mirror of
https://github.com/vmware-tanzu/pinniped.git
synced 2026-01-06 05:27:23 +00:00
Use Conditions from apimachinery, specifically k8s.io/apimachinery/pkg/apis/meta/v1.Conditions
This commit is contained in:
Joshua Casey
committed by
Ryan Richard
Ryan Richard
parent
96fcfe4d53
commit
64f1bff13f
@@ -1,4 +1,4 @@
|
||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package conditionsutil
|
||||
@@ -9,13 +9,11 @@ import (
|
||||
"k8s.io/apimachinery/pkg/api/equality"
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
||||
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
|
||||
idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
|
||||
"go.pinniped.dev/internal/plog"
|
||||
)
|
||||
|
||||
// MergeIDPConditions merges conditions into conditionsToUpdate. If returns true if it merged any error conditions.
|
||||
func MergeIDPConditions(conditions []*idpv1alpha1.Condition, observedGeneration int64, conditionsToUpdate *[]idpv1alpha1.Condition, log plog.MinLogger) bool {
|
||||
func MergeIDPConditions(conditions []*v1.Condition, observedGeneration int64, conditionsToUpdate *[]v1.Condition, log plog.MinLogger) bool {
|
||||
hadErrorCondition := false
|
||||
for i := range conditions {
|
||||
cond := conditions[i].DeepCopy()
|
||||
@@ -24,7 +22,7 @@ func MergeIDPConditions(conditions []*idpv1alpha1.Condition, observedGeneration
|
||||
if mergeIDPCondition(conditionsToUpdate, cond) {
|
||||
log.Info("updated condition", "type", cond.Type, "status", cond.Status, "reason", cond.Reason, "message", cond.Message)
|
||||
}
|
||||
if cond.Status == idpv1alpha1.ConditionFalse {
|
||||
if cond.Status == v1.ConditionFalse {
|
||||
hadErrorCondition = true
|
||||
}
|
||||
}
|
||||
@@ -34,11 +32,11 @@ func MergeIDPConditions(conditions []*idpv1alpha1.Condition, observedGeneration
|
||||
return hadErrorCondition
|
||||
}
|
||||
|
||||
// mergeIDPCondition merges a new idpv1alpha1.Condition into a slice of existing conditions. It returns true
|
||||
// mergeIDPCondition merges a new v1.Condition into a slice of existing conditions. It returns true
|
||||
// if the condition has meaningfully changed.
|
||||
func mergeIDPCondition(existing *[]idpv1alpha1.Condition, new *idpv1alpha1.Condition) bool {
|
||||
func mergeIDPCondition(existing *[]v1.Condition, new *v1.Condition) bool {
|
||||
// Find any existing condition with a matching type.
|
||||
var old *idpv1alpha1.Condition
|
||||
var old *v1.Condition
|
||||
for i := range *existing {
|
||||
if (*existing)[i].Type == new.Type {
|
||||
old = &(*existing)[i]
|
||||
@@ -69,7 +67,7 @@ func mergeIDPCondition(existing *[]idpv1alpha1.Condition, new *idpv1alpha1.Condi
|
||||
}
|
||||
|
||||
// MergeConfigConditions merges conditions into conditionsToUpdate. If returns true if it merged any error conditions.
|
||||
func MergeConfigConditions(conditions []*configv1alpha1.Condition, observedGeneration int64, conditionsToUpdate *[]configv1alpha1.Condition, log plog.MinLogger) bool {
|
||||
func MergeConfigConditions(conditions []*v1.Condition, observedGeneration int64, conditionsToUpdate *[]v1.Condition, log plog.MinLogger) bool {
|
||||
hadErrorCondition := false
|
||||
for i := range conditions {
|
||||
cond := conditions[i].DeepCopy()
|
||||
@@ -78,7 +76,7 @@ func MergeConfigConditions(conditions []*configv1alpha1.Condition, observedGener
|
||||
if mergeConfigCondition(conditionsToUpdate, cond) {
|
||||
log.Info("updated condition", "type", cond.Type, "status", cond.Status, "reason", cond.Reason, "message", cond.Message)
|
||||
}
|
||||
if cond.Status == configv1alpha1.ConditionFalse {
|
||||
if cond.Status == v1.ConditionFalse {
|
||||
hadErrorCondition = true
|
||||
}
|
||||
}
|
||||
@@ -88,11 +86,11 @@ func MergeConfigConditions(conditions []*configv1alpha1.Condition, observedGener
|
||||
return hadErrorCondition
|
||||
}
|
||||
|
||||
// mergeConfigCondition merges a new idpv1alpha1.Condition into a slice of existing conditions. It returns true
|
||||
// mergeConfigCondition merges a new v1.Condition into a slice of existing conditions. It returns true
|
||||
// if the condition has meaningfully changed.
|
||||
func mergeConfigCondition(existing *[]configv1alpha1.Condition, new *configv1alpha1.Condition) bool {
|
||||
func mergeConfigCondition(existing *[]v1.Condition, new *v1.Condition) bool {
|
||||
// Find any existing condition with a matching type.
|
||||
var old *configv1alpha1.Condition
|
||||
var old *v1.Condition
|
||||
for i := range *existing {
|
||||
if (*existing)[i].Type == new.Type {
|
||||
old = &(*existing)[i]
|
||||
|
||||
@@ -121,14 +121,14 @@ func (s *activeDirectoryUpstreamGenericLDAPSpec) GroupSearch() upstreamwatchers.
