ASC-402: Copy the SA token of sub-spaces only for specific tiers #902
Conversation
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Kartikey-star The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Kartikey Mamgain <kmamgain@redhat.com>
Kartikey-star
force-pushed
the
sa_token_copy
branch
from
b83f02c to
de3c499
Compare
| @@ -237,9 +239,9 @@ func (r *Reconciler) updateExistingSubSpace(ctx context.Context, spaceRequest *t | |||
| } | |||
|
|
|||
| // validateNSTemplateTier checks if the provided tierName in the spaceRequest exists and is valid | |||
| func (r *Reconciler) validateNSTemplateTier(ctx context.Context, tierName string) error { | |||
| func (r *Reconciler) validateNSTemplateTier(ctx context.Context, tierName string) (toolchainv1alpha1.NSTemplateTier, error) { | |||
There was a problem hiding this comment.
how about returning a pointer? This way you could return tier or nil.
| func (r *Reconciler) validateNSTemplateTier(ctx context.Context, tierName string) (toolchainv1alpha1.NSTemplateTier, error) { | |
| func (r *Reconciler) validateNSTemplateTier(ctx context.Context, tierName string) (*toolchainv1alpha1.NSTemplateTier, error) { |
| @@ -25,7 +25,7 @@ objects: | |||
| kind: ServiceAccount | |||
| metadata: | |||
| namespace: ${SPACE_NAME}-env | |||
| name: namespace-manager | |||
| name: ${SERVICE_ACCOUNT_NAME} | |||
There was a problem hiding this comment.
i think it is fine to hard code the name here and in the tier.yaml. Also because unless I'm missing something, you are not populating this variable SERVICE_ACCOUNT_NAME right now.
| @@ -20,10 +20,13 @@ objects: | |||
| templateRef: ${MAINTAINER_TEMPL_REF} | |||
| contributor: | |||
| templateRef: ${CONTRIBUTOR_TEMPL_REF} | |||
| spaceRequestConfig: | |||
| serviceAccountName: ${SERVICE_ACCOUNT_NAME} | |||
There was a problem hiding this comment.
see comment above, we could hard code the name here I guess.
Signed-off-by: Kartikey Mamgain <kmamgain@redhat.com>
Kartikey-star
requested review from
MatousJobanek,
xcoulon,
alexeykazakov,
rajivnathan,
ranakan19 and
sbryzak
as code owners
| // create a token request for the admin service account | ||
| token, err := restclient.CreateTokenRequest(subSpaceTargetCluster.RESTClient, types.NamespacedName{ | ||
| Namespace: namespace, | ||
| Name: toolchainv1alpha1.AdminServiceAccountName, | ||
| Name: serviceAccountName, |
There was a problem hiding this comment.
I see there are few other occurrences to be replaced, line 508 and 511. Could you please replace those as well?
| if tierName == "" { | ||
| return fmt.Errorf("tierName cannot be blank") | ||
| return &toolchainv1alpha1.NSTemplateTier{}, fmt.Errorf("tierName cannot be blank") |
There was a problem hiding this comment.
minor, but we could just return nil here
| return &toolchainv1alpha1.NSTemplateTier{}, fmt.Errorf("tierName cannot be blank") | |
| return nil, fmt.Errorf("tierName cannot be blank") |
| appstudioTier.Spec.SpaceRequestConfig.ServiceAccountName = "manager" | ||
| t.Run("failure service account not present", func(t *testing.T) { |
There was a problem hiding this comment.
this is testing the case in which the service account doesn't exist. For this I would rather create a new tier that has a service account which doesn't exist or just configure gock at line 403 to return a different SA name, something like:
commontest.SetupGockForServiceAccounts(t, member1.APIEndpoint, types.NamespacedName{
Name: "another-sa-name",
Namespace: "jane-env",
})
Also, unless I'm missing something, I don't see a test that:
- uses a tier which has
.Spec.SpaceRequestConfigunset - verifies that spacerequest is provisioned with namespace access and no secretRef
- the subspace is ready with the given tiername from the spacerequest
|
Kudos, SonarCloud Quality Gate passed!
|
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #902 +/- ##
==========================================
+ Coverage 83.70% 83.81% +0.11%
==========================================
Files 53 53
Lines 6178 6183 +5
==========================================
+ Hits 5171 5182 +11
+ Misses 822 818 -4
+ Partials 185 183 -2
|
|
@Kartikey-star since you were assigned to work on new effort, I took the liberty to fetch the changes from your PR here and open a new PR #972 which has:
I'll work on doing the same for the toolchain-e2e tests PR |
Acceptance Criteria
The SpaceRequest_controller copies the secret only for specific tiers like appstudio-env one
It is possible to create a sub-space using any other tier like appstudio or base1ns
If the SA token copy part is not supported for the provisioned tier, then the SpaceRequest.Status has corresponding information about it