Use different white/blacklists for sync/prune jobs

appuio · Sep 25, 2024 · f22a34c · f22a34c
1 parent 85455bc
commit f22a34c
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 59 deletions.
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -21,7 +21,6 @@ parameters:
 
     ldapSync:
       schedule: '%d * * * *'
-      customCommand: {}
 
     secrets: {}
       # my-secret-example:

diff --git a/component/ldap.libsonnet b/component/ldap.libsonnet
@@ -14,8 +14,10 @@ local syncConfig(namespace, idp, sa) =
   local files = {
     caBundle: 'ca-bundle.crt',
     config: 'config.yaml',
-    blacklist: 'blacklist.txt',
-    whitelist: 'whitelist.txt',
+    blacklist_sync: 'blacklist-sync.txt',
+    blacklist_prune: 'blacklist-prune.txt',
+    whitelist_sync: 'whitelist-sync.txt',
+    whitelist_prune: 'whitelist-prune.txt',
   };
   local syncCfg = {
     kind: 'LDAPSyncConfig',
@@ -61,9 +63,11 @@ local syncConfig(namespace, idp, sa) =
     )),
     com.namespaced(namespace, kube.Secret(name) {
       stringData: {
-        [files.blacklist]: if std.objectHas(idp.ldap.sync, 'blacklist') then idp.ldap.sync.blacklist else '',
         [files.config]: std.manifestYamlDoc(syncCfg),
-        [files.whitelist]: if std.objectHas(idp.ldap.sync, 'whitelist') then idp.ldap.sync.whitelist else '',
+        [files.blacklist_sync]: if std.objectHas(idp.ldap.sync, 'blacklist-sync') then idp.ldap.sync.blacklist_sync else '',
+        [files.blacklist_prune]: if std.objectHas(idp.ldap.sync, 'blacklist-prune') then idp.ldap.sync.blacklist_prune else '',
+        [files.whitelist_sync]: if std.objectHas(idp.ldap.sync, 'whitelist-sync') then idp.ldap.sync.whitelist_sync else '',
+        [files.whitelist_prune]: if std.objectHas(idp.ldap.sync, 'whitelist-prune') then idp.ldap.sync.whitelist_prune else '',
       },
     }),
 
@@ -93,16 +97,16 @@ local syncConfig(namespace, idp, sa) =
                 local container(command) = kube.Container(command) {
                   image: std.join(':', std.prune([ params.images.sync.image, params.images.sync.tag ])),
                   securityContext: security_context,
-                  command: std.get(params.ldapSync.command, command, [
+                  command: [
                     'oc',
                     'adm',
                     'groups',
                     command,
                     '--sync-config=' + config_mount + files.config,
                     '--confirm',
-                    '--blacklist=' + config_mount + files.blacklist,
-                    '--whitelist=' + config_mount + files.whitelist,
-                  ]),
+                    '--blacklist=' + config_mount + std.get(files, 'blacklist_%s' % command),
+                    '--whitelist=' + config_mount + std.get(files, 'whitelist_%s' % command),
+                  ],
                   volumeMounts_+: {
                     [config_volume]: { mountPath: config_mount },
                     [ca_volume]: { mountPath: ca_mount },

diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -130,18 +130,6 @@ See the upstream documentation on https://docs.openshift.com/container-platform/
 
 == `ldapSync`
 
-[horizontal]
-type:: dict
-default::
-+
-[source,yaml]
-----
-schedule: '%d * * * *'
-command: {}
-----
-
-=== `ldapSync.schedule`
-
 [horizontal]
 type:: string
 default::
@@ -158,21 +146,6 @@ The component will apply the logic documented in the Project Syn Jsonnet best pr
 
 NOTE: The component may break if you specify a schedule which doesn't contain exactly one `%d` format specifier.
 