|
||||
return &activeDirectoryUpstreamGenericLDAPGroupSearch{s.activeDirectoryIdentityProvider.Spec.GroupSearch}
|
||||
}
|
||||
|
||||
func (s *activeDirectoryUpstreamGenericLDAPSpec) DetectAndSetSearchBase(ctx context.Context, config *upstreamldap.ProviderConfig) *v1alpha1.Condition {
|
||||
func (s *activeDirectoryUpstreamGenericLDAPSpec) DetectAndSetSearchBase(ctx context.Context, config *upstreamldap.ProviderConfig) *metav1.Condition {
|
||||
config.GroupSearch.Base = s.activeDirectoryIdentityProvider.Spec.GroupSearch.Base
|
||||
config.UserSearch.Base = s.activeDirectoryIdentityProvider.Spec.UserSearch.Base
|
||||
if config.GroupSearch.Base != "" && config.UserSearch.Base != "" {
|
||||
// Both were already set in spec so just return; no need to query the RootDSE
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: upstreamwatchers.TypeSearchBaseFound,
|
||||
Status: v1alpha1.ConditionTrue,
|
||||
Status: metav1.ConditionTrue,
|
||||
Reason: upstreamwatchers.ReasonUsingConfigurationFromSpec,
|
||||
Message: "Using search base from ActiveDirectoryIdentityProvider config.",
|
||||
}
|
||||
@@ -139,9 +139,9 @@ func (s *activeDirectoryUpstreamGenericLDAPSpec) DetectAndSetSearchBase(ctx cont
|
||||
// https://ldapwiki.com/wiki/DefaultNamingContext
|
||||
defaultNamingContext, err := ldapProvider.SearchForDefaultNamingContext(ctx)
|
||||
if err != nil {
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: upstreamwatchers.TypeSearchBaseFound,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: upstreamwatchers.ReasonErrorFetchingSearchBase,
|
||||
Message: fmt.Sprintf(`Error finding search base: %s`, err.Error()),
|
||||
}
|
||||
@@ -152,9 +152,9 @@ func (s *activeDirectoryUpstreamGenericLDAPSpec) DetectAndSetSearchBase(ctx cont
|
||||
if config.GroupSearch.Base == "" {
|
||||
config.GroupSearch.Base = defaultNamingContext
|
||||
}
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: upstreamwatchers.TypeSearchBaseFound,
|
||||
Status: v1alpha1.ConditionTrue,
|
||||
Status: metav1.ConditionTrue,
|
||||
Reason: upstreamwatchers.ReasonSuccess,
|
||||
Message: "Successfully fetched defaultNamingContext to use as default search base from RootDSE.",
|
||||
}
|
||||
@@ -219,7 +219,7 @@ type activeDirectoryUpstreamGenericLDAPStatus struct {
|
||||
activeDirectoryIdentityProvider v1alpha1.ActiveDirectoryIdentityProvider
|
||||
}
|
||||
|
||||
func (s *activeDirectoryUpstreamGenericLDAPStatus) Conditions() []v1alpha1.Condition {
|
||||
func (s *activeDirectoryUpstreamGenericLDAPStatus) Conditions() []metav1.Condition {
|
||||
return s.activeDirectoryIdentityProvider.Status.Conditions
|
||||
}
|
||||
|
||||
@@ -364,7 +364,7 @@ func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context,
|
||||
return upstreamwatchers.EvaluateConditions(conditions, config)
|
||||
}
|
||||
|
||||
func (c *activeDirectoryWatcherController) updateStatus(ctx context.Context, upstream *v1alpha1.ActiveDirectoryIdentityProvider, conditions []*v1alpha1.Condition) {
|
||||
func (c *activeDirectoryWatcherController) updateStatus(ctx context.Context, upstream *v1alpha1.ActiveDirectoryIdentityProvider, conditions []*metav1.Condition) {
|
||||
log := plog.WithValues("namespace", upstream.Namespace, "name", upstream.Name)
|
||||
updated := upstream.DeepCopy()
|
||||
|
||||
|
||||
@@ -241,8 +241,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
providerConfigForValidUpstreamWithStartTLS := ©OfProviderConfigForValidUpstreamWithTLS
|
||||
providerConfigForValidUpstreamWithStartTLS.ConnectionProtocol = upstreamldap.StartTLS
|
||||
|
||||
bindSecretValidTrueCondition := func(gen int64) v1alpha1.Condition {
|
||||
return v1alpha1.Condition{
|
||||
bindSecretValidTrueCondition := func(gen int64) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "BindSecretValid",
|
||||
Status: "True",
|
||||
LastTransitionTime: now,
|
||||
@@ -251,8 +251,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObservedGeneration: gen,
|
||||
}
|
||||
}
|
||||
activeDirectoryConnectionValidTrueCondition := func(gen int64, secretVersion string) v1alpha1.Condition {
|
||||
return v1alpha1.Condition{
|
||||
activeDirectoryConnectionValidTrueCondition := func(gen int64, secretVersion string) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "LDAPConnectionValid",
|
||||
Status: "True",
|
||||
LastTransitionTime: now,
|
||||
@@ -263,21 +263,21 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObservedGeneration: gen,
|
||||
}
|
||||
}
|
||||
activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration := func(secretVersion string) v1alpha1.Condition {
|
||||
activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration := func(secretVersion string) metav1.Condition {
|
||||
c := activeDirectoryConnectionValidTrueCondition(0, secretVersion)
|
||||
c.LastTransitionTime = metav1.Time{}
|
||||
return c
|
||||
}
|
||||
condPtr := func(c v1alpha1.Condition) *v1alpha1.Condition {
|
||||
condPtr := func(c metav1.Condition) *metav1.Condition {
|
||||
return &c
|
||||
}
|
||||
withoutTime := func(c v1alpha1.Condition) v1alpha1.Condition {
|
||||
withoutTime := func(c metav1.Condition) metav1.Condition {
|
||||
c = *c.DeepCopy()
|
||||
c.LastTransitionTime = metav1.Time{}
|
||||
return c
|
||||
}
|
||||
tlsConfigurationValidLoadedTrueCondition := func(gen int64) v1alpha1.Condition {
|
||||
return v1alpha1.Condition{
|
||||
tlsConfigurationValidLoadedTrueCondition := func(gen int64) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "True",
|
||||
LastTransitionTime: now,
|
||||
@@ -287,8 +287,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
searchBaseFoundInRootDSECondition := func(gen int64) v1alpha1.Condition {
|
||||
return v1alpha1.Condition{
|
||||
searchBaseFoundInRootDSECondition := func(gen int64) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "SearchBaseFound",
|
||||
Status: "True",
|
||||
LastTransitionTime: now,
|
||||
@@ -298,8 +298,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
searchBaseFoundInConfigCondition := func(gen int64) v1alpha1.Condition {
|
||||
return v1alpha1.Condition{
|
||||
searchBaseFoundInConfigCondition := func(gen int64) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "SearchBaseFound",
|
||||
Status: "True",
|
||||
LastTransitionTime: now,
|
||||
@@ -309,8 +309,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
searchBaseFoundErrorCondition := func(gen int64, message string) v1alpha1.Condition {
|
||||
return v1alpha1.Condition{
|
||||
searchBaseFoundErrorCondition := func(gen int64, message string) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "SearchBaseFound",
|
||||
Status: "False",
|
||||
LastTransitionTime: now,
|
||||
@@ -320,8 +320,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
allConditionsTrue := func(gen int64, secretVersion string) []v1alpha1.Condition {
|
||||
return []v1alpha1.Condition{
|
||||
allConditionsTrue := func(gen int64, secretVersion string) []metav1.Condition {
|
||||
return []metav1.Condition{
|
||||
bindSecretValidTrueCondition(gen),
|
||||
activeDirectoryConnectionValidTrueCondition(gen, secretVersion),
|
||||
searchBaseFoundInConfigCondition(gen),
|
||||
@@ -418,7 +418,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{
|
||||
Type: "BindSecretValid",
|
||||
Status: "False",
|
||||
@@ -446,7 +446,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{
|
||||
Type: "BindSecretValid",
|
||||
Status: "False",
|
||||
@@ -473,7 +473,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{
|
||||
Type: "BindSecretValid",
|
||||
Status: "False",
|
||||
@@ -499,7 +499,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
@@ -525,7 +525,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
@@ -583,7 +583,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInConfigCondition(1234),
|
||||
@@ -653,7 +653,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInConfigCondition(1234),
|
||||
@@ -726,7 +726,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
@@ -749,7 +749,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
UserSearchBase: testUserSearchBase,
|
||||
GroupSearchBase: testGroupSearchBase,
|
||||
IDPSpecGeneration: 1234,
|
||||
ConnectionValidCondition: &v1alpha1.Condition{
|
||||
ConnectionValidCondition: &metav1.Condition{
|
||||
Type: "LDAPConnectionValid",
|
||||
Status: "True",
|
||||
Reason: "Success",
|
||||
@@ -807,7 +807,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
@@ -904,7 +904,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "other-upstream", Generation: 42, UID: "other-uid"},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{
|
||||
Type: "BindSecretValid",
|
||||
Status: "False",
|
||||
@@ -953,7 +953,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
@@ -1021,7 +1021,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
@@ -1057,7 +1057,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
@@ -1080,7 +1080,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection was already validated using TLS for the current resource generation and secret version, then do not validate it again and keep using TLS",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.ActiveDirectoryIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInConfigCondition(1234),
|
||||
}
|
||||
@@ -1122,7 +1122,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
// validatedsettings cache invalid.
