-user/remoteuser_editor_role.yaml
diff --git a/charts/1.0.0/templates/rbac/end-user/remoteuser_viewer_role.yaml b/charts/0.1.0/templates/rbac/end-user/remoteuser_viewer_role.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/end-user/remoteuser_viewer_role.yaml
rename to charts/0.1.0/templates/rbac/end-user/remoteuser_viewer_role.yaml
diff --git a/charts/1.0.0/templates/rbac/end-user/remoteuserbinding_editor_role.yaml b/charts/0.1.0/templates/rbac/end-user/remoteuserbinding_editor_role.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/end-user/remoteuserbinding_editor_role.yaml
rename to charts/0.1.0/templates/rbac/end-user/remoteuserbinding_editor_role.yaml
diff --git a/charts/1.0.0/templates/rbac/end-user/remoteuserbinding_viewer_role.yaml b/charts/0.1.0/templates/rbac/end-user/remoteuserbinding_viewer_role.yaml
similarity index 100%
rename from charts/1.0.0/templates/rbac/end-user/remoteuserbinding_viewer_role.yaml
rename to charts/0.1.0/templates/rbac/end-user/remoteuserbinding_viewer_role.yaml
diff --git a/charts/1.0.0/templates/webhook/webhook-service.yaml b/charts/0.1.0/templates/webhook/webhook-service.yaml similarity index 100% rename from charts/1.0.0/templates/webhook/webhook-service.yaml rename to charts/0.1.0/templates/webhook/webhook-service.yaml diff --git a/charts/1.0.0/templates/webhook/webhook.yaml b/charts/0.1.0/templates/webhook/webhook.yaml similarity index 83% rename from charts/1.0.0/templates/webhook/webhook.yaml rename to charts/0.1.0/templates/webhook/webhook.yaml index 05b5879..15f55ec 100644 --- a/charts/1.0.0/templates/webhook/webhook.yaml +++ b/charts/0.1.0/templates/webhook/webhook.yaml @@ -14,14 +14,14 @@ webhooks: service: name: webhook-crd-service namespace: {{ .Release.Namespace }} - path: /validate-syngit-syngit-io-v3alpha3-remoteuser + path: /validate-syngit-syngit-io-v1beta1-remoteuser failurePolicy: Fail name: vremoteuser.kb.io rules: - apiGroups: - syngit.syngit.io apiVersions: - - v3alpha3 + - v1beta1 operations: - CREATE - UPDATE @@ -34,14 +34,14 @@ webhooks: service: name: webhook-crd-service namespace: {{ .Release.Namespace }} - path: /validate-syngit-syngit-io-v3alpha3-remotesyncer + path: /validate-syngit-syngit-io-v1beta1-remotesyncer failurePolicy: Fail name: vremotesyncer.kb.io rules: - apiGroups: - syngit.syngit.io apiVersions: - - v3alpha3 + - v1beta1 operations: - CREATE - UPDATE @@ -54,14 +54,14 @@ webhooks: service: name: webhook-crd-service namespace: {{ .Release.Namespace }} - path: /reconcile-syngit-remoteuser-owner + path: /syngit-v1beta1-remoteuser-association failurePolicy: Fail - name: vremoteusers-owner.kb.io + name: vremoteusers-association.v1beta1.syngit.io rules: - apiGroups: - syngit.syngit.io apiVersions: - - v3alpha3 + - v1beta1 operations: - CREATE - DELETE diff --git a/charts/1.0.1/values.yaml b/charts/0.1.0/values.yaml similarity index 91% rename from charts/1.0.1/values.yaml rename to charts/0.1.0/values.yaml index 43452f8..5346775 100644 --- a/charts/1.0.1/values.yaml 
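Review bot: All three webhook rules in webhook.yaml now match only `apiVersions: [v1beta1]`, so whether a write submitted as another served version is still validated depends on each entry's `matchPolicy`, which sits above these hunks: with the admissionregistration v1 default `Equivalent` the API server converts and still calls the webhook, but if any entry sets `matchPolicy: Exact`, an object applied as a different served version would skip validation entirely. Please confirm the entries rely on the default, or list every served version explicitly. Separately, the third entry is renamed to `vremoteusers-association.v1beta1.syngit.io` while the first two keep `vremoteuser.kb.io`/`vremotesyncer.kb.io`, and its handler path becomes `/syngit-v1beta1-remoteuser-association`; the manager must register exactly that path (the Go side is not in this chunk), and one naming scheme across the three entries would avoid further churn. Each `webhooks:` list item starts outside its hunk.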
+++ b/charts/0.1.0/values.yaml @@ -9,7 +9,8 @@ controller: image: prefix: ghcr.io/syngit-org name: syngit - tag: 1.0.1 + tag: 0.1.0 + # imagePullSecrets: securityContext: runAsUser: 1000 @@ -62,7 +63,7 @@ monitoring: installCRD: true -configuration: - gitlab: true - github: true - bitbucket: true +providers: + gitlab: false + github: false + bitbucket: false diff --git a/charts/1.0.0/templates/config/bitbucket-configuration.yaml b/charts/1.0.0/templates/config/bitbucket-configuration.yaml deleted file mode 100644 index b3f5434..0000000 --- a/charts/1.0.0/templates/config/bitbucket-configuration.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{- if eq .Values.configuration.bitbucket true }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: bitbucket.org -data: - authenticationEndpoint: https://api.bitbucket.org/2.0/user -{{- end }} \ No newline at end of file diff --git a/charts/1.0.0/templates/config/github-configuration.yaml b/charts/1.0.0/templates/config/github-configuration.yaml deleted file mode 100644 index 9b1600a..0000000 --- a/charts/1.0.0/templates/config/github-configuration.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{- if eq .Values.configuration.github true }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: github.com -data: - authenticationEndpoint: https://api.github.com/user -{{- end }} \ No newline at end of file diff --git a/charts/1.0.0/templates/config/gitlab-configuration.yaml b/charts/1.0.0/templates/config/gitlab-configuration.yaml deleted file mode 100644 index 258ed8f..0000000 --- a/charts/1.0.0/templates/config/gitlab-configuration.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{- if eq .Values.configuration.gitlab true }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: gitlab.com -data: - authenticationEndpoint: https://gitlab.com/api/v4/user -{{- end }} \ No newline at end of file diff --git a/charts/1.0.0/values.yaml b/charts/1.0.0/values.yaml deleted file mode 100644 index 00fda44..0000000 --- a/charts/1.0.0/values.yaml +++ /dev/null 
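Review bot: The `configuration:` → `providers:` rename in the `@@ -62,7 +63,7 @@` hunk, with all three defaults flipped to false, is a silent behavior change: a 0.1.0 template that still reads `.Values.configuration.<provider>` compares nil with true and renders nothing, and users carrying the 1.0.x values layout get no provider ConfigMap and no error. The 0.1.0 config templates are not in this chunk, so please verify they were updated; a comment above the block, e.g. `# providers: per-provider ConfigMap toggles (key was "configuration" in the 1.0.x chart)`, would document the rename for upgraders. Note also that the chart directory and image `tag` go from 1.0.1 to 0.1.0 in the `@@ -9,7 +9,8 @@` hunk; if the 1.0.x charts remain in the published index, semver resolution keeps selecting them over 0.1.0 unless a version is pinned.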
@@ -1,68 +0,0 @@ -webhook: - certmanager: - enable: true - certificate: - name: webhook-cert - secret: webhook-server-cert - -controller: - image: - prefix: ghcr.io/syngit-org - name: syngit - tag: 1.0.0 - - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - privileged: false - runAsNonRoot: true - seccompProfile: - type: "RuntimeDefault" - capabilities: - drop: - - "ALL" - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - tolerations: [] - - metrics: - enable: false - bindAddress: 127.0.0.1:8080 - - rbacProxy: - enable: false - upstreamAddress: http://127.0.0.1:8080/ - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - privileged: false - runAsNonRoot: true - seccompProfile: - type: "RuntimeDefault" - capabilities: - drop: - - "ALL" - - dynamicWebhookName: "remotesyncer.syngit.io" - -monitoring: - enable: false - -installCRD: true - -configuration: - gitlab: true - github: true - bitbucket: true diff --git a/charts/1.0.1/Chart.yaml b/charts/1.0.1/Chart.yaml deleted file mode 100644 index d761ca6..0000000 --- a/charts/1.0.1/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: syngit -description: An operator to push resources onto git -type: application -version: 1.0.1 -appVersion: 1.0.1 -home: https://github.com/syngit-org/syngit -icon: https://raw.githubusercontent.com/syngit-org/syngit/main/img/icon.png -maintainers: - - email: dassieu.damien@gmail.com - name: Damien diff --git a/charts/1.0.1/templates/certmanager/certificate.yaml b/charts/1.0.1/templates/certmanager/certificate.yaml deleted file mode 100644 index 4a8574d..0000000 --- a/charts/1.0.1/templates/certmanager/certificate.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -{{- if eq .Values.webhook.certmanager.enable true }} ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - labels: - app.kubernetes.io/name: certificate - app.kubernetes.io/instance: serving-cert - app.kubernetes.io/component: certificate - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-selfsigned-issuer -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - labels: - app.kubernetes.io/name: certificate - app.kubernetes.io/instance: serving-cert - app.kubernetes.io/component: certificate - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: operator-webhook-cert -spec: - dnsNames: - - webhook-crd-service.{{ .Release.Namespace }}.svc - - webhook-crd-service.{{ .Release.Namespace }}.svc.local - - syngit-remote-syncer-webhook-service.{{ .Release.Namespace }}.svc - - syngit-remote-syncer-webhook-service.{{ .Release.Namespace }}.svc.local - issuerRef: - kind: Issuer - name: {{ .Release.Name }}-selfsigned-issuer - secretName: {{ .Values.webhook.certmanager.certificate.secret }} -{{- end }} \ No newline at end of file diff --git a/charts/1.0.1/templates/config/bitbucket-configuration.yaml b/charts/1.0.1/templates/config/bitbucket-configuration.yaml deleted file mode 100644 index b3f5434..0000000 --- a/charts/1.0.1/templates/config/bitbucket-configuration.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{- if eq .Values.configuration.bitbucket true }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: bitbucket.org -data: - authenticationEndpoint: https://api.bitbucket.org/2.0/user -{{- end }} \ No newline at end of file diff --git a/charts/1.0.1/templates/config/github-configuration.yaml b/charts/1.0.1/templates/config/github-configuration.yaml deleted file mode 100644 index 9b1600a..0000000 --- a/charts/1.0.1/templates/config/github-configuration.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -{{- if eq .Values.configuration.github true }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: github.com -data: - authenticationEndpoint: https://api.github.com/user -{{- end }} \ No newline at end of file diff --git a/charts/1.0.1/templates/config/gitlab-configuration.yaml b/charts/1.0.1/templates/config/gitlab-configuration.yaml deleted file mode 100644 index 258ed8f..0000000 --- a/charts/1.0.1/templates/config/gitlab-configuration.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{- if eq .Values.configuration.gitlab true }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: gitlab.com -data: - authenticationEndpoint: https://gitlab.com/api/v4/user -{{- end }} \ No newline at end of file diff --git a/charts/1.0.1/templates/controller/auth_proxy_service.yaml b/charts/1.0.1/templates/controller/auth_proxy_service.yaml deleted file mode 100644 index c09041c..0000000 --- a/charts/1.0.1/templates/controller/auth_proxy_service.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if eq .Values.controller.rbacProxy.enable true }} ---- -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - app.kubernetes.io/name: service - app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-controller-manager-metrics-service -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager -{{- end }} diff --git a/charts/1.0.1/templates/controller/manager.yaml b/charts/1.0.1/templates/controller/manager.yaml deleted file mode 100644 index 94ce511..0000000 --- a/charts/1.0.1/templates/controller/manager.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - labels: - control-plane: controller-manager - app.kubernetes.io/name: deployment - app.kubernetes.io/instance: controller-manager - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} -spec: - selector: - matchLabels: - control-plane: controller-manager - replicas: 1 - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - control-plane: controller-manager - spec: - containers: - {{- if eq .Values.controller.metrics.enable true }} - - name: kube-rbac-proxy - securityContext: {{ toYaml .Values.controller.rbacProxy.securityContext | nindent 10 }} - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream={{ .Values.controller.rbacProxy.upstreamAddress }}" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: {{ toYaml .Values.controller.rbacProxy.resources | nindent 10 }} - {{- end }} - - command: - - /manager - args: - - "--leader-elect" - {{- if eq .Values.controller.metrics.enable true }} - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address={{ .Values.controller.metrics.bindAddress }}" - {{- end }} - image: {{ .Values.controller.image.prefix }}/{{ .Values.controller.image.name }}:{{ .Values.controller.image.tag }} - env: - - name: MANAGER_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: DYNAMIC_WEBHOOK_NAME - value: {{ .Values.controller.dynamicWebhookName }} - name: manager - securityContext: {{ toYaml .Values.controller.securityContext | nindent 10 }} - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: {{ 
toYaml .Values.controller.resources | nindent 10 }} - ports: - - containerPort: 9443 - name: wbhk-crd-srv - protocol: TCP - - containerPort: 9444 - name: wbhk-pusher-srv - protocol: TCP - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - serviceAccountName: {{ .Release.Name }}-controller-manager - terminationGracePeriodSeconds: 10 - {{- if .Values.controller.tolerations }} - tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} - {{- end }} - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: {{ .Values.webhook.certmanager.certificate.secret }} \ No newline at end of file diff --git a/charts/1.0.1/templates/crd/syngit.syngit.io_remotesyncer.yaml b/charts/1.0.1/templates/crd/syngit.syngit.io_remotesyncer.yaml deleted file mode 100644 index 91de0ea..0000000 --- a/charts/1.0.1/templates/crd/syngit.syngit.io_remotesyncer.yaml +++ /dev/null 
@@ -1,2144 +0,0 @@ -{{- if eq .Values.installCRD true }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: remotesyncers.syngit.syngit.io -spec: - group: syngit.syngit.io - names: - kind: RemoteSyncer - listKind: RemoteSyncerList - plural: remotesyncers - singular: remotesyncer - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: RemoteSyncer is the Schema for the remotesyncers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - authorizedUsers: - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. 
Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - minItems: 1 - type: array - branch: - type: string - bypassInterceptionSubjects: - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - commitMode: - type: string - commitProcess: - type: string - defaultBlockAppliedMessage: - type: string - defaultUnauthorizedUserMode: - type: string - defaultUserBind: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - excludedFields: - items: - type: string - type: array - excludedResources: - items: - properties: - apiGroups: - items: - type: string - type: array - apiVersions: - items: - type: string - type: array - names: - items: - type: string - type: array - resources: - items: - type: string - type: array - required: - - apiGroups - - apiVersions - - resources - type: object - type: array - includedResources: - items: - properties: - apiGroups: - items: - type: string - type: array - apiVersions: - items: - type: string - type: array - names: - items: - type: string - type: array - repoPath: - type: string - resources: - items: - type: string - type: array - required: - - apiGroups - - apiVersions - - resources - type: object - type: array - operations: - items: - description: OperationType specifies an operation for a request. - type: string - maxItems: 3 - minItems: 1 - type: array - remoteRepository: - format: uri - type: string - required: - - authorizedUsers - - branch - - commitMode - - commitProcess - - defaultUnauthorizedUserMode - - operations - - remoteRepository - type: object - status: - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. 
For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastBypassedObjectState: - properties: - lastBypassObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastBypassObjectTime: - format: date-time - type: string - lastBypassObjectUserInfo: - description: |- - UserInfo holds the information about the user needed to implement the - user.Info interface. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf can - generate - items: - type: string - type: array - description: Any additional information provided by the authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user among - all active users. 
- type: string - type: object - type: object - lastObservedObjectState: - properties: - lastObservedObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastObservedObjectTime: - format: date-time - type: string - lastObservedObjectUserInfo: - description: |- - UserInfo holds the information about the user needed to implement the - user.Info interface. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf can - generate - items: - type: string - type: array - description: Any additional information provided by the authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user among - all active users. 
- type: string - type: object - type: object - lastPushedObjectState: - properties: - lastPushedGitUser: - type: string - lastPushedObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastPushedObjectCommitHash: - type: string - lastPushedObjectGitPath: - type: string - lastPushedObjectGitRepo: - type: string - lastPushedObjectState: - type: string - lastPushedObjectTime: - format: date-time - type: string - type: object - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha2 - schema: - openAPIV3Schema: - description: RemoteSyncer is the Schema for the remotesyncers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - authorizedUsers: - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. 
It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. 
- type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - minItems: 1 - type: array - branch: - type: string - bypassInterceptionSubjects: - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. 
If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - commitProcess: - type: string - defaultBlockAppliedMessage: - type: string - defaultUnauthorizedUserMode: - type: string - defaultUserBind: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . 
- properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - excludedFields: - items: - type: string - type: array - remoteRepository: - format: uri - type: string - rootPath: - type: string - scopedResources: - properties: - matchPolicy: - description: MatchPolicyType specifies the type of match policy. 
- type: string - objectSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - rules: - items: - description: |- - RuleWithOperations is a tuple of Operations and Resources. It is recommended to make - sure that all the tuple expansions are valid. - properties: - apiGroups: - description: |- - APIGroups is the API groups the resources belong to. '*' is all groups. 
- If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - apiVersions: - description: |- - APIVersions is the API versions the resources belong to. '*' is all versions. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - operations: - description: |- - Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * - for all of those operations and any future admission operations that are added. - If '*' is present, the length of the slice must be one. - Required. - items: - description: OperationType specifies an operation for - a request. - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Resources is a list of resources this rule applies to. - - - For example: - 'pods' means pods. - 'pods/log' means the log subresource of pods. - '*' means all resources, but not subresources. - 'pods/*' means all subresources of pods. - '*/scale' means all scale subresources. - '*/*' means all resources and their subresources. - - - If wildcard is present, the validation rule will ensure resources do not - overlap with each other. - - - Depending on the enclosing object, subresources might not be allowed. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - scope: - description: |- - scope specifies the scope of this rule. - Valid values are "Cluster", "Namespaced", and "*" - "Cluster" means that only cluster-scoped resources will match this rule. - Namespace API objects are cluster-scoped. - "Namespaced" means that only namespaced resources will match this rule. - "*" means that there are no scope restrictions. - Subresources match the scope of their parent resource. - Default is "*". 
- type: string - type: object - type: array - type: object - required: - - authorizedUsers - - branch - - commitProcess - - defaultUnauthorizedUserMode - - remoteRepository - type: object - status: - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastBypassedObjectState: - properties: - lastBypassObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastBypassObjectTime: - format: date-time - type: string - lastBypassObjectUserInfo: - description: |- - UserInfo holds the information about the user needed to implement the - user.Info interface. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf can - generate - items: - type: string - type: array - description: Any additional information provided by the authenticator. - type: object - groups: - description: The names of groups this user is a part of. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user among - all active users. - type: string - type: object - type: object - lastObservedObjectState: - properties: - lastObservedObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastObservedObjectTime: - format: date-time - type: string - lastObservedObjectUserInfo: - description: |- - UserInfo holds the information about the user needed to implement the - user.Info interface. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf can - generate - items: - type: string - type: array - description: Any additional information provided by the authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user among - all active users. 
- type: string - type: object - type: object - lastPushedObjectState: - properties: - lastPushedGitUser: - type: string - lastPushedObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastPushedObjectCommitHash: - type: string - lastPushedObjectGitPath: - type: string - lastPushedObjectGitRepo: - type: string - lastPushedObjectState: - type: string - lastPushedObjectTime: - format: date-time - type: string - type: object - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - description: RemoteSyncer is the Schema for the remotesyncers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - branch: - type: string - bypassInterceptionSubjects: - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. 
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - commitProcess: - type: string - defaultBlockAppliedMessage: - type: string - defaultUnauthorizedUserMode: - type: string - defaultUser: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. 
We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - excludedFields: - items: - type: string - type: array - excludedFieldsConfig: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. 
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - remoteRepository: - format: uri - type: string - rootPath: - type: string - scopedResources: - properties: - matchPolicy: - description: MatchPolicyType specifies the type of match policy. - type: string - objectSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - rules: - items: - description: |- - RuleWithOperations is a tuple of Operations and Resources. It is recommended to make - sure that all the tuple expansions are valid. - properties: - apiGroups: - description: |- - APIGroups is the API groups the resources belong to. '*' is all groups. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - apiVersions: - description: |- - APIVersions is the API versions the resources belong to. '*' is all versions. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - operations: - description: |- - Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * - for all of those operations and any future admission operations that are added. - If '*' is present, the length of the slice must be one. - Required. - items: - description: OperationType specifies an operation for - a request. - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Resources is a list of resources this rule applies to. - - - For example: - 'pods' means pods. - 'pods/log' means the log subresource of pods. - '*' means all resources, but not subresources. - 'pods/*' means all subresources of pods. - '*/scale' means all scale subresources. - '*/*' means all resources and their subresources. - - - If wildcard is present, the validation rule will ensure resources do not - overlap with each other. - - - Depending on the enclosing object, subresources might not be allowed. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - scope: - description: |- - scope specifies the scope of this rule. - Valid values are "Cluster", "Namespaced", and "*" - "Cluster" means that only cluster-scoped resources will match this rule. 
- Namespace API objects are cluster-scoped. - "Namespaced" means that only namespaced resources will match this rule. - "*" means that there are no scope restrictions. - Subresources match the scope of their parent resource. - Default is "*". - type: string - type: object - type: array - type: object - required: - - branch - - commitProcess - - defaultUnauthorizedUserMode - - remoteRepository - type: object - status: - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastBypassedObjectState: - properties: - lastBypassObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastBypassObjectTime: - format: date-time - type: string - lastBypassObjectUserInfo: - description: |- - UserInfo holds the information about the user needed to implement the - user.Info interface. 
- properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf can - generate - items: - type: string - type: array - description: Any additional information provided by the authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user among - all active users. - type: string - type: object - type: object - lastObservedObjectState: - properties: - lastObservedObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastObservedObjectTime: - format: date-time - type: string - lastObservedObjectUserInfo: - description: |- - UserInfo holds the information about the user needed to implement the - user.Info interface. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf can - generate - items: - type: string - type: array - description: Any additional information provided by the authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user among - all active users. 
- type: string - type: object - type: object - lastPushedObjectState: - properties: - lastPushedGitUser: - type: string - lastPushedObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastPushedObjectCommitHash: - type: string - lastPushedObjectGitPath: - type: string - lastPushedObjectGitRepo: - type: string - lastPushedObjectState: - type: string - lastPushedObjectTime: - format: date-time - type: string - type: object - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha4 - schema: - openAPIV3Schema: - description: RemoteSyncer is the Schema for the remotesyncers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - branch: - type: string - bypassInterceptionSubjects: - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. 
- Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - commitProcess: - type: string - defaultBlockAppliedMessage: - type: string - defaultUnauthorizedUserMode: - type: string - defaultUser: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. 
We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - excludedFields: - items: - type: string - type: array - excludedFieldsConfig: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. 
- For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - remoteRepository: - format: uri - type: string - rootPath: - type: string - scopedResources: - properties: - matchPolicy: - description: MatchPolicyType specifies the type of match policy. - type: string - objectSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - rules: - items: - description: |- - RuleWithOperations is a tuple of Operations and Resources. It is recommended to make - sure that all the tuple expansions are valid. - properties: - apiGroups: - description: |- - APIGroups is the API groups the resources belong to. '*' is all groups. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - apiVersions: - description: |- - APIVersions is the API versions the resources belong to. '*' is all versions. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - operations: - description: |- - Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * - for all of those operations and any future admission operations that are added. - If '*' is present, the length of the slice must be one. - Required. - items: - description: OperationType specifies an operation for - a request. - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Resources is a list of resources this rule applies to. - - - For example: - 'pods' means pods. - 'pods/log' means the log subresource of pods. - '*' means all resources, but not subresources. - 'pods/*' means all subresources of pods. - '*/scale' means all scale subresources. - '*/*' means all resources and their subresources. - - - If wildcard is present, the validation rule will ensure resources do not - overlap with each other. - - - Depending on the enclosing object, subresources might not be allowed. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - scope: - description: |- - scope specifies the scope of this rule. - Valid values are "Cluster", "Namespaced", and "*" - "Cluster" means that only cluster-scoped resources will match this rule. 
- Namespace API objects are cluster-scoped. - "Namespaced" means that only namespaced resources will match this rule. - "*" means that there are no scope restrictions. - Subresources match the scope of their parent resource. - Default is "*". - type: string - type: object - type: array - type: object - required: - - branch - - commitProcess - - defaultUnauthorizedUserMode - - remoteRepository - type: object - status: - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastBypassedObjectState: - properties: - lastBypassObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastBypassObjectTime: - format: date-time - type: string - lastBypassObjectUserInfo: - description: |- - UserInfo holds the information about the user needed to implement the - user.Info interface. 
- properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf can - generate - items: - type: string - type: array - description: Any additional information provided by the authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user among - all active users. - type: string - type: object - type: object - lastObservedObjectState: - properties: - lastObservedObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastObservedObjectTime: - format: date-time - type: string - lastObservedObjectUserInfo: - description: |- - UserInfo holds the information about the user needed to implement the - user.Info interface. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf can - generate - items: - type: string - type: array - description: Any additional information provided by the authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - x-kubernetes-list-type: atomic - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user among - all active users. 
- type: string - type: object - type: object - lastPushedObjectState: - properties: - lastPushedGitUser: - type: string - lastPushedObject: - properties: - group: - type: string - name: - type: string - resource: - type: string - version: - type: string - required: - - group - - name - - resource - - version - type: object - lastPushedObjectCommitHash: - type: string - lastPushedObjectGitPath: - type: string - lastPushedObjectGitRepo: - type: string - lastPushedObjectState: - type: string - lastPushedObjectTime: - format: date-time - type: string - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - -{{- end }}
diff --git a/charts/1.0.1/templates/crd/syngit.syngit.io_remoteuser.yaml b/charts/1.0.1/templates/crd/syngit.syngit.io_remoteuser.yaml
deleted file mode 100644
index a78651c..0000000
--- a/charts/1.0.1/templates/crd/syngit.syngit.io_remoteuser.yaml
+++ /dev/null
@@ -1,899 +0,0 @@ -{{- if eq .Values.installCRD true }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: remoteusers.syngit.syngit.io -spec: - group: syngit.syngit.io - names: - kind: RemoteUser - listKind: RemoteUserList - plural: remoteusers - singular: remoteuser - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: RemoteUser is the Schema for the remoteusers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - customGitServerConfigRef: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. 
Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - email: - type: string - gitBaseDomainFQDN: - type: string - insecureSkipTlsVerify: - type: boolean - secretRef: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference a - secret resource. - type: string - namespace: - description: namespace defines the space within which the secret - name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - testAuthentication: - type: boolean - required: - - email - - gitBaseDomainFQDN - - secretRef - type: object - status: - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. 
For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - connexionStatus: - properties: - details: - type: string - status: - type: string - type: object - gitServerConfiguration: - properties: - authenticationEndpoint: - type: string - caBundle: - type: string - inherited: - type: boolean - insecureSkipTlsVerify: - type: boolean - type: object - gitUser: - type: string - lastAuthTime: - format: date-time - type: string - secretBoundStatus: - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha2 - schema: - openAPIV3Schema: - description: RemoteUser is the Schema for the remoteusers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - customGitServerConfigRef: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - email: - type: string - gitBaseDomainFQDN: - type: string - insecureSkipTlsVerify: - type: boolean - ownRemoteUserBinding: - type: boolean - secretRef: - description: |- - SecretReference represents a Secret Reference. 
It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference a - secret resource. - type: string - namespace: - description: namespace defines the space within which the secret - name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - testAuthentication: - type: boolean - required: - - email - - gitBaseDomainFQDN - - ownRemoteUserBinding - - secretRef - type: object - status: - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. 
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - connexionStatus: - properties: - details: - type: string - status: - type: string - type: object - gitServerConfiguration: - properties: - authenticationEndpoint: - type: string - caBundle: - type: string - inherited: - type: boolean - insecureSkipTlsVerify: - type: boolean - type: object - gitUser: - type: string - lastAuthTime: - format: date-time - type: string - secretBoundStatus: - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - description: RemoteUser is the Schema for the remoteusers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - customGitServerConfigRef: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. 
- --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - email: - type: string - gitBaseDomainFQDN: - type: string - insecureSkipTlsVerify: - type: boolean - ownRemoteUserBinding: - type: boolean - secretRef: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference a - secret resource. - type: string - namespace: - description: namespace defines the space within which the secret - name must be unique. 
- type: string - type: object - x-kubernetes-map-type: atomic - testAuthentication: - type: boolean - required: - - email - - gitBaseDomainFQDN - - ownRemoteUserBinding - - secretRef - type: object - status: - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - connexionStatus: - properties: - details: - type: string - status: - type: string - type: object - gitServerConfiguration: - properties: - authenticationEndpoint: - type: string - caBundle: - type: string - inherited: - type: boolean - insecureSkipTlsVerify: - type: boolean - type: object - gitUser: - type: string - lastAuthTime: - format: date-time - type: string - secretBoundStatus: - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha4 - schema: - openAPIV3Schema: - description: RemoteUser is the Schema for the remoteusers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - customGitServerConfigRef: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. 
- - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - email: - type: string - gitBaseDomainFQDN: - type: string - insecureSkipTlsVerify: - type: boolean - ownRemoteUserBinding: - type: boolean - secretRef: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference a - secret resource. - type: string - namespace: - description: namespace defines the space within which the secret - name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - testAuthentication: - type: boolean - required: - - email - - gitBaseDomainFQDN - - ownRemoteUserBinding - - secretRef - type: object - status: - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. 
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - connexionStatus: - properties: - details: - type: string - status: - type: string - type: object - gitServerConfiguration: - properties: - authenticationEndpoint: - type: string - caBundle: - type: string - inherited: - type: boolean - insecureSkipTlsVerify: - type: boolean - type: object - gitUser: - type: string - lastAuthTime: - format: date-time - type: string - secretBoundStatus: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/charts/1.0.1/templates/crd/syngit.syngit.io_remoteuserbinding.yaml b/charts/1.0.1/templates/crd/syngit.syngit.io_remoteuserbinding.yaml deleted file mode 100644 index c134b11..0000000 --- a/charts/1.0.1/templates/crd/syngit.syngit.io_remoteuserbinding.yaml +++ /dev/null 
@@ -1,683 +0,0 @@ -{{- if eq .Values.installCRD true }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: remoteuserbindings.syngit.syngit.io -spec: - group: syngit.syngit.io - names: - kind: RemoteUserBinding - listKind: RemoteUserBindingList - plural: remoteuserbindings - singular: remoteuserbinding - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: RemoteUserBinding is the Schema for the remoteuserbindings API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - remoteRefs: - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". 
- Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - subject: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - required: - - remoteRefs - - subject - type: object - status: - properties: - gitUserHosts: - items: - properties: - gitFQDN: - type: string - lastUsedTime: - format: date-time - type: string - remoteUserUsed: - type: string - secretRef: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: namespace defines the space within which the - secret name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - state: - type: string - required: - - secretRef - type: object - type: array - lastUsedTime: - format: date-time - type: string - state: - type: string - userKubernetesID: - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha2 - schema: - openAPIV3Schema: - description: RemoteUserBinding is the Schema for the remoteuserbindings API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - remoteRefs: - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - subject: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. 
- properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - required: - - remoteRefs - - subject - type: object - status: - properties: - gitUserHosts: - items: - properties: - gitFQDN: - type: string - lastUsedTime: - format: date-time - type: string - remoteUserUsed: - type: string - secretRef: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: namespace defines the space within which the - secret name must be unique. 
- type: string - type: object - x-kubernetes-map-type: atomic - state: - type: string - required: - - secretRef - type: object - type: array - lastUsedTime: - format: date-time - type: string - state: - type: string - userKubernetesID: - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - description: RemoteUserBinding is the Schema for the remoteuserbindings API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - remoteRefs: - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. 
Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - subject: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - required: - - remoteRefs - - subject - type: object - status: - properties: - gitUserHosts: - items: - properties: - gitFQDN: - type: string - lastUsedTime: - format: date-time - type: string - remoteUserUsed: - type: string - secretRef: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: namespace defines the space within which the - secret name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - state: - type: string - required: - - secretRef - type: object - type: array - lastUsedTime: - format: date-time - type: string - state: - type: string - userKubernetesID: - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha4 - schema: - openAPIV3Schema: - description: RemoteUserBinding is the Schema for the remoteuserbindings API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - remoteRefs: - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - subject: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. 
- properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - required: - - remoteRefs - - subject - type: object - status: - properties: - gitUserHosts: - items: - properties: - gitFQDN: - type: string - lastUsedTime: - format: date-time - type: string - remoteUserUsed: - type: string - secretRef: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: namespace defines the space within which the - secret name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - state: - type: string - required: - - secretRef - type: object - type: array - lastUsedTime: - format: date-time - type: string - state: - type: string - userKubernetesID: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - -{{- end }} diff --git a/charts/1.0.1/templates/monitoring/monitor.yaml b/charts/1.0.1/templates/monitoring/monitor.yaml deleted file mode 100644 index 32037d9..0000000 
--- a/charts/1.0.1/templates/monitoring/monitor.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if eq .Values.monitoring.enable true }} ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - labels: - control-plane: controller-manager - app.kubernetes.io/name: servicemonitor - app.kubernetes.io/instance: controller-manager-metrics-monitor - app.kubernetes.io/component: metrics - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-controller-manager-metrics-monitor -spec: - endpoints: - - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true - selector: - matchLabels: - control-plane: controller-manager -{{- end }} \ No newline at end of file diff --git a/charts/1.0.1/templates/rbac/controller/auth_proxy_client_clusterrole.yaml b/charts/1.0.1/templates/rbac/controller/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index 1015170..0000000 --- a/charts/1.0.1/templates/rbac/controller/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# {{- if eq .Values.controller.rbacProxy.enable true }} -# --- -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: ClusterRole -# metadata: -# labels: -# app.kubernetes.io/name: clusterrole -# app.kubernetes.io/instance: metrics-reader -# app.kubernetes.io/component: kube-rbac-proxy -# app.kubernetes.io/created-by: {{ .Release.Name }} -# app.kubernetes.io/part-of: {{ .Release.Name }} -# name: {{ .Release.Name }}-metrics-reader -# rules: -# - nonResourceURLs: -# - "/metrics" -# verbs: -# - get -# {{- end }} diff --git a/charts/1.0.1/templates/rbac/controller/auth_proxy_role.yaml b/charts/1.0.1/templates/rbac/controller/auth_proxy_role.yaml deleted file mode 100644 index 8f7cad3..0000000 --- a/charts/1.0.1/templates/rbac/controller/auth_proxy_role.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- if eq .Values.controller.rbacProxy.enable true }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -{{- end }} diff --git a/charts/1.0.1/templates/rbac/controller/auth_proxy_role_binding.yaml b/charts/1.0.1/templates/rbac/controller/auth_proxy_role_binding.yaml deleted file mode 100644 index a874a2c..0000000 --- a/charts/1.0.1/templates/rbac/controller/auth_proxy_role_binding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if eq .Values.controller.rbacProxy.enable true }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Release.Name }}-proxy-role -subjects: -- kind: ServiceAccount - name: {{ .Release.Name }}-controller-manager - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/charts/1.0.1/templates/rbac/controller/leader_election_role.yaml b/charts/1.0.1/templates/rbac/controller/leader_election_role.yaml deleted file mode 100644 index b579d48..0000000 --- a/charts/1.0.1/templates/rbac/controller/leader_election_role.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/name: role - app.kubernetes.io/instance: leader-election-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-leader-election-role -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch diff --git a/charts/1.0.1/templates/rbac/controller/leader_election_role_binding.yaml b/charts/1.0.1/templates/rbac/controller/leader_election_role_binding.yaml deleted file mode 100644 index 80f5c15..0000000 --- a/charts/1.0.1/templates/rbac/controller/leader_election_role_binding.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/name: rolebinding - app.kubernetes.io/instance: leader-election-rolebinding - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-leader-election-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ .Release.Name }}-leader-election-role -subjects: -- kind: ServiceAccount - name: {{ .Release.Name }}-controller-manager - namespace: {{ .Release.Namespace }} diff --git a/charts/1.0.1/templates/rbac/controller/role.yaml b/charts/1.0.1/templates/rbac/controller/role.yaml deleted file mode 100644 index 2973ce3..0000000 --- a/charts/1.0.1/templates/rbac/controller/role.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ .Release.Name }}-manager-role -rules: -# Any resources can be pushed to the git repo. -# The scope depends but the controller -# needs to be able to get,list,watch any of them -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch -# Create and patch events related to kgio objects in any namespace -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - syngit.syngit.io - resources: - - remoteusers - verbs: - - get - - list - - watch -- apiGroups: - - syngit.syngit.io - resources: - - remoteusers/status - verbs: - - get - - patch - - update -- apiGroups: - - syngit.syngit.io - resources: - - remoteuserbindings - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - syngit.syngit.io - resources: - - remoteuserbindings/finalizers - verbs: - - update -- apiGroups: - - syngit.syngit.io - resources: - - remoteuserbindings/status - verbs: - - get - - patch - - update -- apiGroups: - - syngit.syngit.io - resources: - - remotesyncers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - syngit.syngit.io - resources: - - remotesyncers/finalizers - verbs: - - update -- apiGroups: - - syngit.syngit.io - resources: - - remotesyncers/status - verbs: - - get - - patch - - update diff --git a/charts/1.0.1/templates/rbac/controller/role_binding.yaml b/charts/1.0.1/templates/rbac/controller/role_binding.yaml deleted file mode 100644 index 6fea6d6..0000000 --- a/charts/1.0.1/templates/rbac/controller/role_binding.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: manager-rolebinding - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Release.Name }}-manager-role -subjects: -- kind: ServiceAccount - name: {{ .Release.Name }}-controller-manager - namespace: {{ .Release.Namespace }} diff --git a/charts/1.0.1/templates/rbac/controller/service_account.yaml b/charts/1.0.1/templates/rbac/controller/service_account.yaml deleted file mode 100644 index 5e9b742..0000000 --- a/charts/1.0.1/templates/rbac/controller/service_account.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/name: serviceaccount - app.kubernetes.io/instance: controller-manager-sa - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-controller-manager diff --git a/charts/1.0.1/templates/rbac/end-user/remotesyncer_editor_role.yaml b/charts/1.0.1/templates/rbac/end-user/remotesyncer_editor_role.yaml deleted file mode 100644 index b2291d5..0000000 --- a/charts/1.0.1/templates/rbac/end-user/remotesyncer_editor_role.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: remotesyncers-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-remotesyncers-editor-role -rules: -- apiGroups: - - syngit.syngit.io - resources: - - remotesyncerss - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - syngit.syngit.io - resources: - - remotesyncerss/status - verbs: - - get diff --git a/charts/1.0.1/templates/rbac/end-user/remotesyncer_viewer_role.yaml b/charts/1.0.1/templates/rbac/end-user/remotesyncer_viewer_role.yaml deleted file mode 100644 index c15dd76..0000000 --- a/charts/1.0.1/templates/rbac/end-user/remotesyncer_viewer_role.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# permissions for end users to view remotesyncerss. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: remotesyncers-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-remotesyncers-viewer-role -rules: -- apiGroups: - - syngit.syngit.io - resources: - - remotesyncerss - verbs: - - get - - list - - watch -- apiGroups: - - syngit.syngit.io - resources: - - remotesyncerss/status - verbs: - - get diff --git a/charts/1.0.1/templates/rbac/end-user/remoteuser_editor_role.yaml b/charts/1.0.1/templates/rbac/end-user/remoteuser_editor_role.yaml deleted file mode 100644 index f4a7af0..0000000 --- a/charts/1.0.1/templates/rbac/end-user/remoteuser_editor_role.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: remoteuser-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-remoteuser-editor-role -rules: -- apiGroups: - - syngit.syngit.io - resources: - - remoteusers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - syngit.syngit.io - resources: - - remoteusers/status - verbs: - - get diff --git a/charts/1.0.1/templates/rbac/end-user/remoteuser_viewer_role.yaml b/charts/1.0.1/templates/rbac/end-user/remoteuser_viewer_role.yaml deleted file mode 100644 index e8def41..0000000 --- a/charts/1.0.1/templates/rbac/end-user/remoteuser_viewer_role.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: gitremote-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-gitremote-viewer-role -rules: -- apiGroups: - - syngit.syngit.io - resources: - - remoteusers - verbs: - - get - - list - - watch -- apiGroups: - - syngit.syngit.io - resources: - - remoteusers/status - verbs: - - get diff --git a/charts/1.0.1/templates/rbac/end-user/remoteuserbinding_editor_role.yaml b/charts/1.0.1/templates/rbac/end-user/remoteuserbinding_editor_role.yaml deleted file mode 100644 index 7f71339..0000000 --- a/charts/1.0.1/templates/rbac/end-user/remoteuserbinding_editor_role.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: remoteuserbinding-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-remoteuserbinding-editor-role -rules: -- apiGroups: - - syngit.syngit.io - resources: - - remoteuserbindings - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - syngit.syngit.io - resources: - - remoteuserbindings/status - verbs: - - get diff --git a/charts/1.0.1/templates/rbac/end-user/remoteuserbinding_viewer_role.yaml b/charts/1.0.1/templates/rbac/end-user/remoteuserbinding_viewer_role.yaml deleted file mode 100644 index 99f85ca..0000000 --- a/charts/1.0.1/templates/rbac/end-user/remoteuserbinding_viewer_role.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: remoteuserbinding-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: {{ .Release.Name }}-remoteuserbinding-viewer-role -rules: -- apiGroups: - - syngit.syngit.io - resources: - - remoteuserbindings - verbs: - - get - - list - - watch -- apiGroups: - - syngit.syngit.io - resources: - - remoteuserbindings/status - verbs: - - get diff --git a/charts/1.0.1/templates/webhook/webhook-service.yaml b/charts/1.0.1/templates/webhook/webhook-service.yaml deleted file mode 100644 index c715163..0000000 --- a/charts/1.0.1/templates/webhook/webhook-service.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: service - app.kubernetes.io/instance: webhook-crd-service - app.kubernetes.io/component: webhook - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: webhook-crd-service -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9443 - selector: - control-plane: controller-manager ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: service - app.kubernetes.io/instance: syngit-remote-syncer-webhook-service - app.kubernetes.io/component: webhook - app.kubernetes.io/created-by: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - name: syngit-remote-syncer-webhook-service -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9444 - selector: - control-plane: controller-manager \ No newline at end of file diff --git a/charts/1.0.1/templates/webhook/webhook.yaml b/charts/1.0.1/templates/webhook/webhook.yaml deleted file mode 100644 index f31a560..0000000 --- a/charts/1.0.1/templates/webhook/webhook.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: {{ .Release.Namespace }}-validating-webhook-configuration - {{- if eq .Values.webhook.certmanager.enable true }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/operator-webhook-cert - {{- end }} -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-crd-service - namespace: {{ .Release.Namespace }} - path: /validate-syngit-syngit-io-v1alpha4-remoteuser - failurePolicy: Fail - name: vremoteuser.kb.io - rules: - - apiGroups: - - syngit.syngit.io - apiVersions: - - v1alpha4 - operations: - - CREATE - - UPDATE - resources: - - remoteusers - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-crd-service - namespace: {{ .Release.Namespace }} - path: /validate-syngit-syngit-io-v1alpha4-remotesyncer - failurePolicy: Fail - name: vremotesyncer.kb.io - rules: - - apiGroups: - - syngit.syngit.io - apiVersions: - - v1alpha4 - operations: - - CREATE - - UPDATE - resources: - - remotesyncers - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-crd-service - namespace: {{ .Release.Namespace }} - path: /reconcile-syngit-remoteuser-owner - failurePolicy: Fail - name: vremoteusers-owner.kb.io - rules: - - apiGroups: - - syngit.syngit.io - apiVersions: - - v1alpha4 - operations: - - CREATE - - DELETE - resources: - - remoteusers - sideEffects: None \ No newline at end of file diff --git a/cmd/main.go b/cmd/main.go index f4ae780..0ffa460 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -39,6 +39,7 @@ import ( syngitv1alpha2 "syngit.io/syngit/api/v1alpha2" syngitv1alpha3 "syngit.io/syngit/api/v1alpha3" syngitv1alpha4 "syngit.io/syngit/api/v1alpha4" + syngitv1beta1 "syngit.io/syngit/api/v1beta1" "syngit.io/syngit/internal/controller" //+kubebuilder:scaffold:imports ) 
@@ -55,6 +56,7 @@ func init() {
 	utilruntime.Must(syngitv1alpha2.AddToScheme(scheme))
 	utilruntime.Must(syngitv1alpha3.AddToScheme(scheme))
 	utilruntime.Must(syngitv1alpha4.AddToScheme(scheme))
+	utilruntime.Must(syngitv1beta1.AddToScheme(scheme))
 
 	//+kubebuilder:scaffold:scheme
 }
@@ -137,7 +139,7 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "RemoteUser")
 		os.Exit(1)
 	}
-	mgr.GetWebhookServer().Register("/reconcile-syngit-remoteuser-owner", &webhook.Admission{Handler: &controller.RemoteUserWebhookHandler{
+	mgr.GetWebhookServer().Register("/syngit-v1beta1-remoteuser-association", &webhook.Admission{Handler: &controller.RemoteUserWebhookHandler{
 		Client: mgr.GetClient(),
 		Decoder: admission.NewDecoder(mgr.GetScheme()),
 	}})
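Review bot: The webhook path is renamed to `/syngit-v1beta1-remoteuser-association` on the `+` line of the second hunk, but nothing in this chunk updates the ValidatingWebhookConfiguration that calls it; the chart config deleted earlier in this patch pointed `vremoteusers-owner.kb.io` at `/reconcile-syngit-remoteuser-owner` with `failurePolicy: Fail` for CREATE/DELETE of `remoteusers`. If the replacement manifest (not visible here) still references the old path, every RemoteUser create/delete would presumably be rejected by the API server; if its rule was dropped instead, the association check is no longer enforced at admission at all. Please confirm the new webhook manifest targets this path and `v1beta1` and keeps the same operations. This `Register` call also sits outside the `ENABLE_WEBHOOKS` gate used for the typed webhooks further down, so a comment such as `// association check is always registered; the CRD validators below are gated by ENABLE_WEBHOOKS` would make that asymmetry look deliberate. The enclosing `main` continues past this hunk.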
@@ -160,25 +162,15 @@ func main() { os.Exit(1) } if os.Getenv("ENABLE_WEBHOOKS") != "false" { - if err = (&syngitv1alpha3.RemoteSyncer{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "RemoteSyncer") - os.Exit(1) - } - } - if os.Getenv("ENABLE_WEBHOOKS") != "false" { - if err = (&syngitv1alpha3.RemoteUser{}).SetupWebhookWithManager(mgr); err != nil { + if err = (&syngitv1beta1.RemoteUser{}).SetupWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "RemoteUser") os.Exit(1) } - } - if os.Getenv("ENABLE_WEBHOOKS") != "false" { - if err = (&syngitv1alpha4.RemoteUser{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "RemoteUser") + if err = (&syngitv1beta1.RemoteUserBinding{}).SetupWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "RemoteUserBinding") os.Exit(1) } - } - if os.Getenv("ENABLE_WEBHOOKS") != "false" { - if err = (&syngitv1alpha4.RemoteSyncer{}).SetupWebhookWithManager(mgr); err != nil { + if err = (&syngitv1beta1.RemoteSyncer{}).SetupWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "RemoteSyncer") os.Exit(1) } diff --git a/config/crd/bases/syngit.syngit.io_remotesyncers.yaml b/config/crd/bases/syngit.syngit.io_remotesyncers.yaml index 6f9aa63..72e00d9 100644 --- a/config/crd/bases/syngit.syngit.io_remotesyncers.yaml +++ b/config/crd/bases/syngit.syngit.io_remotesyncers.yaml @@ -493,7 +493,7 @@ spec: type: object type: object type: object - served: true + served: false storage: false subresources: status: {} @@ -1043,7 +1043,7 @@ spec: type: object type: object type: object - served: true + served: false storage: false subresources: status: {} @@ -1589,7 +1589,7 @@ spec: type: object type: object type: object - served: true + served: false storage: false subresources: status: {} 
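Review bot: The three added `SetupWebhookWithManager` branches in this hunk are the same four lines repeated with only the type and the log label changed, which is how the v1alpha3/v1alpha4 copies deleted here drifted into four separate `ENABLE_WEBHOOKS` checks in the first place. A small local helper taking the label and a registration closure keeps one error path and one exit, and the next API version becomes a single line. Since the older CRD versions become `served: false` in the same patch, these v1beta1 validators are the only admission validation left for RemoteSyncer (whose `scopedResources` and `bypassInterceptionSubjects` appear, from the CRD schema in this patch, to configure what gets intercepted), so the gate deserves a comment such as `// ENABLE_WEBHOOKS=false is a dev-only switch: it disables all v1beta1 admission validation.` The enclosing `if os.Getenv(...)` block and `main` continue past the hunk.
```go
	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
		// ENABLE_WEBHOOKS=false is a dev-only switch: it disables all v1beta1 admission validation.
		setup := func(name string, register func() error) {
			if err := register(); err != nil {
				setupLog.Error(err, "unable to create webhook", "webhook", name)
				os.Exit(1)
			}
		}
		setup("RemoteUser", func() error { return (&syngitv1beta1.RemoteUser{}).SetupWebhookWithManager(mgr) })
		setup("RemoteUserBinding", func() error { return (&syngitv1beta1.RemoteUserBinding{}).SetupWebhookWithManager(mgr) })
		setup("RemoteSyncer", func() error { return (&syngitv1beta1.RemoteSyncer{}).SetupWebhookWithManager(mgr) })
		// … unchanged: rest of the ENABLE_WEBHOOKS block, outside this hunk …
```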
@@ -2135,6 +2135,572 @@ spec: type: object type: object type: object + served: false + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: RemoteSyncer is the Schema for the remotesyncers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: RemoteSyncerSpec defines the desired state of RemoteSyncer + properties: + bypassInterceptionSubjects: + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. 
If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + caBundle: + description: |- + SecretReference represents a Secret Reference. It has enough information to retrieve secret + in any namespace + properties: + name: + description: name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: namespace defines the space within which the secret + name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + defaultBlockAppliedMessage: + type: string + defaultBranch: + type: string + defaultUnauthorizedUserMode: + type: string + defaultUser: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. 
Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + excludedFields: + items: + type: string + type: array + excludedFieldsConfig: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. 
+ For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + insecureSkipTlsVerify: + type: boolean + processMode: + type: string + pushMode: + type: string + remoteRepository: + format: uri + type: string + rootPath: + type: string + scopedResources: + properties: + matchPolicy: + description: MatchPolicyType specifies the type of match policy. + type: string + objectSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + rules: + items: + description: |- + RuleWithOperations is a tuple of Operations and Resources. It is recommended to make + sure that all the tuple expansions are valid. + properties: + apiGroups: + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for + a request. + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list of resources this rule applies to. + + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + + Depending on the enclosing object, subresources might not be allowed. + Required. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + type: array + type: object + required: + - defaultUnauthorizedUserMode + - processMode + - pushMode + - remoteRepository + type: object + status: + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastBypassedObjectState: + properties: + lastBypassObject: + properties: + group: + type: string + name: + type: string + resource: + type: string + version: + type: string + required: + - group + - name + - resource + - version + type: object + lastBypassObjectTime: + format: date-time + type: string + lastBypassObjectUserInfo: + description: |- + UserInfo holds the information about the user needed to implement the + user.Info interface. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf can + generate + items: + type: string + type: array + description: Any additional information provided by the authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user among + all active users. 
+ type: string + type: object + type: object + lastObservedObjectState: + properties: + lastObservedObject: + properties: + group: + type: string + name: + type: string + resource: + type: string + version: + type: string + required: + - group + - name + - resource + - version + type: object + lastObservedObjectTime: + format: date-time + type: string + lastObservedObjectUserInfo: + description: |- + UserInfo holds the information about the user needed to implement the + user.Info interface. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf can + generate + items: + type: string + type: array + description: Any additional information provided by the authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user among + all active users. + type: string + type: object + type: object + lastPushedObjectState: + properties: + lastPushedGitUser: + type: string + lastPushedObject: + properties: + group: + type: string + name: + type: string + resource: + type: string + version: + type: string + required: + - group + - name + - resource + - version + type: object + lastPushedObjectCommitHash: + type: string + lastPushedObjectGitPath: + type: string + lastPushedObjectGitRepo: + type: string + lastPushedObjectState: + type: string + lastPushedObjectTime: + format: date-time + type: string + type: object + type: object + type: object served: true storage: true subresources: diff --git a/config/crd/bases/syngit.syngit.io_remoteuserbindings.yaml b/config/crd/bases/syngit.syngit.io_remoteuserbindings.yaml index 96ad486..2f2ba2e 100644 
--- a/config/crd/bases/syngit.syngit.io_remoteuserbindings.yaml +++ b/config/crd/bases/syngit.syngit.io_remoteuserbindings.yaml @@ -176,7 +176,7 @@ spec: type: string type: object type: object - served: true + served: false storage: false subresources: status: {} @@ -342,7 +342,7 @@ spec: type: string type: object type: object - served: true + served: false storage: false subresources: status: {} @@ -508,7 +508,7 @@ spec: type: string type: object type: object - served: true + served: false storage: false subresources: status: {} 
@@ -674,6 +674,172 @@ spec: type: string type: object type: object + served: false + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: RemoteUserBinding is the Schema for the remoteuserbindings API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + remoteRefs: + items: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. 
This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + subject: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + required: + - remoteRefs + - subject + type: object + status: + properties: + gitUserHosts: + items: + properties: + gitFQDN: + type: string + lastUsedTime: + format: date-time + type: string + remoteUserUsed: + type: string + secretRef: + description: |- + SecretReference represents a Secret Reference. 
It has enough information to retrieve secret + in any namespace + properties: + name: + description: name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: namespace defines the space within which the + secret name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + state: + type: string + required: + - secretRef + type: object + type: array + lastUsedTime: + format: date-time + type: string + state: + type: string + userKubernetesID: + type: string + type: object + type: object served: true storage: true subresources: diff --git a/config/crd/bases/syngit.syngit.io_remoteusers.yaml b/config/crd/bases/syngit.syngit.io_remoteusers.yaml index 9986a1f..85af6bf 100644 --- a/config/crd/bases/syngit.syngit.io_remoteusers.yaml +++ b/config/crd/bases/syngit.syngit.io_remoteusers.yaml @@ -228,7 +228,7 @@ spec: type: string type: object type: object - served: true + served: false storage: false subresources: status: {} @@ -449,7 +449,7 @@ spec: type: string type: object type: object - served: true + served: false storage: false subresources: status: {} @@ -670,7 +670,7 @@ spec: type: string type: object type: object - served: true + served: false storage: false subresources: status: {} 
@@ -891,6 +891,151 @@ spec: type: string type: object type: object + served: false + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: RemoteUser is the Schema for the remoteusers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + associatedRemoteUserBinding: + type: boolean + email: + type: string + gitBaseDomainFQDN: + type: string + secretRef: + description: |- + SecretReference represents a Secret Reference. It has enough information to retrieve secret + in any namespace + properties: + name: + description: name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: namespace defines the space within which the secret + name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + required: + - associatedRemoteUserBinding + - email + - gitBaseDomainFQDN + - secretRef + type: object + status: + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + connexionStatus: + properties: + details: + type: string + status: + type: string + type: object + gitUser: + type: string + lastAuthTime: + format: date-time + type: string + secretBoundStatus: + type: string + type: object + type: object served: true storage: true subresources: diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 37222f9..da86a9c 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml 
@@ -10,21 +10,16 @@ resources: patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -# - path: patches/webhook_in_remoteusers.yaml -# - path: patches/webhook_in_remoteuserbindings.yaml - path: patches/webhook_in_remotesyncers.yaml - path: patches/webhook_in_remoteuserbindings.yaml - path: patches/webhook_in_remoteusers.yaml -#- path: patches/webhook_in_remotesyncers.yaml #+kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD # - path: patches/cainjection_in_remoteusers.yaml -#- path: patches/cainjection_in_remoteuserbindings.yaml +# - path: patches/cainjection_in_remoteuserbindings.yaml # - path: patches/cainjection_in_remotesyncers.yaml -#- path: patches/cainjection_in_remoteusers.yaml -#- path: patches/cainjection_in_remotesyncers.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch # [WEBHOOK] To enable webhook, uncomment the following section diff --git a/config/crd/patches/cainjection_in_remoteuserbindings.yaml b/config/crd/patches/cainjection_in_remoteuserbindings.yaml new file mode 100644 index 0000000..2ad3e6c --- /dev/null +++ b/config/crd/patches/cainjection_in_remoteuserbindings.yaml @@ -0,0 +1,7 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME + name: remoteuserbindings.syngit.syngit.io diff --git a/config/crd/patches/webhook_in_remoteuserbindings.yaml b/config/crd/patches/webhook_in_remoteuserbindings.yaml new file mode 100644 index 0000000..7eb3cad --- /dev/null +++ b/config/crd/patches/webhook_in_remoteuserbindings.yaml 
@@ -0,0 +1,16 @@ +# The following patch enables a conversion webhook for the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: remoteuserbindings.syngit.syngit.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + namespace: system + name: webhook-service + path: /convert + conversionReviewVersions: + - v1 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index ba0ec9b..adb73cc 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -28,7 +28,7 @@ spec: selector: matchLabels: control-plane: controller-manager - replicas: 2 + replicas: 1 template: metadata: annotations: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 7642fdc..65753d9 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -24,6 +24,15 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - list + - patch + - watch - apiGroups: - corev1 resources: diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml index db40e4a..85c8480 100644 --- a/config/samples/kustomization.yaml +++ b/config/samples/kustomization.yaml @@ -1,12 +1,9 @@ ## Append samples of your project ## resources: -- syngit_v1alpha2_remoteuser.yaml -- syngit_v1alpha2_remoteuserbinding.yaml -- syngit_v1alpha2_remotesyncer.yaml -- syngit_v1alpha3_remotesyncer.yaml -- syngit_v1alpha3_remoteuser.yaml -- syngit_v1alpha3_remoteuserbinding.yaml - syngit_v1alpha4_remoteuserbinding.yaml - syngit_v1alpha4_remoteuser.yaml - syngit_v1alpha4_remotesyncer.yaml +- syngit_v1beta1_remoteuser.yaml +- syngit_v1beta1_remoteuserbinding.yaml +- syngit_v1beta1_remotesyncer.yaml #+kubebuilder:scaffold:manifestskustomizesamples diff --git a/config/samples/syngit_v1beta1_remotesyncer.yaml b/config/samples/syngit_v1beta1_remotesyncer.yaml new file mode 100644 index 0000000..de42d43 --- /dev/null +++ b/config/samples/syngit_v1beta1_remotesyncer.yaml 
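Review bot: Dropping to `replicas: 1` removes the only redundancy behind webhooks that are registered with `failurePolicy: Fail` (the validating webhooks in config/webhook/manifests.yaml and the conversion webhooks enabled by the new config/crd/patches files): while the single manager pod is restarting, every CREATE/UPDATE on syngit resources is rejected and requests that need conversion of stored objects fail too. If this is a deliberate development-only setting, a comment such as `# single replica: with failurePolicy=Fail, manager downtime blocks syngit API requests` keeps the trade-off visible; otherwise keep two replicas or add a PodDisruptionBudget.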
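Review bot: The new events rule grants `list` and `watch` on core `events` in addition to `create` and `patch`; an event recorder only needs `create` and `patch`, so unless the controller also reads events the rule is broader than necessary and should be trimmed in the `//+kubebuilder:rbac` marker in internal/controller/remotesyncer_controller.go (the last hunks of this diff), from which this file is regenerated, to `verbs=create;patch`. Separately, the pre-existing rule directly below in the context lines uses `apiGroups: - corev1`, which is not an API group name (core resources live in `""`, as the new rule correctly uses), so that rule most likely grants nothing — worth a follow-up.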
@@ -0,0 +1,12 @@ +apiVersion: syngit.syngit.io/v1beta1 +kind: RemoteSyncer +metadata: + labels: + app.kubernetes.io/name: remotesyncer + app.kubernetes.io/instance: remotesyncer-sample + app.kubernetes.io/part-of: syngit + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: syngit + name: remotesyncer-sample +spec: + # TODO(user): Add fields here diff --git a/config/samples/v2alpha2/syngit_v2alpha2_remoteuser.yaml b/config/samples/syngit_v1beta1_remoteuser.yaml similarity index 58% rename from config/samples/v2alpha2/syngit_v2alpha2_remoteuser.yaml rename to config/samples/syngit_v1beta1_remoteuser.yaml index 1c09b50..d095ee1 100644 --- a/config/samples/v2alpha2/syngit_v2alpha2_remoteuser.yaml +++ b/config/samples/syngit_v1beta1_remoteuser.yaml @@ -1,4 +1,4 @@ -apiVersion: syngit.syngit.io/v1alpha2 +apiVersion: syngit.syngit.io/v1beta1 kind: RemoteUser metadata: labels: @@ -8,11 +8,5 @@ metadata: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/created-by: syngit name: remoteuser-sample - namespace: test spec: - gitBaseDomainFQDN: "gitlab.com" - testAuthentication: true - email: "" - secretRef: - name: secret-basic-auth - ownRemoteUserBinding: true + # TODO(user): Add fields here diff --git a/config/samples/syngit_v1beta1_remoteuserbinding.yaml b/config/samples/syngit_v1beta1_remoteuserbinding.yaml new file mode 100644 index 0000000..0702bcf --- /dev/null +++ b/config/samples/syngit_v1beta1_remoteuserbinding.yaml @@ -0,0 +1,12 @@ +apiVersion: syngit.syngit.io/v1beta1 +kind: RemoteUserBinding +metadata: + labels: + app.kubernetes.io/name: remoteuserbinding + app.kubernetes.io/instance: remoteuserbinding-sample + app.kubernetes.io/part-of: syngit + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: syngit + name: remoteuserbinding-sample +spec: + # TODO(user): Add fields here 
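Review bot: The renamed v1beta1 RemoteUser sample replaces its whole spec with `# TODO(user): Add fields here`, but the v1beta1 schema added earlier in this diff (config/crd/bases/syngit.syngit.io_remoteusers.yaml) lists `associatedRemoteUserBinding`, `email`, `gitBaseDomainFQDN` and `secretRef` as required, so applying config/samples as now wired in kustomization.yaml would be rejected by schema validation. The same holds for the new syngit_v1beta1_remoteuserbinding.yaml, whose schema requires `remoteRefs` and `subject`, and presumably for the RemoteSyncer sample. Either carry the fields over from the v1alpha2 sample (`gitBaseDomainFQDN`, `email`, `secretRef.name`, with `associatedRemoteUserBinding` replacing `ownRemoteUserBinding`) or leave the samples out of config/samples/kustomization.yaml until they are filled in.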
diff --git a/config/samples/v1alpha2/syngit_v2alpha2_remotesyncer2.yaml b/config/samples/v1alpha2/syngit_v2alpha2_remotesyncer2.yaml new file mode 100644 index 0000000..92f719e --- /dev/null +++ b/config/samples/v1alpha2/syngit_v2alpha2_remotesyncer2.yaml @@ -0,0 +1,12 @@ +apiVersion: syngit.syngit.io/v1alpha2 +kind: RemoteSyncer +metadata: + labels: + app.kubernetes.io/name: remotesyncer + app.kubernetes.io/instance: remotesyncer-sample + app.kubernetes.io/part-of: syngit + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: syngit + name: remotesyncer-sample + namespace: test +spec: diff --git a/config/samples/v2alpha2/syngit_v2alpha2_remoteuser2.yaml b/config/samples/v1alpha2/syngit_v2alpha2_remoteuser2.yaml similarity index 70% rename from config/samples/v2alpha2/syngit_v2alpha2_remoteuser2.yaml rename to config/samples/v1alpha2/syngit_v2alpha2_remoteuser2.yaml index 2bbe642..efc24fd 100644 --- a/config/samples/v2alpha2/syngit_v2alpha2_remoteuser2.yaml +++ b/config/samples/v1alpha2/syngit_v2alpha2_remoteuser2.yaml @@ -10,9 +10,3 @@ metadata: name: remoteuser-sample2 namespace: test spec: - gitBaseDomainFQDN: "gitlab.com" - testAuthentication: true - email: "" - secretRef: - name: secret-basic-auth - ownRemoteUserBinding: false diff --git a/config/samples/v2alpha2/syngit_v2alpha2_remoteuserbinding.yaml b/config/samples/v1alpha2/syngit_v2alpha2_remoteuserbinding.yaml similarity index 70% rename from config/samples/v2alpha2/syngit_v2alpha2_remoteuserbinding.yaml rename to config/samples/v1alpha2/syngit_v2alpha2_remoteuserbinding.yaml index ed9fe6a..158b3d4 100644 --- a/config/samples/v2alpha2/syngit_v2alpha2_remoteuserbinding.yaml +++ b/config/samples/v1alpha2/syngit_v2alpha2_remoteuserbinding.yaml @@ -10,10 +10,3 @@ metadata: name: remoteuserbinding-sample namespace: test spec: - subject: - kind: User - name: kubernetes-admin - remoteRefs: - - name: remoteuser-sample - #- name: another-one - #- name: remoteuser-sample2 
diff --git a/config/samples/v3alpha3/syngit_v3alpha3_remotesyncer.yaml b/config/samples/v1alpha3/syngit_v3alpha3_remotesyncer.yaml similarity index 100% rename from config/samples/v3alpha3/syngit_v3alpha3_remotesyncer.yaml rename to config/samples/v1alpha3/syngit_v3alpha3_remotesyncer.yaml diff --git a/config/samples/v3alpha3/syngit_v3alpha3_remoteuser.yaml b/config/samples/v1alpha3/syngit_v3alpha3_remoteuser.yaml similarity index 100% rename from config/samples/v3alpha3/syngit_v3alpha3_remoteuser.yaml rename to config/samples/v1alpha3/syngit_v3alpha3_remoteuser.yaml diff --git a/config/samples/v3alpha3/syngit_v3alpha3_remoteuserbinding.yaml b/config/samples/v1alpha3/syngit_v3alpha3_remoteuserbinding.yaml similarity index 100% rename from config/samples/v3alpha3/syngit_v3alpha3_remoteuserbinding.yaml rename to config/samples/v1alpha3/syngit_v3alpha3_remoteuserbinding.yaml diff --git a/config/samples/v2alpha2/syngit_v2alpha2_remotesyncer.yaml b/config/samples/v2alpha2/syngit_v2alpha2_remotesyncer.yaml deleted file mode 100644 index d60474f..0000000 --- a/config/samples/v2alpha2/syngit_v2alpha2_remotesyncer.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: syngit.syngit.io/v1alpha2 -kind: RemoteSyncer -metadata: - labels: - app.kubernetes.io/name: remotesyncer - app.kubernetes.io/instance: remotesyncer-sample - app.kubernetes.io/part-of: syngit - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/created-by: syngit - name: remotesyncer-sample - namespace: test -spec: - remoteRepository: "" - branch: second-main - commitProcess: CommitApply -# bypassInterceptionSubjects: - #- name: kubernetes-admin - # kind: User - authorizedUsers: - - name: owned-rub-kubernetes-admin - defaultUnauthorizedUserMode: Block - excludedFields: - - metadata.managedFields - - metadata.creationTimestamp - - metadata.annotations.[kubectl.kubernetes.io/last-applied-configuration] - - metadata.uid - - metadata.resourceVersion - rootPath: "root-path" - includedResources: - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["configmaps", "pods"] - operations: ["CREATE", "UPDATE", "DELETE"] - - apiGroups: ["networking.k8s.io"] - apiVersions: ["v1"] - resources: ["ingresses"] - operations: ["CREATE", "UPDATE", "DELETE"] - #repoPath: "oui/config" diff --git a/config/samples/v2alpha2/syngit_v2alpha2_remotesyncer2.yaml b/config/samples/v2alpha2/syngit_v2alpha2_remotesyncer2.yaml deleted file mode 100644 index 1704448..0000000 --- a/config/samples/v2alpha2/syngit_v2alpha2_remotesyncer2.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: syngit.syngit.io/v1alpha2 -kind: RemoteSyncer -metadata: - labels: - app.kubernetes.io/name: remotesyncer - app.kubernetes.io/instance: remotesyncer-sample - app.kubernetes.io/part-of: syngit - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/created-by: syngit - name: remotesyncer-sample - namespace: test -spec: - remoteRepository: "" - branch: second-main - commitMode: Commit - commitProcess: CommitOnly -# bypassInterceptionSubjects: - #- name: kubernetes-admin - # kind: User - authorizedUsers: - - name: remoteuserbinding-sample - defaultUnauthorizedUserMode: Block - excludedFields: - - metadata.managedFields - - metadata.creationTimestamp - - metadata.annotations.[kubectl.kubernetes.io/last-applied-configuration] - - metadata.uid - - metadata.resourceVersion - includedResources: - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["configmaps", "pods"] - operations: ["CREATE", "UPDATE", "DELETE"] diff --git a/config/webhook/cert-injector.sh b/config/webhook/cert-injector.sh index 13af381..efb6b43 100755 --- a/config/webhook/cert-injector.sh +++ b/config/webhook/cert-injector.sh @@ -1,9 +1,30 @@ #!/bin/bash +# Backup files +if [ ! -f "$1.bak" ]; then + cp manifests.yaml manifests.yaml.bak + cp secret.yaml secret.yaml.bak + + for file in "$2"/*; do + # Get the base name of the file + filename=$(basename "$file") + + # Check if the filename starts with "webhook_in" + if [[ $filename != webhook_in* || $filename != *.yaml ]]; then + continue + fi + + cp "$2/$filename" "$2/$filename.bak" + done +fi + +# Generate CA + +mkdir -p /tmp/k8s-webhook-server/serving-certs tmp_path=/tmp/k8s-webhook-server/serving-certs # Generate the certificates cd ${tmp_path} -./gen-certs-serv-cli.sh > /dev/null +./gen-certs-serv-cli.sh &> /dev/null cd - # Encode certificates to base64 
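Review bot: `./gen-certs-serv-cli.sh &> /dev/null` now also hides stderr, and because the script has no `set -e` and never checks the exit status, a failed certificate generation continues silently into the base64 step and injects whatever stale or empty files sit in `/tmp/k8s-webhook-server/serving-certs` into secret.yaml and the webhook configurations. Change it to `./gen-certs-serv-cli.sh &> /dev/null || { echo "certificate generation failed" >&2; exit 1; }` and consider `set -euo pipefail` at the top. The new `mkdir -p` creates the directory that will hold private keys under world-readable /tmp with the default umask; moving the `tmp_path=` assignment above it and using `mkdir -p -m 700 "$tmp_path"` keeps the key material readable only by the invoking user. The backup guard tests `$1.bak` while the block backs up manifests.yaml, secret.yaml and the patch files, so it only works as intended when `$1` is manifests.yaml — presumably the case, and a header comment like `# usage: cert-injector.sh <manifests.yaml> <crd-patches-dir>` would make that contract explicit.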
@@ -13,19 +34,32 @@ client_crt_base64=$(cat ${tmp_path}/client.crt | base64 | tr -d '\n') client_key_base64=$(cat ${tmp_path}/client.key | base64 | tr -d '\n') # Update the Secret -sed -i.bak -e "/server.crt:/c\ server.crt: $server_crt_base64" \ +sed -i -e "/server.crt:/c\ server.crt: $server_crt_base64" \ -e "/server.key:/c\ server.key: $server_key_base64" \ -e "/tls.crt:/c\ tls.crt: $client_crt_base64" \ -e "/tls.key:/c\ tls.key: $client_key_base64" secret.yaml # Remove existing caBundle lines if they exist -sed -i.bak '/^ *caBundle:.*/d' $1 +sed -i '/^ *caBundle:.*/d' $1 # Update the webhook configuration -sed -i.bak '/^ *clientConfig:/ { +sed -i '/^ *clientConfig:/ { N s/\(^ *clientConfig:\)/\1\n caBundle: '"$client_crt_base64"'/ }' $1 -# Clean up temporary files created by sed -rm -f secret.yaml.bak $1.bak \ No newline at end of file +# Update the conversion webhook configuration +for file in "$2"/*; do + # Get the base name of the file + filename=$(basename "$file") + + # Check if the filename starts with "webhook_in" + if [[ $filename != webhook_in* || $filename != *.yaml ]]; then + continue + fi + + sed -i '/^ *clientConfig:/ { + N + s/\(^ *clientConfig:\)/\1\n caBundle: '"$client_crt_base64"'/ + }' "$2/$filename" +done diff --git a/config/webhook/cleanup-injector.sh b/config/webhook/cleanup-injector.sh new file mode 100755 index 0000000..ca57ffa --- /dev/null +++ b/config/webhook/cleanup-injector.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +mv secret.yaml.bak secret.yaml +mv manifests.yaml.bak manifests.yaml + +conversion_path="../crd/patches" +for file in "$conversion_path"/*; do + # Get the base name of the file + filename=$(basename "$file") + + # Check if the filename starts with "webhook_in" + if [[ $filename != webhook_in* || $filename != *.yaml ]]; then + continue + fi + + mv "$conversion_path/$filename.bak" "$conversion_path/$filename" +done \ No newline at end of file 
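Review bot: The new loop over `"$2"/*` repeats the filename filter from the backup block verbatim (`basename`, the `webhook_in*`/`*.yaml` test, `continue`), and the three-line `sed -i '/^ *clientConfig:/ { … }'` program it runs is the same one applied to `$1` a few lines above; a small function taking the target file as its argument, called once for `$1` and once per patch file, would remove both duplications and keep the two injection sites from drifting. `$1` is still unquoted in the `sed -i … $1` calls, so a path containing spaces breaks them; quote it as `"$1"` while these lines are being touched. The enclosing script continues above this hunk.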
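Review bot: The restore `mv` calls in cleanup-injector.sh have no existence checks and the script has no `set -e`, so running it twice, or after cert-injector.sh stopped before creating the backups, prints errors and leaves the working tree in a mixed state; guard each with `[ -f secret.yaml.bak ] && mv secret.yaml.bak secret.yaml` or start the script with `set -euo pipefail`. The patches directory is hard-coded as `../crd/patches` here while cert-injector.sh receives it as `$2`, so the two scripts can silently disagree about which files were backed up; accepting the same argument (or sharing one default) keeps them paired. The file also lacks a trailing newline.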
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml index f5e39fb..a9827b9 100644 --- a/config/webhook/manifests.yaml +++ b/config/webhook/manifests.yaml @@ -10,14 +10,14 @@ webhooks: service: name: webhook-service namespace: system - path: /validate-syngit-syngit-io-v1alpha4-remotesyncer + path: /validate-syngit-syngit-io-v1beta1-remotesyncer failurePolicy: Fail - name: vremotesyncer.kb.io + name: vremotesyncer.v1beta1.syngit.io rules: - apiGroups: - syngit.syngit.io apiVersions: - - v1alpha4 + - v1beta1 operations: - CREATE - UPDATE @@ -30,14 +30,14 @@ webhooks: service: name: webhook-service namespace: system - path: /validate-syngit-syngit-io-v1alpha4-remoteuser + path: /validate-syngit-syngit-io-v1beta1-remoteuser failurePolicy: Fail - name: vremoteuser.kb.io + name: vremoteuser.v1beta1.syngit.io rules: - apiGroups: - syngit.syngit.io apiVersions: - - v1alpha4 + - v1beta1 operations: - CREATE - UPDATE @@ -50,14 +50,14 @@ webhooks: service: name: webhook-service namespace: system - path: /reconcile-syngit-remoteuser-owner + path: /syngit-v1beta1-remoteuser-association failurePolicy: Fail - name: vremoteusers-owner.kb.io + name: vremoteusers-association.v1beta1.syngit.io rules: - apiGroups: - syngit.syngit.io apiVersions: - - v1alpha4 + - v1beta1 operations: - CREATE - DELETE diff --git a/internal/controller/dynamic_webhook_handlers.go b/internal/controller/dynamic_webhook_handlers.go index d5ffe63..2f73f34 100644 --- a/internal/controller/dynamic_webhook_handlers.go +++ b/internal/controller/dynamic_webhook_handlers.go @@ -16,7 +16,7 @@ import ( "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" logf "sigs.k8s.io/controller-runtime/pkg/log" - syngit "syngit.io/syngit/api/v1alpha4" + syngit "syngit.io/syngit/api/v1beta1" ) type WebhookInterceptsAll struct { diff --git a/internal/controller/git_pusher.go b/internal/controller/git_pusher.go index aaf2be6..f66c69f 100644 --- a/internal/controller/git_pusher.go 
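Review bot: The renamed association webhook still registers only `CREATE` and `DELETE` (context lines of this hunk), yet the handler it points to (`Handle` in internal/controller/reconcile_remoteuser_owner.go, further down in this diff) now branches on `ru.Spec.AssociatedRemoteUserBinding`; if that flag can be flipped on an existing RemoteUser, the UPDATE path never reaches the webhook and no binding is created or cleaned up for it — worth confirming, and either adding `- UPDATE` or documenting that the field is immutable. The `.kb.io` to `.v1beta1.syngit.io` renames change the webhook identities, so a cluster upgraded in place keeps the stale entries unless the ValidatingWebhookConfiguration is replaced rather than patched; a note in the README or Makefile target would help.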
+++ b/internal/controller/git_pusher.go @@ -16,20 +16,21 @@ import ( admissionv1 "k8s.io/api/admission/v1" "k8s.io/apimachinery/pkg/runtime/schema" - syngit "syngit.io/syngit/api/v1alpha4" + syngit "syngit.io/syngit/api/v1beta1" ) type GitPusher struct { - remoteSyncer syngit.RemoteSyncer - interceptedYAML string - interceptedGVR schema.GroupVersionResource - interceptedName string - branch string - gitUser string - gitEmail string - gitToken string - operation admissionv1.Operation - remoteConfiguration syngit.GitServerConfiguration + remoteSyncer syngit.RemoteSyncer + interceptedYAML string + interceptedGVR schema.GroupVersionResource + interceptedName string + branch string + gitUser string + gitEmail string + gitToken string + operation admissionv1.Operation + insecureSkipTlsVerify bool + caBundle string } type GitPushResponse struct { @@ -39,7 +40,7 @@ type GitPushResponse struct { func (gp *GitPusher) Push() (GitPushResponse, error) { gpResponse := &GitPushResponse{path: "", commitHash: ""} - gp.branch = gp.remoteSyncer.Spec.Branch + gp.branch = gp.remoteSyncer.Spec.DefaultBranch // Clone the repository into memory cloneOption := &git.CloneOptions{ @@ -50,11 +51,10 @@ func (gp *GitPusher) Push() (GitPushResponse, error) { Password: gp.gitToken, }, SingleBranch: true, - InsecureSkipTLS: gp.remoteConfiguration.InsecureSkipTlsVerify, - CABundle: []byte(gp.remoteConfiguration.CaBundle), + InsecureSkipTLS: gp.insecureSkipTlsVerify, } - if gp.remoteConfiguration.CaBundle != "" { - cloneOption.CABundle = []byte(gp.remoteConfiguration.CaBundle) + if gp.caBundle != "" { + cloneOption.CABundle = []byte(gp.caBundle) } repo, err := git.Clone(memory.NewStorage(), memfs.New(), cloneOption) if err != nil { 
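Review bot: `InsecureSkipTLS: gp.insecureSkipTlsVerify` disables certificate verification for the git transport with no trace in the controller output, so an operator cannot tell that a RemoteSyncer is pushing to an unverified remote; emitting a log line or Kubernetes event naming the RemoteSyncer whenever the flag is true makes that state auditable. The TLS option block is now built twice, here for `CloneOptions` and again in `pushChanges` (next hunk), with the same `if gp.caBundle != ""` guard; a helper such as `func (gp *GitPusher) tlsOptions() (insecure bool, ca []byte)` keeps the two from diverging. The new field names do not follow Go's initialism convention — `insecureSkipTLSVerify` would match the `InsecureSkipTLS` used beside it — and where they are populated is outside this diff. `Push`'s body continues outside the hunk.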
@@ -244,14 +244,17 @@ func (gp *GitPusher) commitChanges(w *git.Worktree, pathToAdd string) (string, e } func (gp *GitPusher) pushChanges(repo *git.Repository) error { - err := repo.Push(&git.PushOptions{ + pushOptions := &git.PushOptions{ Auth: &http.BasicAuth{ Username: gp.gitUser, Password: gp.gitToken, }, - InsecureSkipTLS: gp.remoteConfiguration.InsecureSkipTlsVerify, - CABundle: []byte(gp.remoteConfiguration.CaBundle), - }) + InsecureSkipTLS: gp.insecureSkipTlsVerify, + } + if gp.caBundle != "" { + pushOptions.CABundle = []byte(gp.caBundle) + } + err := repo.Push(pushOptions) if err != nil { errMsg := "failed to push changes: " + err.Error() return errors.New(errMsg) diff --git a/internal/controller/reconcile_remoteuser_owner.go b/internal/controller/reconcile_remoteuser_owner.go index 3e0a01d..f108386 100644 --- a/internal/controller/reconcile_remoteuser_owner.go +++ b/internal/controller/reconcile_remoteuser_owner.go @@ -10,7 +10,7 @@ import ( "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/webhook/admission" - syngit "syngit.io/syngit/api/v1alpha4" + syngit "syngit.io/syngit/api/v1beta1" ) /* @@ -80,7 +80,7 @@ func (ruwh *RemoteUserWebhookHandler) Handle(ctx context.Context, req admission. } } - return admission.Allowed("This object has been removed from the " + name + " RemoteUserBinding owners") + return admission.Allowed("This object is not associated with the " + name + " RemoteUserBinding anymore") } ru := &syngit.RemoteUser{} @@ -89,8 +89,8 @@ func (ruwh *RemoteUserWebhookHandler) Handle(ctx context.Context, req admission. return admission.Errored(http.StatusBadRequest, err) } - if !ru.Spec.OwnRemoteUserBinding { - return admission.Allowed("This object does not own a RemoteUserBinding") + if !ru.Spec.AssociatedRemoteUserBinding { + return admission.Allowed("This object is not associated with any RemoteUserBinding") } objRef := corev1.ObjectReference{Name: ru.Name} 
@@ -107,15 +107,15 @@ func (ruwh *RemoteUserWebhookHandler) Handle(ctx context.Context, req admission. rub.Name = name rub.Namespace = req.Namespace - ownerRef := v1.OwnerReference{ - Name: ru.Name, - APIVersion: ru.APIVersion, - Kind: ru.GroupVersionKind().Kind, - UID: ru.GetUID(), - } - ownerRefs := make([]v1.OwnerReference, 0) - ownerRefs = append(ownerRefs, ownerRef) - rub.ObjectMeta.OwnerReferences = ownerRefs + // ownerRef := v1.OwnerReference{ + // Name: ru.Name, + // APIVersion: ru.APIVersion, + // Kind: ru.GroupVersionKind().Kind, + // UID: ru.GetUID(), + // } + // ownerRefs := make([]v1.OwnerReference, 0) + // ownerRefs = append(ownerRefs, ownerRef) + // rub.ObjectMeta.OwnerReferences = ownerRefs subject := &rbacv1.Subject{ Kind: "User", @@ -135,15 +135,15 @@ func (ruwh *RemoteUserWebhookHandler) Handle(ctx context.Context, req admission. // The RemoteUserBinding already exists // Update the list of the RemoteUserBinding object - ownerRef := v1.OwnerReference{ - Name: ru.Name, - APIVersion: ru.APIVersion, - Kind: ru.GroupVersionKind().Kind, - UID: ru.GetUID(), - } - ownerRefs := rub.ObjectMeta.DeepCopy().OwnerReferences - ownerRefs = append(ownerRefs, ownerRef) - rub.ObjectMeta.OwnerReferences = ownerRefs + // ownerRef := v1.OwnerReference{ + // Name: ru.Name, + // APIVersion: ru.APIVersion, + // Kind: ru.GroupVersionKind().Kind, + // UID: ru.GetUID(), + // } + // ownerRefs := rub.ObjectMeta.DeepCopy().OwnerReferences + // ownerRefs = append(ownerRefs, ownerRef) + // rub.ObjectMeta.OwnerReferences = ownerRefs remoteRefs := rub.DeepCopy().Spec.RemoteRefs remoteRefs = append(remoteRefs, objRef) @@ -156,5 +156,5 @@ func (ruwh *RemoteUserWebhookHandler) Handle(ctx context.Context, req admission. } - return admission.Allowed("This object owns the " + name + " RemoteUserBinding") + return admission.Allowed("This object is associated to the " + name + " RemoteUserBinding") } 
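Review bot: Both hunks on this line (`@@ -107` and `@@ -135`) replace the OwnerReference wiring with commented-out code; delete it instead of keeping it, the history is in git. The behavioural consequence is not documented anywhere in the hunk: without an OwnerReference the RemoteUserBinding created or updated here is no longer garbage-collected when its RemoteUser is deleted, so a binding can outlive the user it references unless the removal path (the `@@ -80` hunk on the previous line appears to handle that case) always strips the RemoteRef. If that is intentional, say so where the binding is built, e.g. `// No OwnerReference on purpose: a RemoteUserBinding is shared by several RemoteUsers and must outlive any single one of them; RemoteRefs are removed explicitly on deletion`. Handle's body starts and ends outside these hunks.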
diff --git a/internal/controller/remotesyncer_controller.go b/internal/controller/remotesyncer_controller.go index 15d17a2..3d6833c 100644 --- a/internal/controller/remotesyncer_controller.go +++ b/internal/controller/remotesyncer_controller.go @@ -29,7 +29,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/reconcile" - syngit "syngit.io/syngit/api/v1alpha4" + syngit "syngit.io/syngit/api/v1beta1" ) // RemoteSyncerReconciler reconciles a RemoteSyncer object @@ -47,6 +47,7 @@ type RemoteSyncerReconciler struct { //+kubebuilder:rbac:groups=syngit.syngit.io,resources=remotesyncers/finalizers,verbs=update //+kubebuilder:rbac:groups=*,resources=*,verbs=get;list;watch //+kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=create;get;list;watch;update;patch;delete +//+kubebuilder:rbac:groups=core,resources=events,verbs=create;patch;list;watch func (r *RemoteSyncerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { _ = log.FromContext(ctx) diff --git a/internal/controller/remotesyncer_controller_test.go b/internal/controller/remotesyncer_controller_test.go index 121fbf5..28b0803 100644 --- a/internal/controller/remotesyncer_controller_test.go +++ b/internal/controller/remotesyncer_controller_test.go 
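Review bot: The new RBAC marker grants `list;watch` on Events in addition to `create;patch`; an event recorder only needs `create` and `patch`, so unless this reconciler actually reads Events the marker should be `//+kubebuilder:rbac:groups=core,resources=events,verbs=create;patch` to keep the generated ClusterRole minimal. If the wider verbs are needed for a reason not visible here, a one-line comment above the marker saying why would stop the next reviewer from trimming it.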
@@ -16,69 +16,98 @@ limitations under the License. package controller -// import ( -// "context" - -// . "github.com/onsi/ginkgo/v2" -// . "github.com/onsi/gomega" -// "k8s.io/apimachinery/pkg/api/errors" -// "k8s.io/apimachinery/pkg/types" -// "sigs.k8s.io/controller-runtime/pkg/reconcile" - -// metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -// syngit "syngit.io/syngit/api/v1alpha4" -// ) - -// var _ = Describe("RemoteSyncer Controller", func() { -// Context("When reconciling a resource", func() { -// const resourceName = "test-resource" - -// ctx := context.Background() - -// typeNamespacedName := types.NamespacedName{ -// Name: resourceName, -// Namespace: "default", // TODO(user):Modify as needed -// } -// remotesyncer := &syngit.RemoteSyncer{} - -// BeforeEach(func() { -// By("creating the custom resource for the Kind RemoteSyncer") -// err := k8sClient.Get(ctx, typeNamespacedName, remotesyncer) -// if err != nil && errors.IsNotFound(err) { -// resource := &syngit.RemoteSyncer{ -// ObjectMeta: metav1.ObjectMeta{ -// Name: resourceName, -// Namespace: "default", -// }, -// // TODO(user): Specify other spec details if needed. -// } -// Expect(k8sClient.Create(ctx, resource)).To(Succeed()) -// } -// }) - -// AfterEach(func() { -// // TODO(user): Cleanup logic after each test, like removing the resource instance. 
-// resource := &syngit.RemoteSyncer{} -// err := k8sClient.Get(ctx, typeNamespacedName, resource) -// Expect(err).NotTo(HaveOccurred()) - -// By("Cleanup the specific resource instance RemoteSyncer") -// Expect(k8sClient.Delete(ctx, resource)).To(Succeed()) -// }) -// It("should successfully reconcile the resource", func() { -// By("Reconciling the created resource") -// controllerReconciler := &RemoteSyncerReconciler{ -// Client: k8sClient, -// Scheme: k8sClient.Scheme(), -// } - -// _, err := controllerReconciler.Reconcile(ctx, reconcile.Request{ -// NamespacedName: typeNamespacedName, -// }) -// Expect(err).NotTo(HaveOccurred()) -// // TODO(user): Add more specific assertions depending on your controller's reconciliation logic. -// // Example: If you expect a certain status condition after reconciliation, verify it here. -// }) -// }) -// }) +import ( + "context" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + + admissionv1 "k8s.io/api/admissionregistration/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + syngit "syngit.io/syngit/api/v1beta1" +) + +var _ = Describe("RemoteSyncer Controller", func() { + + const ( + timeout = time.Second * 10 + duration = time.Second * 10 + interval = time.Millisecond * 250 + + userNamespace = "default" + ) + + Context("When reconciling a resource", func() { + + const ( + remotesyncername = "test-remotesyncer" + ) + + typeNamespacedName := types.NamespacedName{ + Name: remotesyncername, + Namespace: userNamespace, + } + remotesyncer := &syngit.RemoteSyncer{} + + ctx := context.Background() + + BeforeEach(func() { + + By("Creating a RemoteSyncer with") + err := k8sClient.Get(ctx, typeNamespacedName, remotesyncer) + if err != nil && errors.IsNotFound(err) { + resource := &syngit.RemoteSyncer{ + ObjectMeta: metav1.ObjectMeta{ + Name: remotesyncername, + Namespace: userNamespace, + }, + Spec: syngit.RemoteSyncerSpec{ + 
DefaultBlockAppliedMessage: "test", + DefaultBranch: "main", + DefaultUnauthorizedUserMode: syngit.Block, + ExcludedFields: []string{".metadata.uid"}, + ProcessMode: syngit.CommitOnly, + PushMode: syngit.SameBranch, + RemoteRepository: "https://dummy-git-server.com", + ScopedResources: syngit.ScopedResources{ + Rules: []admissionv1.RuleWithOperations{admissionv1.RuleWithOperations{ + Operations: []admissionv1.OperationType{ + admissionv1.Create, + }, + Rule: admissionv1.Rule{ + APIGroups: []string{"v1"}, + APIVersions: []string{"v1"}, + Resources: []string{"configmaps"}, + }, + }, + }, + }, + }, + } + Expect(k8sClient.Create(ctx, resource)).To(Succeed()) + } + }) + + AfterEach(func() { + err := k8sClient.Get(ctx, typeNamespacedName, remotesyncer) + Expect(err).NotTo(HaveOccurred()) + + By("Cleanup the specific resource instance RemoteSyncer") + Expect(k8sClient.Delete(ctx, remotesyncer)).To(Succeed()) + }) + + It("should successfully reconcile the resource", func() { + ruLookupKeyRS := types.NamespacedName{Name: remotesyncername, Namespace: userNamespace} + createdRemoteSyncer := &syngit.RemoteSyncer{} + + Eventually(func() bool { + err := k8sClient.Get(ctx, ruLookupKeyRS, createdRemoteSyncer) + return err == nil + }, timeout, interval).Should(BeTrue()) + }) + }) +}) diff --git a/internal/controller/remoteuser_controller.go b/internal/controller/remoteuser_controller.go index f1a0681..ac157dd 100644 --- a/internal/controller/remoteuser_controller.go +++ b/internal/controller/remoteuser_controller.go @@ -18,14 +18,7 @@ package controller import ( "context" - "crypto/tls" - "crypto/x509" - "encoding/base64" - "errors" - "fmt" - "net/http" "os" - "strings" corev1 "k8s.io/api/core/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
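Review bot: The spec `It("should successfully reconcile the resource")` only asserts that `k8sClient.Get` succeeds on an object BeforeEach just created, so it passes even if the RemoteSyncer controller never runs; assert something the reconciler writes (a status field or condition) inside the `Eventually`, or the test name overstates what it covers. In the fixture, `APIGroups: []string{"v1"}` names the core group by its version — the core group is the empty string, so `APIGroups: []string{""}` is what a rule for `configmaps` needs, otherwise the webhook rule presumably never matches. Minor: `By("Creating a RemoteSyncer with")` is a truncated message, `duration` is declared but never used, and `[]admissionv1.RuleWithOperations{admissionv1.RuleWithOperations{` can drop the repeated element type (`gofmt -s`).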
@@ -36,12 +29,11 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/builder" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/event" "sigs.k8s.io/controller-runtime/pkg/handler" "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/predicate" "sigs.k8s.io/controller-runtime/pkg/reconcile" - syngit "syngit.io/syngit/api/v1alpha4" + syngit "syngit.io/syngit/api/v1beta1" ) // RemoteUserReconciler reconciles a RemoteUser object 
@@ -52,55 +44,6 @@ type RemoteUserReconciler struct { Namespace string } -func (r *RemoteUserReconciler) setServerConfiguration(ctx context.Context, remoteUser *syngit.RemoteUser) (syngit.GitServerConfiguration, error) { - - gpc := &syngit.GitServerConfiguration{ - Inherited: false, - AuthenticationEndpoint: "", - CaBundle: "", - InsecureSkipTlsVerify: false, - } - - // STEP 1 : Check the config map ref - var cm corev1.ConfigMap - if remoteUser.Spec.CustomGitServerConfigRef.Name != "" { - // It is defined in the RemoteUser object - namespacedName := types.NamespacedName{Namespace: remoteUser.Namespace, Name: remoteUser.Spec.CustomGitServerConfigRef.Name} - if err := r.Get(ctx, namespacedName, &cm); err != nil { - remoteUser.Status.ConnexionStatus.Status = syngit.GitConfigNotFound - remoteUser.Status.ConnexionStatus.Details = "ConfigMap name: " + remoteUser.Spec.CustomGitServerConfigRef.Name - return *gpc, err - } - } else { - // It is not defined in the RemoteUser object -> look for the default configmap of the operator - namespacedName := types.NamespacedName{Namespace: r.Namespace, Name: remoteUser.Spec.GitBaseDomainFQDN} - if err := r.Get(ctx, namespacedName, &cm); err != nil { - remoteUser.Status.ConnexionStatus.Status = syngit.GitConfigNotFound - remoteUser.Status.ConnexionStatus.Details = "Configuration reference not found in the current RemoteUser; ConfigMap " + remoteUser.Spec.GitBaseDomainFQDN + " in the namespace of the operator not found as well" - return *gpc, err - } - gpc.Inherited = true - } - - // STEP 2 : Build the GitServerConfiguration - - // Parse the ConfigMap - serverConf, err := parseConfigMap(cm) - if err != nil { - remoteUser.Status.ConnexionStatus.Status = syngit.GitConfigParseError - remoteUser.Status.ConnexionStatus.Details = err.Error() - return *gpc, err - } - - if remoteUser.Spec.InsecureSkipTlsVerify && remoteUser.Spec.InsecureSkipTlsVerify != serverConf.InsecureSkipTlsVerify { - serverConf.InsecureSkipTlsVerify = 
remoteUser.Spec.InsecureSkipTlsVerify - } - - *gpc = serverConf - - return *gpc, nil -} - // +kubebuilder:rbac:groups=syngit.syngit.io,resources=remoteusers,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=syngit.syngit.io,resources=remoteusers/status,verbs=get;update;patch // +kubebuilder:rbac:groups=syngit.syngit.io,resources=remoteusers/finalizers,verbs=update 
@@ -142,207 +85,37 @@ func (r *RemoteUserReconciler) Reconcile(ctx context.Context, req ctrl.Request) return ctrl.Result{}, err } - remoteUser.Status.SecretBoundStatus = syngit.SecretBound - username := string(secret.Data["username"]) - // Update configuration - gpc, err := r.setServerConfiguration(ctx, &remoteUser) - if err != nil { + remoteUser.Status.SecretBoundStatus = syngit.SecretFound + condition.Message = "Secret found but is not of type \"kubernetes.io/basic-auth\"" + condition.Type = "NotReady" + condition.Reason = "SecretFound" + condition.Status = "False" + + // Check if the referenced Secret is a basic-auth type + if secret.Type != corev1.SecretTypeBasicAuth { - condition.Reason = "RemoteUserServerConfigurationError" - condition.Message = err.Error() + remoteUser.Status.SecretBoundStatus = syngit.SecretWrongType + + condition.Reason = "SecretWrongType" + condition.Message = string(syngit.SecretWrongType) errUpdate := r.updateStatus(ctx, &remoteUser, *condition) return ctrl.Result{}, errUpdate } + remoteUser.Status.SecretBoundStatus = syngit.SecretBound + condition.Message = "Secret bound" condition.Type = "Ready" + condition.Reason = "SecretBound" condition.Status = "True" - remoteUser.Status.GitServerConfiguration = gpc - condition.Reason = "RemoteUserServerConfigurationAssigned" - condition.Message = "The git remote server configuration has been assigned to this object" - errUpdate := r.updateStatus(ctx, &remoteUser, *condition) - if errUpdate != nil { - return ctrl.Result{}, errUpdate - } - - if remoteUser.Spec.TestAuthentication { - condition.Type = "NotReady" - condition.Status = "False" - - // Check if the referenced Secret is a basic-auth type - if secret.Type != corev1.SecretTypeBasicAuth { - - remoteUser.Status.SecretBoundStatus = syngit.SecretWrongType - - condition.Reason = "SecretWrongType" - condition.Message = string(syngit.SecretWrongType) - errUpdate := r.updateStatus(ctx, &remoteUser, *condition) - - return ctrl.Result{}, errUpdate - } 
- - // Get the username and password from the Secret - remoteUser.Status.GitUser = username - PAToken := string(secret.Data["password"]) - - // If test auth -> the endpoint must exists - authenticationEndpoint := gpc.AuthenticationEndpoint - if authenticationEndpoint == "" { - errMsg := "" - if gpc.Inherited { - errMsg = "git provider not found in the " + remoteUser.Spec.GitBaseDomainFQDN + " ConfigMap in the namespace of the operator" - } else { - errMsg = "git provider not found in the " + remoteUser.Spec.CustomGitServerConfigRef.Name + " ConfigMap" - } - remoteUser.Status.ConnexionStatus.Status = syngit.GitUnsupported - remoteUser.Status.ConnexionStatus.Details = errMsg - - condition.Reason = "WrongRemoteUserServerConfiguration" - condition.Message = errMsg - errUpdate := r.updateStatus(ctx, &remoteUser, *condition) - - return ctrl.Result{}, errUpdate - } - - // Perform Git provider authentication check - transport := &http.Transport{ - TLSClientConfig: &tls.Config{ - InsecureSkipVerify: gpc.InsecureSkipTlsVerify, - }, - } - if !gpc.InsecureSkipTlsVerify && gpc.CaBundle != "" { - caCertPool := x509.NewCertPool() - if ok := caCertPool.AppendCertsFromPEM([]byte(gpc.CaBundle)); !ok { - remoteUser.Status.ConnexionStatus.Status = syngit.GitConfigParseError - remoteUser.Status.ConnexionStatus.Details = "x509 cert pool maker failed" - - condition.Reason = "RemoteUserServerCertificateMalformed" - condition.Message = remoteUser.Status.ConnexionStatus.Details - errUpdate := r.updateStatus(ctx, &remoteUser, *condition) - - return ctrl.Result{}, errUpdate - } - transport.TLSClientConfig.RootCAs = caCertPool - } - httpClient := &http.Client{ - Transport: transport, - } - gitReq, err := http.NewRequest("GET", authenticationEndpoint, nil) - if err != nil { - remoteUser.Status.ConnexionStatus.Status = syngit.GitServerError - remoteUser.Status.ConnexionStatus.Details = "Internal operator error : cannot create the http request " + err.Error() - - condition.Reason = 
"RemoteUserServerError" - condition.Message = remoteUser.Status.ConnexionStatus.Details - errUpdate := r.updateStatus(ctx, &remoteUser, *condition) - - return ctrl.Result{}, errUpdate - } - - // For gitlab - gitReq.Header.Add("Private-Token", PAToken) - - // If needed because there is a conflict between github and bitbucket - // They both uses the same key to authenticate but not the same value - if strings.Contains(authenticationEndpoint, "github.com") { - // For github - gitReq.Header.Set("Authorization", "token "+PAToken) - } else if strings.Contains(authenticationEndpoint, "bitbucket.org") { - // For bitbucket - bitbucketAuth := base64.StdEncoding.EncodeToString([]byte(username + ":" + PAToken)) - gitReq.Header.Set("Authorization", "Basic "+bitbucketAuth) - } - - resp, err := httpClient.Do(gitReq) - if err != nil { - remoteUser.Status.ConnexionStatus.Status = syngit.GitServerError - remoteUser.Status.ConnexionStatus.Details = "Internal operator error : the request cannot be processed " + err.Error() - - condition.Reason = "RemoteUserServerError" - condition.Message = remoteUser.Status.ConnexionStatus.Details - errUpdate := r.updateStatus(ctx, &remoteUser, *condition) - - return ctrl.Result{}, errUpdate - } - defer resp.Body.Close() - - remoteUser.Status.ConnexionStatus.Details = "" - - condition.Type = "AuthFailed" - - // Check the response status code - if resp.StatusCode == http.StatusOK { - // Authentication successful - remoteUser.Status.ConnexionStatus.Status = syngit.GitConnected - remoteUser.Status.LastAuthTime = v1.Now() - - condition.Type = "AuthSucceeded" - condition.Status = "True" - condition.Reason = "RemoteUserUserConnected" - condition.Message = "Successfully logged to the remote git server with the git user specified" - r.Recorder.Event(&remoteUser, "Normal", "Connected", "Auth succeeded") - } else if resp.StatusCode == http.StatusUnauthorized { - // Unauthorized: bad credentials - remoteUser.Status.ConnexionStatus.Status = 
syngit.GitUnauthorized - - condition.Reason = "RemoteUserUserUnauthorized" - condition.Message = string(remoteUser.Status.ConnexionStatus.Status) - r.Recorder.Event(&remoteUser, "Warning", "AuthFailed", "Auth failed - unauthorized") - } else if resp.StatusCode == http.StatusForbidden { - // Forbidden : Not enough permission - remoteUser.Status.ConnexionStatus.Status = syngit.GitForbidden - - condition.Reason = "RemoteUserUserForbidden" - condition.Message = string(remoteUser.Status.ConnexionStatus.Status) - r.Recorder.Event(&remoteUser, "Warning", "AuthFailed", "Auth failed - forbidden") - } else if resp.StatusCode == http.StatusInternalServerError { - // Server error: a server error happened - remoteUser.Status.ConnexionStatus.Status = syngit.GitServerError - - condition.Reason = "RemoteUserServerError" - condition.Message = string(remoteUser.Status.ConnexionStatus.Status) - r.Recorder.Event(&remoteUser, "Warning", "AuthFailed", "Auth failed - server error") - } else { - // Handle other status codes if needed - remoteUser.Status.ConnexionStatus.Status = syngit.GitUnexpectedStatus - - condition.Reason = "RemoteUserServerError" - condition.Message = string(remoteUser.Status.ConnexionStatus.Status) - r.Recorder.Event(&remoteUser, "Warning", "AuthFailed", - fmt.Sprintf("Auth failed - unexpected response - %s", resp.Status)) - } - } - // Update the status of RemoteUser r.updateStatus(ctx, &remoteUser, *condition) return ctrl.Result{}, nil } -func parseConfigMap(configMap corev1.ConfigMap) (syngit.GitServerConfiguration, error) { - gitServerConf := &syngit.GitServerConfiguration{} - for key, value := range configMap.Data { - switch key { - case "authenticationEndpoint": - gitServerConf.AuthenticationEndpoint = value - case "caBundle": - gitServerConf.CaBundle = value - case "insecureSkipTlsVerify": - if value == "true" { - gitServerConf.InsecureSkipTlsVerify = true - } else { - gitServerConf.InsecureSkipTlsVerify = false - } - default: - return *gitServerConf, 
errors.New("wrong key " + key + " found in the git server configmap " + configMap.Namespace + "/" + configMap.Name) - } - } - - return *gitServerConf, nil -} - func (r *RemoteUserReconciler) updateConditions(remoteUser syngit.RemoteUser, condition v1.Condition) []v1.Condition { added := false var conditions []v1.Condition 
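Review bot: The new success path marks the Secret `SecretBound` as soon as its Type is basic-auth, but a basic-auth Secret is not required to carry both keys, so a Secret with an empty or missing `username`/`password` is reported Ready and the failure only surfaces later at clone or push time; before setting `SecretBound`, check `if len(secret.Data[corev1.BasicAuthUsernameKey]) == 0 || len(secret.Data[corev1.BasicAuthPasswordKey]) == 0 {` and return a NotReady condition the same way the wrong-type branch does. The `condition.Message = "Secret found but is not of type \"kubernetes.io/basic-auth\""` and `condition.Reason = "SecretFound"` assignments at the top of the hunk are overwritten on both branches, so either drop them or have the wrong-type branch reuse that message instead of `string(syngit.SecretWrongType)`. With setServerConfiguration, parseConfigMap and the ConfigMap field index removed in this and the following hunks, the `gitProviderConfigRefField` constant that remains in the context of the `@@ -393` hunk has no user left and should go as well. Reconcile's body starts before this hunk.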
@@ -393,73 +166,6 @@ func (r *RemoteUserReconciler) findObjectsForSecret(ctx context.Context, secret return requests } -func (r *RemoteUserReconciler) findObjectsForGitProviderConfig(ctx context.Context, configMap client.Object) []reconcile.Request { - attachedRemoteUsers := &syngit.RemoteUserList{} - listOps := &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(gitProviderConfigRefField, configMap.GetName()), - Namespace: configMap.GetNamespace(), - } - err := r.List(ctx, attachedRemoteUsers, listOps) - if err != nil { - return []reconcile.Request{} - } - - requests := make([]reconcile.Request, len(attachedRemoteUsers.Items)) - for i, item := range attachedRemoteUsers.Items { - requests[i] = reconcile.Request{ - NamespacedName: types.NamespacedName{ - Name: item.GetName(), - Namespace: item.GetNamespace(), - }, - } - } - return requests -} - -func (r *RemoteUserReconciler) findObjectsForRootConfigMap(ctx context.Context, configMap client.Object) []reconcile.Request { - attachedRemoteUsers := &syngit.RemoteUserList{} - listOps := &client.ListOptions{} - err := r.List(ctx, attachedRemoteUsers, listOps) - if err != nil { - return []reconcile.Request{} - } - - requests := make([]reconcile.Request, len(attachedRemoteUsers.Items)) - for i, item := range attachedRemoteUsers.Items { - requests[i] = reconcile.Request{ - NamespacedName: types.NamespacedName{ - Name: item.GetName(), - Namespace: item.GetNamespace(), - }, - } - } - return requests -} - -func (r *RemoteUserReconciler) gitEndpointsConfigCreation(e event.CreateEvent) bool { - configMap, ok := e.Object.(*corev1.ConfigMap) - if !ok { - return false - } - return configMap.Namespace == r.Namespace && strings.Contains(configMap.Name, ".") -} - -func (r *RemoteUserReconciler) gitEndpointsConfigUpdate(e event.UpdateEvent) bool { - configMap, ok := e.ObjectNew.(*corev1.ConfigMap) - if !ok { - return false - } - return configMap.Namespace == r.Namespace && strings.Contains(configMap.Name, ".") -} - -func 
(r *RemoteUserReconciler) gitEndpointsConfigDeletion(e event.DeleteEvent) bool { - configMap, ok := e.Object.(*corev1.ConfigMap) - if !ok { - return false - } - return configMap.Namespace == r.Namespace && strings.Contains(configMap.Name, ".") -} - const ( secretRefField = ".spec.secretRef.name" gitProviderConfigRefField = ".spec.CustomGitServerConfigRef.name" @@ -477,16 +183,6 @@ func (r *RemoteUserReconciler) SetupWithManager(mgr ctrl.Manager) error { }); err != nil { return err } - if err := mgr.GetFieldIndexer().IndexField(context.Background(), &syngit.RemoteUser{}, gitProviderConfigRefField, func(rawObj client.Object) []string { - // Extract the ConfigMap name from the RemoteUser Spec, if one is provided - remoteUser := rawObj.(*syngit.RemoteUser) - if remoteUser.Spec.CustomGitServerConfigRef.Name == "" { - return nil - } - return []string{remoteUser.Spec.CustomGitServerConfigRef.Name} - }); err != nil { - return err - } // Recorder to manage events recorder := mgr.GetEventRecorderFor("remoteuser-controller") @@ -495,12 +191,6 @@ func (r *RemoteUserReconciler) SetupWithManager(mgr ctrl.Manager) error { managerNamespace := os.Getenv("MANAGER_NAMESPACE") r.Namespace = managerNamespace - configMapPredicates := predicate.Funcs{ - CreateFunc: r.gitEndpointsConfigCreation, - UpdateFunc: r.gitEndpointsConfigUpdate, - DeleteFunc: r.gitEndpointsConfigDeletion, - } - return ctrl.NewControllerManagedBy(mgr). For(&syngit.RemoteUser{}). Watches( 
@@ -508,15 +198,5 @@ func (r *RemoteUserReconciler) SetupWithManager(mgr ctrl.Manager) error { handler.EnqueueRequestsFromMapFunc(r.findObjectsForSecret), builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}), ). - Watches( - &corev1.ConfigMap{}, - handler.EnqueueRequestsFromMapFunc(r.findObjectsForGitProviderConfig), - builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}), - ). - Watches( - &corev1.ConfigMap{}, - handler.EnqueueRequestsFromMapFunc(r.findObjectsForRootConfigMap), - builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}, configMapPredicates), - ). Complete(r) } diff --git a/internal/controller/remoteuser_controller_test.go b/internal/controller/remoteuser_controller_test.go index f26a681..37b1fad 100644 --- a/internal/controller/remoteuser_controller_test.go +++ b/internal/controller/remoteuser_controller_test.go @@ -28,7 +28,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - syngit "syngit.io/syngit/api/v1alpha4" + syngit "syngit.io/syngit/api/v1beta1" ) var _ = Describe("RemoteUser Controller", func() { 
@@ -39,77 +39,33 @@ var _ = Describe("RemoteUser Controller", func() { interval = time.Millisecond * 250 userNamespace = "default" - resourceName = "test-remoteuser" ) - const remoteGitServerConfName = "sample-git-server.com-conf" - confNamespacedName := types.NamespacedName{ - Name: remoteGitServerConfName, - Namespace: userNamespace, - } - remoteGitServerConf := &corev1.ConfigMap{} - - const secretRefName = "sample-secret" - secretNamespacedName := types.NamespacedName{ - Name: secretRefName, - Namespace: userNamespace, - } - secretRef := &corev1.Secret{} - const username = "username" - const password = "password" - - defaultGitServerConfiguration := syngit.GitServerConfiguration{ - AuthenticationEndpoint: "", - InsecureSkipTlsVerify: false, - CaBundle: "", - } - customGitServerConfigiguration := syngit.GitServerConfiguration{ - AuthenticationEndpoint: "https://sample-git-server.com/api/v4/user", - InsecureSkipTlsVerify: false, - CaBundle: "CA Bundle cert", - } - const actualInsecureSkipTlsVerify = true - - const resourceNameOwned = resourceName + "-owned-by-rub" - typeNamespacedNameOwned := types.NamespacedName{ - Name: resourceNameOwned, - Namespace: userNamespace, - } - const resourceNameCustomGit = resourceName + "-custom-git-conf" - typeNamespacedNameCustomGit := types.NamespacedName{ - Name: resourceNameCustomGit, - Namespace: userNamespace, - } - Context("When reconciling a resource", func() { + const resourceName = "test-remoteuser" + + const secretRefName = "sample-secret" + secretNamespacedName := types.NamespacedName{ + Name: secretRefName, + Namespace: userNamespace, + } + secretRef := &corev1.Secret{} + const username = "username" + const password = "password" + + const resourceNameAssociated = resourceName + "-associated-to-rub" + typeNamespacedNameAssociated := types.NamespacedName{ + Name: resourceNameAssociated, + Namespace: userNamespace, + } + remoteuser := &syngit.RemoteUser{} + ctx := context.Background() BeforeEach(func() { - By("Creating 
the custom remote git server configuration") - err := k8sClient.Get(ctx, confNamespacedName, remoteGitServerConf) - if err != nil && errors.IsNotFound(err) { - resource := &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: remoteGitServerConfName, - Namespace: userNamespace, - }, - Data: map[string]string{ - "authenticationEndpoint": customGitServerConfigiguration.AuthenticationEndpoint, - "caBundle": customGitServerConfigiguration.CaBundle, - "insecureSkipTlsVerify": func() string { - if customGitServerConfigiguration.InsecureSkipTlsVerify { - return "true" - } else { - return "false" - } - }(), - }, - } - Expect(k8sClient.Create(ctx, resource)).To(Succeed()) - } By("Creating the secret credentials") - err = k8sClient.Get(ctx, secretNamespacedName, secretRef) + err := k8sClient.Get(ctx, secretNamespacedName, secretRef) if err != nil && errors.IsNotFound(err) { resource := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ 
@@ -120,50 +76,23 @@ var _ = Describe("RemoteUser Controller", func() { "username": username, "password": password, }, + Type: "kubernetes.io/basic-auth", } Expect(k8sClient.Create(ctx, resource)).To(Succeed()) } - remoteuser := &syngit.RemoteUser{} - - By("Creating a RemoteUser that owns a RemoteUserBinding and is bound to a config") - err = k8sClient.Get(ctx, typeNamespacedNameOwned, remoteuser) - if err != nil && errors.IsNotFound(err) { - resource := &syngit.RemoteUser{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourceNameOwned, - Namespace: userNamespace, - }, - Spec: syngit.RemoteUserSpec{ - Email: "sample@email.com", - GitBaseDomainFQDN: "sample-git-server.com", - OwnRemoteUserBinding: true, - TestAuthentication: false, - SecretRef: corev1.SecretReference{ - Name: secretRefName, - }, - }, - } - Expect(k8sClient.Create(ctx, resource)).To(Succeed()) - } - - By("Creating a RemoteUser that inherit from a remote git sever configuration") - err = k8sClient.Get(ctx, typeNamespacedNameCustomGit, remoteuser) + By("Creating a RemoteUser that is associated to a RemoteUserBinding") + err = k8sClient.Get(ctx, typeNamespacedNameAssociated, remoteuser) if err != nil && errors.IsNotFound(err) { resource := &syngit.RemoteUser{ ObjectMeta: metav1.ObjectMeta{ - Name: resourceNameCustomGit, + Name: resourceNameAssociated, Namespace: userNamespace, }, Spec: syngit.RemoteUserSpec{ - Email: "sample@email.com", - GitBaseDomainFQDN: "sample-git-server.com", - OwnRemoteUserBinding: false, - TestAuthentication: false, - InsecureSkipTlsVerify: actualInsecureSkipTlsVerify, - CustomGitServerConfigRef: corev1.ObjectReference{ - Name: remoteGitServerConfName, - }, + Email: "sample@email.com", + GitBaseDomainFQDN: "sample-git-server.com", + AssociatedRemoteUserBinding: true, SecretRef: corev1.SecretReference{ Name: secretRefName, }, 
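Review bot: The added `Type: "kubernetes.io/basic-auth"` spells the Secret type as a string literal while the controller compares against `corev1.SecretTypeBasicAuth`; use the constant here too, `Type: corev1.SecretTypeBasicAuth,`, so a typo in the fixture cannot silently exercise the wrong-type branch instead of the happy path. The BeforeEach body starts before this hunk.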
@@ -174,80 +103,46 @@ var _ = Describe("RemoteUser Controller", func() { }) AfterEach(func() { - // TODO(user): Cleanup logic after each test, like removing the resource instance. - resourceOwned := &syngit.RemoteUser{} - err := k8sClient.Get(ctx, typeNamespacedNameOwned, resourceOwned) - Expect(err).NotTo(HaveOccurred()) - - resourceGitConfig := &syngit.RemoteUser{} - err = k8sClient.Get(ctx, typeNamespacedNameCustomGit, resourceGitConfig) + err := k8sClient.Get(ctx, typeNamespacedNameAssociated, remoteuser) Expect(err).NotTo(HaveOccurred()) - resourceConf := &corev1.ConfigMap{} - err = k8sClient.Get(ctx, confNamespacedName, resourceConf) - Expect(err).NotTo(HaveOccurred()) - - resourceSecret := &corev1.Secret{} - err = k8sClient.Get(ctx, secretNamespacedName, resourceSecret) + err = k8sClient.Get(ctx, secretNamespacedName, secretRef) Expect(err).NotTo(HaveOccurred()) By("Cleanup the specific resource instance RemoteUser") - Expect(k8sClient.Delete(ctx, resourceOwned)).To(Succeed()) - - By("Cleanup the associated custom remote git server configuration") - Expect(k8sClient.Delete(ctx, resourceConf)).To(Succeed()) + Expect(k8sClient.Delete(ctx, remoteuser)).To(Succeed()) By("Cleanup the associated credentials secret reference") - Expect(k8sClient.Delete(ctx, resourceSecret)).To(Succeed()) + Expect(k8sClient.Delete(ctx, secretRef)).To(Succeed()) }) - Context("When updating a RemoteUser", func() { - - // It("Should create a RemoteUserBinding", func() { - // rubLookupKey := types.NamespacedName{Name: "owned-rub-kubernetes-admin", Namespace: userNamespace} - // createRemoteUserBinding := &syngit.RemoteUserBinding{} + // It("Should create a RemoteUserBinding", func() { + // createdRemoteUserBindings := &syngit.RemoteUserBindingList{} + // listOps := &client.ListOptions{ + // Namespace: userNamespace, + // } - // Eventually(func() bool { - // err := k8sClient.Get(ctx, rubLookupKey, createRemoteUserBinding) - // return err == nil - // }, timeout, interval).Should(BeTrue()) 
+ // Eventually(func() bool { + // err := k8sClient.List(ctx, createdRemoteUserBindings, listOps) + // return err == nil && len(createdRemoteUserBindings.Items) > 0 + // }, timeout, interval).Should(BeTrue()) - // Expect(createRemoteUserBinding.Spec.RemoteRefs).Should(ContainElement(corev1.ObjectReference{Name: resourceName})) + // Expect(createdRemoteUserBindings.Items[0].Spec.RemoteRefs).Should(ContainElement(map[string]corev1.ObjectReference{"name": {Name: resourceName}})) - // }) - It("Should have the configuration stored in the status", func() { - ruLookupKey := types.NamespacedName{Name: resourceNameOwned, Namespace: userNamespace} - createRemoteUser := &syngit.RemoteUser{} + // }) - Eventually(func() bool { - err := k8sClient.Get(ctx, ruLookupKey, createRemoteUser) - return err == nil - }, timeout, interval).Should(BeTrue()) + It("Should correctly be bound to the secret", func() { + ruLookupKeyRu := types.NamespacedName{Name: resourceNameAssociated, Namespace: userNamespace} + createdRemoteUser := &syngit.RemoteUser{} - Expect(createRemoteUser.Status.GitServerConfiguration).Should(Equal(defaultGitServerConfiguration)) + Eventually(func() bool { + err := k8sClient.Get(ctx, ruLookupKeyRu, createdRemoteUser) + return err == nil && createdRemoteUser.Status.SecretBoundStatus != "" + }, timeout, interval).Should(BeTrue()) - Expect(createRemoteUser.Status.GitServerConfiguration.CaBundle).Should(Equal(defaultGitServerConfiguration.CaBundle)) - Expect(createRemoteUser.Status.GitServerConfiguration.InsecureSkipTlsVerify).Should(Equal(defaultGitServerConfiguration.InsecureSkipTlsVerify)) - Expect(createRemoteUser.Status.GitServerConfiguration.AuthenticationEndpoint).Should(Equal((defaultGitServerConfiguration.AuthenticationEndpoint))) - }) + Expect(createdRemoteUser.Status.SecretBoundStatus).Should(Equal(syngit.SecretBound)) }) - Context("When updating a RemoteUser", func() { - - It("Should have the top configuration propagated", func() { - ruLookupKey := 
types.NamespacedName{Name: resourceNameCustomGit, Namespace: userNamespace} - createRemoteUser := &syngit.RemoteUser{} - - Eventually(func() bool { - err := k8sClient.Get(ctx, ruLookupKey, createRemoteUser) - return err == nil && createRemoteUser.Status.GitServerConfiguration.CaBundle != "" - }, timeout, interval).Should(BeTrue()) - - Expect(createRemoteUser.Status.GitServerConfiguration.CaBundle).Should(Equal(customGitServerConfigiguration.CaBundle)) - Expect(createRemoteUser.Status.GitServerConfiguration.InsecureSkipTlsVerify).Should(Equal(actualInsecureSkipTlsVerify)) - Expect(createRemoteUser.Status.GitServerConfiguration.AuthenticationEndpoint).Should(Equal(customGitServerConfigiguration.AuthenticationEndpoint)) - }) - }) }) }) diff --git a/internal/controller/remoteuserbinding_controller.go b/internal/controller/remoteuserbinding_controller.go index 077179e..b08cb0e 100644 --- a/internal/controller/remoteuserbinding_controller.go +++ b/internal/controller/remoteuserbinding_controller.go @@ -31,7 +31,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/predicate" "sigs.k8s.io/controller-runtime/pkg/reconcile" - syngit "syngit.io/syngit/api/v1alpha4" + syngit "syngit.io/syngit/api/v1beta1" ) // RemoteUserBindingReconciler reconciles a RemoteUserBinding object diff --git a/internal/controller/remoteuserbinding_controller_test.go b/internal/controller/remoteuserbinding_controller_test.go index ea65cf0..5d19085 100644 --- a/internal/controller/remoteuserbinding_controller_test.go +++ b/internal/controller/remoteuserbinding_controller_test.go 
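Review bot: The new `Eventually` stops as soon as `SecretBoundStatus` is non-empty and then asserts `SecretBound`; if the reconciler writes an intermediate status first (the controller sets `SecretFound` before `SecretBound`, and an earlier status update outside the visible hunk may persist it) the assertion can flake, so fold the expected value into the poll: `return err == nil && createdRemoteUser.Status.SecretBoundStatus == syngit.SecretBound`. The wrong-type branch added to the controller has no coverage; a second fixture Secret with `Type: corev1.SecretTypeOpaque` and a spec asserting `syngit.SecretWrongType` would pin it. The commented-out "Should create a RemoteUserBinding" block should either become a pending spec (`PIt`) or be removed.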
@@ -16,69 +16,121 @@ limitations under the License. package controller -// import ( -// "context" - -// . "github.com/onsi/ginkgo/v2" -// . "github.com/onsi/gomega" -// "k8s.io/apimachinery/pkg/api/errors" -// "k8s.io/apimachinery/pkg/types" -// "sigs.k8s.io/controller-runtime/pkg/reconcile" - -// metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -// syngit "syngit.io/syngit/api/v1alpha4" -// ) - -// var _ = Describe("RemoteUserBinding Controller", func() { -// Context("When reconciling a resource", func() { -// const resourceName = "test-resource" - -// ctx := context.Background() - -// typeNamespacedName := types.NamespacedName{ -// Name: resourceName, -// Namespace: "default", // TODO(user):Modify as needed -// } -// remoteuserbinding := &syngit.RemoteUserBinding{} - -// BeforeEach(func() { -// By("creating the custom resource for the Kind RemoteUserBinding") -// err := k8sClient.Get(ctx, typeNamespacedName, remoteuserbinding) -// if err != nil && errors.IsNotFound(err) { -// resource := &syngit.RemoteUserBinding{ -// ObjectMeta: metav1.ObjectMeta{ -// Name: resourceName, -// Namespace: "default", -// }, -// // TODO(user): Specify other spec details if needed. -// } -// Expect(k8sClient.Create(ctx, resource)).To(Succeed()) -// } -// }) - -// AfterEach(func() { -// // TODO(user): Cleanup logic after each test, like removing the resource instance. 
-// resource := &syngit.RemoteUserBinding{} -// err := k8sClient.Get(ctx, typeNamespacedName, resource) -// Expect(err).NotTo(HaveOccurred()) - -// By("Cleanup the specific resource instance RemoteUserBinding") -// Expect(k8sClient.Delete(ctx, resource)).To(Succeed()) -// }) -// It("should successfully reconcile the resource", func() { -// By("Reconciling the created resource") -// controllerReconciler := &RemoteUserBindingReconciler{ -// Client: k8sClient, -// Scheme: k8sClient.Scheme(), -// } - -// _, err := controllerReconciler.Reconcile(ctx, reconcile.Request{ -// NamespacedName: typeNamespacedName, -// }) -// Expect(err).NotTo(HaveOccurred()) -// // TODO(user): Add more specific assertions depending on your controller's reconciliation logic. -// // Example: If you expect a certain status condition after reconciliation, verify it here. -// }) -// }) -// }) +import ( + "context" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + corev1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + syngit "syngit.io/syngit/api/v1beta1" +) + +var _ = Describe("RemoteUserBinding Controller", func() { + + const ( + timeout = time.Second * 10 + duration = time.Second * 10 + interval = time.Millisecond * 250 + + userNamespace = "default" + ) + + Context("When reconciling a resource", func() { + const ( + resourceName = "test-remoteuserbinding" + dummySecret = "dummy-secret" + dummyUser = "dummy-secret" + ) + + const remoteusername = "sample-remoteuser" + remoteuserNamespacedName := types.NamespacedName{ + Name: remoteusername, + Namespace: userNamespace, + } + remoteUser := &syngit.RemoteUser{} + + typeNamespacedName := types.NamespacedName{ + Name: resourceName, + Namespace: userNamespace, + } + remoteUserBinding := &syngit.RemoteUserBinding{} + + ctx := context.Background() + + BeforeEach(func() { + + By("Creating the RemoteUser") 
+ err := k8sClient.Get(ctx, remoteuserNamespacedName, remoteUser) + if err != nil && errors.IsNotFound(err) { + resource := &syngit.RemoteUser{ + ObjectMeta: metav1.ObjectMeta{ + Name: remoteusername, + Namespace: userNamespace, + }, + Spec: syngit.RemoteUserSpec{ + Email: "sample@email.com", + GitBaseDomainFQDN: "sample-git-server.com", + AssociatedRemoteUserBinding: true, + SecretRef: corev1.SecretReference{ + Name: dummySecret, + }, + }, + } + Expect(k8sClient.Create(ctx, resource)).To(Succeed()) + } + + By("Creating the RemoteUserBinding") + err = k8sClient.Get(ctx, typeNamespacedName, remoteUserBinding) + if err != nil && errors.IsNotFound(err) { + resource := &syngit.RemoteUserBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: resourceName, + Namespace: userNamespace, + }, + Spec: syngit.RemoteUserBindingSpec{ + RemoteRefs: []corev1.ObjectReference{{Name: remoteusername}}, + Subject: rbacv1.Subject{ + Kind: rbacv1.UserKind, + Name: dummyUser, + }, + }, + } + Expect(k8sClient.Create(ctx, resource)).To(Succeed()) + } + }) + + AfterEach(func() { + + err := k8sClient.Get(ctx, remoteuserNamespacedName, remoteUser) + Expect(err).NotTo(HaveOccurred()) + + err = k8sClient.Get(ctx, typeNamespacedName, remoteUserBinding) + Expect(err).NotTo(HaveOccurred()) + + By("Cleanup the specific resource instance RemoteUser") + Expect(k8sClient.Delete(ctx, remoteUser)).To(Succeed()) + + By("Cleanup the specific resource instance RemoteUserBinding") + Expect(k8sClient.Delete(ctx, remoteUserBinding)).To(Succeed()) + }) + + It("Should successfully reconcile the resource", func() { + ruLookupKeyRub := types.NamespacedName{Name: resourceName, Namespace: userNamespace} + createdRemoteUserBinding := &syngit.RemoteUserBinding{} + + Eventually(func() bool { + err := k8sClient.Get(ctx, ruLookupKeyRub, createdRemoteUserBinding) + return err == nil && createdRemoteUserBinding.Status.UserKubernetesID != "" + }, timeout, interval).Should(BeTrue()) + + 
Expect(createdRemoteUserBinding.Status.UserKubernetesID).Should(Equal(dummyUser)) + }) + }) +}) diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go index f36dbce..d16c205 100644 --- a/internal/controller/suite_test.go +++ b/internal/controller/suite_test.go @@ -35,7 +35,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/webhook" "sigs.k8s.io/controller-runtime/pkg/webhook/admission" - syngit "syngit.io/syngit/api/v1alpha4" + syngit "syngit.io/syngit/api/v1beta1" //+kubebuilder:scaffold:imports ) @@ -89,17 +89,17 @@ var _ = BeforeSuite(func() { }) Expect(err).ToNot(HaveOccurred()) + k8sManager.GetWebhookServer().Register("/syngit-v1beta1-remoteuser-association", &webhook.Admission{Handler: &RemoteUserWebhookHandler{ + Client: k8sManager.GetClient(), + Decoder: admission.NewDecoder(k8sManager.GetScheme()), + }}) + err = (&RemoteUserReconciler{ Client: k8sManager.GetClient(), Scheme: k8sManager.GetScheme(), }).SetupWithManager(k8sManager) Expect(err).ToNot(HaveOccurred()) - k8sManager.GetWebhookServer().Register("/reconcile-syngit-remoteuser-owner", &webhook.Admission{Handler: &RemoteUserWebhookHandler{ - Client: k8sManager.GetClient(), - Decoder: admission.NewDecoder(k8sManager.GetScheme()), - }}) - err = (&RemoteUserBindingReconciler{ Client: k8sManager.GetClient(), Scheme: k8sManager.GetScheme(), diff --git a/internal/controller/webhook_request_checker.go b/internal/controller/webhook_request_checker.go index 7d4e24a..8f4e8e3 100644 --- a/internal/controller/webhook_request_checker.go +++ b/internal/controller/webhook_request_checker.go @@ -5,6 +5,7 @@ import ( "encoding/json" "errors" "net/url" + "os" "sync" "github.com/go-logr/logr" @@ -15,7 +16,7 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" - syngit "syngit.io/syngit/api/v1alpha4" + syngit "syngit.io/syngit/api/v1beta1" ) type gitUser struct { 
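Review bot: `dummyUser = "dummy-secret"` in the new constant block carries the same value as `dummySecret`, which reads as a copy-paste slip; it is used as the binding's `Subject.Name` and in the final `UserKubernetesID` assertion, so the test passes but no longer tells the two identities apart — `dummyUser = "dummy-user"` keeps the intent. Both `BeforeEach` branches use `if err != nil && errors.IsNotFound(err)`, so any other `Get` failure (scheme not registered, API unreachable) is silently skipped and the test then fails later on an unrelated assertion; `Expect(err == nil || errors.IsNotFound(err)).To(BeTrue())` before the branch makes the real cause visible. The `duration` constant is declared but not referenced anywhere in this file section, so it can be dropped. The RemoteUser is created with a `SecretRef` to `dummySecret` without creating that Secret; if that is deliberate because only the binding path is under test here, a one-line comment saying so would save the next reader a search.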
@@ -39,12 +40,17 @@ type wrcDetails struct { messageAddition string // GitPusher information - repoFQDN string - repoPath string - commitHash string - gitUser gitUser - remoteConf syngit.GitServerConfiguration - pushDetails string + repoUrl string + repoPath string + repoHost string + commitHash string + gitUser gitUser + insecureSkipTlsVerify bool + caBundle string + pushDetails string + + // Error + errorDuringProcess bool } const ( @@ -70,12 +76,14 @@ func (wrc *WebhookRequestChecker) ProcessSteps() admissionv1.AdmissionReview { // STEP 1 : Get the request details rDetails, err := wrc.retrieveRequestDetails() if err != nil { + rDetails.errorDuringProcess = true return wrc.responseConstructor(rDetails) } // STEP 2 : Check if is bypass user (SA of argo, flux, etc..) isBypassUser, err := wrc.isBypassSubject(&rDetails) if err != nil { + rDetails.errorDuringProcess = true return wrc.responseConstructor(rDetails) } if isBypassUser { @@ -86,6 +94,7 @@ func (wrc *WebhookRequestChecker) ProcessSteps() admissionv1.AdmissionReview { processAllowed, err := wrc.userAllowed(&rDetails) rDetails.processPass = processAllowed if err != nil { + rDetails.errorDuringProcess = true return wrc.responseConstructor(rDetails) } 
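Review bot: `rDetails.errorDuringProcess = true` immediately followed by `return wrc.responseConstructor(rDetails)` is repeated before every early return in ProcessSteps (this hunk and the -86 and -93 hunks, six occurrences); since responseConstructor reports `"Success"` whenever the flag is unset (-484 hunk), any future early return that forgets the assignment is reported as a success. A one-line helper keeps the flag and the return together: `func (wrc *WebhookRequestChecker) failed(d wrcDetails) admissionv1.AdmissionReview { d.errorDuringProcess = true; return wrc.responseConstructor(d) }`, called as `return wrc.failed(rDetails)`. In the struct hunk, `insecureSkipTlsVerify bool` is only ever assigned the constant `false` by tlsContructor (-406 hunk), so a comment on the field stating whether any v1beta1 spec field is meant to drive it — or removing the field — would help the next reader. ProcessSteps starts and ends outside these hunks.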
@@ -93,20 +102,29 @@ func (wrc *WebhookRequestChecker) ProcessSteps() admissionv1.AdmissionReview { if wrc.admReview.Request.Operation != admissionv1.Delete { err = wrc.convertToYaml(&rDetails) if err != nil { + rDetails.errorDuringProcess = true return wrc.responseConstructor(rDetails) } } else { rDetails.interceptedYAML = "" } - // STEP 5 : Git push + // Step 5 : TLS constructor + err = wrc.tlsContructor(&rDetails) + if err != nil { + rDetails.errorDuringProcess = true + return wrc.responseConstructor(rDetails) + } + + // STEP 6 : Git push isPushed, err := wrc.gitPush(&rDetails) wrc.gitPushPostChecker(isPushed, err, &rDetails) if err != nil { + rDetails.errorDuringProcess = true return wrc.responseConstructor(rDetails) } - // STEP 6 : Post checking + // STEP 5 : Post checking wrc.postcheck(&rDetails) return wrc.responseConstructor(rDetails) @@ -146,16 +164,13 @@ func (wrc *WebhookRequestChecker) userAllowed(details *wrcDetails) (bool, error) } fqdn := u.Host + details.repoHost = fqdn ctx := context.Background() gitUser := &gitUser{ gitUser: "", gitEmail: "", gitToken: "", } - remoteConf := &syngit.GitServerConfiguration{ - CaBundle: "", - InsecureSkipTlsVerify: false, - } var remoteUserBindings = &syngit.RemoteUserBindingList{} err = wrc.k8sClient.List(ctx, remoteUserBindings, client.InNamespace(wrc.remoteSyncer.Namespace)) @@ -171,7 +186,7 @@ func (wrc *WebhookRequestChecker) userAllowed(details *wrcDetails) (bool, error) // The subject name can not be unique -> in specific conditions, a commit can be done as another user // Need to be studied if remoteUserBinding.Spec.Subject.Name == incomingUser.Username { - remoteConf, gitUser, err = wrc.searchForGitTokenFromRemoteUserBinding(remoteUserBinding, fqdn, remoteConf) + gitUser, err = wrc.searchForGitTokenFromRemoteUserBinding(remoteUserBinding, fqdn) if err != nil { errMsg := err.Error() details.messageAddition = errMsg 
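Review bot: `// STEP 5 : Post checking` renumbers the last step downwards although a step was inserted before it; with TLS as step 5 and git push as step 6, post-checking is `// STEP 7 : Post checking`, and the new header `// Step 5 : TLS constructor` breaks the `STEP N :` casing its neighbours use. The method name `tlsContructor` is missing an `s` (`tlsConstructor`), which applies to its definition in the -406 hunk as well. In the -146 hunk, `details.repoHost = fqdn` stores `u.Host`, which still carries a `:port` when the repository URL has one; that value is later used to build a Secret name in tlsContructor, so either strip the port here (`u.Hostname()`) or state in a comment that the host must be port-less. ProcessSteps and userAllowed both start and end outside these hunks.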
@@ -184,7 +199,7 @@ func (wrc *WebhookRequestChecker) userAllowed(details *wrcDetails) (bool, error) if userCountLoop == 0 { // Check if there is a default user that we can use - if wrc.remoteSyncer.Spec.DefaultUnauthorizedUserMode != syngit.UseDefaultUser || wrc.remoteSyncer.Spec.DefaultUser == nil || wrc.remoteSyncer.Spec.DefaultUser.Name == "" { + if wrc.remoteSyncer.Spec.DefaultUnauthorizedUserMode != syngit.UseDefaultUser || wrc.remoteSyncer.Spec.DefaultRemoteUserRef == nil || wrc.remoteSyncer.Spec.DefaultRemoteUserRef.Name == "" { errMsg := "no RemoteUserBinding found for the user " + incomingUser.Username details.messageAddition = errMsg return false, errors.New(errMsg) @@ -193,12 +208,12 @@ func (wrc *WebhookRequestChecker) userAllowed(details *wrcDetails) (bool, error) // Search for the default RemoteUser object namespacedName := &types.NamespacedName{ Namespace: wrc.remoteSyncer.Namespace, - Name: wrc.remoteSyncer.Spec.DefaultUser.Name, + Name: wrc.remoteSyncer.Spec.DefaultRemoteUserRef.Name, } remoteUser := &syngit.RemoteUser{} err := wrc.k8sClient.Get(ctx, *namespacedName, remoteUser) if err != nil { - errMsg := "the default user is not found : " + wrc.remoteSyncer.Spec.DefaultUser.Name + errMsg := "the default user is not found : " + wrc.remoteSyncer.Spec.DefaultRemoteUserRef.Name details.messageAddition = errMsg return false, err } @@ -208,7 +223,7 @@ func (wrc *WebhookRequestChecker) userAllowed(details *wrcDetails) (bool, error) details.messageAddition = errMsg return false, err } - remoteConf, gitUser, err = wrc.searchForGitToken(*remoteUser, remoteConf) + gitUser, err = wrc.searchForGitToken(*remoteUser) if err != nil { errMsg := err.Error() details.messageAddition = errMsg 
@@ -223,12 +238,11 @@ func (wrc *WebhookRequestChecker) userAllowed(details *wrcDetails) (bool, error) } details.gitUser = *gitUser - details.remoteConf = *remoteConf return true, nil } -func (wrc *WebhookRequestChecker) searchForGitToken(remoteUser syngit.RemoteUser, remoteConf *syngit.GitServerConfiguration) (*syngit.GitServerConfiguration, *gitUser, error) { +func (wrc *WebhookRequestChecker) searchForGitToken(remoteUser syngit.RemoteUser) (*gitUser, error) { userGitName := "" userGitEmail := "" userGitToken := "" @@ -249,9 +263,6 @@ func (wrc *WebhookRequestChecker) searchForGitToken(remoteUser syngit.RemoteUser secretCount++ userGitEmail = remoteUser.Spec.Email - - remoteConf.CaBundle = remoteUser.Status.GitServerConfiguration.CaBundle - remoteConf.InsecureSkipTlsVerify = remoteUser.Status.GitServerConfiguration.InsecureSkipTlsVerify } gitUser := &gitUser{ 
@@ -261,16 +272,16 @@ func (wrc *WebhookRequestChecker) searchForGitToken(remoteUser syngit.RemoteUser } if secretCount == 0 { - return remoteConf, gitUser, errors.New("no Secret found for the current user to log on the git repository with the RemoteUser : " + remoteUser.Name) + return gitUser, errors.New("no Secret found for the current user to log on the git repository with the RemoteUser : " + remoteUser.Name) } if userGitToken == "" { - return remoteConf, gitUser, errors.New("no token found in the secret; the token must be specified in the password field and the secret type must be kubernetes.io/basic-auth") + return gitUser, errors.New("no token found in the secret; the token must be specified in the password field and the secret type must be kubernetes.io/basic-auth") } - return remoteConf, gitUser, nil + return gitUser, nil } -func (wrc *WebhookRequestChecker) searchForGitTokenFromRemoteUserBinding(rub syngit.RemoteUserBinding, fqdn string, remoteConf *syngit.GitServerConfiguration) (*syngit.GitServerConfiguration, *gitUser, error) { +func (wrc *WebhookRequestChecker) searchForGitTokenFromRemoteUserBinding(rub syngit.RemoteUserBinding, fqdn string) (*gitUser, error) { remoteUserCount := 0 ctx := context.Background() 
@@ -290,24 +301,24 @@ func (wrc *WebhookRequestChecker) searchForGitTokenFromRemoteUserBinding(rub syn if remoteUser.Spec.GitBaseDomainFQDN == fqdn { remoteUserCount++ - remoteConf, gitUser, err = wrc.searchForGitToken(*remoteUser, remoteConf) + gitUser, err = wrc.searchForGitToken(*remoteUser) if err != nil { - return remoteConf, gitUser, err + return gitUser, err } } } if remoteUserCount == 0 { - return remoteConf, gitUser, errors.New("no RemoteUser found for the current user with this fqdn : " + fqdn) + return gitUser, errors.New("no RemoteUser found for the current user with this fqdn : " + fqdn) } if remoteUserCount > 1 { - return remoteConf, gitUser, errors.New("more than one RemoteUser found for the current user with this fqdn : " + fqdn) + return gitUser, errors.New("more than one RemoteUser found for the current user with this fqdn : " + fqdn) } if remoteUserCount > 1 { - return remoteConf, gitUser, errors.New("more than one Secret found for the current user to log on the git repository with this fqdn : " + fqdn) + return gitUser, errors.New("more than one Secret found for the current user to log on the git repository with this fqdn : " + fqdn) } - return remoteConf, gitUser, nil + return gitUser, nil } func (wrc *WebhookRequestChecker) isBypassSubject(details *wrcDetails) (bool, error) { 
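Review bot: The second `if remoteUserCount > 1` block can never execute, because the block directly above it returns on the identical condition, so the `"more than one Secret found ..."` return the commit rewrites is dead code. If the intent is to detect several Secrets for one user, that needs its own counter — searchForGitToken keeps a `secretCount` (-249 hunk) but does not return it — otherwise the block should be deleted rather than carried into the new signature. searchForGitTokenFromRemoteUserBinding starts outside the hunk.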
@@ -361,11 +372,11 @@ func (wrc *WebhookRequestChecker) convertToYaml(details *wrcDetails) error { paths := wrc.remoteSyncer.Spec.ExcludedFields // Check if the excludedFields ConfigMap exists - if wrc.remoteSyncer.Spec.ExcludedFieldsConfig != nil && wrc.remoteSyncer.Spec.ExcludedFieldsConfig.Name != "" { + if wrc.remoteSyncer.Spec.ExcludedFieldsConfigMapRef != nil && wrc.remoteSyncer.Spec.ExcludedFieldsConfigMapRef.Name != "" { ctx := context.Background() secretNamespacedName := &types.NamespacedName{ Namespace: wrc.remoteSyncer.Namespace, - Name: wrc.remoteSyncer.Spec.ExcludedFieldsConfig.Name, + Name: wrc.remoteSyncer.Spec.ExcludedFieldsConfigMapRef.Name, } excludedFieldsConfig := &corev1.ConfigMap{} err := wrc.k8sClient.Get(ctx, *secretNamespacedName, excludedFieldsConfig) 
@@ -406,17 +417,55 @@ func (wrc *WebhookRequestChecker) convertToYaml(details *wrcDetails) error { return nil } +func (wrc *WebhookRequestChecker) tlsContructor(details *wrcDetails) error { + insecureSkipTlsVerify := false + caBundle := "" + + ctx := context.Background() + errMsg := "the CA bundle secret must be of type \"kubernetes.io/ts\"" + + // Step 1: Search for the global CA Bundle of the server located in the syngit namespace + globalNamespacedName := types.NamespacedName{Namespace: os.Getenv("MANAGER_NAMESPACE"), Name: details.repoHost + "-ca-bundle"} + caBundleSecret := &corev1.Secret{} + err := wrc.k8sClient.Get(ctx, globalNamespacedName, caBundleSecret) + if err == nil { + if caBundleSecret.Type != "kubernetes.io/tls" { + details.messageAddition = errMsg + return errors.New(errMsg) + } + caBundle = caBundleSecret.StringData["tls.crt"] + } + + // Step 2: Search for a specific CA Bundle located in the current namespace + caBundleSecretRef := wrc.remoteSyncer.Spec.CABundleSecretRef + namespacedName := types.NamespacedName{Namespace: caBundleSecretRef.Namespace, Name: caBundleSecretRef.Name} + err = wrc.k8sClient.Get(ctx, namespacedName, caBundleSecret) + if err == nil { + if caBundleSecret.Type != "kubernetes.io/tls" { + details.messageAddition = errMsg + return errors.New(errMsg) + } + caBundle = caBundleSecret.StringData["tls.crt"] + } + + details.insecureSkipTlsVerify = insecureSkipTlsVerify + details.caBundle = caBundle + + return nil +} + func (wrc *WebhookRequestChecker) gitPush(details *wrcDetails) (bool, error) { gitPusher := &GitPusher{ - remoteSyncer: *wrc.remoteSyncer.DeepCopy(), - interceptedYAML: details.interceptedYAML, - interceptedGVR: details.interceptedGVR, - interceptedName: details.interceptedName, - gitUser: details.gitUser.gitUser, - gitEmail: details.gitUser.gitEmail, - gitToken: details.gitUser.gitToken, - operation: wrc.admReview.Request.Operation, - remoteConfiguration: details.remoteConf, + remoteSyncer: 
*wrc.remoteSyncer.DeepCopy(), + interceptedYAML: details.interceptedYAML, + interceptedGVR: details.interceptedGVR, + interceptedName: details.interceptedName, + gitUser: details.gitUser.gitUser, + gitEmail: details.gitUser.gitEmail, + gitToken: details.gitUser.gitToken, + operation: wrc.admReview.Request.Operation, + insecureSkipTlsVerify: details.insecureSkipTlsVerify, + caBundle: details.caBundle, } res, err := gitPusher.Push() if err != nil { @@ -431,7 +480,7 @@ func (wrc *WebhookRequestChecker) gitPush(details *wrcDetails) (bool, error) { details.repoPath = res.path details.commitHash = res.commitHash - details.repoFQDN = wrc.remoteSyncer.Spec.RemoteRepository + details.repoUrl = wrc.remoteSyncer.Spec.RemoteRepository return true, nil } @@ -457,10 +506,10 @@ func (wrc *WebhookRequestChecker) gitPushPostChecker(isPushed bool, err error, d func (wrc *WebhookRequestChecker) postcheck(details *wrcDetails) bool { // Check the Commit Process mode - if wrc.remoteSyncer.Spec.CommitProcess == syngit.CommitOnly { + if wrc.remoteSyncer.Spec.ProcessMode == syngit.CommitOnly { details.webhookPass = false } - if wrc.remoteSyncer.Spec.CommitProcess == syngit.CommitApply { + if wrc.remoteSyncer.Spec.ProcessMode == syngit.CommitApply { details.webhookPass = true } @@ -484,7 +533,7 @@ func (wrc *WebhookRequestChecker) responseConstructor(details wrcDetails) admiss // Set the status and the message depending of the status of the webhook status := "Failure" message := defaultFailureMessage - if details.processPass { + if !details.errorDuringProcess { status = "Success" message = successMessage } else { 
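Review bot: `caBundleSecret.StringData["tls.crt"]` in tlsContructor is always empty for a Secret read from the API server — `StringData` is a write-only convenience field and the payload comes back in `Data` — so `caBundle` stays `""` on both steps and no bundle ever reaches GitPusher; read `string(caBundleSecret.Data["tls.crt"])` (and if a CA rather than a leaf certificate is intended, `ca.crt` is the conventional key in a `kubernetes.io/tls` Secret). The two `if err == nil` guards also swallow every non-NotFound error (RBAC denied, timeout) and silently continue without a bundle, and step 1 issues a Get in namespace `""` when `MANAGER_NAMESPACE` is unset; only NotFound should be tolerated (`apierrors.IsNotFound` from `k8s.io/apimachinery/pkg/api/errors`, aliased since stdlib `errors` is already imported) and step 1 should be skipped when the variable is empty. `errMsg` says `"kubernetes.io/ts"` while the comparison uses `"kubernetes.io/tls"`; `corev1.SecretTypeTLS` removes both the typo and the duplicated literal. `insecureSkipTlsVerify` is a constant `false` copied into details and GitPusher, so drop the local or document that nothing in the spec drives it; `CABundleSecretRef` is dereferenced without a nil check (its type is not visible here) and its `Namespace` lets a RemoteSyncer read a Secret from any namespace the manager can reach, which I would at least default to `wrc.remoteSyncer.Namespace`. A rewrite applying these points with a small helper follows; the gitPush changes below it are unaffected.

```go
func (wrc *WebhookRequestChecker) tlsContructor(details *wrcDetails) error {
	ctx := context.Background()
	caBundle := ""

	// Step 1: global CA bundle for this git host, stored in the manager namespace.
	// Skipped when MANAGER_NAMESPACE is unset instead of issuing a Get in namespace "".
	if managerNs := os.Getenv("MANAGER_NAMESPACE"); managerNs != "" {
		globalName := types.NamespacedName{Namespace: managerNs, Name: details.repoHost + "-ca-bundle"}
		pem, err := wrc.readCABundle(ctx, globalName)
		if err != nil {
			details.messageAddition = err.Error()
			return err
		}
		caBundle = pem
	}

	// Step 2: a RemoteSyncer-specific bundle overrides the global one.
	ref := wrc.remoteSyncer.Spec.CABundleSecretRef
	if ref.Name != "" { // add a nil check first if CABundleSecretRef is a pointer
		ns := ref.Namespace
		if ns == "" {
			ns = wrc.remoteSyncer.Namespace
		}
		pem, err := wrc.readCABundle(ctx, types.NamespacedName{Namespace: ns, Name: ref.Name})
		if err != nil {
			details.messageAddition = err.Error()
			return err
		}
		if pem != "" {
			caBundle = pem
		}
	}

	details.insecureSkipTlsVerify = false // always false here; nothing in the visible spec drives it
	details.caBundle = caBundle
	return nil
}

// readCABundle returns the PEM stored under tls.crt of a kubernetes.io/tls Secret,
// "" when the Secret does not exist, and an error for any other failure.
func (wrc *WebhookRequestChecker) readCABundle(ctx context.Context, name types.NamespacedName) (string, error) {
	secret := &corev1.Secret{}
	if err := wrc.k8sClient.Get(ctx, name, secret); err != nil {
		if apierrors.IsNotFound(err) {
			return "", nil
		}
		return "", err
	}
	if secret.Type != corev1.SecretTypeTLS {
		return "", errors.New("the CA bundle secret must be of type \"kubernetes.io/tls\"")
	}
	// Secrets read from the API server carry their payload in Data; StringData is write-only.
	return string(secret.Data["tls.crt"]), nil
}

// … unchanged: gitPush …
```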
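Review bot: The review's status and message now depend only on `!details.errorDuringProcess`, so a return from ProcessSteps with `processPass == false` and `err == nil` would be reported as `"Success"` with `successMessage`; every error return visible in the -70, -86 and -93 hunks does set the flag, but whether a non-error path with `processPass` false exists (the bypass branch, for instance) is not visible here. The two signals used to be one, so either a comment above the condition stating why `processPass` no longer drives the status, or `if !details.errorDuringProcess && details.processPass {` if `processPass` is guaranteed true on every non-error path, would make the intent checkable. responseConstructor starts and ends outside the hunk.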
@@ -505,8 +554,8 @@ func (wrc *WebhookRequestChecker) responseConstructor(details wrcDetails) admiss // Annotation that will be stored in the outcoming object auditAnnotation := make(map[string]string) - if details.repoFQDN != "" { - auditAnnotation["syngit-git-repo-fqdn"] = details.repoFQDN + if details.repoUrl != "" { + auditAnnotation["syngit-git-repo-fqdn"] = details.repoUrl } if details.repoPath != "" { auditAnnotation["syngit-git-repo-path"] = details.repoPath @@ -591,7 +640,7 @@ func (wrc *WebhookRequestChecker) updateStatus(kind string, details wrcDetails) LastPushedObjectTime: v1.Now(), LastPushedObject: *gvrn, LastPushedObjectGitPath: details.repoPath, - LastPushedObjectGitRepo: details.repoFQDN, + LastPushedObjectGitRepo: details.repoUrl, LastPushedObjectGitCommitHash: details.commitHash, LastPushedGitUser: details.gitUser.gitUser, LastPushedObjectStatus: details.pushDetails,
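Review bot: `auditAnnotation["syngit-git-repo-fqdn"]` now carries `details.repoUrl`, i.e. the full `RemoteRepository` URL, while the key still says fqdn; the same applies to `LastPushedObjectGitRepo` in the -591 hunk. Renaming the key would break anything already reading the annotation, so a comment such as `// key kept for compatibility; the value is the full repository URL since the repoFQDN -> repoUrl rename` above the assignment records the mismatch for the next reader. Both enclosing functions start and end outside these hunks.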