Merge branch 'master' into fix-codecov-ignore

kubesaw · Apr 3, 2024 · 40c458d · 40c458d
2 parents e902f5b + f971092
commit 40c458d
Show file tree

Hide file tree

Showing 9 changed files with 453 additions and 12 deletions.
diff --git a/.github/workflows/user-identity-mapper.yml b/.github/workflows/user-identity-mapper.yml
@@ -0,0 +1,62 @@
+name: user-identity-mapper
+on:
+  push:
+    branches:
+    - master
+    tags-ignore:
+    - '*.*'
+
+env:
+  GOPATH: /tmp/go
+  GO_VERSION: 1.20.x
+  IMAGE_REGISTRY: quay.io
+  REGISTRY_USER: "codeready-toolchain+push"
+  REGISTRY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
+
+jobs:
+  image:
+    name: Build and push to quay.io
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles ('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Buildah Action
+        id: build-image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: codeready-toolchain/user-identity-mapper
+          tags: latest
+          containerfiles: |
+            cmd/user-identity-mapper/Dockerfile
+
+      - name: Log into quay.io
+        uses: redhat-actions/podman-login@v1
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+
+      - name: Push to quay.io
+        id: push-to-quay
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image.outputs.image }}
+          tags: ${{ steps.build-image.outputs.tags }}
+          registry: quay.io
diff --git a/cmd/user-identity-mapper/Dockerfile b/cmd/user-identity-mapper/Dockerfile
@@ -0,0 +1,32 @@
+################################################################################################
+# Builder image
+# See https://hub.docker.com/_/golang/
+################################################################################################
+FROM golang:1.20 as builder
+
+ARG OS=linux
+ARG ARCH=amd64
+
+WORKDIR /usr/src/app
+
+# pre-copy/cache parent go.mod for pre-downloading dependencies and only redownloading them in subsequent builds if they change
+COPY go.mod go.sum ./
+RUN go mod download && go mod verify
+
+COPY pkg  ./pkg
+COPY cmd/user-identity-mapper ./cmd/user-identity-mapper
+
+RUN go build -v -o user-identity-mapper cmd/user-identity-mapper/*.go
+
+################################################################################################
+# user-identity-mapper image to be run by the job on OpenShift
+################################################################################################
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest as user-identity-mapper
+
+# Copy the generated binary into the $PATH so it can be invoked
+COPY --from=builder /usr/src/app/user-identity-mapper /usr/local/bin/
+
+# Run as non-root user
+USER 1001
+
+CMD ["/usr/local/bin/user-identity-mapper"]
diff --git a/cmd/user-identity-mapper/main.go b/cmd/user-identity-mapper/main.go
@@ -0,0 +1,62 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/charmbracelet/log"
+	userv1 "github.com/openshift/api/user/v1"
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/runtime"
+	runtimeclient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+)
+
+func main() {
+	// cmd the command that maps an identity to its parent user
+	cmd := &cobra.Command{
+		Use: "user-identity-mapper",
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			logger := log.New(cmd.OutOrStderr())
+			// Get a config to talk to the apiserver
+			cfg, err := config.GetConfig()
+			if err != nil {
+				logger.Error("unable to load config", "error", err)
+				os.Exit(1)
+			}
+
+			// create client that will be used for retrieving the host operator secret & ToolchainCluster CRs
+			scheme := runtime.NewScheme()
+			if err := userv1.Install(scheme); err != nil {
+				logger.Error("unable to install scheme", "error", err)
+				os.Exit(1)
+			}
+			cl, err := runtimeclient.New(cfg, runtimeclient.Options{
+				Scheme: scheme,
+			})
+			if err != nil {
+				logger.Error("unable to create a client", "error", err)
+				os.Exit(1)
+			}
+			return CreateUserIdentityMappings(cmd.Context(), logger, cl)
+		},
+	}
+
+	if err := cmd.Execute(); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+}
diff --git a/cmd/user-identity-mapper/user_identity_mapper.go b/cmd/user-identity-mapper/user_identity_mapper.go
@@ -0,0 +1,54 @@
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/charmbracelet/log"
+	userv1 "github.com/openshift/api/user/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtimeclient "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func CreateUserIdentityMappings(ctx context.Context, logger *log.Logger, cl runtimeclient.Client) error {
+	logger.Info("listing users...")
+	users := &userv1.UserList{}
+	if err := cl.List(ctx, users, runtimeclient.MatchingLabels{
+		"provider": "sandbox-sre",
+	}); err != nil {
+		return fmt.Errorf("unable to list users: %w", err)
+	}
+	for _, user := range users.Items {
+		logger.Info("listing identities", "username", user.Name)
+		identities := userv1.IdentityList{}
+		if err := cl.List(ctx, &identities, runtimeclient.MatchingLabels{
+			"provider": "sandbox-sre",
+			"username": user.Name,
+		}); err != nil {
+			return fmt.Errorf("unable to list identities: %w", err)
+		}
+		if len(identities.Items) == 0 {
+			logger.Errorf("no identity associated with user %q", user.Name)
+			continue
+		}
+		for _, identity := range identities.Items {
+			logger.Info("creating/updating identity mapping", "user", user.Name, "identity", identity.Name)
+			if err := cl.Create(ctx, &userv1.UserIdentityMapping{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: identity.Name,
+				},
+				User: corev1.ObjectReference{
+					Name: user.Name,
+				},
+				Identity: corev1.ObjectReference{
+					Name: identity.Name,
+				},
+			}); err != nil && !errors.IsAlreadyExists(err) {
+				return fmt.Errorf("unable to create identity mapping for username %q and identity %q: %w", user.Name, identity.Name, err)
+			}
+		}
+	}
+	return nil
+}