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.ActiveDirectoryIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
}
|
||||
upstream.Spec.UserSearch.Base = ""
|
||||
@@ -1170,7 +1170,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInRootDSECondition(1234),
|
||||
@@ -1192,7 +1192,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection was already validated using TLS, and the search base was found, load TLS and search base info into the cache",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.ActiveDirectoryIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInRootDSECondition(1234),
|
||||
}
|
||||
@@ -1243,7 +1243,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInRootDSECondition(1234),
|
||||
@@ -1265,7 +1265,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection was already validated using StartTLS for the current resource generation and secret version, then do not validate it again and keep using StartTLS",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.ActiveDirectoryIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInConfigCondition(1234),
|
||||
}
|
||||
@@ -1305,7 +1305,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection was validated for an older resource generation, then try to validate it again",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.ActiveDirectoryIdentityProvider) {
|
||||
upstream.Generation = 1234 // current generation
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
activeDirectoryConnectionValidTrueCondition(1233, "4242"), // older spec generation!
|
||||
}
|
||||
})},
|
||||
@@ -1346,7 +1346,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection condition failed to update previously, then write the cached condition from the previous connection validation",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.ActiveDirectoryIdentityProvider) {
|
||||
upstream.Generation = 1234 // current generation
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4200"), // old version of the condition, as if the previous update of conditions had failed
|
||||
}
|
||||
})},
|
||||
@@ -1386,7 +1386,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection validation previously failed for this resource generation, then try to validate it again",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.ActiveDirectoryIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
Status: "False", // failure!
|
||||
@@ -1425,7 +1425,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection was already validated for this resource generation but the bind secret has changed, then try to validate it again",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.ActiveDirectoryIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4241"), // same spec generation, old secret version
|
||||
}
|
||||
})},
|
||||
@@ -1570,7 +1570,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInRootDSECondition(1234),
|
||||
@@ -1634,7 +1634,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInRootDSECondition(1234),
|
||||
@@ -1698,7 +1698,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInRootDSECondition(1234),
|
||||
@@ -1734,7 +1734,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundErrorCondition(1234, "Error finding search base: error querying RootDSE for defaultNamingContext: some error"),
|
||||
@@ -1770,7 +1770,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundErrorCondition(1234, "Error finding search base: error querying RootDSE for defaultNamingContext: empty search base DN found"),
|
||||
@@ -1812,7 +1812,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundErrorCondition(1234, "Error finding search base: error querying RootDSE for defaultNamingContext: expected to find 1 entry but found 2"),
|
||||
@@ -1841,7 +1841,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundErrorCondition(1234, "Error finding search base: error querying RootDSE for defaultNamingContext: expected to find 1 entry but found 0"),
|
||||
@@ -1855,7 +1855,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when search base was previously found but the bind secret has changed",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.ActiveDirectoryIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
searchBaseFoundInRootDSECondition(1234),
|
||||
}
|
||||
upstream.Spec.UserSearch.Attributes = v1alpha1.ActiveDirectoryIdentityProviderUserSearchAttributes{}
|
||||
@@ -1910,7 +1910,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testResourceUID, Generation: 1234},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInRootDSECondition(1234),
|
||||
@@ -1973,7 +1973,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testResourceUID},
|
||||
Status: v1alpha1.ActiveDirectoryIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
activeDirectoryConnectionValidTrueCondition(1234, "4242"),
|
||||
searchBaseFoundInConfigCondition(1234),
|
||||
|
||||
@@ -77,7 +77,7 @@ func (s *ldapUpstreamGenericLDAPSpec) GroupSearch() upstreamwatchers.UpstreamGen
|
||||
return &ldapUpstreamGenericLDAPGroupSearch{s.ldapIdentityProvider.Spec.GroupSearch}
|
||||
}
|
||||
|
||||
func (s *ldapUpstreamGenericLDAPSpec) DetectAndSetSearchBase(_ context.Context, config *upstreamldap.ProviderConfig) *v1alpha1.Condition {
|
||||
func (s *ldapUpstreamGenericLDAPSpec) DetectAndSetSearchBase(_ context.Context, config *upstreamldap.ProviderConfig) *metav1.Condition {
|
||||
config.GroupSearch.Base = s.ldapIdentityProvider.Spec.GroupSearch.Base
|
||||
config.UserSearch.Base = s.ldapIdentityProvider.Spec.UserSearch.Base
|
||||
return nil
|
||||
@@ -127,7 +127,7 @@ type ldapUpstreamGenericLDAPStatus struct {
|
||||
ldapIdentityProvider v1alpha1.LDAPIdentityProvider
|
||||
}
|
||||
|
||||
func (s *ldapUpstreamGenericLDAPStatus) Conditions() []v1alpha1.Condition {
|
||||
func (s *ldapUpstreamGenericLDAPStatus) Conditions() []metav1.Condition {
|
||||
return s.ldapIdentityProvider.Status.Conditions
|
||||
}
|
||||
|
||||
@@ -256,7 +256,7 @@ func (c *ldapWatcherController) validateUpstream(ctx context.Context, upstream *
|
||||
return upstreamwatchers.EvaluateConditions(conditions, config)
|
||||
}
|
||||
|
||||
func (c *ldapWatcherController) updateStatus(ctx context.Context, upstream *v1alpha1.LDAPIdentityProvider, conditions []*v1alpha1.Condition) {
|
||||
func (c *ldapWatcherController) updateStatus(ctx context.Context, upstream *v1alpha1.LDAPIdentityProvider, conditions []*metav1.Condition) {
|
||||
log := plog.WithValues("namespace", upstream.Namespace, "name", upstream.Name)
|
||||
updated := upstream.DeepCopy()
|
||||
|
||||
|
||||
@@ -239,8 +239,8 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
providerConfigForValidUpstreamWithStartTLS := ©OfProviderConfigForValidUpstreamWithTLS
|
||||
providerConfigForValidUpstreamWithStartTLS.ConnectionProtocol = upstreamldap.StartTLS
|
||||
|
||||
bindSecretValidTrueCondition := func(gen int64) v1alpha1.Condition {
|
||||
return v1alpha1.Condition{
|
||||
bindSecretValidTrueCondition := func(gen int64) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "BindSecretValid",
|
||||
Status: "True",
|
||||
LastTransitionTime: now,
|
||||
@@ -249,8 +249,8 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObservedGeneration: gen,
|
||||
}
|
||||
}
|
||||
ldapConnectionValidTrueCondition := func(gen int64, secretVersion string) v1alpha1.Condition {
|
||||
return v1alpha1.Condition{
|
||||
ldapConnectionValidTrueCondition := func(gen int64, secretVersion string) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "LDAPConnectionValid",
|
||||
Status: "True",
|
||||
LastTransitionTime: now,
|
||||
@@ -261,16 +261,16 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObservedGeneration: gen,
|
||||
}
|
||||
}
|
||||
ldapConnectionValidTrueConditionWithoutTimeOrGeneration := func(secretVersion string) v1alpha1.Condition {
|
||||
ldapConnectionValidTrueConditionWithoutTimeOrGeneration := func(secretVersion string) metav1.Condition {
|
||||
c := ldapConnectionValidTrueCondition(0, secretVersion)
|
||||
c.LastTransitionTime = metav1.Time{}
|
||||
return c
|
||||
}
|
||||
condPtr := func(c v1alpha1.Condition) *v1alpha1.Condition {
|
||||
condPtr := func(c metav1.Condition) *metav1.Condition {
|
||||
return &c
|
||||
}
|
||||
tlsConfigurationValidLoadedTrueCondition := func(gen int64) v1alpha1.Condition {
|
||||
return v1alpha1.Condition{
|
||||
tlsConfigurationValidLoadedTrueCondition := func(gen int64) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "True",
|
||||
LastTransitionTime: now,
|
||||
@@ -279,8 +279,8 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObservedGeneration: gen,
|
||||
}
|
||||
}
|
||||
allConditionsTrue := func(gen int64, secretVersion string) []v1alpha1.Condition {
|
||||
return []v1alpha1.Condition{
|
||||
allConditionsTrue := func(gen int64, secretVersion string) []metav1.Condition {
|
||||
return []metav1.Condition{
|
||||
bindSecretValidTrueCondition(gen),