-=== `ldapSync.command`
-
-[horizontal]
-type:: dict
-default::
-+
-[source,yaml]
-----
-command: {}
-----
-
-This parameter allows overwriting the commands used for `sync` and `prune`.
-
-NOTE: The command defined here will apply to all LDAP idedtity providers.
-
 == `secrets`
 
 [horizontal]

diff --git a/tests/defaults.yml b/tests/defaults.yml
@@ -114,12 +114,3 @@ parameters:
           clientSecret:
             name: oidc-client
           issuer: https://sso.company.tld/auth/realms/master
-
-    ldapSync:
-      command:
-        prune:
-          - oc
-          - adm
-          - do
-          - something
-          - else
diff --git a/tests/golden/defaults/openshift4-authentication/openshift4-authentication/20_ldap_sync.yaml b/tests/golden/defaults/openshift4-authentication/openshift4-authentication/20_ldap_sync.yaml
@@ -66,7 +66,8 @@ metadata:
   name: ldap-sync-company-ldap
   namespace: openshift-config
 stringData:
-  blacklist.txt: ''
+  blacklist-prune.txt: ''
+  blacklist-sync.txt: ''
   config.yaml: |-
     "apiVersion": "v1"
     "bindDN": "uid=service,ou=idp,dc=company,dc=tld"
@@ -96,7 +97,8 @@ stringData:
         "pageSize": 0
         "scope": "sub"
     "url": "ldaps://ldap.company.tld:636/ou=services,dc=company,dc=tld?uid"
-  whitelist.txt: ''
+  whitelist-prune.txt: ''
+  whitelist-sync.txt: ''
 type: Opaque
 ---
 apiVersion: batch/v1
@@ -128,8 +130,8 @@ spec:
                 - sync
                 - --sync-config=/etc/sync-config/config.yaml
                 - --confirm
-                - --blacklist=/etc/sync-config/blacklist.txt
-                - --whitelist=/etc/sync-config/whitelist.txt
+                - --blacklist=/etc/sync-config/blacklist-sync.txt
+                - --whitelist=/etc/sync-config/whitelist-sync.txt
               env: []
               image: image-registry.openshift-image-registry.svc:5000/openshift/cli
               imagePullPolicy: IfNotPresent
@@ -155,9 +157,12 @@ spec:
               command:
                 - oc
                 - adm
-                - do
-                - something
-                - else
+                - groups
+                - prune
+                - --sync-config=/etc/sync-config/config.yaml
+                - --confirm
+                - --blacklist=/etc/sync-config/blacklist-prune.txt
+                - --whitelist=/etc/sync-config/whitelist-prune.txt
               env: []
               image: image-registry.openshift-image-registry.svc:5000/openshift/cli
               imagePullPolicy: IfNotPresent
@@ -226,7 +231,8 @@ metadata:
   name: ldap-sync-other-ldap
   namespace: openshift-config
 stringData:
-  blacklist.txt: ''
+  blacklist-prune.txt: ''
+  blacklist-sync.txt: ''
   config.yaml: |-
     "apiVersion": "v1"
     "bindDN": "uid=service,ou=idp,dc=company,dc=tld"
@@ -256,7 +262,8 @@ stringData:
         "pageSize": 0
         "scope": "sub"
     "url": "ldaps://ldap.company.tld:636/ou=services,dc=company,dc=tld?uid"
-  whitelist.txt: ''
+  whitelist-prune.txt: ''
+  whitelist-sync.txt: ''
 type: Opaque
 ---
 apiVersion: batch/v1
@@ -288,8 +295,8 @@ spec:
                 - sync
                 - --sync-config=/etc/sync-config/config.yaml
                 - --confirm
-                - --blacklist=/etc/sync-config/blacklist.txt
-                - --whitelist=/etc/sync-config/whitelist.txt
+                - --blacklist=/etc/sync-config/blacklist-sync.txt
+                - --whitelist=/etc/sync-config/whitelist-sync.txt
               env: []
               image: image-registry.openshift-image-registry.svc:5000/openshift/cli
               imagePullPolicy: IfNotPresent
@@ -315,9 +322,12 @@ spec:
               command:
                 - oc
                 - adm
-                - do
-                - something
-                - else
+                - groups
+                - prune
+                - --sync-config=/etc/sync-config/config.yaml
+                - --confirm
+                - --blacklist=/etc/sync-config/blacklist-prune.txt
+                - --whitelist=/etc/sync-config/whitelist-prune.txt
               env: []
               image: image-registry.openshift-image-registry.svc:5000/openshift/cli
               imagePullPolicy: IfNotPresent