From 5b6d49528ab508dc4ba7c6666994ce7d2c4dce53 Mon Sep 17 00:00:00 2001 From: Matous Jobanek Date: Thu, 12 Sep 2024 10:18:52 +0200 Subject: [PATCH] replace most of the sandbox occurences (#69) --- .../user_identity_mapper.go | 4 +- .../user_identity_mapper_test.go | 16 +- pkg/assets/assets_test.go | 4 +- .../{sandbox_config.go => kubesaw-admins.go} | 0 pkg/client/client_test.go | 10 +- ...ox_config_file.go => ksctl_config_file.go} | 0 pkg/cmd/adm/must_gather_namespace_test.go | 6 +- pkg/cmd/generate/admin-manifests_test.go | 20 +- pkg/cmd/generate/assertion_test.go | 12 +- pkg/cmd/generate/cli_configs.go | 2 +- pkg/cmd/generate/cli_configs_test.go | 18 +- pkg/cmd/generate/cluster.go | 2 +- pkg/cmd/generate/mock_test.go | 6 +- pkg/cmd/generate/permissions.go | 8 +- pkg/cmd/generate/permissions_test.go | 4 +- pkg/cmd/generate/roles_manager.go | 2 +- pkg/cmd/generate/util.go | 8 +- pkg/utils/util_test.go | 8 +- resources/roles/host.yaml | 26 +-- resources/roles/member.yaml | 10 +- .../kubesaw-admins.yaml | 18 +- .../sandbox-config.yaml | 216 ------------------ 22 files changed, 92 insertions(+), 308 deletions(-) rename pkg/assets/{sandbox_config.go => kubesaw-admins.go} (100%) rename pkg/client/{sandbox_config_file.go => ksctl_config_file.go} (100%) delete mode 100644 test-resources/dummy.openshiftapps.com/sandbox-config.yaml diff --git a/cmd/user-identity-mapper/user_identity_mapper.go b/cmd/user-identity-mapper/user_identity_mapper.go index 51b779a..20a64af 100644 --- a/cmd/user-identity-mapper/user_identity_mapper.go +++ b/cmd/user-identity-mapper/user_identity_mapper.go @@ -16,7 +16,7 @@ func CreateUserIdentityMappings(ctx context.Context, logger *log.Logger, cl runt logger.Info("listing users...") users := &userv1.UserList{} if err := cl.List(ctx, users, runtimeclient.MatchingLabels{ - "provider": "sandbox-sre", + "provider": "ksctl", }); err != nil { return fmt.Errorf("unable to list users: %w", err) } 
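Review bot: Users already labelled `provider: sandbox-sre` in a running cluster stop matching the selector in `CreateUserIdentityMappings` once it changes to `"provider": "ksctl"`, so the function lists no users for them and creates no mappings, without returning an error. The identity selector in the next hunk (-24,7) has the same effect. The same value also changes in `ksctlLabels()` in pkg/cmd/generate/util.go and in resources/roles/*.yaml, so ServiceAccounts, RoleBindings and Groups applied earlier keep the old label; if any clean-up or audit is keyed on this label (not visible here), it would presumably miss them while they continue to grant access. I would record the migration step next to the selector, for example `// objects created before the rename carry provider=sandbox-sre and must be relabelled (or removed) before this runs`. The function body starts and ends outside the hunk.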
@@ -24,7 +24,7 @@ func CreateUserIdentityMappings(ctx context.Context, logger *log.Logger, cl runt logger.Info("listing identities", "username", user.Name) identities := userv1.IdentityList{} if err := cl.List(ctx, &identities, runtimeclient.MatchingLabels{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": user.Name, }); err != nil { return fmt.Errorf("unable to list identities: %w", err) diff --git a/cmd/user-identity-mapper/user_identity_mapper_test.go b/cmd/user-identity-mapper/user_identity_mapper_test.go index 1ca8a8d..52cfa0d 100644 --- a/cmd/user-identity-mapper/user_identity_mapper_test.go +++ b/cmd/user-identity-mapper/user_identity_mapper_test.go @@ -29,7 +29,7 @@ func TestUserIdentityMapper(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "user1", Labels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", }, }, } @@ -37,7 +37,7 @@ func TestUserIdentityMapper(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "identity1", Labels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": "user1", }, }, @@ -46,7 +46,7 @@ func TestUserIdentityMapper(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "user2", Labels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", }, }, } @@ -54,7 +54,7 @@ func TestUserIdentityMapper(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "identity2", Labels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": "user2", }, }, @@ -62,14 +62,14 @@ func TestUserIdentityMapper(t *testing.T) { user3 := &userv1.User{ ObjectMeta: metav1.ObjectMeta{ Name: "user3", - // not managed by sandbox-sre + // not managed by ksctl }, } identity3 := &userv1.Identity{ ObjectMeta: metav1.ObjectMeta{ Name: "identity3", Labels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": "user3", }, }, 
@@ -88,7 +88,7 @@ func TestUserIdentityMapper(t *testing.T) { require.NoError(t, err) assert.NotContains(t, out.String(), "unable to list identities") uim := &userv1.UserIdentityMapping{} - // `user1` and `user2` are not managed by sandbox (ie, labelled with `provider: sandbox-sre`), hence the `UserIdentityMappings` exist + // `user1` and `user2` are not managed by ksctl (ie, labelled with `provider: ksctl`), hence the `UserIdentityMappings` exist require.NoError(t, cl.Get(context.TODO(), types.NamespacedName{Name: identity1.Name}, uim)) assert.Equal(t, identity1.Name, uim.Identity.Name) assert.Equal(t, user1.Name, uim.User.Name) @@ -111,7 +111,7 @@ func TestUserIdentityMapper(t *testing.T) { // then require.NoError(t, err) assert.NotContains(t, out.String(), "unable to list identities") - // `user3` is not managed by sandbox (ie, not labelled with `provider: sandbox-sre`), , hence the `UserIdentityMappings` does not exist + // `user3` is not managed by ksctl (ie, not labelled with `provider: ksctl`), , hence the `UserIdentityMappings` does not exist require.EqualError(t, cl.Get(context.TODO(), types.NamespacedName{Name: identity3.Name}, &userv1.UserIdentityMapping{}), `useridentitymappings.user.openshift.io "identity3" not found`) }) diff --git a/pkg/assets/assets_test.go b/pkg/assets/assets_test.go index f9b4c90..4181bed 100644 --- a/pkg/assets/assets_test.go +++ b/pkg/assets/assets_test.go @@ -28,7 +28,7 @@ objects: metadata: name: get-catalogsources labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - operators.coreos.com @@ -47,7 +47,7 @@ objects: metadata: name: get-deployments labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - apps diff --git a/pkg/assets/sandbox_config.go b/pkg/assets/kubesaw-admins.go similarity index 100% rename from pkg/assets/sandbox_config.go rename to pkg/assets/kubesaw-admins.go diff --git a/pkg/client/client_test.go b/pkg/client/client_test.go index d7c5ecc..7c2a2ea 100644 
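Review bot: The rewritten comment in the hunk at -88,7 says `user1` and `user2` are "not managed by ksctl", while its own parenthesis and the fixtures above show both carry `provider: ksctl`, so the sentence contradicts the assertions that follow it. Suggested wording: `// user1 and user2 are managed by ksctl (i.e. labelled with provider: ksctl), hence their UserIdentityMappings exist`. The comment in the hunk at -111,7 has a doubled comma and a plural mismatch; `// user3 is not managed by ksctl (i.e. not labelled with provider: ksctl), hence the UserIdentityMapping does not exist` reads cleanly. Since these comments explain which label decides whether a mapping is created, it is worth getting them right in this rename.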
--- a/pkg/client/client_test.go +++ b/pkg/client/client_test.go @@ -350,14 +350,14 @@ func TestCreate(t *testing.T) { namespacedName := commontest.NamespacedName("openshift-customer-monitoring", "openshift-customer-monitoring") fakeClient := commontest.NewFakeClient(t) term := NewFakeTerminalWithResponse("Y") - operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "sandbox-sre"}) + operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "ksctl"}) // when err := client.Create(term, fakeClient, operatorGroup) // then require.NoError(t, err) - AssertOperatorGroupHasLabels(t, fakeClient, namespacedName, map[string]string{"provider": "sandbox-sre"}) + AssertOperatorGroupHasLabels(t, fakeClient, namespacedName, map[string]string{"provider": "ksctl"}) output := term.Output() assert.Contains(t, output, "The 'openshift-customer-monitoring/openshift-customer-monitoring' OperatorGroup has been created") }) @@ -370,7 +370,7 @@ func TestCreate(t *testing.T) { namespacedName := commontest.NamespacedName("openshift-customer-monitoring", "openshift-customer-monitoring") fakeClient := commontest.NewFakeClient(t, newOperatorGroup(namespacedName, map[string]string{"provider": "osd"})) term := NewFakeTerminalWithResponse("Y") - operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "sandbox-sre"}) + operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "ksctl"}) // when err := client.Create(term, fakeClient, operatorGroup) @@ -390,7 +390,7 @@ func TestCreate(t *testing.T) { } term := NewFakeTerminalWithResponse("Y") namespacedName := commontest.NamespacedName("openshift-customer-monitoring", "openshift-customer-monitoring") - operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "sandbox-sre"}) + operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "ksctl"}) // when err := client.Create(term, fakeClient, operatorGroup) 
@@ -408,7 +408,7 @@ func TestCreate(t *testing.T) { } term := NewFakeTerminalWithResponse("Y") namespacedName := commontest.NamespacedName("openshift-customer-monitoring", "openshift-customer-monitoring") - operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "sandbox-sre"}) + operatorGroup := newOperatorGroup(namespacedName, map[string]string{"provider": "ksctl"}) // when err := client.Create(term, fakeClient, operatorGroup) diff --git a/pkg/client/sandbox_config_file.go b/pkg/client/ksctl_config_file.go similarity index 100% rename from pkg/client/sandbox_config_file.go rename to pkg/client/ksctl_config_file.go diff --git a/pkg/cmd/adm/must_gather_namespace_test.go b/pkg/cmd/adm/must_gather_namespace_test.go index 9137be7..b2ecdc7 100644 --- a/pkg/cmd/adm/must_gather_namespace_test.go +++ b/pkg/cmd/adm/must_gather_namespace_test.go @@ -36,7 +36,7 @@ func TestMustGatherNamespaceCmd(t *testing.T) { t.Run("ok", func(t *testing.T) { t.Run("create the dest-dir on-the-fly", func(t *testing.T) { // given - baseDir, err := os.MkdirTemp("", "sandbox-sre-out-") + baseDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) destDir := filepath.Join(baseDir, "test-dev") @@ -51,7 +51,7 @@ func TestMustGatherNamespaceCmd(t *testing.T) { t.Run("dest-dir already exists and is empty", func(t *testing.T) { // given - baseDir, err := os.MkdirTemp("", "sandbox-sre-out-") + baseDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) destDir := filepath.Join(baseDir, "test-dev") err = os.Mkdir(destDir, 0755) @@ -71,7 +71,7 @@ func TestMustGatherNamespaceCmd(t *testing.T) { t.Run("dest-dir already exists but is not empty", func(t *testing.T) { // given - baseDir, err := os.MkdirTemp("", "sandbox-sre-out-") + baseDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) destDir := filepath.Join(baseDir, "test-dev") err = os.Mkdir(destDir, 0755) 
diff --git a/pkg/cmd/generate/admin-manifests_test.go b/pkg/cmd/generate/admin-manifests_test.go index 744d1a6..3eb2f8f 100644 --- a/pkg/cmd/generate/admin-manifests_test.go +++ b/pkg/cmd/generate/admin-manifests_test.go @@ -283,7 +283,7 @@ func verifyUsers(t *testing.T, outDir, expectedRootDir string, clusterType confi func createKubeconfigFiles(t *testing.T, contents ...string) []string { var fileNames []string for _, content := range contents { - tempFile, err := os.CreateTemp("", "sandbox-sre-kubeconfig-") + tempFile, err := os.CreateTemp("", "ksctl-kubeconfig-") require.NoError(t, err) err = os.WriteFile(tempFile.Name(), []byte(content), os.FileMode(0755)) @@ -299,19 +299,19 @@ const ksctlKubeconfigContent = ` apiVersion: v1 clusters: - cluster: - server: https://api.sandbox.host.openshiftapps.com:6443 - name: api-sandbox-host-openshiftapps-com:6443 + server: https://api.kubesaw.host.openshiftapps.com:6443 + name: api-kubesaw-host-openshiftapps-com:6443 - cluster: - server: https://api.sandbox.member1.openshiftapps.com:6443 - name: api-sandbox-member1-openshiftapps-com:6443 + server: https://api.kubesaw.member1.openshiftapps.com:6443 + name: api-kubesaw-member1-openshiftapps-com:6443 contexts: - context: - cluster: api-sandbox-host-openshiftapps-com:6443 + cluster: api-kubesaw-host-openshiftapps-com:6443 namespace: toolchain-host-operator user: dedicatedadmin name: host - context: - cluster: api-sandbox-member1-openshiftapps-com:6443 + cluster: api-kubesaw-member1-openshiftapps-com:6443 namespace: toolchain-member-operator user: dedicatedadmin name: member1 
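Review bot: In `createKubeconfigFiles` (hunk at -283,7) the kubeconfig content is written with `os.FileMode(0755)`, a world-readable and executable mode for a file type that normally holds cluster credentials. The line is unchanged context, and it is misleading rather than unsafe: `os.CreateTemp` has already created the file with mode 0600, and `os.WriteFile` applies its mode argument only when it creates the file. Stating the intended mode, `err = os.WriteFile(tempFile.Name(), []byte(content), 0600)`, stops the helper from being copied into non-test code with the wider permission. The function continues past the end of the hunk.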
@@ -328,11 +328,11 @@ const ksctlKubeconfigContentMember2 = ` apiVersion: v1 clusters: - cluster: - server: https://api.sandbox.member2.openshiftapps.com:6443 - name: api-sandbox-member2-openshiftapps-com:6443 + server: https://api.kubesaw.member2.openshiftapps.com:6443 + name: api-kubesaw-member2-openshiftapps-com:6443 contexts: - context: - cluster: api-sandbox-member2-openshiftapps-com:6443 + cluster: api-kubesaw-member2-openshiftapps-com:6443 namespace: toolchain-member-operator user: dedicatedadmin name: member2 diff --git a/pkg/cmd/generate/assertion_test.go b/pkg/cmd/generate/assertion_test.go index ac4bfa6..fd27446 100644 --- a/pkg/cmd/generate/assertion_test.go +++ b/pkg/cmd/generate/assertion_test.go @@ -258,7 +258,7 @@ func newPermissionAssertion(storageAssertion *storageAssertionImpl, subjNamespac Namespace: subjNamespace, }, expLabels: map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", }, } } @@ -269,7 +269,7 @@ func (a *storageAssertionImpl) assertSa(namespace, name string) permissionAssert sa := &corev1.ServiceAccount{} a.assertObject(namespace, name, sa, func() { expLabels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": splitName[len(splitName)-1], } assert.Equal(a.t, expLabels, sa.Labels) @@ -287,7 +287,7 @@ type userAssertion struct { func (a *storageAssertionImpl) assertUser(name string) userAssertion { expLabels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": name, } @@ -343,7 +343,7 @@ func (a userAssertion) belongsToGroups(groups groupsUserBelongsTo, extraGroups e for _, groupObj := range presentGroups { expLabels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", } assert.Equal(a.t, expLabels, groupObj.GetLabels()) group := groupObj.(*userv1.Group) 
@@ -360,7 +360,7 @@ func (a *storageAssertionImpl) assertThatGroupHasUsers(name string, usernames .. group := &userv1.Group{} a.assertObject("", name, group, func() { expLabels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", } assert.Equal(a.t, expLabels, group.Labels) sort.Strings(group.Users) @@ -427,7 +427,7 @@ func (a *storageAssertionImpl) assertRole(namespace, roleName string, contentAss role := &rbacv1.Role{} a.assertObject(namespace, roleName, role, func() { expLabels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", } assert.Equal(a.t, expLabels, role.Labels) for _, assertContent := range contentAssertion { diff --git a/pkg/cmd/generate/cli_configs.go b/pkg/cmd/generate/cli_configs.go index 607f6a2..64e4ddf 100644 --- a/pkg/cmd/generate/cli_configs.go +++ b/pkg/cmd/generate/cli_configs.go @@ -133,7 +133,7 @@ func serverName(API string) string { return strings.Split(strings.Split(API, "api.")[1], ":")[0] } -// writeKsctlConfigs marshals the given KsctlConfig objects and stored them in sandbox-sre/out/config// directories +// writeKsctlConfigs marshals the given KsctlConfig objects and stored them in ksctl/out/config// directories func writeKsctlConfigs(term ioutils.Terminal, configDirPath string, ksctlConfigsPerName map[string]configuration.KsctlConfig) error { if err := os.RemoveAll(configDirPath); err != nil { return err diff --git a/pkg/cmd/generate/cli_configs_test.go b/pkg/cmd/generate/cli_configs_test.go index 1c27eb0..b8b8563 100644 --- a/pkg/cmd/generate/cli_configs_test.go +++ b/pkg/cmd/generate/cli_configs_test.go 
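Review bot: The updated doc comment on `writeKsctlConfigs` (cli_configs.go, hunk at -133,7) still reads "stored them in ksctl/out/config// directories", which mixes tenses and names a path that appears to have lost a placeholder. It also omits that the first visible statement deletes `configDirPath` with `os.RemoveAll`. I would write `// writeKsctlConfigs marshals the given KsctlConfig objects and stores them under configDirPath; any existing content of configDirPath is removed first.` (the storing step is outside the hunk, so confirm the wording against the body). Separately, the context line in `serverName` indexes `strings.Split(API, "api.")[1]` and will panic on a server URL that does not contain `api.`; a `strings.Cut` with an explicit not-found branch would turn that into a handled case.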
@@ -73,7 +73,7 @@ func TestGenerateCliConfigs(t *testing.T) { t.Run("successful", func(t *testing.T) { t.Run("when there is host and two members", func(t *testing.T) { // given - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) flags := generateFlags{kubeconfigs: kubeconfigFiles, kubeSawAdminsFile: configFile, outDir: tempDir, tokenExpirationDays: 50} @@ -103,7 +103,7 @@ func TestGenerateCliConfigs(t *testing.T) { kubeSawAdminsContent, err := yaml.Marshal(saInHostOnly) require.NoError(t, err) configFile := createKubeSawAdminsFile(t, "kubesaw.host.openshiftapps.com", kubeSawAdminsContent) - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) flags := generateFlags{kubeconfigs: kubeconfigFiles, kubeSawAdminsFile: configFile, outDir: tempDir, tokenExpirationDays: 50} @@ -125,7 +125,7 @@ func TestGenerateCliConfigs(t *testing.T) { newServiceAccount("sandbox-sre-member", "john"), newServiceAccount("sandbox-sre-member", "bob"), ) - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) kubeconfigFiles := createKubeconfigFiles(t, ksctlKubeconfigContent) flags := generateFlags{kubeconfigs: kubeconfigFiles, kubeSawAdminsFile: configFile, outDir: tempDir, dev: true, tokenExpirationDays: 50} @@ -182,7 +182,7 @@ func TestGenerateCliConfigs(t *testing.T) { t.Run("wrong kubesaw-admins.yaml file path", func(t *testing.T) { // given - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) flags := generateFlags{kubeconfigs: kubeconfigFiles, kubeSawAdminsFile: "does/not/exist", outDir: tempDir} 
@@ -196,7 +196,7 @@ func TestGenerateCliConfigs(t *testing.T) { t.Run("wrong kubeconfig file path", func(t *testing.T) { // given - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) flags := generateFlags{kubeconfigs: []string{"does/not/exist"}, kubeSawAdminsFile: configFile, outDir: tempDir} @@ -218,8 +218,8 @@ func TestGenerateCliConfigs(t *testing.T) { Users()) kubeSawAdminsContent, err := yaml.Marshal(saInHostOnly) require.NoError(t, err) - configFile := createKubeSawAdminsFile(t, "sandbox.host.openshiftapps.com", kubeSawAdminsContent) - tempDir, err := os.MkdirTemp("", "sandbox-sre-out-") + configFile := createKubeSawAdminsFile(t, "kubesaw.host.openshiftapps.com", kubeSawAdminsContent) + tempDir, err := os.MkdirTemp("", "ksctl-out-") require.NoError(t, err) flags := generateFlags{kubeconfigs: kubeconfigFiles, kubeSawAdminsFile: configFile, outDir: tempDir} @@ -341,8 +341,8 @@ func (a *ksctlConfigAssertion) hasCluster(clusterName, subDomain string, cluster assert.NotNil(a.t, a.ksctlConfig.ClusterAccessDefinitions[clusterName]) assert.Equal(a.t, clusterType, a.ksctlConfig.ClusterAccessDefinitions[clusterName].ClusterType) - assert.Equal(a.t, fmt.Sprintf("sandbox.%s.openshiftapps.com", subDomain), a.ksctlConfig.ClusterAccessDefinitions[clusterName].ServerName) - assert.Equal(a.t, fmt.Sprintf("https://api.sandbox.%s.openshiftapps.com:6443", subDomain), a.ksctlConfig.ClusterAccessDefinitions[clusterName].ServerAPI) + assert.Equal(a.t, fmt.Sprintf("kubesaw.%s.openshiftapps.com", subDomain), a.ksctlConfig.ClusterAccessDefinitions[clusterName].ServerName) + assert.Equal(a.t, fmt.Sprintf("https://api.kubesaw.%s.openshiftapps.com:6443", subDomain), a.ksctlConfig.ClusterAccessDefinitions[clusterName].ServerAPI) assert.Equal(a.t, fmt.Sprintf("token-secret-for-%s", a.saBaseName), a.ksctlConfig.ClusterAccessDefinitions[clusterName].Token) } 
diff --git a/pkg/cmd/generate/cluster.go b/pkg/cmd/generate/cluster.go index 96fbced..db21b9c 100644 --- a/pkg/cmd/generate/cluster.go +++ b/pkg/cmd/generate/cluster.go @@ -57,7 +57,7 @@ func ensureUsers(ctx *clusterContext, objsCache objectsCache) error { } // create the subject if explicitly requested (even if there is no specific permissions) if user.AllClusters { - if _, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, sandboxSRENamespace(ctx.clusterType), sreLabelsWithUsername(m.subjectBaseName)); err != nil { + if _, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, sandboxSRENamespace(ctx.clusterType), ksctlLabelsWithUsername(m.subjectBaseName)); err != nil { return err } } diff --git a/pkg/cmd/generate/mock_test.go b/pkg/cmd/generate/mock_test.go index 33e67fc..2d76af4 100644 --- a/pkg/cmd/generate/mock_test.go +++ b/pkg/cmd/generate/mock_test.go @@ -14,9 +14,9 @@ import ( ) const ( - HostServerAPI = "https://api.sandbox.host.openshiftapps.com:6443" - Member1ServerAPI = "https://api.sandbox.member1.openshiftapps.com:6443" - Member2ServerAPI = "https://api.sandbox.member2.openshiftapps.com:6443" + HostServerAPI = "https://api.kubesaw.host.openshiftapps.com:6443" + Member1ServerAPI = "https://api.kubesaw.member1.openshiftapps.com:6443" + Member2ServerAPI = "https://api.kubesaw.member2.openshiftapps.com:6443" ) // files part diff --git a/pkg/cmd/generate/permissions.go b/pkg/cmd/generate/permissions.go index 5d7cbf2..a8f19d9 100644 --- a/pkg/cmd/generate/permissions.go +++ b/pkg/cmd/generate/permissions.go 
@@ -74,20 +74,20 @@ func (m *permissionsManager) ensurePermission(ctx *clusterContext, roleName, tar roleBindingName = fmt.Sprintf("%s-%s-%s", roleName, m.subjectBaseName, ctx.clusterType) } else { - // ClusterRole is not managed by sandbox-sre and should already exist in the cluster + // ClusterRole is not managed by ksctl and should already exist in the cluster // create RoleBinding name with the prefix clusterrole- so we can avoid conflicts with RoleBindings created for Roles roleBindingName = fmt.Sprintf("clusterrole-%s-%s-%s", roleName, m.subjectBaseName, ctx.clusterType) } // ensure that the subject exists - subject, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, sandboxSRENamespace(ctx.clusterType), sreLabelsWithUsername(m.subjectBaseName)) + subject, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, sandboxSRENamespace(ctx.clusterType), ksctlLabelsWithUsername(m.subjectBaseName)) if err != nil { return err } // ensure the (Cluster)RoleBinding - binding := newBinding(targetNamespace, roleBindingName, subject, grantedRoleName, roleKind, sreLabels()) + binding := newBinding(targetNamespace, roleBindingName, subject, grantedRoleName, roleKind, ksctlLabels()) return m.storeObject(ctx, binding) } @@ -219,7 +219,7 @@ func ensureGroupsForUser(ctx *clusterContext, cache objectsCache, user string, g group := &userv1.Group{ ObjectMeta: metav1.ObjectMeta{ Name: groupName, - Labels: sreLabels(), + Labels: ksctlLabels(), }, Users: []string{user}, } diff --git a/pkg/cmd/generate/permissions_test.go b/pkg/cmd/generate/permissions_test.go index 8f1da36..3fc8019 100644 --- a/pkg/cmd/generate/permissions_test.go +++ b/pkg/cmd/generate/permissions_test.go @@ -80,7 +80,7 @@ func TestEnsurePermissionsInNamespaces(t *testing.T) { func TestEnsureServiceAccount(t *testing.T) { labels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": "john", } 
@@ -123,7 +123,7 @@ func TestEnsureServiceAccount(t *testing.T) { func TestEnsureUserAndIdentity(t *testing.T) { labels := map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", "username": "john-crtadmin", } require.NoError(t, client.AddToScheme()) diff --git a/pkg/cmd/generate/roles_manager.go b/pkg/cmd/generate/roles_manager.go index a0d2318..889cda7 100644 --- a/pkg/cmd/generate/roles_manager.go +++ b/pkg/cmd/generate/roles_manager.go @@ -48,6 +48,6 @@ func ensureRole(ctx *clusterContext, cache objectsCache, roleName, namespace str roleToBeCreated := role.DeepCopy() roleToBeCreated.SetNamespace(namespace) roleToBeCreated.SetName(roleNameToBeCreated) - roleToBeCreated.SetLabels(sreLabels()) + roleToBeCreated.SetLabels(ksctlLabels()) return true, roleNameToBeCreated, cache.storeObject(ctx, roleToBeCreated) } diff --git a/pkg/cmd/generate/util.go b/pkg/cmd/generate/util.go index f19c52f..e80b2b6 100644 --- a/pkg/cmd/generate/util.go +++ b/pkg/cmd/generate/util.go @@ -219,15 +219,15 @@ func ensureKustomization(ctx manifestStoreContext, dirPath, item string) error { return ensureKustomization(ctx, parentDir, filepath.Base(dirPath)) } -func sreLabelsWithUsername(username string) map[string]string { - labels := sreLabels() +func ksctlLabelsWithUsername(username string) map[string]string { + labels := ksctlLabels() labels["username"] = username return labels } -func sreLabels() map[string]string { +func ksctlLabels() map[string]string { return map[string]string{ - "provider": "sandbox-sre", + "provider": "ksctl", } } diff --git a/pkg/utils/util_test.go b/pkg/utils/util_test.go index 9b6b4a9..c12ef3c 100644 --- a/pkg/utils/util_test.go +++ b/pkg/utils/util_test.go 
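Review bot: The value `"ksctl"` is spelled out as a literal in `ksctlLabels()` (util.go, hunk at -219,15) and again in both selectors in cmd/user-identity-mapper/user_identity_mapper.go, so the generator and the mapper agree only by convention. Because that selector decides which users get bound to identities, a single named constant in a package both can import, for example `const providerLabelValue = "ksctl"` exported as needed, would keep a future rename from silently splitting the two. Neither renamed helper has a doc comment; `// ksctlLabels returns the provider label applied to objects generated by ksctl.` and `// ksctlLabelsWithUsername returns ksctlLabels plus a "username" label set to the given name.` would cover them.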
@@ -35,13 +35,13 @@ func TestGetToolchainClusterName(t *testing.T) { Suffix string } for expectedClusterName, params := range map[string]Params{ - "host-sandbox.x7a5.a2.openshiftapps.com": { + "host-kubesaw.x7a5.a2.openshiftapps.com": { ClusterType: "host", - ServerAPI: "https://api.sandbox.x7a5.a2.openshiftapps.com:6443", + ServerAPI: "https://api.kubesaw.x7a5.a2.openshiftapps.com:6443", }, - "member-sandbox-m2.ab8k.b3.openshiftapps.com": { + "member-kubesaw-m2.ab8k.b3.openshiftapps.com": { ClusterType: "member", - ServerAPI: "https://api.sandbox-m2.ab8k.b3.openshiftapps.com:6443", + ServerAPI: "https://api.kubesaw-m2.ab8k.b3.openshiftapps.com:6443", }, "member-api-prefix-dropped": { ClusterType: "member", diff --git a/resources/roles/host.yaml b/resources/roles/host.yaml index e5787e3..876b5df 100644 --- a/resources/roles/host.yaml +++ b/resources/roles/host.yaml @@ -9,7 +9,7 @@ objects: metadata: name: restart-deployment labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - apps @@ -26,7 +26,7 @@ objects: metadata: name: view-secrets labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - "" @@ -41,7 +41,7 @@ objects: metadata: name: edit-secrets labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - "" @@ -60,7 +60,7 @@ objects: metadata: name: add-space-users labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -86,7 +86,7 @@ objects: metadata: name: approve-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -103,7 +103,7 @@ objects: metadata: name: ban-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -126,7 +126,7 @@ objects: metadata: name: deactivate-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com 
@@ -143,7 +143,7 @@ objects: metadata: name: promote-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -169,7 +169,7 @@ objects: metadata: name: disable-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -186,7 +186,7 @@ objects: metadata: name: gdpr-delete labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -202,7 +202,7 @@ objects: metadata: name: retarget-user labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -226,7 +226,7 @@ objects: metadata: name: create-social-event labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com @@ -243,7 +243,7 @@ objects: metadata: name: enable-feature labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - toolchain.dev.openshift.com diff --git a/resources/roles/member.yaml b/resources/roles/member.yaml index e43767e..7c3558e 100644 --- a/resources/roles/member.yaml +++ b/resources/roles/member.yaml @@ -9,7 +9,7 @@ objects: metadata: name: approve-operator-update labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - operators.coreos.com @@ -28,7 +28,7 @@ objects: metadata: name: restart-deployment labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - apps @@ -45,7 +45,7 @@ objects: metadata: name: view-secrets labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - "" @@ -60,7 +60,7 @@ objects: metadata: name: edit-secrets labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - "" @@ -79,7 +79,7 @@ objects: metadata: name: edit-csv labels: - provider: sandbox-sre + provider: ksctl rules: - apiGroups: - operators.coreos.com diff --git a/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml b/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml index c65103b..215a480 100644 
--- a/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml +++ b/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml @@ -79,7 +79,7 @@ serviceAccounts: - view users: -- name: standard-crtadmin +- name: standard-user-admin id: - 123456 - abc1234 @@ -122,7 +122,7 @@ users: clusterRoles: - view -- name: standard-viewer-crtadmin +- name: standard-user-viewer id: - 987654 groups: @@ -139,7 +139,7 @@ users: clusterRoles: - view -- name: other-component-crtadmin +- name: other-component-admin id: - 561234287 - f:528d:some-admin @@ -154,7 +154,7 @@ users: clusterRoles: - list-operators-group -- name: other-component-viewer-crtadmin +- name: other-component-viewer id: - 5412345 member: @@ -166,6 +166,11 @@ users: clusterRoles: - view +- name: user-in-all-clusters + id: + - 1234567890 + allClusters: true + - name: editor-not-included-in-member-3 id: - 5412345 @@ -180,8 +185,3 @@ users: - namespace: second-component clusterRoles: - edit - -- name: my-clusteradmin - id: - - 1234567890 - allClusters: true \ No newline at end of file diff --git a/test-resources/dummy.openshiftapps.com/sandbox-config.yaml b/test-resources/dummy.openshiftapps.com/sandbox-config.yaml deleted file mode 100644 index 3851f00..0000000 --- a/test-resources/dummy.openshiftapps.com/sandbox-config.yaml +++ /dev/null 
@@ -1,216 +0,0 @@ -clusters: - host: - api: https://api.dummy-host.openshiftapps.com:6443 - members: - - api: https://api.dummy-m1.openshiftapps.com:6443 - name: member-1 - - api: https://api.dummy-m2.openshiftapps.com:6443 - name: member-2 - - api: https://api.dummy-m3.openshiftapps.com:6443 - name: member-3 - -serviceAccounts: - -- name: first-admin - host: - roleBindings: - - namespace: toolchain-host-operator - roles: - - install-operator - - restart-deployment - - approve-user - - view-secrets - - deactivate-user - - ban-user - - promote-user - - disable-user - - retarget-user - - gdpr-delete - - create-social-event - - add-space-users - clusterRoles: - - edit - - view - - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - - namespace: openshift-logging - roles: - - install-operator - clusterRoles: - - edit - member: - roleBindings: - - namespace: toolchain-member-operator - roles: - - install-operator - - restart-deployment - - view-secrets - clusterRoles: - - edit - - view - - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - - namespace: openshift-logging - roles: - - install-operator - clusterRoles: - - edit - - namespace: openshift-config-managed - roles: - - configure-monitoring - clusterRoles: - - edit - clusterRoleBindings: - clusterRoles: - - manage-console-resources - -- name: second-admin - host: - roleBindings: - - namespace: toolchain-host-operator - roles: - - approve-user - - view-secrets - - deactivate-user - - ban-user - - promote-user - - disable-user - - retarget-user - - gdpr-delete - - restart-deployment - - create-social-event - - add-space-users - clusterRoles: - - view - member: - roleBindings: - - namespace: toolchain-member-operator - roles: - - restart-deployment - - view-secrets - clusterRoles: - - view - -- name: viewer - host: - roleBindings: - - 
namespace: toolchain-host-operator - clusterRoles: - - view - member: - roleBindings: - - namespace: toolchain-member-operator - clusterRoles: - - view - -users: -- name: standard-user-admin - id: - - 123456 - - abc1234 - groups: - - crtadmin-users-view - - inspect-pods - host: - roleBindings: - - namespace: toolchain-host-operator - roles: - - edit-secrets - clusterRoles: - - view - - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - - namespace: openshift-logging - clusterRoles: - - view - - namespace: sandbox-sre-host - roles: - - view-secrets - clusterRoles: - - view - member: - roleBindings: - - namespace: toolchain-member-operator - roles: - - edit-secrets - clusterRoles: - - view - - namespace: crw - roles: - - view-secrets - clusterRoles: - - view - - namespace: openshift-customer-monitoring - roles: - - install-operator - - view-secrets - - configure-monitoring - clusterRoles: - - edit - - namespace: openshift-logging - clusterRoles: - - view - - namespace: sandbox-sre-member - roles: - - view-secrets - clusterRoles: - - view - -- name: standard-user-viewer - id: - - 987654 - groups: - - crtadmin-users-view - - kubesaw-team - host: - roleBindings: - - namespace: toolchain-host-operator - clusterRoles: - - view - member: - roleBindings: - - namespace: toolchain-member-operator - clusterRoles: - - view - -- name: other-component-admin - id: - - 561234287 - - f:528d:some-admin - member: - roleBindings: - - namespace: some-component - roles: - - approve-operator-update - clusterRoles: - - edit - clusterRoleBindings: - clusterRoles: - - list-operators-group - -- name: other-component-viewer - id: - - 5412345 - member: - roleBindings: - - namespace: first-component - clusterRoles: - - view - - namespace: second-component - clusterRoles: - - view