|
||||
ldapConnectionValidTrueCondition(gen, secretVersion),
|
||||
tlsConfigurationValidLoadedTrueCondition(gen),
|
||||
@@ -347,7 +347,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testResourceUID},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{
|
||||
Type: "BindSecretValid",
|
||||
Status: "False",
|
||||
@@ -375,7 +375,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testResourceUID},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{
|
||||
Type: "BindSecretValid",
|
||||
Status: "False",
|
||||
@@ -402,7 +402,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testResourceUID},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{
|
||||
Type: "BindSecretValid",
|
||||
Status: "False",
|
||||
@@ -428,7 +428,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testResourceUID},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
@@ -454,7 +454,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testResourceUID},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
@@ -506,7 +506,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testResourceUID},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
ldapConnectionValidTrueCondition(1234, "4242"),
|
||||
{
|
||||
@@ -571,7 +571,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testResourceUID},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
@@ -593,7 +593,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
UserSearchBase: testUserSearchBase,
|
||||
GroupSearchBase: testGroupSearchBase,
|
||||
IDPSpecGeneration: 1234,
|
||||
ConnectionValidCondition: &v1alpha1.Condition{
|
||||
ConnectionValidCondition: &metav1.Condition{
|
||||
Type: "LDAPConnectionValid",
|
||||
Status: "True",
|
||||
Reason: "Success",
|
||||
@@ -644,7 +644,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testResourceUID},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
@@ -733,7 +733,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "other-upstream", Generation: 42, UID: "other-uid"},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{
|
||||
Type: "BindSecretValid",
|
||||
Status: "False",
|
||||
@@ -779,7 +779,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testResourceUID},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
@@ -801,7 +801,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection was already validated using TLS for the current resource generation and secret version, then do not validate it again and keep using TLS",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
ldapConnectionValidTrueCondition(1234, "4242"),
|
||||
}
|
||||
})},
|
||||
@@ -838,7 +838,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection was already validated using StartTLS for the current resource generation and secret version, then do not validate it again and keep using StartTLS",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
ldapConnectionValidTrueCondition(1234, "4242"),
|
||||
}
|
||||
})},
|
||||
@@ -875,7 +875,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection was validated for an older resource generation, then try to validate it again",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
|
||||
upstream.Generation = 1234 // current generation
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
ldapConnectionValidTrueCondition(1233, "4242"), // older spec generation!
|
||||
}
|
||||
})},
|
||||
@@ -913,7 +913,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection condition failed to update previously, then write the cached condition from the previous connection validation",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
|
||||
upstream.Generation = 1234 // current generation
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
ldapConnectionValidTrueCondition(1234, "4200"), // old version of the condition, as if the previous update of conditions had failed
|
||||
}
|
||||
})},
|
||||
@@ -951,7 +951,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection validation previously failed for this resource generation, then try to validate it again",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
Status: "False", // failure!
|
||||
@@ -990,7 +990,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
// this shouldn't happen, but if it does, just throw it out and try again.
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
Status: "False", // failure!
|
||||
@@ -1032,7 +1032,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
name: "when the LDAP server connection was already validated for this resource generation but the bind secret has changed, then try to validate it again",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
|
||||
upstream.Generation = 1234
|
||||
upstream.Status.Conditions = []v1alpha1.Condition{
|
||||
upstream.Status.Conditions = []metav1.Condition{
|
||||
ldapConnectionValidTrueCondition(1234, "4241"), // same spec generation, old secret version
|
||||
}
|
||||
})},
|
||||
@@ -1104,7 +1104,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testResourceUID},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
ldapConnectionValidTrueCondition(1234, "4242"),
|
||||
{
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package oidcclientwatcher
|
||||
@@ -128,7 +128,7 @@ func (c *oidcClientWatcherController) Sync(ctx controllerlib.Context) error {
|
||||
func (c *oidcClientWatcherController) updateStatus(
|
||||
ctx context.Context,
|
||||
upstream *v1alpha1.OIDCClient,
|
||||
conditions []*v1alpha1.Condition,
|
||||
conditions []*metav1.Condition,
|
||||
totalClientSecrets int,
|
||||
) error {
|
||||
updated := upstream.DeepCopy()
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package oidcclientwatcher
|
||||
@@ -169,8 +169,8 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
now := metav1.NewTime(time.Now().UTC())
|
||||
earlier := metav1.NewTime(now.Add(-1 * time.Hour).UTC())
|
||||
|
||||
happyAllowedGrantTypesCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
|
||||
return configv1alpha1.Condition{
|
||||
happyAllowedGrantTypesCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "AllowedGrantTypesValid",
|
||||
Status: "True",
|
||||
LastTransitionTime: time,
|
||||
@@ -180,8 +180,8 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
sadAllowedGrantTypesCondition := func(time metav1.Time, observedGeneration int64, message string) configv1alpha1.Condition {
|
||||
return configv1alpha1.Condition{
|
||||
sadAllowedGrantTypesCondition := func(time metav1.Time, observedGeneration int64, message string) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "AllowedGrantTypesValid",
|
||||
Status: "False",
|
||||
LastTransitionTime: time,
|
||||
@@ -191,8 +191,8 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
happyClientSecretsCondition := func(howMany int, time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
|
||||
return configv1alpha1.Condition{
|
||||
happyClientSecretsCondition := func(howMany int, time metav1.Time, observedGeneration int64) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "ClientSecretExists",
|
||||
Status: "True",
|
||||
LastTransitionTime: time,
|
||||
@@ -202,8 +202,8 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
sadNoClientSecretsCondition := func(time metav1.Time, observedGeneration int64, message string) configv1alpha1.Condition {
|
||||
return configv1alpha1.Condition{
|
||||
sadNoClientSecretsCondition := func(time metav1.Time, observedGeneration int64, message string) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "ClientSecretExists",
|
||||
Status: "False",
|
||||
LastTransitionTime: time,
|
||||
@@ -213,8 +213,8 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
sadInvalidClientSecretsCondition := func(time metav1.Time, observedGeneration int64, message string) configv1alpha1.Condition {
|
||||
return configv1alpha1.Condition{
|
||||
sadInvalidClientSecretsCondition := func(time metav1.Time, observedGeneration int64, message string) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "ClientSecretExists",
|
||||
Status: "False",
|
||||
LastTransitionTime: time,
|
||||
@@ -224,8 +224,8 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
happyAllowedScopesCondition := func(time metav1.Time, observedGeneration int64) configv1alpha1.Condition {
|
||||
return configv1alpha1.Condition{
|
||||
happyAllowedScopesCondition := func(time metav1.Time, observedGeneration int64) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "AllowedScopesValid",
|
||||
Status: "True",
|
||||
LastTransitionTime: time,
|
||||
@@ -235,8 +235,8 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
sadAllowedScopesCondition := func(time metav1.Time, observedGeneration int64, message string) configv1alpha1.Condition {
|
||||
return configv1alpha1.Condition{
|
||||
sadAllowedScopesCondition := func(time metav1.Time, observedGeneration int64, message string) metav1.Condition {
|
||||
return metav1.Condition{
|
||||
Type: "AllowedScopesValid",
