diff --git a/.golangci.yaml b/.golangci.yaml
index e067158c2..3219728ad 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -121,6 +121,20 @@ linters-settings:
 alias: clientsecretv1alpha1
 - pkg: go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1
 alias: supervisorconfigv1alpha1
+ - pkg: go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1
+ alias: conciergeconfigv1alpha1
+ - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned
+ alias: conciergeclientset
+ - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme
+ alias: conciergeclientsetscheme
+# - pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake
+# alias: conciergefake
+ - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned
+ alias: supervisorclientset
+ - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme
+ alias: supervisorclientsetscheme
+# - pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake
+# alias: supervisorfake
 - pkg: go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1
 alias: idpv1alpha1
 # Pinniped internal
diff --git a/cmd/pinniped/cmd/flag_types.go b/cmd/pinniped/cmd/flag_types.go
index 18dacb632..61c731d58 100644
--- a/cmd/pinniped/cmd/flag_types.go
+++ b/cmd/pinniped/cmd/flag_types.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package cmd
@@ -13,7 +13,7 @@ import (
 "github.com/spf13/pflag"
- configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+ conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 )
 // conciergeModeFlag represents the method by which we should connect to the Concierge on a cluster during login.
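Review bot: The two commented-out alias pairs for the `.../clientset/versioned/fake` packages (`conciergefake`, `supervisorfake`) are added without any note on why they are disabled, so a later reader cannot tell whether they are a pending TODO or a rejected rule. Elsewhere in this commit, `cmd/pinniped/cmd/kubeconfig_test.go` still imports the concierge fake clientset as `fakeconciergeclientset`, which would not match the proposed `conciergefake` alias, so presumably the rules are held back until those imports are renamed. I would put a line above each pair such as `# TODO: enable once existing fake clientset imports are renamed to this alias`, or leave the commented entries out until the alias is settled.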
@@ -62,12 +62,12 @@ func (f *conciergeModeFlag) Type() string {
 }
 // MatchesFrontend returns true iff the flag matches the type of the provided frontend.
-func (f *conciergeModeFlag) MatchesFrontend(frontend *configv1alpha1.CredentialIssuerFrontend) bool {
+func (f *conciergeModeFlag) MatchesFrontend(frontend *conciergeconfigv1alpha1.CredentialIssuerFrontend) bool {
 switch *f {
 case modeImpersonationProxy:
- return frontend.Type == configv1alpha1.ImpersonationProxyFrontendType
+ return frontend.Type == conciergeconfigv1alpha1.ImpersonationProxyFrontendType
 case modeTokenCredentialRequestAPI:
- return frontend.Type == configv1alpha1.TokenCredentialRequestAPIFrontendType
+ return frontend.Type == conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType
 case modeUnknown:
 fallthrough
 default:
diff --git a/cmd/pinniped/cmd/flag_types_test.go b/cmd/pinniped/cmd/flag_types_test.go
index 255ad2a8d..d962eb812 100644
--- a/cmd/pinniped/cmd/flag_types_test.go
+++ b/cmd/pinniped/cmd/flag_types_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package cmd
@@ -13,7 +13,7 @@ import (
 "github.com/stretchr/testify/require"
- configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+ conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 "go.pinniped.dev/internal/certauthority"
 )
@@ -24,14 +24,14 @@ func TestConciergeModeFlag(t *testing.T) {
 require.NoError(t, f.Set(""))
 require.Equal(t, modeUnknown, f)
 require.EqualError(t, f.Set("foo"), `invalid mode "foo", valid modes are TokenCredentialRequestAPI and ImpersonationProxy`)
- require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
- require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
+ require.True(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType}))
+ require.True(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType}))
 require.NoError(t, f.Set("TokenCredentialRequestAPI"))
 require.Equal(t, modeTokenCredentialRequestAPI, f)
 require.Equal(t, "TokenCredentialRequestAPI", f.String())
- require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
- require.False(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
+ require.True(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType}))
+ require.False(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType}))
 require.NoError(t, f.Set("tokencredentialrequestapi"))
 require.Equal(t, modeTokenCredentialRequestAPI, f)
@@ -40,8 +40,8 @@ func TestConciergeModeFlag(t *testing.T) {
 require.NoError(t, f.Set("ImpersonationProxy"))
 require.Equal(t, modeImpersonationProxy, f)
 require.Equal(t, "ImpersonationProxy", f.String())
- require.False(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.TokenCredentialRequestAPIFrontendType}))
- require.True(t, f.MatchesFrontend(&configv1alpha1.CredentialIssuerFrontend{Type: configv1alpha1.ImpersonationProxyFrontendType}))
+ require.False(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType}))
+ require.True(t, f.MatchesFrontend(&conciergeconfigv1alpha1.CredentialIssuerFrontend{Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType}))
 require.NoError(t, f.Set("impersonationproxy"))
 require.Equal(t, modeImpersonationProxy, f)
diff --git a/cmd/pinniped/cmd/kubeconfig.go b/cmd/pinniped/cmd/kubeconfig.go
index 85c04bbbc..f3651bc1d 100644
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -26,7 +26,7 @@ import (
 "k8s.io/utils/strings/slices"
 authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
- configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+ conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
 oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
@@ -380,7 +380,7 @@ func getCurrentContext(currentKubeConfig clientcmdapi.Config, flags getKubeconfi
 return &kubeconfigNames{ContextName: contextName, UserName: ctx.AuthInfo, ClusterName: ctx.Cluster}, nil
 }
-func waitForCredentialIssuer(ctx context.Context, clientset conciergeclientset.Interface, flags getKubeconfigParams, deps kubeconfigDeps) (*configv1alpha1.CredentialIssuer, error) {
+func waitForCredentialIssuer(ctx context.Context, clientset conciergeclientset.Interface, flags getKubeconfigParams, deps kubeconfigDeps) (*conciergeconfigv1alpha1.CredentialIssuer, error) {
 credentialIssuer, err := lookupCredentialIssuer(clientset, flags.concierge.credentialIssuer, deps.log)
 if err != nil {
 return nil, err
@@ -416,7 +416,7 @@ func waitForCredentialIssuer(ctx context.Context, clientset conciergeclientset.I
 return credentialIssuer, nil
 }
-func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer, flags *getKubeconfigParams, v1Cluster *clientcmdapi.Cluster, log plog.MinLogger) error {
+func discoverConciergeParams(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer, flags *getKubeconfigParams, v1Cluster *clientcmdapi.Cluster, log plog.MinLogger) error {
 // Autodiscover the --concierge-mode.
 frontend, err := getConciergeFrontend(credentialIssuer, flags.concierge.mode)
 if err != nil {
@@ -427,10 +427,10 @@ func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer,
 // Auto-set --concierge-mode if it wasn't explicitly set.
 if flags.concierge.mode == modeUnknown {
 switch frontend.Type {
- case configv1alpha1.TokenCredentialRequestAPIFrontendType:
+ case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType:
 log.Info("discovered Concierge operating in TokenCredentialRequest API mode")
 flags.concierge.mode = modeTokenCredentialRequestAPI
- case configv1alpha1.ImpersonationProxyFrontendType:
+ case conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
 log.Info("discovered Concierge operating in impersonation proxy mode")
 flags.concierge.mode = modeImpersonationProxy
 }
@@ -439,9 +439,9 @@ func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer,
 // Auto-set --concierge-endpoint if it wasn't explicitly set.
 if flags.concierge.endpoint == "" {
 switch frontend.Type {
- case configv1alpha1.TokenCredentialRequestAPIFrontendType:
+ case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType:
 flags.concierge.endpoint = v1Cluster.Server
- case configv1alpha1.ImpersonationProxyFrontendType:
+ case conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
 flags.concierge.endpoint = frontend.ImpersonationProxyInfo.Endpoint
 }
 log.Info("discovered Concierge endpoint", "endpoint", flags.concierge.endpoint)
@@ -450,9 +450,9 @@ func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer,
 // Auto-set --concierge-ca-bundle if it wasn't explicitly set..
 if len(flags.concierge.caBundle) == 0 {
 switch frontend.Type {
- case configv1alpha1.TokenCredentialRequestAPIFrontendType:
+ case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType:
 flags.concierge.caBundle = v1Cluster.CertificateAuthorityData
- case configv1alpha1.ImpersonationProxyFrontendType:
+ case conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
 data, err := base64.StdEncoding.DecodeString(frontend.ImpersonationProxyInfo.CertificateAuthorityData)
 if err != nil {
 return fmt.Errorf("autodiscovered Concierge CA bundle is invalid: %w", err)
@@ -464,7 +464,7 @@ func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer,
 return nil
 }
-func logStrategies(credentialIssuer *configv1alpha1.CredentialIssuer, log plog.MinLogger) {
+func logStrategies(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer, log plog.MinLogger) {
 for _, strategy := range credentialIssuer.Status.Strategies {
 log.Info("found CredentialIssuer strategy",
 "type", strategy.Type,
@@ -520,19 +520,19 @@ func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconf
 return nil
 }
-func getConciergeFrontend(credentialIssuer *configv1alpha1.CredentialIssuer, mode conciergeModeFlag) (*configv1alpha1.CredentialIssuerFrontend, error) {
+func getConciergeFrontend(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer, mode conciergeModeFlag) (*conciergeconfigv1alpha1.CredentialIssuerFrontend, error) {
 for _, strategy := range credentialIssuer.Status.Strategies {
 // Skip unhealthy strategies.
- if strategy.Status != configv1alpha1.SuccessStrategyStatus {
+ if strategy.Status != conciergeconfigv1alpha1.SuccessStrategyStatus {
 continue
 }
 // Backfill the .status.strategies[].frontend field from .status.kubeConfigInfo for backwards compatibility.
- if strategy.Type == configv1alpha1.KubeClusterSigningCertificateStrategyType && strategy.Frontend == nil && credentialIssuer.Status.KubeConfigInfo != nil {
+ if strategy.Type == conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType && strategy.Frontend == nil && credentialIssuer.Status.KubeConfigInfo != nil {
 strategy = *strategy.DeepCopy()
- strategy.Frontend = &configv1alpha1.CredentialIssuerFrontend{
- Type: configv1alpha1.TokenCredentialRequestAPIFrontendType,
- TokenCredentialRequestAPIInfo: &configv1alpha1.TokenCredentialRequestAPIInfo{
+ strategy.Frontend = &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
+ TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 Server: credentialIssuer.Status.KubeConfigInfo.Server,
 CertificateAuthorityData: credentialIssuer.Status.KubeConfigInfo.CertificateAuthorityData,
 },
@@ -546,7 +546,7 @@ func getConciergeFrontend(credentialIssuer *configv1alpha1.CredentialIssuer, mod
 // Skip any unknown frontend types.
 switch strategy.Frontend.Type {
- case configv1alpha1.TokenCredentialRequestAPIFrontendType, configv1alpha1.ImpersonationProxyFrontendType:
+ case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType, conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
 default:
 continue
 }
@@ -574,7 +574,7 @@ func newExecKubeconfig(cluster *clientcmdapi.Cluster, execConfig *clientcmdapi.E
 }
 }
-func lookupCredentialIssuer(clientset conciergeclientset.Interface, name string, log plog.MinLogger) (*configv1alpha1.CredentialIssuer, error) {
+func lookupCredentialIssuer(clientset conciergeclientset.Interface, name string, log plog.MinLogger) (*conciergeconfigv1alpha1.CredentialIssuer, error) {
 ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
 defer cancelFunc()
@@ -736,9 +736,9 @@ func countCACerts(pemData []byte) int {
 return len(pool.Subjects())
 }
-func hasPendingStrategy(credentialIssuer *configv1alpha1.CredentialIssuer) bool {
+func hasPendingStrategy(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer) bool {
 for _, strategy := range credentialIssuer.Status.Strategies {
- if strategy.Reason == configv1alpha1.PendingStrategyReason {
+ if strategy.Reason == conciergeconfigv1alpha1.PendingStrategyReason {
 return true
 }
 }
diff --git a/cmd/pinniped/cmd/kubeconfig_test.go b/cmd/pinniped/cmd/kubeconfig_test.go
index 7a791c44f..035060472 100644
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@@ -21,7 +21,7 @@ import (
 "k8s.io/utils/ptr"
 authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
- configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+ conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 fakeconciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
 "go.pinniped.dev/internal/certauthority"
@@ -44,16 +44,16 @@ func TestGetKubeconfig(t *testing.T) {
 require.NoError(t, os.WriteFile(testConciergeCABundlePath, testConciergeCA.Bundle(), 0600))
 credentialIssuer := func() runtime.Object {
- return &configv1alpha1.CredentialIssuer{
+ return &conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
- Status: configv1alpha1.CredentialIssuerStatus{
- Strategies: []configv1alpha1.CredentialIssuerStrategy{{
- Type: configv1alpha1.KubeClusterSigningCertificateStrategyType,
- Status: configv1alpha1.SuccessStrategyStatus,
- Reason: configv1alpha1.FetchedKeyStrategyReason,
- Frontend: &configv1alpha1.CredentialIssuerFrontend{
- Type: configv1alpha1.TokenCredentialRequestAPIFrontendType,
- TokenCredentialRequestAPIInfo: &configv1alpha1.TokenCredentialRequestAPIInfo{
+ Status: conciergeconfigv1alpha1.CredentialIssuerStatus{
+ Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{{
+ Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
+ Reason: conciergeconfigv1alpha1.FetchedKeyStrategyReason,
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
+ TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 Server: "https://concierge-endpoint.example.com",
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(testConciergeCA.Bundle()),
 },
@@ -271,7 +271,7 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
+ &conciergeconfigv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
 }
 },
 wantError: true,
@@ -290,7 +290,7 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
+ &conciergeconfigv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -314,7 +314,7 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
+ &conciergeconfigv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -338,7 +338,7 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
+ &conciergeconfigv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -360,7 +360,7 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
+ &conciergeconfigv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -391,7 +391,7 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
+ &conciergeconfigv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
 }
 },
 conciergeReactions: []kubetesting.Reactor{
@@ -422,7 +422,7 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
+ &conciergeconfigv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -444,7 +444,7 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
+ &conciergeconfigv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
 &authenticationv1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1"}},
 &authenticationv1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2"}},
 &authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3"}},
@@ -474,12 +474,12 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{
+ &conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
- Status: configv1alpha1.CredentialIssuerStatus{
- Strategies: []configv1alpha1.CredentialIssuerStrategy{{
+ Status: conciergeconfigv1alpha1.CredentialIssuerStatus{
+ Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{{
 Type: "SomeType",
- Status: configv1alpha1.ErrorStrategyStatus,
+ Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
 Reason: "SomeReason",
 Message: "Some message",
 }},
@@ -508,36 +508,36 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{
+ &conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
- Status: configv1alpha1.CredentialIssuerStatus{
- Strategies: []configv1alpha1.CredentialIssuerStrategy{
+ Status: conciergeconfigv1alpha1.CredentialIssuerStatus{
+ Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{
 {
 Type: "SomeBrokenType",
- Status: configv1alpha1.ErrorStrategyStatus,
+ Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
 Reason: "SomeFailureReason",
 Message: "Some error message",
 LastUpdateTime: metav1.Now(),
 },
 {
 Type: "SomeUnknownType",
- Status: configv1alpha1.SuccessStrategyStatus,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
 Reason: "SomeReason",
 Message: "Some error message",
 LastUpdateTime: metav1.Now(),
- Frontend: &configv1alpha1.CredentialIssuerFrontend{
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
 Type: "SomeUnknownFrontendType",
 },
 },
 {
 Type: "SomeType",
- Status: configv1alpha1.SuccessStrategyStatus,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
 Reason: "SomeReason",
 Message: "Some message",
 LastUpdateTime: metav1.Now(),
- Frontend: &configv1alpha1.CredentialIssuerFrontend{
- Type: configv1alpha1.ImpersonationProxyFrontendType,
- ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType,
+ ImpersonationProxyInfo: &conciergeconfigv1alpha1.ImpersonationProxyInfo{
 Endpoint: "https://impersonation-endpoint",
 CertificateAuthorityData: "invalid-base-64",
 },
@@ -597,17 +597,17 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{
+ &conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
- Status: configv1alpha1.CredentialIssuerStatus{
- KubeConfigInfo: &configv1alpha1.CredentialIssuerKubeConfigInfo{
+ Status: conciergeconfigv1alpha1.CredentialIssuerStatus{
+ KubeConfigInfo: &conciergeconfigv1alpha1.CredentialIssuerKubeConfigInfo{
 Server: "https://concierge-endpoint",
 CertificateAuthorityData: "ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==",
 },
- Strategies: []configv1alpha1.CredentialIssuerStrategy{{
- Type: configv1alpha1.KubeClusterSigningCertificateStrategyType,
- Status: configv1alpha1.SuccessStrategyStatus,
- Reason: configv1alpha1.FetchedKeyStrategyReason,
+ Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{{
+ Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
+ Reason: conciergeconfigv1alpha1.FetchedKeyStrategyReason,
 Message: "Successfully fetched key",
 LastUpdateTime: metav1.Now(),
 // Simulate a previous version of CredentialIssuer that's missing this Frontend field.
@@ -1686,21 +1686,21 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{
+ &conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
- Status: configv1alpha1.CredentialIssuerStatus{
- Strategies: []configv1alpha1.CredentialIssuerStrategy{
+ Status: conciergeconfigv1alpha1.CredentialIssuerStatus{
+ Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{
 // This TokenCredentialRequestAPI strategy would normally be chosen, but
 // --concierge-mode=ImpersonationProxy should force it to be skipped.
 {
 Type: "SomeType",
- Status: configv1alpha1.SuccessStrategyStatus,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
 Reason: "SomeReason",
 Message: "Some message",
 LastUpdateTime: metav1.Now(),
- Frontend: &configv1alpha1.CredentialIssuerFrontend{
- Type: configv1alpha1.TokenCredentialRequestAPIFrontendType,
- TokenCredentialRequestAPIInfo: &configv1alpha1.TokenCredentialRequestAPIInfo{
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
+ TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 Server: "https://token-credential-request-api-endpoint.test",
 CertificateAuthorityData: "dGVzdC10Y3ItYXBpLWNh",
 },
@@ -1709,13 +1709,13 @@ func TestGetKubeconfig(t *testing.T) {
 // The endpoint and CA from this impersonation proxy strategy should be autodiscovered.
 {
 Type: "SomeOtherType",
- Status: configv1alpha1.SuccessStrategyStatus,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
 Reason: "SomeOtherReason",
 Message: "Some other message",
 LastUpdateTime: metav1.Now(),
- Frontend: &configv1alpha1.CredentialIssuerFrontend{
- Type: configv1alpha1.ImpersonationProxyFrontendType,
- ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType,
+ ImpersonationProxyInfo: &conciergeconfigv1alpha1.ImpersonationProxyInfo{
 Endpoint: "https://impersonation-proxy-endpoint.test",
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(testConciergeCA.Bundle()),
 },
@@ -1797,19 +1797,19 @@ func TestGetKubeconfig(t *testing.T) {
 },
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
- &configv1alpha1.CredentialIssuer{
+ &conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
- Status: configv1alpha1.CredentialIssuerStatus{
- Strategies: []configv1alpha1.CredentialIssuerStrategy{
+ Status: conciergeconfigv1alpha1.CredentialIssuerStatus{
+ Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{
 {
 Type: "SomeType",
- Status: configv1alpha1.SuccessStrategyStatus,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
 Reason: "SomeReason",
 Message: "Some message",
 LastUpdateTime: metav1.Now(),
- Frontend: &configv1alpha1.CredentialIssuerFrontend{
- Type: configv1alpha1.ImpersonationProxyFrontendType,
- ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType,
+ ImpersonationProxyInfo: &conciergeconfigv1alpha1.ImpersonationProxyInfo{
 Endpoint: "https://impersonation-proxy-endpoint.test",
 CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
 },
@@ -1817,13 +1817,13 @@ func TestGetKubeconfig(t *testing.T) {
 },
 {
 Type: "SomeOtherType",
- Status: configv1alpha1.SuccessStrategyStatus,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
 Reason: "SomeOtherReason",
 Message: "Some other message",
 LastUpdateTime: metav1.Now(),
- Frontend: &configv1alpha1.CredentialIssuerFrontend{
- Type: configv1alpha1.ImpersonationProxyFrontendType,
- ImpersonationProxyInfo: &configv1alpha1.ImpersonationProxyInfo{
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType,
+ ImpersonationProxyInfo: &conciergeconfigv1alpha1.ImpersonationProxyInfo{
 Endpoint: "https://some-other-impersonation-endpoint",
 CertificateAuthorityData: "dGVzdC1jb25jaWVyZ2UtY2E=",
 },
diff --git a/internal/controller/impersonatorconfig/impersonator_config.go b/internal/controller/impersonatorconfig/impersonator_config.go
index 6edbfa82c..12e63768f 100644
--- a/internal/controller/impersonatorconfig/impersonator_config.go
+++ b/internal/controller/impersonatorconfig/impersonator_config.go
@@ -32,7 +32,7 @@ import (
 "k8s.io/klog/v2"
 "k8s.io/utils/clock"
- "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+ conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 conciergeconfiginformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/config/v1alpha1"
 "go.pinniped.dev/internal/certauthority"
@@ -193,9 +193,9 @@ func (c *impersonatorConfigController) Sync(syncCtx controllerlib.Context) error
 strategy, err := c.doSync(syncCtx, credIssuer)
 if err != nil {
- strategy = &v1alpha1.CredentialIssuerStrategy{
- Type: v1alpha1.ImpersonationProxyStrategyType,
- Status: v1alpha1.ErrorStrategyStatus,
+ strategy = &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+ Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
 Reason: strategyReasonForError(err),
 Message: err.Error(),
 LastUpdateTime: metav1.NewTime(c.clock.Now()),
@@ -218,12 +218,12 @@ func (c *impersonatorConfigController) Sync(syncCtx controllerlib.Context) error
 // strategyReasonForError returns the proper v1alpha1.StrategyReason for a sync error. Some errors are occasionally
 // expected because there are multiple pods running, in these cases we should report a Pending reason and we'll
 // recover on a following sync.
-func strategyReasonForError(err error) v1alpha1.StrategyReason {
+func strategyReasonForError(err error) conciergeconfigv1alpha1.StrategyReason {
 switch {
 case apierrors.IsConflict(err), apierrors.IsAlreadyExists(err):
- return v1alpha1.PendingStrategyReason
+ return conciergeconfigv1alpha1.PendingStrategyReason
 default:
- return v1alpha1.ErrorDuringSetupStrategyReason
+ return conciergeconfigv1alpha1.ErrorDuringSetupStrategyReason
 }
 }
@@ -243,7 +243,7 @@ type certNameInfo struct {
 clientEndpoint string
 }
-func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, credIssuer *v1alpha1.CredentialIssuer) (*v1alpha1.CredentialIssuerStrategy, error) {
+func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, credIssuer *conciergeconfigv1alpha1.CredentialIssuer) (*conciergeconfigv1alpha1.CredentialIssuerStrategy, error) {
 ctx := syncCtx.Context
 impersonationSpec, err := c.loadImpersonationProxyConfiguration(credIssuer)
@@ -354,7 +354,7 @@ func (c *impersonatorConfigController) ensureCAAndTLSSecrets(
 func (c *impersonatorConfigController) evaluateExternallyProvidedTLSSecret(
 ctx context.Context,
- tlsSpec *v1alpha1.ImpersonationProxyTLSSpec,
+ tlsSpec *conciergeconfigv1alpha1.ImpersonationProxyTLSSpec,
 ) ([]byte, error) {
 if tlsSpec.SecretName == "" {
 return nil, fmt.Errorf("must provide impersonationSpec.TLS.secretName if impersonationSpec.TLS is provided")
@@ -396,7 +396,7 @@ func (c *impersonatorConfigController) evaluateExternallyProvidedTLSSecret(
 return caBundle, nil
 }
-func (c *impersonatorConfigController) loadImpersonationProxyConfiguration(credIssuer *v1alpha1.CredentialIssuer) (*v1alpha1.ImpersonationProxySpec, error) {
+func (c *impersonatorConfigController) loadImpersonationProxyConfiguration(credIssuer *conciergeconfigv1alpha1.CredentialIssuer) (*conciergeconfigv1alpha1.ImpersonationProxySpec, error) {
 // Make a copy of the spec since we got this object from informer cache.
 spec := credIssuer.Spec.DeepCopy().ImpersonationProxy
 if spec == nil {
@@ -405,7 +405,7 @@ func (c *impersonatorConfigController) loadImpersonationProxyConfiguration(credI
 // Default service type to LoadBalancer (this is normally already done via CRD defaulting).
 if spec.Service.Type == "" {
- spec.Service.Type = v1alpha1.ImpersonationProxyServiceTypeLoadBalancer
+ spec.Service.Type = conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer
 }
 if err := validateCredentialIssuerSpec(spec); err != nil {
@@ -415,28 +415,28 @@ func (c *impersonatorConfigController) loadImpersonationProxyConfiguration(credI
 return spec, nil
 }
-func (c *impersonatorConfigController) shouldHaveImpersonator(config *v1alpha1.ImpersonationProxySpec) bool {
- return c.enabledByAutoMode(config) || config.Mode == v1alpha1.ImpersonationProxyModeEnabled
+func (c *impersonatorConfigController) shouldHaveImpersonator(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+ return c.enabledByAutoMode(config) || config.Mode == conciergeconfigv1alpha1.ImpersonationProxyModeEnabled
 }
-func (c *impersonatorConfigController) enabledByAutoMode(config *v1alpha1.ImpersonationProxySpec) bool {
- return config.Mode == v1alpha1.ImpersonationProxyModeAuto && !*c.hasControlPlaneNodes
+func (c *impersonatorConfigController) enabledByAutoMode(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+ return config.Mode == conciergeconfigv1alpha1.ImpersonationProxyModeAuto && !*c.hasControlPlaneNodes
 }
-func (c *impersonatorConfigController) disabledByAutoMode(config *v1alpha1.ImpersonationProxySpec) bool {
- return config.Mode == v1alpha1.ImpersonationProxyModeAuto && *c.hasControlPlaneNodes
+func (c *impersonatorConfigController) disabledByAutoMode(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+ return config.Mode == conciergeconfigv1alpha1.ImpersonationProxyModeAuto && *c.hasControlPlaneNodes
 }
-func (c *impersonatorConfigController) disabledExplicitly(config *v1alpha1.ImpersonationProxySpec) bool {
- return config.Mode == v1alpha1.ImpersonationProxyModeDisabled
+func (c *impersonatorConfigController) disabledExplicitly(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+ return config.Mode == conciergeconfigv1alpha1.ImpersonationProxyModeDisabled
 }
-func (c *impersonatorConfigController) shouldHaveLoadBalancer(config *v1alpha1.ImpersonationProxySpec) bool {
- return c.shouldHaveImpersonator(config) && config.Service.Type == v1alpha1.ImpersonationProxyServiceTypeLoadBalancer
+func (c *impersonatorConfigController) shouldHaveLoadBalancer(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+ return c.shouldHaveImpersonator(config) && config.Service.Type == conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer
 }
-func (c *impersonatorConfigController) shouldHaveClusterIPService(config *v1alpha1.ImpersonationProxySpec) bool {
- return c.shouldHaveImpersonator(config) && config.Service.Type == v1alpha1.ImpersonationProxyServiceTypeClusterIP
+func (c *impersonatorConfigController) shouldHaveClusterIPService(config *conciergeconfigv1alpha1.ImpersonationProxySpec) bool {
+ return c.shouldHaveImpersonator(config) && config.Service.Type == conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP
 }
 func (c *impersonatorConfigController) serviceExists(serviceName string) (bool, *corev1.Service, error) {
@@ -537,7 +537,7 @@ func (c *impersonatorConfigController) ensureImpersonatorIsStopped(shouldCloseEr
 return stopErr
 }
-func (c *impersonatorConfigController) ensureLoadBalancerIsStarted(ctx context.Context, config *v1alpha1.ImpersonationProxySpec) error {
+func (c *impersonatorConfigController) ensureLoadBalancerIsStarted(ctx context.Context, config *conciergeconfigv1alpha1.ImpersonationProxySpec) error {
 appNameLabel := c.labels[appLabelKey]
 loadBalancer := corev1.Service{
 Spec: corev1.ServiceSpec{
@@ -583,7 +583,7 @@ func (c *impersonatorConfigController) ensureLoadBalancerIsStopped(ctx context.C
 return utilerrors.FilterOut(err, apierrors.IsNotFound)
 }
-func (c *impersonatorConfigController) ensureClusterIPServiceIsStarted(ctx context.Context, config *v1alpha1.ImpersonationProxySpec) error {
+func (c *impersonatorConfigController) ensureClusterIPServiceIsStarted(ctx context.Context, config *conciergeconfigv1alpha1.ImpersonationProxySpec) error {
 appNameLabel := c.labels[appLabelKey]
 clusterIP := corev1.Service{
 Spec: corev1.ServiceSpec{
@@ -950,16 +950,16 @@ func (c *impersonatorConfigController) createCASecret(ctx context.Context) (*cer
 return impersonationCA, nil
 }
-func (c *impersonatorConfigController) findDesiredTLSCertificateName(config *v1alpha1.ImpersonationProxySpec) (*certNameInfo, error) {
+func (c *impersonatorConfigController) findDesiredTLSCertificateName(config *conciergeconfigv1alpha1.ImpersonationProxySpec) (*certNameInfo, error) {
 if config.ExternalEndpoint != "" {
 return c.findTLSCertificateNameFromEndpointConfig(config), nil
- } else if config.Service.Type == v1alpha1.ImpersonationProxyServiceTypeClusterIP {
+ } else if config.Service.Type == conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP {
 return c.findTLSCertificateNameFromClusterIPService()
 }
 return c.findTLSCertificateNameFromLoadBalancer()
 }
-func (c *impersonatorConfigController) findTLSCertificateNameFromEndpointConfig(config *v1alpha1.ImpersonationProxySpec) *certNameInfo {
+func (c *impersonatorConfigController) findTLSCertificateNameFromEndpointConfig(config *conciergeconfigv1alpha1.ImpersonationProxySpec) *certNameInfo {
 addr, _ := endpointaddr.Parse(config.ExternalEndpoint, 443)
 endpoint := strings.TrimSuffix(addr.Endpoint(), ":443")
@@ -1136,42 +1136,42 @@ func (c *impersonatorConfigController) clearSignerCA() {
 c.impersonationSigningCertProvider.UnsetCertKeyContent()
 }
-func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, config *v1alpha1.ImpersonationProxySpec, caBundle []byte) *v1alpha1.CredentialIssuerStrategy {
+func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, config *conciergeconfigv1alpha1.ImpersonationProxySpec, caBundle []byte) *conciergeconfigv1alpha1.CredentialIssuerStrategy {
 switch {
 case c.disabledExplicitly(config):
- return &v1alpha1.CredentialIssuerStrategy{
- Type: v1alpha1.ImpersonationProxyStrategyType,
- Status: v1alpha1.ErrorStrategyStatus,
- Reason: v1alpha1.DisabledStrategyReason,
+ return &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+ Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
+ Reason: conciergeconfigv1alpha1.DisabledStrategyReason,
 Message: "impersonation proxy was explicitly disabled by configuration",
 LastUpdateTime: metav1.NewTime(c.clock.Now()),
 }
 case c.disabledByAutoMode(config):
- return &v1alpha1.CredentialIssuerStrategy{
- Type: v1alpha1.ImpersonationProxyStrategyType,
- Status: v1alpha1.ErrorStrategyStatus,
- Reason: v1alpha1.DisabledStrategyReason,
+ return &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+ Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
+ Reason: conciergeconfigv1alpha1.DisabledStrategyReason,
 Message: "automatically determined that impersonation proxy should be disabled",
 LastUpdateTime: metav1.NewTime(c.clock.Now()),
 }
 case !nameInfo.ready:
- return &v1alpha1.CredentialIssuerStrategy{
- Type: v1alpha1.ImpersonationProxyStrategyType,
- Status: v1alpha1.ErrorStrategyStatus,
- Reason: v1alpha1.PendingStrategyReason,
+ return &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+ Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
+ Reason: conciergeconfigv1alpha1.PendingStrategyReason,
 Message: "waiting for load balancer Service to be assigned IP or hostname",
 LastUpdateTime: metav1.NewTime(c.clock.Now()),
 }
 default:
- return &v1alpha1.CredentialIssuerStrategy{
- Type: v1alpha1.ImpersonationProxyStrategyType,
- Status: v1alpha1.SuccessStrategyStatus,
- Reason: v1alpha1.ListeningStrategyReason,
+ return &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
+ Reason: conciergeconfigv1alpha1.ListeningStrategyReason,
 Message: "impersonation proxy is ready to accept client connections",
 LastUpdateTime: metav1.NewTime(c.clock.Now()),
- Frontend: &v1alpha1.CredentialIssuerFrontend{
- Type: v1alpha1.ImpersonationProxyFrontendType,
- ImpersonationProxyInfo: &v1alpha1.ImpersonationProxyInfo{
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType,
+ ImpersonationProxyInfo: &conciergeconfigv1alpha1.ImpersonationProxyInfo{
 Endpoint: "https://" + nameInfo.clientEndpoint,
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(caBundle),
 },
@@ -1180,26 +1180,26 @@ func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, conf
 }
 }
-func validateCredentialIssuerSpec(spec *v1alpha1.ImpersonationProxySpec) error {
+func validateCredentialIssuerSpec(spec *conciergeconfigv1alpha1.ImpersonationProxySpec) error {
 // Validate that the mode is one of our known values.
 switch spec.Mode {
- case v1alpha1.ImpersonationProxyModeDisabled:
- case v1alpha1.ImpersonationProxyModeAuto:
- case v1alpha1.ImpersonationProxyModeEnabled:
+ case conciergeconfigv1alpha1.ImpersonationProxyModeDisabled:
+ case conciergeconfigv1alpha1.ImpersonationProxyModeAuto:
+ case conciergeconfigv1alpha1.ImpersonationProxyModeEnabled:
 default:
 return fmt.Errorf("invalid proxy mode %q (expected auto, disabled, or enabled)", spec.Mode)
 }
 // If disabled, ignore all other fields and consider the configuration valid.
- if spec.Mode == v1alpha1.ImpersonationProxyModeDisabled {
+ if spec.Mode == conciergeconfigv1alpha1.ImpersonationProxyModeDisabled {
 return nil
 }
 // Validate that the service type is one of our known values.
 switch spec.Service.Type {
- case v1alpha1.ImpersonationProxyServiceTypeNone:
- case v1alpha1.ImpersonationProxyServiceTypeLoadBalancer:
- case v1alpha1.ImpersonationProxyServiceTypeClusterIP:
+ case conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone:
+ case conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer:
+ case conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP:
 default:
 return fmt.Errorf("invalid service type %q (expected None, LoadBalancer, or ClusterIP)", spec.Service.Type)
 }
@@ -1210,7 +1210,7 @@ func validateCredentialIssuerSpec(spec *v1alpha1.ImpersonationProxySpec) error {
 }
 // If service is type "None", a non-empty external endpoint must be specified.
- if spec.ExternalEndpoint == "" && spec.Service.Type == v1alpha1.ImpersonationProxyServiceTypeNone {
+ if spec.ExternalEndpoint == "" && spec.Service.Type == conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone {
 return fmt.Errorf("externalEndpoint must be set when service.type is None")
 }
diff --git a/internal/controller/impersonatorconfig/impersonator_config_test.go b/internal/controller/impersonatorconfig/impersonator_config_test.go
index f012ff9b2..ae40ee11e 100644
--- a/internal/controller/impersonatorconfig/impersonator_config_test.go
+++ b/internal/controller/impersonatorconfig/impersonator_config_test.go
@@ -35,7 +35,7 @@ import (
 coretesting "k8s.io/client-go/testing"
 clocktesting "k8s.io/utils/clock/testing"
- "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+ conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 pinnipedfake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
 pinnipedinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
 "go.pinniped.dev/internal/certauthority"
@@ -103,13 +103,13 @@ func TestImpersonatorConfigControllerOptions(t *testing.T) {
 when("watching CredentialIssuer objects", func() {
 var subject controllerlib.Filter
- var target, wrongName, otherWrongName *v1alpha1.CredentialIssuer
+ var target, wrongName, otherWrongName *conciergeconfigv1alpha1.CredentialIssuer
 it.Before(func() {
 subject = credIssuerInformerFilter
- target = &v1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}}
- wrongName = &v1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "wrong-name"}}
- otherWrongName = &v1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "other-wrong-name"}}
+ target = &conciergeconfigv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}}
+ wrongName = &conciergeconfigv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "wrong-name"}}
+ otherWrongName = &conciergeconfigv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "other-wrong-name"}}
 })
 when("the target CredentialIssuer changes", func() {
@@ -609,7 +609,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 controllerlib.TestRunSynchronously(t, subject)
 }
- var addCredentialIssuerToTrackers = func(credIssuer v1alpha1.CredentialIssuer, informerClient *pinnipedfake.Clientset, mainClient *pinnipedfake.Clientset) {
+ var addCredentialIssuerToTrackers = func(credIssuer conciergeconfigv1alpha1.CredentialIssuer, informerClient *pinnipedfake.Clientset, mainClient *pinnipedfake.Clientset) {
 t.Logf("adding CredentialIssuer %s to informer and main clientsets", credIssuer.Name)
 r.NoError(informerClient.Tracker().Add(&credIssuer))
 r.NoError(mainClient.Tracker().Add(&credIssuer))
@@ -772,12 +772,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 addObjectToKubeInformerAndWait(createdObject, informer)
 }
- var updateCredentialIssuerInInformerAndWait = func(resourceName string, credIssuerSpec v1alpha1.CredentialIssuerSpec, informer controllerlib.InformerGetter) {
- credIssuersGVR := v1alpha1.Resource("credentialissuers").WithVersion("v1alpha1")
+ var updateCredentialIssuerInInformerAndWait = func(resourceName string, credIssuerSpec conciergeconfigv1alpha1.CredentialIssuerSpec, informer controllerlib.InformerGetter) {
+ credIssuersGVR := conciergeconfigv1alpha1.Resource("credentialissuers").WithVersion("v1alpha1")
 credIssuerObj, err := pinnipedInformerClient.Tracker().Get(credIssuersGVR, "", resourceName)
 r.NoError(err, "could not find CredentialIssuer to update for test")
- credIssuer := credIssuerObj.(*v1alpha1.CredentialIssuer)
+ credIssuer := credIssuerObj.(*conciergeconfigv1alpha1.CredentialIssuer)
 credIssuer = credIssuer.DeepCopy() // don't edit the original from the tracker
 credIssuer.Spec = credIssuerSpec
 r.NoError(pinnipedInformerClient.Tracker().Update(credIssuersGVR, credIssuer, ""))
@@ -899,16 +899,16 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 )
 }
- var newSuccessStrategy = func(endpoint string, ca []byte) v1alpha1.CredentialIssuerStrategy {
- return v1alpha1.CredentialIssuerStrategy{
- Type: v1alpha1.ImpersonationProxyStrategyType,
- Status: v1alpha1.SuccessStrategyStatus,
- Reason: v1alpha1.ListeningStrategyReason,
+ var newSuccessStrategy = func(endpoint string, ca []byte) conciergeconfigv1alpha1.CredentialIssuerStrategy {
+ return conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
+ Reason: conciergeconfigv1alpha1.ListeningStrategyReason,
 Message: "impersonation proxy is ready to accept client connections",
 LastUpdateTime: metav1.NewTime(frozenNow),
- Frontend: &v1alpha1.CredentialIssuerFrontend{
- Type: v1alpha1.ImpersonationProxyFrontendType,
- ImpersonationProxyInfo: &v1alpha1.ImpersonationProxyInfo{
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyFrontendType,
+ ImpersonationProxyInfo: &conciergeconfigv1alpha1.ImpersonationProxyInfo{
 Endpoint: "https://" + endpoint,
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(ca),
 },
@@ -916,64 +916,64 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 }
 }
- var newAutoDisabledStrategy = func() v1alpha1.CredentialIssuerStrategy {
- return v1alpha1.CredentialIssuerStrategy{
- Type: v1alpha1.ImpersonationProxyStrategyType,
- Status: v1alpha1.ErrorStrategyStatus,
- Reason: v1alpha1.DisabledStrategyReason,
+ var newAutoDisabledStrategy = func() conciergeconfigv1alpha1.CredentialIssuerStrategy {
+ return conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+ Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
+ Reason: conciergeconfigv1alpha1.DisabledStrategyReason,
 Message: "automatically determined that impersonation proxy should be disabled",
 LastUpdateTime: metav1.NewTime(frozenNow),
 Frontend: nil,
 }
 }
- var newManuallyDisabledStrategy = func() v1alpha1.CredentialIssuerStrategy {
+ var newManuallyDisabledStrategy = func() conciergeconfigv1alpha1.CredentialIssuerStrategy {
 s := newAutoDisabledStrategy()
 s.Message = "impersonation proxy was explicitly disabled by configuration"
 return s
 }
- var newPendingStrategy = func(msg string) v1alpha1.CredentialIssuerStrategy {
- return v1alpha1.CredentialIssuerStrategy{
- Type: v1alpha1.ImpersonationProxyStrategyType,
- Status: v1alpha1.ErrorStrategyStatus,
- Reason: v1alpha1.PendingStrategyReason,
+ var newPendingStrategy = func(msg string) conciergeconfigv1alpha1.CredentialIssuerStrategy {
+ return conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+ Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
+ Reason: conciergeconfigv1alpha1.PendingStrategyReason,
 Message: msg,
 LastUpdateTime: metav1.NewTime(frozenNow),
 Frontend: nil,
 }
 }
- var newPendingStrategyWaitingForLB = func() v1alpha1.CredentialIssuerStrategy {
+ var newPendingStrategyWaitingForLB = func() conciergeconfigv1alpha1.CredentialIssuerStrategy {
 return newPendingStrategy("waiting for load balancer Service to be assigned IP or hostname")
 }
- var newErrorStrategy = func(msg string) v1alpha1.CredentialIssuerStrategy {
- return v1alpha1.CredentialIssuerStrategy{
- Type: v1alpha1.ImpersonationProxyStrategyType,
- Status: v1alpha1.ErrorStrategyStatus,
- Reason: v1alpha1.ErrorDuringSetupStrategyReason,
+ var newErrorStrategy = func(msg string) conciergeconfigv1alpha1.CredentialIssuerStrategy {
+ return conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyStrategyType,
+ Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
+ Reason: conciergeconfigv1alpha1.ErrorDuringSetupStrategyReason,
 Message: msg,
 LastUpdateTime: metav1.NewTime(frozenNow),
 Frontend: nil,
 }
 }
- var getCredentialIssuer = func() *v1alpha1.CredentialIssuer {
+ var getCredentialIssuer = func() *conciergeconfigv1alpha1.CredentialIssuer {
 credentialIssuerObj, err := pinnipedAPIClient.Tracker().Get(
 schema.GroupVersionResource{
- Group: v1alpha1.SchemeGroupVersion.Group,
- Version: v1alpha1.SchemeGroupVersion.Version,
+ Group: conciergeconfigv1alpha1.SchemeGroupVersion.Group,
+ Version: conciergeconfigv1alpha1.SchemeGroupVersion.Version,
 Resource: "credentialissuers",
 }, "", credentialIssuerResourceName,
 )
 r.NoError(err)
- credentialIssuer, ok := credentialIssuerObj.(*v1alpha1.CredentialIssuer)
+ credentialIssuer, ok := credentialIssuerObj.(*conciergeconfigv1alpha1.CredentialIssuer)
 r.True(ok, "should have been able to cast this obj to CredentialIssuer: %v", credentialIssuerObj)
 return credentialIssuer
 }
- var requireCredentialIssuer = func(expectedStrategy v1alpha1.CredentialIssuerStrategy) {
+ var requireCredentialIssuer = func(expectedStrategy conciergeconfigv1alpha1.CredentialIssuerStrategy) {
 // Rather than looking at the specific API actions on pinnipedAPIClient, we just look
 // at the final result here.
 // This is because the implementation is using a helper from another package to create
@@ -982,7 +982,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 // As long as we get the final result that we wanted then we are happy for the purposes
 // of this test.
 credentialIssuer := getCredentialIssuer()
- r.Equal([]v1alpha1.CredentialIssuerStrategy{expectedStrategy}, credentialIssuer.Status.Strategies)
+ r.Equal([]conciergeconfigv1alpha1.CredentialIssuerStrategy{expectedStrategy}, credentialIssuer.Status.Strategies)
 }
 var requireServiceWasDeleted = func(action coretesting.Action, serviceName string) {
@@ -1178,14 +1178,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("the configuration is auto mode with an endpoint and service type none", func() {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeAuto,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto,
 ExternalEndpoint: localhostIP,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
 },
 },
@@ -1232,16 +1232,16 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
 addSecretToTrackers(externalTLSSecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeAuto,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto,
 ExternalEndpoint: localhostIP,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
- TLS: &v1alpha1.ImpersonationProxyTLSSpec{
+ TLS: &conciergeconfigv1alpha1.ImpersonationProxyTLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(externalCA.Bundle()),
 SecretName: externallyProvidedTLSSecretName,
 },
@@ -1293,16 +1293,16 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
 addSecretToTrackers(externalTLSSecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeAuto,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto,
 ExternalEndpoint: localhostIP,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
- TLS: &v1alpha1.ImpersonationProxyTLSSpec{
+ TLS: &conciergeconfigv1alpha1.ImpersonationProxyTLSSpec{
 CertificateAuthorityData: string(externalCA.Bundle()),
 SecretName: externallyProvidedTLSSecretName,
 },
@@ -1325,16 +1325,16 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
 addSecretToTrackers(externalTLSSecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeAuto,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto,
 ExternalEndpoint: localhostIP,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
- TLS: &v1alpha1.ImpersonationProxyTLSSpec{
+ TLS: &conciergeconfigv1alpha1.ImpersonationProxyTLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("hello")),
 SecretName: externallyProvidedTLSSecretName,
 },
@@ -1364,16 +1364,16 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
 externalTLSSecret.Data["ca.crt"] = externalCA.Bundle()
 addSecretToTrackers(externalTLSSecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeAuto,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto,
 ExternalEndpoint: localhostIP,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
- TLS: &v1alpha1.ImpersonationProxyTLSSpec{
+ TLS: &conciergeconfigv1alpha1.ImpersonationProxyTLSSpec{
 SecretName: externallyProvidedTLSSecretName,
 },
 },
@@ -1397,16 +1397,16 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
 externalTLSSecret.Data["ca.crt"] = []byte("hello")
 addSecretToTrackers(externalTLSSecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeAuto,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto,
 ExternalEndpoint: localhostIP,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
- TLS: &v1alpha1.ImpersonationProxyTLSSpec{
+ TLS: &conciergeconfigv1alpha1.ImpersonationProxyTLSSpec{
 SecretName: externallyProvidedTLSSecretName,
 },
 },
@@ -1428,16 +1428,16 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
 addSecretToTrackers(externalTLSSecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeAuto,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto,
 ExternalEndpoint: localhostIP,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
- TLS: &v1alpha1.ImpersonationProxyTLSSpec{
+ TLS: &conciergeconfigv1alpha1.ImpersonationProxyTLSSpec{
 SecretName: externallyProvidedTLSSecretName,
 },
 },
@@ -1461,11 +1461,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("the configuration is auto mode", func() {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeAuto,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto,
 },
 },
 }, pinnipedInformerClient, pinnipedAPIClient)
@@ -1762,11 +1762,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("the configuration is disabled mode", func() {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeDisabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeDisabled,
 },
 },
 }, pinnipedInformerClient, pinnipedAPIClient)
@@ -1790,11 +1790,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 })
 when("no load balancer", func() {
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 },
 },
 }, pinnipedInformerClient, pinnipedAPIClient)
@@ -1824,11 +1824,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("a loadbalancer already exists", func() {
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 },
 },
 }, pinnipedInformerClient, pinnipedAPIClient)
@@ -1860,13 +1860,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("a clusterip already exists with ingress", func() {
 const fakeIP = "127.0.0.123"
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeClusterIP,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP,
 },
 },
 },
@@ -1893,13 +1893,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 const fakeIP1 = "127.0.0.123"
 const fakeIP2 = "fd00::5118"
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeClusterIP,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP,
 },
 },
 },
@@ -1925,11 +1925,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("a load balancer and a secret already exists", func() {
 var caCrt []byte
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 },
 },
 }, pinnipedInformerClient, pinnipedAPIClient)
@@ -1957,13 +1957,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("credentialissuer has service type loadbalancer and custom annotations", func() { it.Before(func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer, Annotations: map[string]string{"some-annotation-key": "some-annotation-value"}, }, }, 
@@ -1992,14 +1992,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("the CredentialIssuer has a hostname specified and service type none", func() {
 const fakeHostname = "fake.example.com"
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: fakeHostname,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
 },
 },
@@ -2024,14 +2024,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("the CredentialIssuer has a hostname specified and service type loadbalancer", func() {
 const fakeHostname = "fake.example.com"
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: fakeHostname,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer,
 },
 },
 },
@@ -2056,13 +2056,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the CredentialIssuer has a hostname specified and service type clusterip", func() { it.Before(func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeClusterIP, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP, }, }, }, 
@@ -2087,14 +2087,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("the CredentialIssuer has a endpoint which is an IP address with a port", func() {
 const fakeIPWithPort = "127.0.0.1:3000"
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: fakeIPWithPort,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
 },
 },
@@ -2119,14 +2119,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("the CredentialIssuer has a endpoint which is a hostname with a port, service type none", func() {
 const fakeHostnameWithPort = "fake.example.com:3000"
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: fakeHostnameWithPort,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
 },
 },
@@ -2151,14 +2151,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("the CredentialIssuer has a endpoint which is a hostname with a port, service type loadbalancer with loadbalancerip", func() {
 const fakeHostnameWithPort = "fake.example.com:3000"
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: fakeHostnameWithPort,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer,
 LoadBalancerIP: localhostIP,
 },
 },
@@ -2187,27 +2187,27 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { const fakeHostname = "fake.example.com" const fakeIP = "127.0.0.42" - var hostnameConfig = v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + var hostnameConfig = conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: fakeHostname, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, } - var ipAddressConfig = v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + var ipAddressConfig = conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: fakeIP, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, } it.Before(func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, Spec: ipAddressConfig, }, pinnipedInformerClient, pinnipedAPIClient) 
@@ -2264,14 +2264,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("the TLS cert goes missing and needs to be recreated, e.g. when a user manually deleted it", func() {
 const fakeHostname = "fake.example.com"
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: fakeHostname,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
 },
 },
@@ -2312,14 +2312,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("the CA cert goes missing and needs to be recreated, e.g. when a user manually deleted it", func() {
 const fakeHostname = "fake.example.com"
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: fakeHostname,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
 },
 },
@@ -2363,14 +2363,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 const fakeHostname = "fake.example.com"
 var caCrt []byte
 it.Before(func() {
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: fakeHostname,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone,
 },
 },
 },
@@ -2439,11 +2439,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("service type loadbalancer", func() {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 },
 },
 }, pinnipedInformerClient, pinnipedAPIClient)
@@ -2467,9 +2467,9 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { addObjectFromCreateActionToInformerAndWait(kubeAPIClient.Actions()[2], kubeInformers.Core().V1().Secrets()) // Update the CredentialIssuer. - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeDisabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeDisabled, }, }, pinnipedInformers.Config().V1alpha1().CredentialIssuers()) @@ -2484,9 +2484,9 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { waitForObjectToBeDeletedFromInformer(loadBalancerServiceName, kubeInformers.Core().V1().Services()) // Update the CredentialIssuer again. - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, }, }, pinnipedInformers.Config().V1alpha1().CredentialIssuers()) 
@@ -2502,13 +2502,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("service type clusterip", func() { it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeClusterIP, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP, }, }, }, @@ -2533,9 +2533,9 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { addObjectFromCreateActionToInformerAndWait(kubeAPIClient.Actions()[2], kubeInformers.Core().V1().Secrets()) // Update the CredentialIssuer. - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeDisabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeDisabled, }, }, pinnipedInformers.Config().V1alpha1().CredentialIssuers()) 
@@ -2550,11 +2550,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { waitForObjectToBeDeletedFromInformer(clusterIPServiceName, kubeInformers.Core().V1().Services()) // Update the CredentialIssuer again. - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeClusterIP, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP, }, }, }, pinnipedInformers.Config().V1alpha1().CredentialIssuers()) @@ -2572,14 +2572,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { const fakeHostname = "hello.com" it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: fakeHostname, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, }, 
@@ -2607,9 +2607,9 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { addObjectFromCreateActionToInformerAndWait(kubeAPIClient.Actions()[2], kubeInformers.Core().V1().Secrets()) // Update the CredentialIssuer. - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeDisabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeDisabled, }, }, pinnipedInformers.Config().V1alpha1().CredentialIssuers()) @@ -2627,12 +2627,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { waitForObjectToBeDeletedFromInformer(internallyGeneratedTLSServingCertSecretName, kubeInformers.Core().V1().Secrets()) // Update the CredentialIssuer again. - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: fakeHostname, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, }, pinnipedInformers.Config().V1alpha1().CredentialIssuers()) 
@@ -2653,14 +2653,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the endpoint and mode switch from specified with no service, to not specified, to specified again", func() { it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: localhostIP, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, }, @@ -2686,9 +2686,9 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { addObjectFromCreateActionToInformerAndWait(kubeAPIClient.Actions()[2], kubeInformers.Core().V1().Secrets()) // Switch to "enabled" mode without an "endpoint", so a load balancer is needed now. - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, }, }, pinnipedInformers.Config().V1alpha1().CredentialIssuers()) 
@@ -2727,12 +2727,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { addObjectFromCreateActionToInformerAndWait(kubeAPIClient.Actions()[5], kubeInformers.Core().V1().Secrets()) // Now switch back to having the "endpoint" specified and explicitly saying that we don't want the load balancer service. - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: localhostIP, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, }, pinnipedInformers.Config().V1alpha1().CredentialIssuers()) 
@@ -2751,14 +2751,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("requesting a load balancer via CredentialIssuer, then updating the annotations", func() {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: localhostIP,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer,
 },
 },
 },
@@ -2798,12 +2798,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { // Add annotations to the CredentialIssuer spec. credentialIssuerAnnotations := map[string]string{"my-annotation-key": "my-annotation-val"} - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: localhostIP, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer, Annotations: credentialIssuerAnnotations, }, }, 
@@ -2829,14 +2829,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("requesting a cluster ip via CredentialIssuer, then updating the annotations", func() {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: localhostIP,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeClusterIP,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP,
 },
 },
 },
@@ -2876,12 +2876,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { // Add annotations to the CredentialIssuer spec. credentialIssuerAnnotations := map[string]string{"my-annotation-key": "my-annotation-val"} - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: localhostIP, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeClusterIP, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP, Annotations: credentialIssuerAnnotations, }, }, 
@@ -2907,14 +2907,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 when("requesting a load balancer via CredentialIssuer with annotations, then updating the CredentialIssuer annotations to remove one", func() {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
- addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
- Spec: v1alpha1.CredentialIssuerSpec{
- ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
- Mode: v1alpha1.ImpersonationProxyModeEnabled,
+ Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: localhostIP,
- Service: v1alpha1.ImpersonationProxyServiceSpec{
- Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer,
 Annotations: map[string]string{
 "my-initial-annotation1-key": "my-initial-annotation1-val",
 "my-initial-annotation2-key": "my-initial-annotation2-val",
@@ -2960,12 +2960,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { r.Len(kubeAPIClient.Actions(), 4) // no new actions because the controller decides there is nothing to update on the Service // Remove one of the annotations from the CredentialIssuer spec. - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: localhostIP, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer, Annotations: map[string]string{ "my-initial-annotation1-key": "my-initial-annotation1-val", "my-initial-annotation3-key": "my-initial-annotation3-val", 
@@ -2992,12 +2992,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { requireMTLSClientCertProviderHasLoadedCerts(mTLSClientCertCACertPEM, mTLSClientCertCAPrivateKeyPEM) // Remove all the rest of the annotations from the CredentialIssuer spec so there are none remaining. - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: localhostIP, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer, Annotations: map[string]string{}, }, }, 
@@ -3021,14 +3021,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("requesting a load balancer via CredentialIssuer, but there is already a load balancer with an invalid bookkeeping annotation value", func() { it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: localhostIP, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer, Annotations: map[string]string{"some-annotation": "annotation-value"}, }, }, 
@@ -3066,14 +3066,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("requesting a load balancer via CredentialIssuer, then adding a static loadBalancerIP to the spec", func() { it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: localhostIP, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer, }, }, }, 
@@ -3104,12 +3104,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { // Add annotations to the spec. loadBalancerIP := "1.2.3.4" - updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + updateCredentialIssuerInInformerAndWait(credentialIssuerResourceName, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: localhostIP, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer, LoadBalancerIP: loadBalancerIP, }, }, @@ -3129,11 +3129,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) addNodeWithRoleToTracker("worker", kubeAPIClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeAuto, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, }, }, }, pinnipedInformerClient, pinnipedAPIClient) 
@@ -3237,28 +3237,28 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { }) when("there is already a CredentialIssuer", func() { - preExistingStrategy := v1alpha1.CredentialIssuerStrategy{ - Type: v1alpha1.KubeClusterSigningCertificateStrategyType, - Status: v1alpha1.SuccessStrategyStatus, - Reason: v1alpha1.FetchedKeyStrategyReason, + preExistingStrategy := conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.SuccessStrategyStatus, + Reason: conciergeconfigv1alpha1.FetchedKeyStrategyReason, Message: "happy other unrelated strategy", LastUpdateTime: metav1.NewTime(frozenNow), - Frontend: &v1alpha1.CredentialIssuerFrontend{ - Type: v1alpha1.TokenCredentialRequestAPIFrontendType, + Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{ + Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType, }, } it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeAuto, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, }, }, - Status: v1alpha1.CredentialIssuerStatus{ - Strategies: []v1alpha1.CredentialIssuerStrategy{ + Status: conciergeconfigv1alpha1.CredentialIssuerStatus{ + Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{ preExistingStrategy, }, }, 
@@ -3275,17 +3275,17 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { requireLoadBalancerWasCreated(kubeAPIClient.Actions()[1]) requireCASecretWasCreated(kubeAPIClient.Actions()[2]) credentialIssuer := getCredentialIssuer() - r.Equal([]v1alpha1.CredentialIssuerStrategy{preExistingStrategy, newPendingStrategyWaitingForLB()}, credentialIssuer.Status.Strategies) + r.Equal([]conciergeconfigv1alpha1.CredentialIssuerStrategy{preExistingStrategy, newPendingStrategyWaitingForLB()}, credentialIssuer.Status.Strategies) }) }) when("getting the control plane nodes returns an error, e.g. when there are no nodes", func() { it("returns an error", func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeAuto, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, }, }, }, pinnipedInformerClient, pinnipedAPIClient) 
@@ -3302,11 +3302,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) addNodeWithRoleToTracker("worker", kubeAPIClient) impersonatorFuncReturnedFuncError = errors.New("some immediate impersonator startup error") - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeAuto, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, }, }, }, pinnipedInformerClient, pinnipedAPIClient) @@ -3366,11 +3366,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) addNodeWithRoleToTracker("worker", kubeAPIClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeAuto, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, }, }, }, pinnipedInformerClient, pinnipedAPIClient) 
@@ -3425,9 +3425,9 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the CredentialIssuer has nil impersonation spec", func() { it.Before(func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ ImpersonationProxy: nil, }, }, pinnipedInformerClient, pinnipedAPIClient) @@ -3445,10 +3445,10 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the CredentialIssuer has invalid mode", func() { it.Before(func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ Mode: "not-valid", }, }, @@ -3467,12 +3467,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the CredentialIssuer has invalid service type", func() { it.Before(func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, - Service: v1alpha1.ImpersonationProxyServiceSpec{ + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ Type: "not-valid", }, }, 
@@ -3492,12 +3492,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the CredentialIssuer has invalid LoadBalancerIP", func() { it.Before(func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, - Service: v1alpha1.ImpersonationProxyServiceSpec{ + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ LoadBalancerIP: "invalid-ip-address", }, }, @@ -3517,11 +3517,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the CredentialIssuer has invalid ExternalEndpoint", func() { it.Before(func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: "[invalid", }, }, 
@@ -3547,11 +3547,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { action.(coretesting.CreateAction).GetObject().(*corev1.Service).Name, ) }) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeAuto, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, }, }, }, pinnipedInformerClient, pinnipedAPIClient) @@ -3572,11 +3572,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { kubeAPIClient.PrependReactor("delete", "services", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) { return true, nil, fmt.Errorf("error on delete") }) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeDisabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeDisabled, }, }, }, pinnipedInformerClient, pinnipedAPIClient) 
@@ -3598,13 +3598,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { kubeAPIClient.PrependReactor("create", "services", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) { return true, nil, fmt.Errorf("error on create") }) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeAuto, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeClusterIP, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP, }, }, }, 
@@ -3626,13 +3626,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { kubeAPIClient.PrependReactor("update", "services", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) { return true, nil, fmt.Errorf("error on update") }) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeAuto, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeClusterIP, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP, Annotations: map[string]string{"key": "val"}, }, }, @@ -3657,11 +3657,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { kubeAPIClient.PrependReactor("delete", "services", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) { return true, nil, fmt.Errorf("error on delete") }) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeDisabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeDisabled, }, }, }, pinnipedInformerClient, pinnipedAPIClient) 
@@ -3679,14 +3679,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there is an error creating the tls secret", func() { it.Before(func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: "example.com", - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, }, @@ -3716,14 +3716,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there is an error creating the CA secret", func() { it.Before(func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: "example.com", - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, }, 
@@ -3753,14 +3753,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the CA secret exists but is invalid while the TLS secret needs to be created", func() { it.Before(func() { addNodeWithRoleToTracker("control-plane", kubeAPIClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: "example.com", - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, }, @@ -3786,11 +3786,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { addLoadBalancerServiceToTracker(loadBalancerServiceName, kubeInformerClient) addLoadBalancerServiceToTracker(loadBalancerServiceName, kubeAPIClient) addSecretToTrackers(newEmptySecret(internallyGeneratedTLSServingCertSecretName), kubeAPIClient, kubeInformerClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeAuto, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, }, }, }, pinnipedInformerClient, pinnipedAPIClient) 
@@ -3816,11 +3816,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it.Before(func() { addNodeWithRoleToTracker("control-plane", kubeAPIClient) addSecretToTrackers(newEmptySecret(internallyGeneratedTLSServingCertSecretName), kubeInformerClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeDisabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeDisabled, }, }, }, pinnipedInformerClient, pinnipedAPIClient) @@ -3841,14 +3841,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the PEM formatted data in the TLS Secret is not a valid cert", func() { it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: localhostIP, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, }, 
@@ -3901,11 +3901,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { var caCrt []byte it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, }, }, }, pinnipedInformerClient, pinnipedAPIClient) @@ -3967,11 +3967,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { addSecretToTrackers(tlsSecret, kubeAPIClient, kubeInformerClient) addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeAPIClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeAuto, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, }, }, }, pinnipedInformerClient, pinnipedAPIClient) 
@@ -4015,11 +4015,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) addNodeWithRoleToTracker("worker", kubeAPIClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeAuto, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, }, }, }, pinnipedInformerClient, pinnipedAPIClient) @@ -4050,14 +4050,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the impersonator is ready but there is a problem with the signing secret, which should be created by another controller", func() { const fakeHostname = "foo.example.com" it.Before(func() { - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: fakeHostname, - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, }, 
@@ -4145,14 +4145,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the impersonator is enabled but the service type is none and the external endpoint is empty", func() { it.Before(func() { addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient) - addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{ + addCredentialIssuerToTrackers(conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName}, - Spec: v1alpha1.CredentialIssuerSpec{ - ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{ - Mode: v1alpha1.ImpersonationProxyModeEnabled, + Spec: conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: "", - Service: v1alpha1.ImpersonationProxyServiceSpec{ - Type: v1alpha1.ImpersonationProxyServiceTypeNone, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeNone, }, }, }, diff --git a/internal/controller/issuerconfig/issuerconfig.go b/internal/controller/issuerconfig/issuerconfig.go index 136734bc4..faea9ad30 100644 --- a/internal/controller/issuerconfig/issuerconfig.go +++ b/internal/controller/issuerconfig/issuerconfig.go @@ -1,4 +1,4 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 // Package issuerconfig contains helpers for updating CredentialIssuer status entries. 
@@ -12,12 +12,12 @@ import ( apiequality "k8s.io/apimachinery/pkg/api/equality" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" - "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned" + conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" + conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned" ) // Update a strategy on an existing CredentialIssuer, merging into any existing strategy entries. -func Update(ctx context.Context, client versioned.Interface, issuer *v1alpha1.CredentialIssuer, strategy v1alpha1.CredentialIssuerStrategy) error { +func Update(ctx context.Context, client conciergeclientset.Interface, issuer *conciergeconfigv1alpha1.CredentialIssuer, strategy conciergeconfigv1alpha1.CredentialIssuerStrategy) error { // Update the existing object to merge in the new strategy. updated := issuer.DeepCopy() mergeStrategy(&updated.Status, strategy) @@ -33,8 +33,8 @@ func Update(ctx context.Context, client versioned.Interface, issuer *v1alpha1.Cr return nil } -func mergeStrategy(configToUpdate *v1alpha1.CredentialIssuerStatus, strategy v1alpha1.CredentialIssuerStrategy) { - var existing *v1alpha1.CredentialIssuerStrategy +func mergeStrategy(configToUpdate *conciergeconfigv1alpha1.CredentialIssuerStatus, strategy conciergeconfigv1alpha1.CredentialIssuerStrategy) { + var existing *conciergeconfigv1alpha1.CredentialIssuerStrategy for i := range configToUpdate.Strategies { if configToUpdate.Strategies[i].Type == strategy.Type { existing = &configToUpdate.Strategies[i] 
@@ -51,8 +51,8 @@ func mergeStrategy(configToUpdate *v1alpha1.CredentialIssuerStatus, strategy v1a sort.Stable(sortableStrategies(configToUpdate.Strategies)) // Special case: the "TokenCredentialRequestAPI" data is mirrored into the deprecated status.kubeConfigInfo field. - if strategy.Frontend != nil && strategy.Frontend.Type == v1alpha1.TokenCredentialRequestAPIFrontendType { - configToUpdate.KubeConfigInfo = &v1alpha1.CredentialIssuerKubeConfigInfo{ + if strategy.Frontend != nil && strategy.Frontend.Type == conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType { + configToUpdate.KubeConfigInfo = &conciergeconfigv1alpha1.CredentialIssuerKubeConfigInfo{ Server: strategy.Frontend.TokenCredentialRequestAPIInfo.Server, CertificateAuthorityData: strategy.Frontend.TokenCredentialRequestAPIInfo.CertificateAuthorityData, } @@ -60,13 +60,13 @@ func mergeStrategy(configToUpdate *v1alpha1.CredentialIssuerStatus, strategy v1a } // weights are a set of priorities for each strategy type. -var weights = map[v1alpha1.StrategyType]int{ //nolint:gochecknoglobals - v1alpha1.KubeClusterSigningCertificateStrategyType: 2, // most preferred strategy - v1alpha1.ImpersonationProxyStrategyType: 1, +var weights = map[conciergeconfigv1alpha1.StrategyType]int{ //nolint:gochecknoglobals + conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType: 2, // most preferred strategy + conciergeconfigv1alpha1.ImpersonationProxyStrategyType: 1, // unknown strategy types will have weight 0 by default } -type sortableStrategies []v1alpha1.CredentialIssuerStrategy +type sortableStrategies []conciergeconfigv1alpha1.CredentialIssuerStrategy func (s sortableStrategies) Len() int { return len(s) } func (s sortableStrategies) Less(i, j int) bool { 
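Review bot: In the `mergeStrategy` hunk at `@@ -51,8 +51,8 @@`, the mirror into the deprecated `KubeConfigInfo` reads `strategy.Frontend.TokenCredentialRequestAPIInfo.Server` after checking only `strategy.Frontend != nil` and the frontend type. The tests in this commit build `TokenCredentialRequestAPIInfo` as a pointer, so a strategy that sets the `TokenCredentialRequestAPI` frontend type but leaves the info unset would panic while the controller writes CredentialIssuer status. Whether any caller can produce that shape is not visible from this hunk. I would extend the guard to `if f := strategy.Frontend; f != nil && f.Type == conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType && f.TokenCredentialRequestAPIInfo != nil {`. The function starts in the previous hunk, and the alias rename itself looks mechanical.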
@@ -77,7 +77,7 @@ func (s sortableStrategies) Less(i, j int) bool { } func (s sortableStrategies) Swap(i, j int) { s[i], s[j] = s[j], s[i] } -func equalExceptLastUpdated(s1, s2 *v1alpha1.CredentialIssuerStrategy) bool { +func equalExceptLastUpdated(s1, s2 *conciergeconfigv1alpha1.CredentialIssuerStrategy) bool { s1 = s1.DeepCopy() s2 = s2.DeepCopy() s1.LastUpdateTime = metav1.Time{} diff --git a/internal/controller/issuerconfig/issuerconfig_test.go b/internal/controller/issuerconfig/issuerconfig_test.go index 7b4fef97f..f671c03ea 100644 --- a/internal/controller/issuerconfig/issuerconfig_test.go +++ b/internal/controller/issuerconfig/issuerconfig_test.go @@ -14,7 +14,7 @@ import ( "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" + conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" ) func TestMergeStrategy(t *testing.T) { 
@@ -23,27 +23,27 @@ func TestMergeStrategy(t *testing.T) { tests := []struct { name string - configToUpdate v1alpha1.CredentialIssuerStatus - strategy v1alpha1.CredentialIssuerStrategy - expected v1alpha1.CredentialIssuerStatus + configToUpdate conciergeconfigv1alpha1.CredentialIssuerStatus + strategy conciergeconfigv1alpha1.CredentialIssuerStrategy + expected conciergeconfigv1alpha1.CredentialIssuerStatus }{ { name: "new entry", - configToUpdate: v1alpha1.CredentialIssuerStatus{ + configToUpdate: conciergeconfigv1alpha1.CredentialIssuerStatus{ Strategies: nil, }, - strategy: v1alpha1.CredentialIssuerStrategy{ + strategy: conciergeconfigv1alpha1.CredentialIssuerStrategy{ Type: "Type1", - Status: v1alpha1.SuccessStrategyStatus, + Status: conciergeconfigv1alpha1.SuccessStrategyStatus, Reason: "some reason", Message: "some message", LastUpdateTime: t1, }, - expected: v1alpha1.CredentialIssuerStatus{ - Strategies: []v1alpha1.CredentialIssuerStrategy{ + expected: conciergeconfigv1alpha1.CredentialIssuerStatus{ + Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{ { Type: "Type1", - Status: v1alpha1.SuccessStrategyStatus, + Status: conciergeconfigv1alpha1.SuccessStrategyStatus, Reason: "some reason", Message: "some message", LastUpdateTime: t1, 
@@ -53,41 +53,41 @@ func TestMergeStrategy(t *testing.T) { }, { name: "new entry updating deprecated kubeConfigInfo", - configToUpdate: v1alpha1.CredentialIssuerStatus{ + configToUpdate: conciergeconfigv1alpha1.CredentialIssuerStatus{ Strategies: nil, }, - strategy: v1alpha1.CredentialIssuerStrategy{ + strategy: conciergeconfigv1alpha1.CredentialIssuerStrategy{ Type: "Type1", - Status: v1alpha1.SuccessStrategyStatus, + Status: conciergeconfigv1alpha1.SuccessStrategyStatus, Reason: "some reason", Message: "some message", LastUpdateTime: t1, - Frontend: &v1alpha1.CredentialIssuerFrontend{ + Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{ Type: "TokenCredentialRequestAPI", - TokenCredentialRequestAPIInfo: &v1alpha1.TokenCredentialRequestAPIInfo{ + TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{ Server: "https://test-server", CertificateAuthorityData: "test-ca-bundle", }, }, }, - expected: v1alpha1.CredentialIssuerStatus{ - Strategies: []v1alpha1.CredentialIssuerStrategy{ + expected: conciergeconfigv1alpha1.CredentialIssuerStatus{ + Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{ { Type: "Type1", - Status: v1alpha1.SuccessStrategyStatus, + Status: conciergeconfigv1alpha1.SuccessStrategyStatus, Reason: "some reason", Message: "some message", LastUpdateTime: t1, - Frontend: &v1alpha1.CredentialIssuerFrontend{ + Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{ Type: "TokenCredentialRequestAPI", - TokenCredentialRequestAPIInfo: &v1alpha1.TokenCredentialRequestAPIInfo{ + TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{ Server: "https://test-server", CertificateAuthorityData: "test-ca-bundle", }, }, }, }, - KubeConfigInfo: &v1alpha1.CredentialIssuerKubeConfigInfo{ + KubeConfigInfo: &conciergeconfigv1alpha1.CredentialIssuerKubeConfigInfo{ Server: "https://test-server", CertificateAuthorityData: "test-ca-bundle", }, 
@@ -95,29 +95,29 @@ func TestMergeStrategy(t *testing.T) { }, { name: "existing entry to update", - configToUpdate: v1alpha1.CredentialIssuerStatus{ - Strategies: []v1alpha1.CredentialIssuerStrategy{ + configToUpdate: conciergeconfigv1alpha1.CredentialIssuerStatus{ + Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{ { Type: "Type1", - Status: v1alpha1.ErrorStrategyStatus, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, Reason: "some starting reason", Message: "some starting message", LastUpdateTime: t2, }, }, }, - strategy: v1alpha1.CredentialIssuerStrategy{ + strategy: conciergeconfigv1alpha1.CredentialIssuerStrategy{ Type: "Type1", - Status: v1alpha1.SuccessStrategyStatus, + Status: conciergeconfigv1alpha1.SuccessStrategyStatus, Reason: "some reason", Message: "some message", LastUpdateTime: t1, }, - expected: v1alpha1.CredentialIssuerStatus{ - Strategies: []v1alpha1.CredentialIssuerStrategy{ + expected: conciergeconfigv1alpha1.CredentialIssuerStatus{ + Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{ { Type: "Type1", - Status: v1alpha1.SuccessStrategyStatus, + Status: conciergeconfigv1alpha1.SuccessStrategyStatus, Reason: "some reason", Message: "some message", LastUpdateTime: t1, 
@@ -127,29 +127,29 @@ func TestMergeStrategy(t *testing.T) { }, { name: "existing entry matches except for LastUpdated time", - configToUpdate: v1alpha1.CredentialIssuerStatus{ - Strategies: []v1alpha1.CredentialIssuerStrategy{ + configToUpdate: conciergeconfigv1alpha1.CredentialIssuerStatus{ + Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{ { Type: "Type1", - Status: v1alpha1.ErrorStrategyStatus, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, Reason: "some starting reason", Message: "some starting message", LastUpdateTime: t1, }, }, }, - strategy: v1alpha1.CredentialIssuerStrategy{ + strategy: conciergeconfigv1alpha1.CredentialIssuerStrategy{ Type: "Type1", - Status: v1alpha1.ErrorStrategyStatus, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, Reason: "some starting reason", Message: "some starting message", LastUpdateTime: t2, }, - expected: v1alpha1.CredentialIssuerStatus{ - Strategies: []v1alpha1.CredentialIssuerStrategy{ + expected: conciergeconfigv1alpha1.CredentialIssuerStatus{ + Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{ { Type: "Type1", - Status: v1alpha1.ErrorStrategyStatus, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, Reason: "some starting reason", Message: "some starting message", LastUpdateTime: t1, 
@@ -159,36 +159,36 @@ func TestMergeStrategy(t *testing.T) { }, { name: "new entry among others", - configToUpdate: v1alpha1.CredentialIssuerStatus{ - Strategies: []v1alpha1.CredentialIssuerStrategy{ + configToUpdate: conciergeconfigv1alpha1.CredentialIssuerStatus{ + Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{ { Type: "Type0", - Status: v1alpha1.ErrorStrategyStatus, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, Reason: "some starting reason 0", Message: "some starting message 0", LastUpdateTime: t2, }, { Type: "Type2", - Status: v1alpha1.ErrorStrategyStatus, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, Reason: "some starting reason 0", Message: "some starting message 0", LastUpdateTime: t2, }, }, }, - strategy: v1alpha1.CredentialIssuerStrategy{ + strategy: conciergeconfigv1alpha1.CredentialIssuerStrategy{ Type: "Type1", - Status: v1alpha1.SuccessStrategyStatus, + Status: conciergeconfigv1alpha1.SuccessStrategyStatus, Reason: "some reason", Message: "some message", LastUpdateTime: t1, }, - expected: v1alpha1.CredentialIssuerStatus{ - Strategies: []v1alpha1.CredentialIssuerStrategy{ + expected: conciergeconfigv1alpha1.CredentialIssuerStatus{ + Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{ { Type: "Type0", - Status: v1alpha1.ErrorStrategyStatus, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, Reason: "some starting reason 0", Message: "some starting message 0", LastUpdateTime: t2, 
@@ -196,14 +196,14 @@ func TestMergeStrategy(t *testing.T) { // Expect the Type1 entry to be sorted alphanumerically between the existing entries. { Type: "Type1", - Status: v1alpha1.SuccessStrategyStatus, + Status: conciergeconfigv1alpha1.SuccessStrategyStatus, Reason: "some reason", Message: "some message", LastUpdateTime: t1, }, { Type: "Type2", - Status: v1alpha1.ErrorStrategyStatus, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, Reason: "some starting reason 0", Message: "some starting message 0", LastUpdateTime: t2, @@ -222,9 +222,9 @@ func TestMergeStrategy(t *testing.T) { } func TestStrategySorting(t *testing.T) { - expected := []v1alpha1.CredentialIssuerStrategy{ - {Type: v1alpha1.KubeClusterSigningCertificateStrategyType}, - {Type: v1alpha1.ImpersonationProxyStrategyType}, + expected := []conciergeconfigv1alpha1.CredentialIssuerStrategy{ + {Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType}, + {Type: conciergeconfigv1alpha1.ImpersonationProxyStrategyType}, {Type: "Type1"}, {Type: "Type2"}, {Type: "Type3"}, @@ -233,7 +233,7 @@ func TestStrategySorting(t *testing.T) { // Create a randomly shuffled copy of the expected output. //nolint:gosec // this is not meant to be a secure random, just a seeded RNG for shuffling deterministically rng := rand.New(rand.NewSource(seed)) - output := make([]v1alpha1.CredentialIssuerStrategy, len(expected)) + output := make([]conciergeconfigv1alpha1.CredentialIssuerStrategy, len(expected)) copy(output, expected) rng.Shuffle( len(output), diff --git a/internal/controller/kubecertagent/kubecertagent.go b/internal/controller/kubecertagent/kubecertagent.go index 2a441fc90..6a02f782a 100644 --- a/internal/controller/kubecertagent/kubecertagent.go +++ b/internal/controller/kubecertagent/kubecertagent.go 
@@ -32,7 +32,7 @@ import ( "k8s.io/utils/clock" "k8s.io/utils/ptr" - configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" + conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" configv1alpha1informers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/config/v1alpha1" pinnipedcontroller "go.pinniped.dev/internal/controller" "go.pinniped.dev/internal/controller/issuerconfig" @@ -272,7 +272,7 @@ func (c *agentController) Sync(ctx controllerlib.Context) error { controllerManagerPods, err := c.kubeSystemPods.Lister().Pods(ControllerManagerNamespace).List(controllerManagerLabels) if err != nil { err := fmt.Errorf("could not list controller manager pods: %w", err) - return c.failStrategyAndErr(ctx.Context, credIssuer, err, configv1alpha1.CouldNotFetchKeyStrategyReason) + return c.failStrategyAndErr(ctx.Context, credIssuer, err, conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason) } newestControllerManager := newestRunningPod(controllerManagerPods) @@ -286,7 +286,7 @@ func (c *agentController) Sync(ctx controllerlib.Context) error { } else { err = errors.New(msg) } - return c.failStrategyAndErr(ctx.Context, credIssuer, err, configv1alpha1.CouldNotFetchKeyStrategyReason) + return c.failStrategyAndErr(ctx.Context, credIssuer, err, conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason) } depErr := c.createOrUpdateDeployment(ctx, newestControllerManager) 
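Review bot: The import block in the first hunk now mixes two alias schemes, with `conciergeconfigv1alpha1` sitting directly above `configv1alpha1informers`, which keeps the old unprefixed name. If the aim of the rename is to tell concierge packages from supervisor packages by alias alone, the informers import should follow the same scheme, for example `conciergeconfigv1alpha1informers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/config/v1alpha1"`. The import block continues outside the hunk, so other aliases there may need the same treatment.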
@@ -301,7 +301,7 @@ func (c *agentController) Sync(ctx controllerlib.Context) error { agentPods, err := c.agentPods.Lister().Pods(c.cfg.Namespace).List(agentLabels) if err != nil { err := fmt.Errorf("could not list agent pods: %w", err) - return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), configv1alpha1.CouldNotFetchKeyStrategyReason) + return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason) } newestAgentPod := newestRunningPod(agentPods) 
@@ -309,42 +309,42 @@ func (c *agentController) Sync(ctx controllerlib.Context) error { // the CredentialIssuer. if newestAgentPod == nil { err := fmt.Errorf("could not find a healthy agent pod (%s)", pluralize(agentPods)) - return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), configv1alpha1.CouldNotFetchKeyStrategyReason) + return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason) } // Load the Kubernetes API info from the kube-public/cluster-info ConfigMap. configMap, err := c.kubePublicConfigMaps.Lister().ConfigMaps(ClusterInfoNamespace).Get(clusterInfoName) if err != nil { err := fmt.Errorf("failed to get %s/%s configmap: %w", ClusterInfoNamespace, clusterInfoName, err) - return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), configv1alpha1.CouldNotGetClusterInfoStrategyReason) + return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason) } apiInfo, err := c.extractAPIInfo(configMap) if err != nil { err := fmt.Errorf("could not extract Kubernetes API endpoint info from %s/%s configmap: %w", ClusterInfoNamespace, clusterInfoName, err) - return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), configv1alpha1.CouldNotGetClusterInfoStrategyReason) + return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason) } // Load the certificate and key from the agent pod into our in-memory signer. 
if err := c.loadSigningKey(ctx.Context, newestAgentPod); err != nil { - return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), configv1alpha1.CouldNotFetchKeyStrategyReason) + return c.failStrategyAndErr(ctx.Context, credIssuer, firstErr(depErr, err), conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason) } if depErr != nil { // if we get here, it means that we have successfully loaded a signing key but failed to reconcile the deployment. // mark the status as failed and re-kick the sync loop until we are happy with the state of the deployment. - return c.failStrategyAndErr(ctx.Context, credIssuer, depErr, configv1alpha1.CouldNotFetchKeyStrategyReason) + return c.failStrategyAndErr(ctx.Context, credIssuer, depErr, conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason) } // Set the CredentialIssuer strategy to successful. - return issuerconfig.Update(ctx.Context, c.client.PinnipedConcierge, credIssuer, configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.SuccessStrategyStatus, - Reason: configv1alpha1.FetchedKeyStrategyReason, + return issuerconfig.Update(ctx.Context, c.client.PinnipedConcierge, credIssuer, conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.SuccessStrategyStatus, + Reason: conciergeconfigv1alpha1.FetchedKeyStrategyReason, Message: "key was fetched successfully", LastUpdateTime: metav1.NewTime(c.clock.Now()), - Frontend: &configv1alpha1.CredentialIssuerFrontend{ - Type: configv1alpha1.TokenCredentialRequestAPIFrontendType, + Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{ + Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType, TokenCredentialRequestAPIInfo: apiInfo, }, }) 
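Review bot: The `depErr != nil` branch near the end of this hunk reports `CouldNotFetchKeyStrategyReason`, although its own comment says the signing key was loaded successfully and only the deployment reconcile failed. Anyone triaging from the CredentialIssuer status then sees a key-fetch reason for what is a deployment problem and has to parse the free-text message to tell the two apart. If the API has no more specific reason, I would say so in the comment, e.g. `// no dedicated reason exists for deployment failures; the message carries the real cause`. Sync begins above this hunk.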
@@ -454,10 +454,10 @@ func (c *agentController) createOrUpdateDeployment(ctx controllerlib.Context, ne return err } -func (c *agentController) failStrategyAndErr(ctx context.Context, credIssuer *configv1alpha1.CredentialIssuer, err error, reason configv1alpha1.StrategyReason) error { - updateErr := issuerconfig.Update(ctx, c.client.PinnipedConcierge, credIssuer, configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, +func (c *agentController) failStrategyAndErr(ctx context.Context, credIssuer *conciergeconfigv1alpha1.CredentialIssuer, err error, reason conciergeconfigv1alpha1.StrategyReason) error { + updateErr := issuerconfig.Update(ctx, c.client.PinnipedConcierge, credIssuer, conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, Reason: reason, Message: err.Error(), LastUpdateTime: metav1.NewTime(c.clock.Now()), @@ -465,7 +465,7 @@ func (c *agentController) failStrategyAndErr(ctx context.Context, credIssuer *co return utilerrors.NewAggregate([]error{err, updateErr}) } -func (c *agentController) extractAPIInfo(configMap *corev1.ConfigMap) (*configv1alpha1.TokenCredentialRequestAPIInfo, error) { +func (c *agentController) extractAPIInfo(configMap *corev1.ConfigMap) (*conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo, error) { kubeConfigYAML, kubeConfigPresent := configMap.Data[clusterInfoConfigMapKey] if !kubeConfigPresent { return nil, fmt.Errorf("missing %q key", clusterInfoConfigMapKey) 
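Review bot: failStrategyAndErr copies `err.Error()` verbatim into the `Message` of the CredentialIssuer strategy, so whatever callers wrap into the error ends up in the object's status. Sync passes it errors from reading the signing cert and key out of the agent pod, and the status is presumably readable by more principals than the controller's logs. I would document that contract on the function: `// failStrategyAndErr publishes err.Error() in the CredentialIssuer status; callers must not wrap key material or other secrets into err.` The function body runs past the end of this hunk.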
@@ -478,7 +478,7 @@ func (c *agentController) extractAPIInfo(configMap *corev1.ConfigMap) (*configv1 } for _, v := range kubeconfig.Clusters { - result := &configv1alpha1.TokenCredentialRequestAPIInfo{ + result := &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{ Server: v.Server, CertificateAuthorityData: base64.StdEncoding.EncodeToString(v.CertificateAuthorityData), } diff --git a/internal/controller/kubecertagent/kubecertagent_test.go b/internal/controller/kubecertagent/kubecertagent_test.go index 3f7e38010..5a9d9160f 100644 --- a/internal/controller/kubecertagent/kubecertagent_test.go +++ b/internal/controller/kubecertagent/kubecertagent_test.go @@ -28,7 +28,7 @@ import ( clocktesting "k8s.io/utils/clock/testing" "k8s.io/utils/ptr" - configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" + conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" conciergefake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake" conciergeinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions" "go.pinniped.dev/internal/controller/kubecertagent/mocks" @@ -45,7 +45,7 @@ func TestAgentController(t *testing.T) { t.Parallel() now := time.Date(2021, 4, 13, 9, 57, 0, 0, time.UTC) - initialCredentialIssuer := &configv1alpha1.CredentialIssuer{ + initialCredentialIssuer := &conciergeconfigv1alpha1.CredentialIssuer{ ObjectMeta: metav1.ObjectMeta{Name: "pinniped-concierge-config"}, } @@ -247,7 +247,7 @@ func TestAgentController(t *testing.T) { wantAgentDeployment *appsv1.Deployment wantDeploymentActionVerbs []string wantDeploymentDeleteActionOpts []metav1.DeleteOptions - wantStrategy *configv1alpha1.CredentialIssuerStrategy + wantStrategy *conciergeconfigv1alpha1.CredentialIssuerStrategy }{ { name: "no CredentialIssuer found", 
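Review bot: extractAPIInfo builds its result inside `for _, v := range kubeconfig.Clusters`, and if `Clusters` is a map, as it is in client-go's kubeconfig type, the entry picked is not deterministic when the ConfigMap lists more than one cluster. The Server and CA bundle chosen here are published as the TokenCredentialRequestAPI frontend, so a flip between syncs would change which endpoint and CA clients are told to trust. The rest of the loop is outside the hunk, so I am assuming it returns on the first entry. If it does, state the expectation above the loop, e.g. `// cluster-info is expected to hold a single cluster; with several, map order decides which one is used`, or iterate over sorted keys to make the choice stable.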
@@ -273,10 +273,10 @@ func TestAgentController(t *testing.T) { "could not find a healthy kube-controller-manager pod (0 candidates): " + "note that this error is the expected behavior for some cluster types, including most cloud provider clusters (e.g. GKE, AKS, EKS)", }, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: "could not find a healthy kube-controller-manager pod (0 candidates): " + "note that this error is the expected behavior for some cluster types, including most cloud provider clusters (e.g. GKE, AKS, EKS)", LastUpdateTime: metav1.NewTime(now), @@ -317,10 +317,10 @@ func TestAgentController(t *testing.T) { wantDistinctErrors: []string{ "could not find a healthy kube-controller-manager pod (2 candidates)", }, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: "could not find a healthy kube-controller-manager pod (2 candidates)", LastUpdateTime: metav1.NewTime(now), }, 
@@ -344,10 +344,10 @@ func TestAgentController(t *testing.T) { wantDistinctLogs: []string{ `{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","logger":"kube-cert-agent-controller","caller":"kubecertagent/kubecertagent.go:$kubecertagent.(*agentController).createOrUpdateDeployment","message":"creating new deployment","deployment":{"name":"pinniped-concierge-kube-cert-agent","namespace":"concierge"},"templatePod":{"name":"kube-controller-manager-1","namespace":"kube-system"}}`, }, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: "could not ensure agent deployment: some creation error", LastUpdateTime: metav1.NewTime(now), }, @@ -393,10 +393,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeployment, wantDeploymentActionVerbs: []string{"list", "watch", "create"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: "could not find a healthy agent pod (1 candidate)", LastUpdateTime: metav1.NewTime(now), }, 
@@ -442,10 +442,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeploymentWithDefaultedPaths, wantDeploymentActionVerbs: []string{"list", "watch", "create"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: "could not find a healthy agent pod (1 candidate)", LastUpdateTime: metav1.NewTime(now), }, @@ -472,10 +472,10 @@ func TestAgentController(t *testing.T) { wantDeploymentDeleteActionOpts: []metav1.DeleteOptions{ testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion), }, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: "could not find a healthy agent pod (1 candidate)", LastUpdateTime: metav1.NewTime(now), }, 
@@ -508,10 +508,10 @@ func TestAgentController(t *testing.T) { testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion), testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion), }, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: "could not ensure agent deployment: some delete error", LastUpdateTime: metav1.NewTime(now), }, @@ -545,10 +545,10 @@ func TestAgentController(t *testing.T) { wantDeploymentDeleteActionOpts: []metav1.DeleteOptions{ testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion), }, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: "could not ensure agent deployment: some create error", LastUpdateTime: metav1.NewTime(now), }, 
@@ -591,10 +591,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeploymentWithExtraLabels, wantDeploymentActionVerbs: []string{"list", "watch", "update"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: "could not find a healthy agent pod (1 candidate)", LastUpdateTime: metav1.NewTime(now), }, @@ -614,10 +614,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeploymentWithHostNetwork, wantDeploymentActionVerbs: []string{"list", "watch", "update"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotGetClusterInfoStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason, Message: "failed to get kube-public/cluster-info configmap: configmap \"cluster-info\" not found", LastUpdateTime: metav1.NewTime(now), }, 
@@ -640,10 +640,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeployment, wantDeploymentActionVerbs: []string{"list", "watch"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotGetClusterInfoStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason, Message: "failed to get kube-public/cluster-info configmap: configmap \"cluster-info\" not found", LastUpdateTime: metav1.NewTime(now), }, @@ -667,10 +667,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeployment, wantDeploymentActionVerbs: []string{"list", "watch"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotGetClusterInfoStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason, Message: "could not extract Kubernetes API endpoint info from kube-public/cluster-info configmap: missing \"kubeconfig\" key", LastUpdateTime: metav1.NewTime(now), }, 
@@ -694,10 +694,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeployment, wantDeploymentActionVerbs: []string{"list", "watch"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotGetClusterInfoStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason, Message: "could not extract Kubernetes API endpoint info from kube-public/cluster-info configmap: key \"kubeconfig\" does not contain a valid kubeconfig", LastUpdateTime: metav1.NewTime(now), }, @@ -721,10 +721,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeployment, wantDeploymentActionVerbs: []string{"list", "watch"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotGetClusterInfoStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotGetClusterInfoStrategyReason, Message: "could not extract Kubernetes API endpoint info from kube-public/cluster-info configmap: kubeconfig in key \"kubeconfig\" does not contain any clusters", LastUpdateTime: metav1.NewTime(now), }, 
@@ -750,10 +750,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeployment, wantDeploymentActionVerbs: []string{"list", "watch"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: "could not exec into agent pod concierge/pinniped-concierge-kube-cert-agent-xyz-1234: some exec error", LastUpdateTime: metav1.NewTime(now), }, @@ -779,10 +779,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeployment, wantDeploymentActionVerbs: []string{"list", "watch"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: `failed to decode signing cert/key JSON from agent pod concierge/pinniped-concierge-kube-cert-agent-xyz-1234: invalid character 'b' looking for beginning of value`, LastUpdateTime: metav1.NewTime(now), }, 
@@ -808,10 +808,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeployment, wantDeploymentActionVerbs: []string{"list", "watch"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: `failed to decode signing cert base64 from agent pod concierge/pinniped-concierge-kube-cert-agent-xyz-1234: illegal base64 data at input byte 4`, LastUpdateTime: metav1.NewTime(now), }, @@ -837,10 +837,10 @@ func TestAgentController(t *testing.T) { }, wantAgentDeployment: healthyAgentDeployment, wantDeploymentActionVerbs: []string{"list", "watch"}, - wantStrategy: &configv1alpha1.CredentialIssuerStrategy{ - Type: configv1alpha1.KubeClusterSigningCertificateStrategyType, - Status: configv1alpha1.ErrorStrategyStatus, - Reason: configv1alpha1.CouldNotFetchKeyStrategyReason, + wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{ + Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType, + Status: conciergeconfigv1alpha1.ErrorStrategyStatus, + Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, Message: `failed to decode signing key base64 from agent pod concierge/pinniped-concierge-kube-cert-agent-xyz-1234: illegal base64 data at input byte 4`, LastUpdateTime: metav1.NewTime(now), }, 
@@ -869,10 +869,10 @@ func TestAgentController(t *testing.T) {
 },
 wantAgentDeployment: healthyAgentDeployment,
 wantDeploymentActionVerbs: []string{"list", "watch"},
- wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
- Type: configv1alpha1.KubeClusterSigningCertificateStrategyType,
- Status: configv1alpha1.ErrorStrategyStatus,
- Reason: configv1alpha1.CouldNotFetchKeyStrategyReason,
+ wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+ Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
+ Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 Message: "failed to set signing cert/key content from agent pod concierge/pinniped-concierge-kube-cert-agent-xyz-1234: some dynamic cert error",
 LastUpdateTime: metav1.NewTime(now),
 },
@@ -895,15 +895,15 @@ func TestAgentController(t *testing.T) {
 wantDistinctErrors: []string{""},
 wantAgentDeployment: healthyAgentDeployment,
 wantDeploymentActionVerbs: []string{"list", "watch"},
- wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
- Type: configv1alpha1.KubeClusterSigningCertificateStrategyType,
- Status: configv1alpha1.SuccessStrategyStatus,
- Reason: configv1alpha1.FetchedKeyStrategyReason,
+ wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
+ Reason: conciergeconfigv1alpha1.FetchedKeyStrategyReason,
 Message: "key was fetched successfully",
 LastUpdateTime: metav1.NewTime(now),
- Frontend: &configv1alpha1.CredentialIssuerFrontend{
- Type: configv1alpha1.TokenCredentialRequestAPIFrontendType,
- TokenCredentialRequestAPIInfo: &configv1alpha1.TokenCredentialRequestAPIInfo{
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
+ TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 Server: "https://test-kubernetes-endpoint.example.com",
 CertificateAuthorityData: "dGVzdC1rdWJlcm5ldGVzLWNh",
 },
@@ -941,10 +941,10 @@ func TestAgentController(t *testing.T) {
 testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion),
 testutil.NewPreconditions(healthyAgentDeploymentWithOldStyleSelector.UID, healthyAgentDeploymentWithOldStyleSelector.ResourceVersion),
 },
- wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
- Type: configv1alpha1.KubeClusterSigningCertificateStrategyType,
- Status: configv1alpha1.ErrorStrategyStatus,
- Reason: configv1alpha1.CouldNotFetchKeyStrategyReason,
+ wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+ Status: conciergeconfigv1alpha1.ErrorStrategyStatus,
+ Reason: conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason,
 Message: "could not ensure agent deployment: some delete error",
 LastUpdateTime: metav1.NewTime(now),
 },
@@ -967,15 +967,15 @@ func TestAgentController(t *testing.T) {
 wantDistinctLogs: []string{
 `{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","logger":"kube-cert-agent-controller","caller":"kubecertagent/kubecertagent.go:$kubecertagent.(*agentController).loadSigningKey","message":"successfully loaded signing key from agent pod into cache"}`,
 },
- wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
- Type: configv1alpha1.KubeClusterSigningCertificateStrategyType,
- Status: configv1alpha1.SuccessStrategyStatus,
- Reason: configv1alpha1.FetchedKeyStrategyReason,
+ wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
+ Reason: conciergeconfigv1alpha1.FetchedKeyStrategyReason,
 Message: "key was fetched successfully",
 LastUpdateTime: metav1.NewTime(now),
- Frontend: &configv1alpha1.CredentialIssuerFrontend{
- Type: configv1alpha1.TokenCredentialRequestAPIFrontendType,
- TokenCredentialRequestAPIInfo: &configv1alpha1.TokenCredentialRequestAPIInfo{
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
+ TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 Server: "https://test-kubernetes-endpoint.example.com",
 CertificateAuthorityData: "dGVzdC1rdWJlcm5ldGVzLWNh",
 },
@@ -1001,15 +1001,15 @@ func TestAgentController(t *testing.T) {
 wantDistinctLogs: []string{
 `{"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","logger":"kube-cert-agent-controller","caller":"kubecertagent/kubecertagent.go:$kubecertagent.(*agentController).loadSigningKey","message":"successfully loaded signing key from agent pod into cache"}`,
 },
- wantStrategy: &configv1alpha1.CredentialIssuerStrategy{
- Type: configv1alpha1.KubeClusterSigningCertificateStrategyType,
- Status: configv1alpha1.SuccessStrategyStatus,
- Reason: configv1alpha1.FetchedKeyStrategyReason,
+ wantStrategy: &conciergeconfigv1alpha1.CredentialIssuerStrategy{
+ Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
+ Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
+ Reason: conciergeconfigv1alpha1.FetchedKeyStrategyReason,
 Message: "key was fetched successfully",
 LastUpdateTime: metav1.NewTime(now),
- Frontend: &configv1alpha1.CredentialIssuerFrontend{
- Type: configv1alpha1.TokenCredentialRequestAPIFrontendType,
- TokenCredentialRequestAPIInfo: &configv1alpha1.TokenCredentialRequestAPIInfo{
+ Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
+ Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
+ TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
 Server: "https://overridden-server.example.com/some/path",
 CertificateAuthorityData: "dGVzdC1rdWJlcm5ldGVzLWNh",
 },
diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
index 6b64a7add..0a29c06c8 100644
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@@ -20,7 +20,7 @@ import ( corev1informers "k8s.io/client-go/informers/core/v1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" - pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" idpinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1" pinnipedcontroller "go.pinniped.dev/internal/controller" "go.pinniped.dev/internal/controller/conditionsutil" @@ -232,7 +232,7 @@ type activeDirectoryWatcherController struct { cache UpstreamActiveDirectoryIdentityProviderICache validatedSettingsCache upstreamwatchers.ValidatedSettingsCacheI ldapDialer upstreamldap.LDAPDialer - client pinnipedsupervisorclientset.Interface + client supervisorclientset.Interface activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer secretInformer corev1informers.SecretInformer } @@ -240,7 +240,7 @@ type activeDirectoryWatcherController struct { // New instantiates a new controllerlib.Controller which will populate the provided UpstreamActiveDirectoryIdentityProviderICache. func New( idpCache UpstreamActiveDirectoryIdentityProviderICache, - client pinnipedsupervisorclientset.Interface, + client supervisorclientset.Interface, activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer, secretInformer corev1informers.SecretInformer, withInformer pinnipedcontroller.WithInformerOptionFunc, 
@@ -263,7 +263,7 @@ func newInternal( idpCache UpstreamActiveDirectoryIdentityProviderICache, validatedSettingsCache upstreamwatchers.ValidatedSettingsCacheI, ldapDialer upstreamldap.LDAPDialer, - client pinnipedsupervisorclientset.Interface, + client supervisorclientset.Interface, activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer, secretInformer corev1informers.SecretInformer, withInformer pinnipedcontroller.WithInformerOptionFunc, diff --git a/internal/controller/supervisorconfig/federation_domain_watcher.go b/internal/controller/supervisorconfig/federation_domain_watcher.go index 664f29e6f..99eb66a02 100644 --- a/internal/controller/supervisorconfig/federation_domain_watcher.go +++ b/internal/controller/supervisorconfig/federation_domain_watcher.go @@ -22,7 +22,7 @@ import ( "k8s.io/utils/clock" supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" - pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1" idpinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1" "go.pinniped.dev/internal/celtransformer" @@ -82,7 +82,7 @@ type federationDomainWatcherController struct { federationDomainsSetter FederationDomainsSetter apiGroup string clock clock.Clock - client pinnipedsupervisorclientset.Interface + client supervisorclientset.Interface federationDomainInformer configinformers.FederationDomainInformer oidcIdentityProviderInformer idpinformers.OIDCIdentityProviderInformer 
@@ -99,7 +99,7 @@ func NewFederationDomainWatcherController( federationDomainsSetter FederationDomainsSetter, apiGroupSuffix string, clock clock.Clock, - client pinnipedsupervisorclientset.Interface, + client supervisorclientset.Interface, federationDomainInformer configinformers.FederationDomainInformer, oidcIdentityProviderInformer idpinformers.OIDCIdentityProviderInformer, ldapIdentityProviderInformer idpinformers.LDAPIdentityProviderInformer, diff --git a/internal/controller/supervisorconfig/generator/federation_domain_secrets.go b/internal/controller/supervisorconfig/generator/federation_domain_secrets.go index b4dae4fe2..ac9db77ca 100644 --- a/internal/controller/supervisorconfig/generator/federation_domain_secrets.go +++ b/internal/controller/supervisorconfig/generator/federation_domain_secrets.go @@ -17,7 +17,7 @@ import ( "k8s.io/klog/v2" supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" - pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1" pinnipedcontroller "go.pinniped.dev/internal/controller" "go.pinniped.dev/internal/controllerlib" @@ -28,7 +28,7 @@ type federationDomainSecretsController struct { secretHelper SecretHelper secretRefFunc func(domain *supervisorconfigv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference kubeClient kubernetes.Interface - pinnipedClient pinnipedsupervisorclientset.Interface + pinnipedClient supervisorclientset.Interface federationDomainInformer configinformers.FederationDomainInformer secretInformer corev1informers.SecretInformer } 
@@ -40,7 +40,7 @@ func NewFederationDomainSecretsController( secretHelper SecretHelper, secretRefFunc func(domain *supervisorconfigv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference, kubeClient kubernetes.Interface, - pinnipedClient pinnipedsupervisorclientset.Interface, + pinnipedClient supervisorclientset.Interface, secretInformer corev1informers.SecretInformer, federationDomainInformer configinformers.FederationDomainInformer, withInformer pinnipedcontroller.WithInformerOptionFunc, diff --git a/internal/controller/supervisorconfig/jwks_writer.go b/internal/controller/supervisorconfig/jwks_writer.go index 8379796e5..c15a7fb9b 100644 --- a/internal/controller/supervisorconfig/jwks_writer.go +++ b/internal/controller/supervisorconfig/jwks_writer.go @@ -23,7 +23,7 @@ import ( "k8s.io/klog/v2" supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" - pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1" pinnipedcontroller "go.pinniped.dev/internal/controller" "go.pinniped.dev/internal/controller/supervisorconfig/generator" @@ -60,7 +60,7 @@ func generateECKey(r io.Reader) (any, error) { // secrets, both via a cache and via the API. type jwksWriterController struct { jwksSecretLabels map[string]string - pinnipedClient pinnipedsupervisorclientset.Interface + pinnipedClient supervisorclientset.Interface kubeClient kubernetes.Interface federationDomainInformer configinformers.FederationDomainInformer secretInformer corev1informers.SecretInformer 
@@ -71,7 +71,7 @@ type jwksWriterController struct {
 func NewJWKSWriterController(
 jwksSecretLabels map[string]string,
 kubeClient kubernetes.Interface,
- pinnipedClient pinnipedsupervisorclientset.Interface,
+ pinnipedClient supervisorclientset.Interface,
 secretInformer corev1informers.SecretInformer,
 federationDomainInformer configinformers.FederationDomainInformer,
 withInformer pinnipedcontroller.WithInformerOptionFunc,
diff --git a/internal/kubeclient/kubeclient.go b/internal/kubeclient/kubeclient.go
index e1ba1681f..6c70eea9f 100644
--- a/internal/kubeclient/kubeclient.go
+++ b/internal/kubeclient/kubeclient.go
@@ -19,18 +19,18 @@ import ( aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" aggregatorclientscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" - pinnipedconciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned" - pinnipedconciergeclientsetscheme "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme" - pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" - pinnipedsupervisorclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" + conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned" + conciergeclientsetscheme "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme" + supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + supervisorclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" "go.pinniped.dev/internal/crypto/ptls" ) type Client struct { Kubernetes kubernetes.Interface Aggregation aggregatorclient.Interface - PinnipedConcierge pinnipedconciergeclientset.Interface - PinnipedSupervisor pinnipedsupervisorclientset.Interface + PinnipedConcierge conciergeclientset.Interface + PinnipedSupervisor supervisorclientset.Interface JSONConfig, ProtoConfig *restclient.Config } 
@@ -79,7 +79,7 @@ func New(opts ...Option) (*Client, error) {
 // Connect to the pinniped concierge API.
 // We cannot use protobuf encoding here because we are using CRDs
 // (for which protobuf encoding is not yet supported).
- pinnipedConciergeClient, err := pinnipedconciergeclientset.NewForConfig(configWithWrapper(jsonKubeConfig, pinnipedconciergeclientsetscheme.Scheme, pinnipedconciergeclientsetscheme.Codecs, c.middlewares, c.transportWrapper))
+ pinnipedConciergeClient, err := conciergeclientset.NewForConfig(configWithWrapper(jsonKubeConfig, conciergeclientsetscheme.Scheme, conciergeclientsetscheme.Codecs, c.middlewares, c.transportWrapper))
 if err != nil {
 return nil, fmt.Errorf("could not initialize pinniped client: %w", err)
 }
@@ -87,7 +87,7 @@ func New(opts ...Option) (*Client, error) {
 // Connect to the pinniped supervisor API.
 // We cannot use protobuf encoding here because we are using CRDs
 // (for which protobuf encoding is not yet supported).
- pinnipedSupervisorClient, err := pinnipedsupervisorclientset.NewForConfig(configWithWrapper(jsonKubeConfig, pinnipedsupervisorclientsetscheme.Scheme, pinnipedsupervisorclientsetscheme.Codecs, c.middlewares, c.transportWrapper))
+ pinnipedSupervisorClient, err := supervisorclientset.NewForConfig(configWithWrapper(jsonKubeConfig, supervisorclientsetscheme.Scheme, supervisorclientsetscheme.Codecs, c.middlewares, c.transportWrapper))
 if err != nil {
 return nil, fmt.Errorf("could not initialize pinniped client: %w", err)
 }
diff --git a/internal/kubeclient/scheme_test.go b/internal/kubeclient/scheme_test.go
index 314f352d6..9d641b4b0 100644
--- a/internal/kubeclient/scheme_test.go
+++ b/internal/kubeclient/scheme_test.go
@@ -16,8 +16,8 @@ import ( loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" - pinnipedconciergeclientsetscheme "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme" - pinnipedsupervisorclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" + conciergeclientsetscheme "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme" + supervisorclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" ) func Test_schemeRestMapper(t *testing.T) { @@ -96,7 +96,7 @@ func Test_schemeRestMapper(t *testing.T) { { name: "token credential delete", args: args{ - scheme: pinnipedconciergeclientsetscheme.Scheme, + scheme: conciergeclientsetscheme.Scheme, gvr: loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"), v: VerbDelete, }, @@ -105,7 +105,7 @@ func Test_schemeRestMapper(t *testing.T) { { name: "token credential list", args: args{ - scheme: pinnipedconciergeclientsetscheme.Scheme, + scheme: conciergeclientsetscheme.Scheme, gvr: loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"), v: VerbList, }, @@ -114,7 +114,7 @@ func Test_schemeRestMapper(t *testing.T) { { name: "oidc idp update", args: args{ - scheme: pinnipedsupervisorclientsetscheme.Scheme, + scheme: supervisorclientsetscheme.Scheme, gvr: idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"), v: VerbUpdate, }, @@ -123,7 +123,7 @@ func Test_schemeRestMapper(t *testing.T) { { name: "oidc idp list", args: args{ - scheme: pinnipedsupervisorclientsetscheme.Scheme, + scheme: supervisorclientsetscheme.Scheme, gvr: idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"), v: VerbList, }, 
@@ -132,7 +132,7 @@ func Test_schemeRestMapper(t *testing.T) { { name: "oidc idp list - wrong scheme", args: args{ - scheme: pinnipedconciergeclientsetscheme.Scheme, + scheme: conciergeclientsetscheme.Scheme, gvr: idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"), v: VerbList, }, diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go index 2ee1b5753..3dd56bafd 100644 --- a/internal/supervisor/server/server.go +++ b/internal/supervisor/server/server.go @@ -39,7 +39,7 @@ import ( "k8s.io/utils/clock" supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" - pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" supervisorinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions" supervisoropenapi "go.pinniped.dev/generated/latest/client/supervisor/openapi" @@ -141,7 +141,7 @@ func prepareControllers( secretCache *secret.Cache, supervisorDeployment *appsv1.Deployment, kubeClient kubernetes.Interface, - pinnipedClient pinnipedsupervisorclientset.Interface, + pinnipedClient supervisorclientset.Interface, aggregatorClient aggregatorclient.Interface, kubeInformers k8sinformers.SharedInformerFactory, pinnipedInformers supervisorinformers.SharedInformerFactory, diff --git a/internal/testutil/fakekubeapi/fakekubeapi.go b/internal/testutil/fakekubeapi/fakekubeapi.go index fc6b6d4c1..3c8b5a0cf 100644 --- a/internal/testutil/fakekubeapi/fakekubeapi.go +++ b/internal/testutil/fakekubeapi/fakekubeapi.go 
@@ -37,8 +37,8 @@ import ( restclient "k8s.io/client-go/rest" aggregatorclientscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" - pinnipedconciergeclientsetscheme "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme" - pinnipedsupervisorclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" + conciergeclientsetscheme "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme" + supervisorclientsetscheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" "go.pinniped.dev/internal/crypto/ptls" "go.pinniped.dev/internal/httputil/httperr" "go.pinniped.dev/internal/testutil/tlsserver" @@ -117,8 +117,8 @@ func decodeObj(r *http.Request) (runtime.Object, error) { codecsThatWeUseInOurCode := []runtime.NegotiatedSerializer{ kubescheme.Codecs, aggregatorclientscheme.Codecs, - pinnipedconciergeclientsetscheme.Codecs, - pinnipedsupervisorclientsetscheme.Codecs, + conciergeclientsetscheme.Codecs, + supervisorclientsetscheme.Codecs, } for _, codec := range codecsThatWeUseInOurCode { obj, err = tryDecodeObj(mediaType, body, codec) diff --git a/test/integration/concierge_credentialissuer_test.go b/test/integration/concierge_credentialissuer_test.go index c7edd1388..3ebb5de06 100644 --- a/test/integration/concierge_credentialissuer_test.go +++ b/test/integration/concierge_credentialissuer_test.go @@ -13,7 +13,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1" - configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" + conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" "go.pinniped.dev/test/testlib" ) 
@@ -57,9 +57,9 @@ func TestCredentialIssuer(t *testing.T) { // The details of the ImpersonationProxy type is tested by a different integration test for the impersonator. // Grab the KubeClusterSigningCertificate result so we can check it in detail below. - var actualStatusStrategy configv1alpha1.CredentialIssuerStrategy + var actualStatusStrategy conciergeconfigv1alpha1.CredentialIssuerStrategy for _, s := range actualStatusStrategies { - if s.Type == configv1alpha1.KubeClusterSigningCertificateStrategyType { + if s.Type == conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType { actualStatusStrategy = s break } @@ -67,12 +67,12 @@ func TestCredentialIssuer(t *testing.T) { require.NotNil(t, actualStatusStrategy) if env.HasCapability(testlib.ClusterSigningKeyIsAvailable) { - require.Equal(t, configv1alpha1.SuccessStrategyStatus, actualStatusStrategy.Status) - require.Equal(t, configv1alpha1.FetchedKeyStrategyReason, actualStatusStrategy.Reason) + require.Equal(t, conciergeconfigv1alpha1.SuccessStrategyStatus, actualStatusStrategy.Status) + require.Equal(t, conciergeconfigv1alpha1.FetchedKeyStrategyReason, actualStatusStrategy.Reason) require.Equal(t, "key was fetched successfully", actualStatusStrategy.Message) require.NotNil(t, actualStatusStrategy.Frontend) - require.Equal(t, configv1alpha1.TokenCredentialRequestAPIFrontendType, actualStatusStrategy.Frontend.Type) - expectedTokenRequestAPIInfo := configv1alpha1.TokenCredentialRequestAPIInfo{ + require.Equal(t, conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType, actualStatusStrategy.Frontend.Type) + expectedTokenRequestAPIInfo := conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{ Server: config.Host, CertificateAuthorityData: base64.StdEncoding.EncodeToString(config.TLSClientConfig.CAData), } 
@@ -81,15 +81,15 @@ func TestCredentialIssuer(t *testing.T) {
 // Verify the published kube config info.
 require.Equal(
 t,
- &configv1alpha1.CredentialIssuerKubeConfigInfo{
+ &conciergeconfigv1alpha1.CredentialIssuerKubeConfigInfo{
 Server: expectedTokenRequestAPIInfo.Server,
 CertificateAuthorityData: expectedTokenRequestAPIInfo.CertificateAuthorityData,
 },
 actualStatusKubeConfigInfo,
 )
 } else {
- require.Equal(t, configv1alpha1.ErrorStrategyStatus, actualStatusStrategy.Status)
- require.Equal(t, configv1alpha1.CouldNotFetchKeyStrategyReason, actualStatusStrategy.Reason)
+ require.Equal(t, conciergeconfigv1alpha1.ErrorStrategyStatus, actualStatusStrategy.Status)
+ require.Equal(t, conciergeconfigv1alpha1.CouldNotFetchKeyStrategyReason, actualStatusStrategy.Reason)
 require.Contains(t, actualStatusStrategy.Message, "could not find a healthy kube-controller-manager pod (0 candidates): "+
 "note that this error is the expected behavior for some cluster types, including most cloud provider clusters (e.g. GKE, AKS, EKS)")
 require.Nil(t, actualStatusKubeConfigInfo)
diff --git a/test/integration/concierge_impersonation_proxy_test.go b/test/integration/concierge_impersonation_proxy_test.go
index 98f6cd2f0..a3edddc25 100644
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@@ -62,10 +62,10 @@ import ( "k8s.io/utils/ptr" authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" - conciergev1alpha "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" + conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1" loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1" - pinnipedconciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned" + conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned" "go.pinniped.dev/internal/certauthority" "go.pinniped.dev/internal/crypto/ptls" "go.pinniped.dev/internal/httputil/roundtripper" @@ -132,7 +132,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl mostRecentTokenCredentialRequestResponseLock sync.Mutex ) - refreshCredentialHelper := func(t *testing.T, client pinnipedconciergeclientset.Interface) *loginv1alpha1.ClusterCredential { + refreshCredentialHelper := func(t *testing.T, client conciergeclientset.Interface) *loginv1alpha1.ClusterCredential { t.Helper() mostRecentTokenCredentialRequestResponseLock.Lock() 
@@ -209,11 +209,11 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl switch { case impersonatorShouldHaveStartedAutomaticallyByDefault && clusterSupportsLoadBalancers: // configure the credential issuer spec to have the impersonation proxy in auto mode - updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{ - ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{ - Mode: conciergev1alpha.ImpersonationProxyModeAuto, - Service: conciergev1alpha.ImpersonationProxyServiceSpec{ - Type: conciergev1alpha.ImpersonationProxyServiceTypeLoadBalancer, + updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer, Annotations: map[string]string{ "service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout": "4000", }, @@ -241,9 +241,9 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl requireDisabledStrategy(ctx, t, env, adminConciergeClient) // Create configuration to make the impersonation proxy turn on with no endpoint (i.e. automatically create a load balancer). - updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{ - ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{ - Mode: conciergev1alpha.ImpersonationProxyModeEnabled, + updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, }, }) 
@@ -267,12 +267,12 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl require.Truef(t, isErr, "wanted error %q to be service unavailable via squid error, but: %s", err, message) // Create configuration to make the impersonation proxy turn on with a hard coded endpoint (without a load balancer). - updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{ - ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{ - Mode: conciergev1alpha.ImpersonationProxyModeEnabled, + updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{ + ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ + Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled, ExternalEndpoint: proxyServiceEndpoint, - Service: conciergev1alpha.ImpersonationProxyServiceSpec{ - Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP, + Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ + Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP, }, }, }) 
@@ -1759,12 +1759,12 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 t.Skip("Skipping ClusterIP test because squid proxy is not present")
 }
 clusterIPServiceURL := fmt.Sprintf("%s.%s.svc.cluster.local", impersonationProxyClusterIPName(env), env.ConciergeNamespace)
- updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
- ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
- Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
+ updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: clusterIPServiceURL,
- Service: conciergev1alpha.ImpersonationProxyServiceSpec{
- Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP,
 },
 },
 })
@@ -1815,12 +1815,12 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 t.Cleanup(func() {
 // Remove the TLS block from the CredentialIssuer, which should revert the ImpersonationProxy to using an
 // internally generated TLS serving cert derived from the original CA.
- updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
- ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
- Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
+ updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: proxyServiceEndpoint,
- Service: conciergev1alpha.ImpersonationProxyServiceSpec{
- Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP,
 },
 },
 })
@@ -1833,14 +1833,14 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 }, 2*time.Minute, 500*time.Millisecond)
 })
- updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
- ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
- Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
+ updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: proxyServiceEndpoint,
- Service: conciergev1alpha.ImpersonationProxyServiceSpec{
- Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP,
 },
- TLS: &conciergev1alpha.ImpersonationProxyTLSSpec{
+ TLS: &conciergeconfigv1alpha1.ImpersonationProxyTLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(externallyProvidedCA.Bundle()),
 SecretName: externallyProvidedTLSServingCertSecret.Name,
 },
@@ -1887,12 +1887,12 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 t.Cleanup(func() {
 // Remove the TLS block from the CredentialIssuer, which should revert the ImpersonationProxy to using an
 // internally generated TLS serving cert derived from the original CA.
- updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
- ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
- Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
+ updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: proxyServiceEndpoint,
- Service: conciergev1alpha.ImpersonationProxyServiceSpec{
- Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP,
 },
 },
 })
@@ -1905,14 +1905,14 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 }, 2*time.Minute, 500*time.Millisecond)
 })
- updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
- ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
- Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
+ updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeEnabled,
 ExternalEndpoint: proxyServiceEndpoint,
- Service: conciergev1alpha.ImpersonationProxyServiceSpec{
- Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP,
+ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
+ Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeClusterIP,
 },
- TLS: &conciergev1alpha.ImpersonationProxyTLSSpec{
+ TLS: &conciergeconfigv1alpha1.ImpersonationProxyTLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(externallyProvidedCA.Bundle()),
 SecretName: externallyProvidedTLSServingCertSecret.Name,
 },
@@ -1934,9 +1934,9 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 t.Run("manually disabling the impersonation proxy feature", func(t *testing.T) {
 // Update configuration to force the proxy to disabled mode
- updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
- ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
- Mode: conciergev1alpha.ImpersonationProxyModeDisabled,
+ updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
+ Mode: conciergeconfigv1alpha1.ImpersonationProxyModeDisabled,
 },
 })
@@ -2101,7 +2101,7 @@ func expectedWhoAmIRequestResponse(username string, groups []string, extra map[s
 }
 func performImpersonatorDiscovery(ctx context.Context, t *testing.T, env *testlib.TestEnv,
- adminClient kubernetes.Interface, adminConciergeClient pinnipedconciergeclientset.Interface,
+ adminClient kubernetes.Interface, adminConciergeClient conciergeclientset.Interface,
 refreshCredential func(t *testing.T, impersonationProxyURL string, impersonationProxyCACertPEM []byte) *loginv1alpha1.ClusterCredential) (string, []byte) {
 t.Helper()
@@ -2157,7 +2157,7 @@ func performImpersonatorDiscovery(ctx context.Context, t *testing.T, env *testli
 return impersonationProxyURL, impersonationProxyCACertPEM
 }
-func performImpersonatorDiscoveryURL(ctx context.Context, t *testing.T, env *testlib.TestEnv, adminConciergeClient pinnipedconciergeclientset.Interface) (string, []byte) {
+func performImpersonatorDiscoveryURL(ctx context.Context, t *testing.T, env *testlib.TestEnv, adminConciergeClient conciergeclientset.Interface) (string, []byte) {
 t.Helper()
 var impersonationProxyURL string
@@ -2173,7 +2173,7 @@ func performImpersonatorDiscoveryURL(ctx context.Context, t *testing.T, env *tes
 }
 for _, strategy := range credentialIssuer.Status.Strategies {
 // There will be other strategy types in the list, so ignore those.
- if strategy.Type == conciergev1alpha.ImpersonationProxyStrategyType && strategy.Status == conciergev1alpha.SuccessStrategyStatus { //nolint:nestif
+ if strategy.Type == conciergeconfigv1alpha1.ImpersonationProxyStrategyType && strategy.Status == conciergeconfigv1alpha1.SuccessStrategyStatus { //nolint:nestif
 if strategy.Frontend == nil {
 return false, fmt.Errorf("did not find a Frontend") // unexpected, fail the test
 }
@@ -2187,10 +2187,10 @@ func performImpersonatorDiscoveryURL(ctx context.Context, t *testing.T, env *tes
 return false, err // unexpected, fail the test
 }
 return true, nil // found it, continue the test!
- } else if strategy.Type == conciergev1alpha.ImpersonationProxyStrategyType {
+ } else if strategy.Type == conciergeconfigv1alpha1.ImpersonationProxyStrategyType {
 t.Logf("Waiting for successful impersonation proxy strategy on %s: found status %s with reason %s and message: %s",
 credentialIssuerName(env), strategy.Status, strategy.Reason, strategy.Message)
- if strategy.Reason == conciergev1alpha.ErrorDuringSetupStrategyReason {
+ if strategy.Reason == conciergeconfigv1alpha1.ErrorDuringSetupStrategyReason {
 // The server encountered an unexpected error while starting the impersonator, so fail the test fast.
 return false, fmt.Errorf("found impersonation strategy in %s state with message: %s", strategy.Reason, strategy.Message)
 }
@@ -2204,7 +2204,7 @@ func performImpersonatorDiscoveryURL(ctx context.Context, t *testing.T, env *tes
 return impersonationProxyURL, impersonationProxyCACertPEM
 }
-func requireDisabledStrategy(ctx context.Context, t *testing.T, env *testlib.TestEnv, adminConciergeClient pinnipedconciergeclientset.Interface) {
+func requireDisabledStrategy(ctx context.Context, t *testing.T, env *testlib.TestEnv, adminConciergeClient conciergeclientset.Interface) {
 t.Helper()
 testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
@@ -2215,14 +2215,14 @@ func requireDisabledStrategy(ctx context.Context, t *testing.T, env *testlib.Tes
 }
 for _, strategy := range credentialIssuer.Status.Strategies {
 // There will be other strategy types in the list, so ignore those.
- if strategy.Type == conciergev1alpha.ImpersonationProxyStrategyType &&
- strategy.Status == conciergev1alpha.ErrorStrategyStatus &&
- strategy.Reason == conciergev1alpha.DisabledStrategyReason {
+ if strategy.Type == conciergeconfigv1alpha1.ImpersonationProxyStrategyType &&
+ strategy.Status == conciergeconfigv1alpha1.ErrorStrategyStatus &&
+ strategy.Reason == conciergeconfigv1alpha1.DisabledStrategyReason {
 return true, nil // found it, continue the test!
- } else if strategy.Type == conciergev1alpha.ImpersonationProxyStrategyType {
+ } else if strategy.Type == conciergeconfigv1alpha1.ImpersonationProxyStrategyType {
 t.Logf("Waiting for disabled impersonation proxy strategy on %s: found status %s with reason %s and message: %s",
 credentialIssuerName(env), strategy.Status, strategy.Reason, strategy.Message)
- if strategy.Reason == conciergev1alpha.ErrorDuringSetupStrategyReason {
+ if strategy.Reason == conciergeconfigv1alpha1.ErrorDuringSetupStrategyReason {
 // The server encountered an unexpected error while stopping the impersonator, so fail the test fast.
 return false, fmt.Errorf("found impersonation strategy in %s state with message: %s", strategy.Reason, strategy.Message)
 }
@@ -2283,7 +2283,7 @@ func kubeconfigProxyFunc(t *testing.T, squidProxyURL string) func(req *http.Requ
 }
 }
-func updateCredentialIssuer(ctx context.Context, t *testing.T, env *testlib.TestEnv, adminConciergeClient pinnipedconciergeclientset.Interface, spec conciergev1alpha.CredentialIssuerSpec) {
+func updateCredentialIssuer(ctx context.Context, t *testing.T, env *testlib.TestEnv, adminConciergeClient conciergeclientset.Interface, spec conciergeconfigv1alpha1.CredentialIssuerSpec) {
 t.Helper()
 err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
@@ -2445,7 +2445,7 @@ func requireClose(t *testing.T, c chan struct{}, timeout time.Duration) {
 func createTokenCredentialRequest(
 spec loginv1alpha1.TokenCredentialRequestSpec,
- client pinnipedconciergeclientset.Interface,
+ client conciergeclientset.Interface,
 ) (*loginv1alpha1.TokenCredentialRequest, error) {
 ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
diff --git a/test/integration/concierge_kubecertagent_test.go b/test/integration/concierge_kubecertagent_test.go
index b306da99f..12c778a77 100644
--- a/test/integration/concierge_kubecertagent_test.go
+++ b/test/integration/concierge_kubecertagent_test.go
@@ -16,7 +16,7 @@ import (
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/utils/ptr"
- conciergev1alpha "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
+ conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 "go.pinniped.dev/test/testlib"
 )
@@ -60,7 +60,7 @@ func TestKubeCertAgent(t *testing.T) {
 }
 // If there's no successful strategy yet, wait until there is.
- strategy := findSuccessfulStrategy(credentialIssuer, conciergev1alpha.KubeClusterSigningCertificateStrategyType)
+ strategy := findSuccessfulStrategy(credentialIssuer, conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType)
 if strategy == nil {
 t.Log("could not find a successful TokenCredentialRequestAPI strategy in the CredentialIssuer:")
 for _, s := range credentialIssuer.Status.Strategies {
@@ -73,19 +73,19 @@ func TestKubeCertAgent(t *testing.T) {
 if strategy.Frontend == nil {
 return false, fmt.Errorf("strategy did not find a Frontend")
 }
- if strategy.Frontend.Type != conciergev1alpha.TokenCredentialRequestAPIFrontendType {
+ if strategy.Frontend.Type != conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType {
 return false, fmt.Errorf("strategy had unexpected frontend type %q", strategy.Frontend.Type)
 }
 return true, nil
 }, 3*time.Minute, 2*time.Second)
 }
-func findSuccessfulStrategy(credentialIssuer *conciergev1alpha.CredentialIssuer, strategyType conciergev1alpha.StrategyType) *conciergev1alpha.CredentialIssuerStrategy {
+func findSuccessfulStrategy(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer, strategyType conciergeconfigv1alpha1.StrategyType) *conciergeconfigv1alpha1.CredentialIssuerStrategy {
 for _, strategy := range credentialIssuer.Status.Strategies {
 if strategy.Type != strategyType {
 continue
 }
- if strategy.Status != conciergev1alpha.SuccessStrategyStatus {
+ if strategy.Status != conciergeconfigv1alpha1.SuccessStrategyStatus {
 continue
 }
 return &strategy
diff --git a/test/testlib/client.go b/test/testlib/client.go
index cf5cac9a9..13f642f13 100644
--- a/test/testlib/client.go
+++ b/test/testlib/client.go
@@ -33,7 +33,7 @@ import (
 supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
- pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+ supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 "go.pinniped.dev/internal/groupsuffix"
 "go.pinniped.dev/internal/kubeclient"
@@ -80,13 +80,13 @@ func NewKubernetesClientset(t *testing.T) kubernetes.Interface {
 return NewKubeclient(t, NewClientConfig(t)).Kubernetes
 }
-func NewSupervisorClientset(t *testing.T) pinnipedsupervisorclientset.Interface {
+func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface {
 t.Helper()
 return NewKubeclient(t, NewClientConfig(t)).PinnipedSupervisor
 }
-func NewAnonymousSupervisorClientset(t *testing.T) pinnipedsupervisorclientset.Interface {
+func NewAnonymousSupervisorClientset(t *testing.T) supervisorclientset.Interface {
 t.Helper()
 return NewKubeclient(t, NewAnonymousClientRestConfig(t)).PinnipedSupervisor