Manage configuration inheritance + refactor GitRemote configuration s…

…pecification

Makefile

@@ -53,7 +53,7 @@ dev-deploy: # Launch dev env on the cluster
 	kind load docker-image $(IMAGE) --name dev-cluster
 	cd $(WEBHOOK_PATH) && cp manifests.yaml manifests.yaml.temp
 	cd $(WEBHOOK_PATH) && cp secret.yaml secret.yaml.temp
-	make deploy-dev-nr IMG=$(IMAGE)
+	make deploy IMG=$(IMAGE)
 
 # .PHONY: dev-run
 # dev-run: # Deploy fake webhook & launch dev env in cli
@@ -121,7 +121,7 @@ build: manifests generate fmt vet ## Build manager binary.
 
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
-	export MANAGER_NAMESPACE=system DEV=true && go run ./cmd/main.go
+	export MANAGER_NAMESPACE=operator-system DEV=true && go run ./cmd/main.go
 
 # If you wish to build the manager image targeting other platforms you can use the --platform flag.
 # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it.
@@ -179,15 +179,10 @@ install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~
 uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/crd | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
 
-.PHONY: deploy-dev-nr
-deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	cd $(WEBHOOK_PATH) && ./cert-injector.sh manifests.yaml
-	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f -
-
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd $(WEBHOOK_PATH) && ./cert-injector.sh manifests.yaml
 	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f -
 
 .PHONY: undeploy

api/v1/gitremote_types.go

@@ -30,40 +30,50 @@ type GitRemoteSpec struct {
 	GitBaseDomainFQDN string `json:"gitBaseDomainFQDN"`
 
 	// +optional
-	TestAuthentication bool `json:"testAuthentication,omitempty"`
+	CustomGitProviderConfigRef corev1.ObjectReference `json:"customGitProviderConfigRef,omitempty"`
 
 	// +optional
-	GitProvider string `json:"gitProvider,omitempty"`
+	TestAuthentication bool `json:"testAuthentication,omitempty"`
+}
 
+type GitProviderConfiguration struct {
 	// +optional
-	CustomGitProvider GitProvider `json:"customGitProvider,omitempty"`
-
+	Inherited bool `json:"inherited,omitempty" yaml:"inherited,omitempty"`
+	//+ optional
+	AuthenticationEndpoint string `json:"authenticationEndpoint,omitempty" yaml:"authenticationEndpoint,omitempty"`
 	// +optional
-	RemoteConfiguration RemoteConfiguration `json:"remoteConfiguration,omitempty"`
+	CaBundle string `json:"caBundle,omitempty" yaml:"caBundle,omitempty"`
+	// +optional
+	InsecureSkipTlsVerify bool `json:"insecureSkipTlsVerify,omitempty" yaml:"insecureSkipTlsVerify,omitempty"`
 }
 
-type RemoteConfiguration struct {
-	// +optional
-	CaBundle string `json:"caBundle,omitempty"`
+type GitRemoteConnexionStatus struct {
+	Status GitRemoteConnexionStatusReason `json:"status,omitempty"`
 	// +optional
-	InsecureSkipTlsVerify bool `json:"insecureSkipTlsVerify,omitempty"`
+	Details string `json:"details,omitempty"`
 }
 
-type GitProvider struct {
-	FQDN           string `json:"fqdn"`
-	Authentication string `json:"authentication"`
-}
+type GitRemoteConnexionStatusReason string
 
-type GitRemoteConnexionStatus string
+const (
+	GitConnected        GitRemoteConnexionStatusReason = "Connected"
+	GitUnauthorized     GitRemoteConnexionStatusReason = "Unauthorized: bad credentials"
+	GitForbidden        GitRemoteConnexionStatusReason = "Forbidden : Not enough permission"
+	GitNotFound         GitRemoteConnexionStatusReason = "Not found: the git server is not found"
+	GitServerError      GitRemoteConnexionStatusReason = "Server error: a server error happened"
+	GitUnexpectedStatus GitRemoteConnexionStatusReason = "Unexpected response status code"
+	GitNotConnected     GitRemoteConnexionStatusReason = "Not Connected"
+	GitUnsupported      GitRemoteConnexionStatusReason = "Unsupported Git provider"
+	GitConfigNotFound   GitRemoteConnexionStatusReason = "Git provider ConfigMap not found"
+	GitConfigParseError GitRemoteConnexionStatusReason = "Failed to parse the git provider ConfigMap"
+)
+
+type SecretBoundStatus string
 