|
||||
Status: "False",
|
||||
LastTransitionTime: time,
|
||||
@@ -292,7 +292,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -317,7 +317,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(2, now, 1234),
|
||||
@@ -336,7 +336,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(earlier, 1234),
|
||||
happyAllowedScopesCondition(earlier, 1234),
|
||||
happyClientSecretsCondition(1, earlier, 1234),
|
||||
@@ -350,7 +350,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(earlier, 1234),
|
||||
happyAllowedScopesCondition(earlier, 1234),
|
||||
happyClientSecretsCondition(1, earlier, 1234),
|
||||
@@ -370,7 +370,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
sadAllowedGrantTypesCondition(now, 1234, `"authorization_code" must always be included in "allowedGrantTypes"`),
|
||||
sadAllowedScopesCondition(now, 1234, `"openid" must always be included in "allowedScopes"`),
|
||||
sadNoClientSecretsCondition(now, 1234, "no client secret found (no Secret storage found)"),
|
||||
@@ -393,7 +393,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
sadNoClientSecretsCondition(now, 1234, "error reading client secret storage: OIDC client secret storage data has wrong version: OIDC client secret storage has version wrong-version instead of 1"),
|
||||
@@ -416,7 +416,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
sadNoClientSecretsCondition(now, 1234, "no client secret found (empty list in storage)"),
|
||||
@@ -443,7 +443,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
sadInvalidClientSecretsCondition(now, 1234,
|
||||
@@ -477,7 +477,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "client.oauth.pinniped.dev-test1", Generation: 1234, UID: "uid1"},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -489,7 +489,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "client.oauth.pinniped.dev-test2", Generation: 4567, UID: "uid2"},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
sadAllowedGrantTypesCondition(now, 4567, `"authorization_code" must always be included in "allowedGrantTypes"`),
|
||||
sadAllowedScopesCondition(now, 4567, `"openid" must always be included in "allowedScopes"`),
|
||||
sadNoClientSecretsCondition(now, 4567, "no client secret found (no Secret storage found)"),
|
||||
@@ -510,7 +510,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
// was invalid on previous run of controller which observed an old generation at an earlier time
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
sadAllowedGrantTypesCondition(earlier, 1234, `"authorization_code" must always be included in "allowedGrantTypes"`),
|
||||
sadAllowedScopesCondition(earlier, 1234, `"openid" must always be included in "allowedScopes"`),
|
||||
happyClientSecretsCondition(1, earlier, 1234),
|
||||
@@ -525,7 +525,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
// status was updated to reflect the current generation at the current time
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 4567),
|
||||
happyAllowedScopesCondition(now, 4567),
|
||||
happyClientSecretsCondition(1, earlier, 4567), // was already validated earlier
|
||||
@@ -549,7 +549,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
sadAllowedGrantTypesCondition(now, 1234, `"refresh_token" must be included in "allowedGrantTypes" when "offline_access" is included in "allowedScopes"`),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -573,7 +573,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
sadAllowedGrantTypesCondition(now, 1234,
|
||||
`"authorization_code" must always be included in "allowedGrantTypes"; `+
|
||||
`"urn:ietf:params:oauth:grant-type:token-exchange" must be included in "allowedGrantTypes" when "pinniped:request-audience" is included in "allowedScopes"`),
|
||||
@@ -602,7 +602,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
sadAllowedGrantTypesCondition(now, 1234,
|
||||
`"authorization_code" must always be included in "allowedGrantTypes"; `+
|
||||
`"refresh_token" must be included in "allowedGrantTypes" when "offline_access" is included in "allowedScopes"`),
|
||||
@@ -630,7 +630,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
sadAllowedGrantTypesCondition(now, 1234, `"urn:ietf:params:oauth:grant-type:token-exchange" must be included in "allowedGrantTypes" when "pinniped:request-audience" is included in "allowedScopes"`),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -654,7 +654,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
sadAllowedScopesCondition(now, 1234, `"offline_access" must be included in "allowedScopes" when "refresh_token" is included in "allowedGrantTypes"`),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -678,7 +678,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
sadAllowedScopesCondition(now, 1234, `"username" and "groups" must be included in "allowedScopes" when "pinniped:request-audience" is included in "allowedScopes"`),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -702,7 +702,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
sadAllowedScopesCondition(now, 1234, `"username" and "groups" must be included in "allowedScopes" when "pinniped:request-audience" is included in "allowedScopes"`),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -726,7 +726,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
sadAllowedScopesCondition(now, 1234, `"username" and "groups" must be included in "allowedScopes" when "pinniped:request-audience" is included in "allowedScopes"`),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -750,7 +750,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
sadAllowedScopesCondition(now, 1234, `"pinniped:request-audience" must be included in "allowedScopes" when "urn:ietf:params:oauth:grant-type:token-exchange" is included in "allowedGrantTypes"`),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -774,7 +774,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -798,7 +798,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -822,7 +822,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -846,7 +846,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -870,7 +870,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -894,7 +894,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -918,7 +918,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
@@ -942,7 +942,7 @@ func TestOIDCClientWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: configv1alpha1.OIDCClientStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []configv1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAllowedGrantTypesCondition(now, 1234),
|
||||
happyAllowedScopesCondition(now, 1234),
|
||||
happyClientSecretsCondition(1, now, 1234),
|
||||
|
||||
@@ -219,22 +219,22 @@ func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upst
|
||||
ResourceUID: upstream.UID,
|
||||
}
|
||||
|
||||
conditions := []*v1alpha1.Condition{
|
||||
conditions := []*metav1.Condition{
|
||||
c.validateSecret(upstream, &result),
|
||||
c.validateIssuer(ctx.Context, upstream, &result),
|
||||
}
|
||||
if len(rejectedAuthcodeAuthorizeParameters) > 0 {
|
||||
conditions = append(conditions, &v1alpha1.Condition{
|
||||
conditions = append(conditions, &metav1.Condition{
|
||||
Type: typeAdditionalAuthorizeParametersValid,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: reasonDisallowedParameterName,
|
||||
Message: fmt.Sprintf("the following additionalAuthorizeParameters are not allowed: %s",
|
||||
strings.Join(rejectedAuthcodeAuthorizeParameters, ",")),
|
||||
})
|
||||
} else {
|
||||
conditions = append(conditions, &v1alpha1.Condition{
|
||||
conditions = append(conditions, &metav1.Condition{
|
||||
Type: typeAdditionalAuthorizeParametersValid,
|
||||
Status: v1alpha1.ConditionTrue,
|
||||
Status: metav1.ConditionTrue,
|
||||
Reason: upstreamwatchers.ReasonSuccess,
|
||||
Message: allParamNamesAllowedMsg,
|
||||
})
|
||||
@@ -245,7 +245,7 @@ func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upst
|
||||
valid := true
|
||||
log := c.log.WithValues("namespace", upstream.Namespace, "name", upstream.Name)
|
||||
for _, condition := range conditions {
|
||||
if condition.Status == v1alpha1.ConditionFalse {
|
||||
if condition.Status == metav1.ConditionFalse {
|
||||
valid = false
|
||||
log.WithValues(
|
||||
"type", condition.Type,
|
||||
@@ -261,15 +261,15 @@ func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upst
|
||||
}
|
||||
|
||||
// validateSecret validates the .spec.client.secretName field and returns the appropriate ClientCredentialsValid condition.
|
||||
func (c *oidcWatcherController) validateSecret(upstream *v1alpha1.OIDCIdentityProvider, result *upstreamoidc.ProviderConfig) *v1alpha1.Condition {
|
||||
func (c *oidcWatcherController) validateSecret(upstream *v1alpha1.OIDCIdentityProvider, result *upstreamoidc.ProviderConfig) *metav1.Condition {
|
||||
secretName := upstream.Spec.Client.SecretName
|
||||
|
||||
// Fetch the Secret from informer cache.
|
||||
secret, err := c.secretInformer.Lister().Secrets(upstream.Namespace).Get(secretName)
|
||||
if err != nil {
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeClientCredentialsValid,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: upstreamwatchers.ReasonNotFound,
|
||||
Message: err.Error(),
|
||||
}
|
||||
@@ -277,9 +277,9 @@ func (c *oidcWatcherController) validateSecret(upstream *v1alpha1.OIDCIdentityPr
|
||||
|
||||
// Validate the secret .type field.
|
||||
if secret.Type != oidcClientSecretType {
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeClientCredentialsValid,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: upstreamwatchers.ReasonWrongType,
|
||||
Message: fmt.Sprintf("referenced Secret %q has wrong type %q (should be %q)", secretName, secret.Type, oidcClientSecretType),
|
||||
}
|
||||
@@ -289,9 +289,9 @@ func (c *oidcWatcherController) validateSecret(upstream *v1alpha1.OIDCIdentityPr
|
||||
clientID := secret.Data[clientIDDataKey]
|
||||
clientSecret := secret.Data[clientSecretDataKey]
|
||||
if len(clientID) == 0 || len(clientSecret) == 0 {
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeClientCredentialsValid,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: upstreamwatchers.ReasonMissingKeys,
|
||||
Message: fmt.Sprintf("referenced Secret %q is missing required keys %q", secretName, []string{clientIDDataKey, clientSecretDataKey}),
|
||||
}
|
||||
@@ -300,16 +300,16 @@ func (c *oidcWatcherController) validateSecret(upstream *v1alpha1.OIDCIdentityPr
|
||||
// If everything is valid, update the result and set the condition to true.
|
||||
result.Config.ClientID = string(clientID)
|
||||
result.Config.ClientSecret = string(clientSecret)
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeClientCredentialsValid,
|
||||
Status: v1alpha1.ConditionTrue,
|
||||
Status: metav1.ConditionTrue,
|
||||
Reason: upstreamwatchers.ReasonSuccess,
|
||||
Message: "loaded client credentials",
|
||||
}
|
||||
}
|
||||
|
||||
// validateIssuer validates the .spec.issuer field, performs OIDC discovery, and returns the appropriate OIDCDiscoverySucceeded condition.
|
||||
func (c *oidcWatcherController) validateIssuer(ctx context.Context, upstream *v1alpha1.OIDCIdentityProvider, result *upstreamoidc.ProviderConfig) *v1alpha1.Condition {
|
||||
func (c *oidcWatcherController) validateIssuer(ctx context.Context, upstream *v1alpha1.OIDCIdentityProvider, result *upstreamoidc.ProviderConfig) *metav1.Condition {
|
||||
// Get the provider and HTTP Client from cache if possible.
|
||||
discoveredProvider, httpClient := c.validatorCache.getProvider(&upstream.Spec)
|
||||
|
||||
@@ -318,9 +318,9 @@ func (c *oidcWatcherController) validateIssuer(ctx context.Context, upstream *v1
|
||||
var err error
|
||||
httpClient, err = getClient(upstream)
|
||||
if err != nil {
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeOIDCDiscoverySucceeded,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: upstreamwatchers.ReasonInvalidTLSConfig,
|
||||
Message: err.Error(),
|
||||
}
|
||||
@@ -338,9 +338,9 @@ func (c *oidcWatcherController) validateIssuer(ctx context.Context, upstream *v1
|
||||
"name", upstream.Name,
|
||||
"issuer", upstream.Spec.Issuer,
|
||||
).Error(err, "failed to perform OIDC discovery")
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeOIDCDiscoverySucceeded,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: reasonUnreachable,
|
||||
Message: fmt.Sprintf("failed to perform OIDC discovery against %q:\n%s", upstream.Spec.Issuer, truncateMostLongErr(err)),
|
||||
}
|
||||
@@ -357,9 +357,9 @@ func (c *oidcWatcherController) validateIssuer(ctx context.Context, upstream *v1
|
||||
}
|
||||
if err := discoveredProvider.Claims(&additionalDiscoveryClaims); err != nil {
|
||||
// This shouldn't actually happen because the above call to NewProvider() would have already returned this error.
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeOIDCDiscoverySucceeded,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: reasonInvalidResponse,
|
||||
Message: fmt.Sprintf("failed to unmarshal OIDC discovery response from %q:\n%s", upstream.Spec.Issuer, truncateMostLongErr(err)),
|
||||
}
|
||||
@@ -400,15 +400,15 @@ func (c *oidcWatcherController) validateIssuer(ctx context.Context, upstream *v1
|
||||
result.Config.Endpoint = discoveredProvider.Endpoint()
|
||||
result.Provider = discoveredProvider
|
||||
result.Client = httpClient
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeOIDCDiscoverySucceeded,
|
||||
Status: v1alpha1.ConditionTrue,
|
||||
Status: metav1.ConditionTrue,
|
||||
Reason: upstreamwatchers.ReasonSuccess,
|
||||
Message: "discovered issuer configuration",
|
||||
}
|
||||
}
|
||||
|
||||
func (c *oidcWatcherController) updateStatus(ctx context.Context, upstream *v1alpha1.OIDCIdentityProvider, conditions []*v1alpha1.Condition) {
|
||||
func (c *oidcWatcherController) updateStatus(ctx context.Context, upstream *v1alpha1.OIDCIdentityProvider, conditions []*metav1.Condition) {
|
||||
log := c.log.WithValues("namespace", upstream.Namespace, "name", upstream.Name)
|
||||
updated := upstream.DeepCopy()
|
||||
|
||||
@@ -485,28 +485,28 @@ func truncateMostLongErr(err error) string {
|
||||
return msg[:max] + fmt.Sprintf(" [truncated %d chars]", len(msg)-max)
|
||||
}
|
||||
|
||||
func validateHTTPSURL(maybeHTTPSURL, endpointType, reason string) (*url.URL, *v1alpha1.Condition) {
|
||||
func validateHTTPSURL(maybeHTTPSURL, endpointType, reason string) (*url.URL, *metav1.Condition) {
|
||||
parsedURL, err := url.Parse(maybeHTTPSURL)
|
||||
if err != nil {
|
||||
return nil, &v1alpha1.Condition{
|
||||
return nil, &metav1.Condition{
|
||||
Type: typeOIDCDiscoverySucceeded,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: reason,
|
||||
Message: fmt.Sprintf("failed to parse %s URL: %v", endpointType, truncateMostLongErr(err)),
|
||||
}
|
||||
}
|
||||
if parsedURL.Scheme != "https" {
|
||||
return nil, &v1alpha1.Condition{
|
||||
return nil, &metav1.Condition{
|
||||
Type: typeOIDCDiscoverySucceeded,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: reason,
|
||||
Message: fmt.Sprintf(`%s URL '%s' must have "https" scheme, not %q`, endpointType, maybeHTTPSURL, parsedURL.Scheme),
|
||||
}
|
||||
}
|
||||
if len(parsedURL.Query()) != 0 || parsedURL.Fragment != "" {
|
||||
return nil, &v1alpha1.Condition{
|
||||
return nil, &metav1.Condition{
|
||||
Type: typeOIDCDiscoverySucceeded,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: reason,
|
||||
Message: fmt.Sprintf(`%s URL '%s' cannot contain query or fragment component`, endpointType, maybeHTTPSURL),
|
||||
}
|
||||
|
||||
@@ -123,7 +123,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
|
||||
require.NoError(t, err)
|
||||
wrongCABase64 := base64.StdEncoding.EncodeToString(wrongCA.Bundle())
|
||||
|
||||
happyAdditionalAuthorizeParametersValidCondition := v1alpha1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition := metav1.Condition{
|
||||
Type: "AdditionalAuthorizeParametersValid",
|
||||
Status: "True",
|
||||
Reason: "Success",
|
||||
@@ -184,7 +184,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -231,7 +231,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -277,7 +277,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -326,7 +326,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -375,7 +375,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -421,7 +421,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -467,7 +467,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -513,7 +513,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -559,7 +559,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -607,7 +607,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -655,7 +655,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -702,7 +702,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -749,7 +749,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -796,7 +796,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -843,7 +843,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -890,7 +890,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -937,7 +937,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -973,7 +973,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{Type: "ClientCredentialsValid", Status: "False", LastTransitionTime: earlier, Reason: "SomeError1", Message: "some previous error 1"},
|
||||
{Type: "OIDCDiscoverySucceeded", Status: "False", LastTransitionTime: earlier, Reason: "SomeError2", Message: "some previous error 2"},
|
||||
},
|
||||
@@ -1008,7 +1008,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, UID: testUID},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "loaded client credentials"},
|
||||
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "discovered issuer configuration"},
|
||||
@@ -1028,7 +1028,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidConditionEarlier,
|
||||
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"},
|
||||