 const (
-	Connected        GitRemoteConnexionStatus = "Connected"
-	Unauthorized     GitRemoteConnexionStatus = "Unauthorized: bad credentials"
-	Forbidden        GitRemoteConnexionStatus = "Forbidden : Not enough permission"
-	NotFound         GitRemoteConnexionStatus = "Not found: the git repository is not found"
-	ServerError      GitRemoteConnexionStatus = "Server error: a server error happened"
-	UnexpectedStatus GitRemoteConnexionStatus = "Unexpected response status code"
-	Disconnected     GitRemoteConnexionStatus = "Disconnected: The secret has been deleted"
+	SecretBound     SecretBoundStatus = "Secret bound"
+	SecretNotFound  SecretBoundStatus = "Secret not found"
+	SecretWrongType SecretBoundStatus = "Secret type is not set to BasicAuth"
 )
 
 // GitRemoteStatus defines the observed state of GitRemote
@@ -72,10 +82,16 @@ type GitRemoteStatus struct {
 	ConnexionStatus GitRemoteConnexionStatus `json:"connexionStatus,omitempty"`
 
 	// +optional
-	GitUserID string `json:"gitUserID,omitempty"`
+	GitUser string `json:"gitUser,omitempty"`
 
 	// +optional
 	LastAuthTime metav1.Time `json:"lastAuthTime,omitempty"`
+
+	// +optional
+	SecretBoundStatus SecretBoundStatus `json:"secretBoundStatus,omitempty"`
+
+	// +optional
+	GitProviderConfiguration GitProviderConfiguration `json:"gitProviderConfiguration,omitempty"`
 }
 
 //+kubebuilder:object:root=true

api/v1/gitremote_webhook.go

@@ -44,11 +44,6 @@ var _ webhook.Validator = &GitRemote{}
 func (r *GitRemoteSpec) ValidateGitRemoteSpec() field.ErrorList {
 	var errors field.ErrorList
 
-	// The GitProvider must be set if the TestAuthentication field is setted to true
-	if r.TestAuthentication && r.GitProvider == "" {
-		errors = append(errors, field.Required(field.NewPath("gitProvider"), "should be set when testAuthentication is set to true"))
-	}
-
 	return errors
 }
 

api/v1/resourcesinterceptor_types.go

@@ -20,6 +20,7 @@ import (
 	"strings"
 
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -136,52 +137,65 @@ type NamespaceScopedObject struct {
 	Name        string          `json:"name"`
 }
 
+type JsonGVRN struct {
+	Group    string `json:"group"`
+	Version  string `json:"version"`
+	Resource string `json:"resource"`
+	Name     string `json:"name"`
+}
+
 type LastBypassedObjectState struct {
 	// +optional
 	LastBypassedObjectTime metav1.Time `json:"lastBypassObjectTime,omitempty"`
 
 	// +optional
-	LastBypassedObjectSubject rbacv1.Subject `json:"lastBypassObjectSubject,omitempty"`
+	LastBypassedObjectUserInfo authenticationv1.UserInfo `json:"lastBypassObjectUserInfo,omitempty"`
 
 	// +optional
-	LastBypassedObject NamespaceScopedObject `json:"lastBypassObject,omitempty"`
+	LastBypassedObject JsonGVRN `json:"lastBypassObject,omitempty"`
 }
 
 type LastInterceptedObjectState struct {
 	// +optional
 	LastInterceptedObjectTime metav1.Time `json:"lastInterceptedObjectTime,omitempty"`
 
 	// +optional
-	LastInterceptedObjectKubernetesUser rbacv1.Subject `json:"lastInterceptedObjectKubernetesUser,omitempty"`
+	LastInterceptedObjectUserInfo authenticationv1.UserInfo `json:"lastInterceptedObjectUserInfo,omitempty"`
 
 	// +optional
-	LastInterceptedObject NamespaceScopedObject `json:"lastInterceptedObject,omitempty"`
+	LastInterceptedObject JsonGVRN `json:"lastInterceptedObject,omitempty"`
 }
 
 type LastPushedObjectState struct {
 	// +optional
 	LastPushedObjectTime metav1.Time `json:"lastPushedObjectTime,omitempty"`
 