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"},
|
||||
@@ -1064,7 +1064,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{Type: "AdditionalAuthorizeParametersValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "additionalAuthorizeParameters parameter names are allowed", ObservedGeneration: 1234},
|
||||
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
|
||||
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
|
||||
@@ -1084,7 +1084,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidConditionEarlier,
|
||||
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"},
|
||||
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"},
|
||||
@@ -1120,7 +1120,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{Type: "AdditionalAuthorizeParametersValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "additionalAuthorizeParameters parameter names are allowed", ObservedGeneration: 1234},
|
||||
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
|
||||
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
|
||||
@@ -1143,7 +1143,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidConditionEarlier,
|
||||
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"},
|
||||
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"},
|
||||
@@ -1179,7 +1179,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{Type: "AdditionalAuthorizeParametersValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "additionalAuthorizeParameters parameter names are allowed", ObservedGeneration: 1234},
|
||||
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
|
||||
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
|
||||
@@ -1210,7 +1210,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidConditionEarlier,
|
||||
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"},
|
||||
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"},
|
||||
@@ -1248,7 +1248,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{Type: "AdditionalAuthorizeParametersValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "additionalAuthorizeParameters parameter names are allowed", ObservedGeneration: 1234},
|
||||
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
|
||||
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
|
||||
@@ -1297,7 +1297,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
{Type: "AdditionalAuthorizeParametersValid", Status: "False", LastTransitionTime: now, Reason: "DisallowedParameterName",
|
||||
Message: "the following additionalAuthorizeParameters are not allowed: " +
|
||||
"response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri,hd", ObservedGeneration: 1234},
|
||||
@@ -1335,7 +1335,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
@@ -1384,7 +1384,7 @@ oidc: issuer did not match the issuer returned by provider, expected "` + testIs
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
Conditions: []metav1.Condition{
|
||||
happyAdditionalAuthorizeParametersValidCondition,
|
||||
{
|
||||
Type: "ClientCredentialsValid",
|
||||
|
||||
@@ -11,6 +11,7 @@ import (
|
||||
"time"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
corev1informers "k8s.io/client-go/informers/core/v1"
|
||||
|
||||
"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
|
||||
@@ -60,7 +61,7 @@ type ValidatedSettings struct {
|
||||
// can keep writing them to the status in the future. This matters most when the first attempt
|
||||
// to write them to the IDP's status fails. In this case, future Syncs calls will be able to
|
||||
// use these cached values to try writing them again.
|
||||
ConnectionValidCondition, SearchBaseFoundCondition *v1alpha1.Condition
|
||||
ConnectionValidCondition, SearchBaseFoundCondition *metav1.Condition
|
||||
}
|
||||
|
||||
// ValidatedSettingsCacheI is an interface for an in-memory cache with an entry for each upstream
|
||||
@@ -113,7 +114,7 @@ type UpstreamGenericLDAPSpec interface {
|
||||
BindSecretName() string
|
||||
UserSearch() UpstreamGenericLDAPUserSearch
|
||||
GroupSearch() UpstreamGenericLDAPGroupSearch
|
||||
DetectAndSetSearchBase(ctx context.Context, config *upstreamldap.ProviderConfig) *v1alpha1.Condition
|
||||
DetectAndSetSearchBase(ctx context.Context, config *upstreamldap.ProviderConfig) *metav1.Condition
|
||||
}
|
||||
|
||||
type UpstreamGenericLDAPUserSearch interface {
|
||||
@@ -131,10 +132,10 @@ type UpstreamGenericLDAPGroupSearch interface {
|
||||
}
|
||||
|
||||
type UpstreamGenericLDAPStatus interface {
|
||||
Conditions() []v1alpha1.Condition
|
||||
Conditions() []metav1.Condition
|
||||
}
|
||||
|
||||
func ValidateTLSConfig(tlsSpec *v1alpha1.TLSSpec, config *upstreamldap.ProviderConfig) *v1alpha1.Condition {
|
||||
func ValidateTLSConfig(tlsSpec *v1alpha1.TLSSpec, config *upstreamldap.ProviderConfig) *metav1.Condition {
|
||||
if tlsSpec == nil {
|
||||
return validTLSCondition(noTLSConfigurationMessage)
|
||||
}
|
||||
@@ -162,7 +163,7 @@ func TestConnection(
|
||||
bindSecretName string,
|
||||
config *upstreamldap.ProviderConfig,
|
||||
currentSecretVersion string,
|
||||
) *v1alpha1.Condition {
|
||||
) *metav1.Condition {
|
||||
// First try using TLS.
|
||||
config.ConnectionProtocol = upstreamldap.TLS
|
||||
tlsLDAPProvider := upstreamldap.New(*config)
|
||||
@@ -187,57 +188,57 @@ func TestConnection(
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeLDAPConnectionValid,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: reasonLDAPConnectionError,
|
||||
Message: fmt.Sprintf(`could not successfully connect to "%s" and bind as user "%s": %s`,
|
||||
config.Host, config.BindUsername, err.Error()),
|
||||
}
|
||||
}
|
||||
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeLDAPConnectionValid,
|
||||
Status: v1alpha1.ConditionTrue,
|
||||
Status: metav1.ConditionTrue,
|
||||
Reason: ReasonSuccess,
|
||||
Message: fmt.Sprintf(`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
|
||||
config.Host, config.BindUsername, bindSecretName, currentSecretVersion),
|
||||
}
|
||||
}
|
||||
|
||||
func validTLSCondition(message string) *v1alpha1.Condition {
|
||||
return &v1alpha1.Condition{
|
||||
func validTLSCondition(message string) *metav1.Condition {
|
||||
return &metav1.Condition{
|
||||
Type: typeTLSConfigurationValid,
|
||||
Status: v1alpha1.ConditionTrue,
|
||||
Status: metav1.ConditionTrue,
|
||||
Reason: ReasonSuccess,
|
||||
Message: message,
|
||||
}
|
||||
}
|
||||
|
||||
func invalidTLSCondition(message string) *v1alpha1.Condition {
|
||||
return &v1alpha1.Condition{
|
||||
func invalidTLSCondition(message string) *metav1.Condition {
|
||||
return &metav1.Condition{
|
||||
Type: typeTLSConfigurationValid,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: ReasonInvalidTLSConfig,
|
||||
Message: message,
|
||||
}
|
||||
}
|
||||
|
||||
func ValidateSecret(secretInformer corev1informers.SecretInformer, secretName string, secretNamespace string, config *upstreamldap.ProviderConfig) (*v1alpha1.Condition, string) {
|
||||
func ValidateSecret(secretInformer corev1informers.SecretInformer, secretName string, secretNamespace string, config *upstreamldap.ProviderConfig) (*metav1.Condition, string) {
|
||||
secret, err := secretInformer.Lister().Secrets(secretNamespace).Get(secretName)
|
||||
if err != nil {
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeBindSecretValid,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: ReasonNotFound,
|
||||
Message: err.Error(),
|
||||
}, ""
|
||||
}
|
||||
|
||||
if secret.Type != corev1.SecretTypeBasicAuth {
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeBindSecretValid,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: ReasonWrongType,
|
||||
Message: fmt.Sprintf("referenced Secret %q has wrong type %q (should be %q)",
|
||||
secretName, secret.Type, corev1.SecretTypeBasicAuth),
|
||||
@@ -247,18 +248,18 @@ func ValidateSecret(secretInformer corev1informers.SecretInformer, secretName st
|
||||
config.BindUsername = string(secret.Data[corev1.BasicAuthUsernameKey])
|
||||
config.BindPassword = string(secret.Data[corev1.BasicAuthPasswordKey])
|
||||
if len(config.BindUsername) == 0 || len(config.BindPassword) == 0 {
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeBindSecretValid,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Status: metav1.ConditionFalse,
|
||||
Reason: ReasonMissingKeys,
|
||||
Message: fmt.Sprintf("referenced Secret %q is missing required keys %q",
|
||||
secretName, []string{corev1.BasicAuthUsernameKey, corev1.BasicAuthPasswordKey}),
|
||||
}, secret.ResourceVersion
|
||||
}
|
||||
|
||||
return &v1alpha1.Condition{
|
||||
return &metav1.Condition{
|
||||
Type: typeBindSecretValid,
|
||||
Status: v1alpha1.ConditionTrue,
|
||||
Status: metav1.ConditionTrue,
|
||||
Reason: ReasonSuccess,
|
||||
Message: "loaded bind secret",
|
||||
}, secret.ResourceVersion
|
||||
@@ -266,7 +267,7 @@ func ValidateSecret(secretInformer corev1informers.SecretInformer, secretName st
|
||||
|
||||
// gradatedCondition is a condition and a boolean that tells you whether the condition is fatal or just a warning.