 	// +optional
-	LastPushedGitUserID string `json:"lastPushedGitUserID,omitempty"`
+	LastPushedGitUser string `json:"lastPushedGitUser,omitempty"`
+
+	// +optional
+	LastPushedObjectGitRepo string `json:"lastPushedObjectGitRepo,omitempty"`
 
 	// +optional
 	LastPushedObjectGitPath string `json:"lastPushedObjectGitPath,omitempty"`
 
 	// +optional
-	LastPushedObject NamespaceScopedObject `json:"lastPushedObject,omitempty"`
+	LastPushedObjectGitCommitHash string `json:"lastPushedObjectCommitHash,omitempty"`
 
 	// +optional
-	LastPushedObjectStatus PushedObjectStatus `json:"lastPushedObjectState,omitempty"`
+	LastPushedObject JsonGVRN `json:"lastPushedObject,omitempty"`
+
+	// +optional
+	LastPushedObjectStatus string `json:"lastPushedObjectState,omitempty"`
 }
 
-type PushedObjectStatus string
+// type PushedObjectStatus string
 
-const (
-	Pushed         PushedObjectStatus = "Resource correctly pushed"
-	PushNotAllowed PushedObjectStatus = "Error: Push permission is not allowed on this git repository for this user"
-	NetworkError   PushedObjectStatus = "Error: A network error occured"
-)
+// const (
+// 	Pushed         PushedObjectStatus = "Resource correctly pushed"
+// 	PushNotAllowed PushedObjectStatus = "Error: Push permission is not allowed on this git repository for this user"
+// 	NetworkError   PushedObjectStatus = "Error: A network error occured"
+// )
 
 // ResourcesInterceptorStatus defines the observed state of ResourcesInterceptor
 type ResourcesInterceptorStatus struct {

api/v1/resourcesinterceptor_webhook.go

@@ -54,14 +54,19 @@ func (r *ResourcesInterceptorSpec) ValidateResourcesInterceptorSpec() field.Erro
 		errors = append(errors, field.Required(field.NewPath("defaultUserBind"), "should be set when defaultUnauthorizedUserMode is set to \"UseDefaultUserBind\""))
 	}
 
-	// Validate DefaultBlockAppliedMessage only exists if CommitProcess is set to CommitApply
+	// Validate DefaultBlockAppliedMessage only exists if CommitProcess is set to ApplyCommit
 	if r.DefaultBlockAppliedMessage != "" && r.CommitProcess != "CommitApply" {
 		errors = append(errors, field.Forbidden(field.NewPath("defaultBlockAppliedMessage"), "should not be set if .spec.commitApply is not set to \"CommitApply\""))
 	}
 
+	// Validate that CommitProcess is either CommitApply or CommitOnly
+	if r.CommitProcess != "CommitOnly" && r.CommitProcess != "CommitApply" {
+		errors = append(errors, field.Forbidden(field.NewPath("commitProcess"), "should be set to \"CommitApply\" or \"CommitOnly\""))
+	}
+
 	// For Included and Excluded Resources. Validate that if a name is specified for a resource, then the concerned resource is not referenced without the name
-	errors = append(errors, r.validateFineGrainedIncludedResources(ParsegvrnList(NSRPstoNSRs(r.IncludedResources)))...)
-	errors = append(errors, r.validateFineGrainedExcludedResources(ParsegvrnList(r.ExcludedResources))...)
+	// errors = append(errors, r.validateFineGrainedIncludedResources(ParsegvrnList(NSRPstoNSRs(r.IncludedResources)))...)
+	// errors = append(errors, r.validateFineGrainedExcludedResources(ParsegvrnList(r.ExcludedResources))...)
 
 	// Validate the ExcludedFields to ensure that it is a YAML path
 	for _, fieldPath := range r.ExcludedFields {

chart/0.0.1/templates/controller/git-providers-configuration.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: git-providers-configuration
+data:
+  bitbucket.org: |
+    authenticationEndpoint: https://api.bitbucket.org/2.0/user
+  github.com: |
+    authenticationEndpoint: https://api.github.com/user
+  gitlab.com: |
+    authenticationEndpoint: https://gitlab.com/api/v4/user