|
||||
type gradatedCondition struct {
|
||||
condition *v1alpha1.Condition
|
||||
condition *metav1.Condition
|
||||
isFatal bool
|
||||
}
|
||||
|
||||
@@ -275,15 +276,15 @@ type GradatedConditions struct {
|
||||
gradatedConditions []gradatedCondition
|
||||
}
|
||||
|
||||
func (g *GradatedConditions) Conditions() []*v1alpha1.Condition {
|
||||
conditions := []*v1alpha1.Condition{}
|
||||
func (g *GradatedConditions) Conditions() []*metav1.Condition {
|
||||
conditions := []*metav1.Condition{}
|
||||
for _, gc := range g.gradatedConditions {
|
||||
conditions = append(conditions, gc.condition)
|
||||
}
|
||||
return conditions
|
||||
}
|
||||
|
||||
func (g *GradatedConditions) Append(condition *v1alpha1.Condition, isFatal bool) {
|
||||
func (g *GradatedConditions) Append(condition *metav1.Condition, isFatal bool) {
|
||||
g.gradatedConditions = append(g.gradatedConditions, gradatedCondition{condition: condition, isFatal: isFatal})
|
||||
}
|
||||
|
||||
@@ -302,9 +303,9 @@ func ValidateGenericLDAP(
|
||||
tlsValidCondition := ValidateTLSConfig(upstream.Spec().TLSSpec(), config)
|
||||
conditions.Append(tlsValidCondition, true)
|
||||
|
||||
var ldapConnectionValidCondition, searchBaseFoundCondition *v1alpha1.Condition
|
||||
var ldapConnectionValidCondition, searchBaseFoundCondition *metav1.Condition
|
||||
// No point in trying to connect to the server if the config was already determined to be invalid.
|
||||
if secretValidCondition.Status == v1alpha1.ConditionTrue && tlsValidCondition.Status == v1alpha1.ConditionTrue {
|
||||
if secretValidCondition.Status == metav1.ConditionTrue && tlsValidCondition.Status == metav1.ConditionTrue {
|
||||
ldapConnectionValidCondition, searchBaseFoundCondition = validateAndSetLDAPServerConnectivityAndSearchBase(ctx, validatedSettingsCache, upstream, config, currentSecretVersion)
|
||||
conditions.Append(ldapConnectionValidCondition, false)
|
||||
if searchBaseFoundCondition != nil { // currently, only used for AD, so may be nil
|
||||
@@ -320,9 +321,9 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
|
||||
upstream UpstreamGenericLDAPIDP,
|
||||
config *upstreamldap.ProviderConfig,
|
||||
currentSecretVersion string,
|
||||
) (*v1alpha1.Condition, *v1alpha1.Condition) {
|
||||
) (*metav1.Condition, *metav1.Condition) {
|
||||
validatedSettings, hasPreviousValidatedSettings := validatedSettingsCache.Get(upstream.Name(), currentSecretVersion, upstream.Generation())
|
||||
var ldapConnectionValidCondition, searchBaseFoundCondition *v1alpha1.Condition
|
||||
var ldapConnectionValidCondition, searchBaseFoundCondition *metav1.Condition
|
||||
|
||||
if hasPreviousValidatedSettings && validatedSettings.UserSearchBase != "" && validatedSettings.GroupSearchBase != "" {
|
||||
// Found previously validated settings in the cache (which is also not missing search base fields), so use them.
|
||||
@@ -344,8 +345,8 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
|
||||
// When there were no failures, write the newly validated settings to the cache.
|
||||
// It's okay for the search base condition to be nil, since it's only used by Active Directory providers,
|
||||
// but if it exists make sure it was not a failure.
|
||||
if ldapConnectionValidCondition.Status == v1alpha1.ConditionTrue &&
|
||||
(searchBaseFoundCondition == nil || (searchBaseFoundCondition.Status == v1alpha1.ConditionTrue)) {
|
||||
if ldapConnectionValidCondition.Status == metav1.ConditionTrue &&
|
||||
(searchBaseFoundCondition == nil || (searchBaseFoundCondition.Status == metav1.ConditionTrue)) {
|
||||
// Remember (in-memory for this pod) that the controller has successfully validated the LDAP or AD provider
|
||||
// using this version of the Secret. This is for performance reasons, to avoid attempting to connect to
|
||||
// the LDAP server more than is needed. If the pod restarts, it will attempt this validation again.
|
||||
@@ -366,14 +367,14 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
|
||||
|
||||
func EvaluateConditions(conditions GradatedConditions, config *upstreamldap.ProviderConfig) (provider.UpstreamLDAPIdentityProviderI, bool) {
|
||||
for _, gradatedCondition := range conditions.gradatedConditions {
|
||||
if gradatedCondition.condition.Status != v1alpha1.ConditionTrue && gradatedCondition.isFatal {
|
||||
if gradatedCondition.condition.Status != metav1.ConditionTrue && gradatedCondition.isFatal {
|
||||
// Invalid provider, so do not load it into the cache.
|
||||
return nil, true
|
||||
}
|
||||
}
|
||||
|
||||
for _, gradatedCondition := range conditions.gradatedConditions {
|
||||
if gradatedCondition.condition.Status != v1alpha1.ConditionTrue && !gradatedCondition.isFatal {
|
||||
if gradatedCondition.condition.Status != metav1.ConditionTrue && !gradatedCondition.isFatal {
|
||||
// Error but load it into the cache anyway, treating this condition failure more like a warning.
|
||||
// Try again hoping that the condition will improve.
|
||||
return upstreamldap.New(*config), true
|
||||
|
||||
Reference in New Issue
Block a user