add Unknown SearchBaseFound status condition for AD only

2026-01-03 11:45:45 +00:00 · 2024-08-06 12:40:19 -07:00
parent afa3aa2232
commit 6b49cd7d28
5 changed files with 80 additions and 43 deletions
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@@ -118,6 +118,15 @@ func (s *activeDirectoryUpstreamGenericLDAPSpec) GroupSearch() upstreamwatchers.
 	return &activeDirectoryUpstreamGenericLDAPGroupSearch{s.activeDirectoryIdentityProvider.Spec.GroupSearch}
 }

+func (s *activeDirectoryUpstreamGenericLDAPSpec) UnknownSearchBaseCondition() *metav1.Condition {
+	return &metav1.Condition{
+		Type:    upstreamwatchers.TypeSearchBaseFound,
+		Status:  metav1.ConditionUnknown,
+		Reason:  conditionsutil.ReasonUnableToValidate,
+		Message: conditionsutil.MessageUnableToValidate,
+	}
+}
+
 func (s *activeDirectoryUpstreamGenericLDAPSpec) DetectAndSetSearchBase(ctx context.Context, config *upstreamldap.ProviderConfig) *metav1.Condition {
 	config.GroupSearch.Base = s.activeDirectoryIdentityProvider.Spec.GroupSearch.Base
 	config.UserSearch.Base = s.activeDirectoryIdentityProvider.Spec.UserSearch.Base
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
@@ -366,6 +366,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 			ObservedGeneration: gen,
 		}
 	}
+
 	activeDirectoryConnectionValidTrueCondition := func(gen int64, secretVersion string) metav1.Condition {
 		return metav1.Condition{
 			Type:               "LDAPConnectionValid",
@@ -383,6 +384,17 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		c.LastTransitionTime = metav1.Time{}
 		return c
 	}
+	ldapConnectionValidUnknownCondition := func(gen int64) metav1.Condition {
+		return metav1.Condition{
+			Type:               "LDAPConnectionValid",
+			Status:             "Unknown",
+			LastTransitionTime: now,
+			Reason:             "UnableToValidate",
+			Message:            "unable to validate; see other conditions for details",
+			ObservedGeneration: gen,
+		}
+	}
+
 	condPtr := func(c metav1.Condition) *metav1.Condition {
 		return &c
 	}
@@ -391,6 +403,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		c.LastTransitionTime = metav1.Time{}
 		return c
 	}
+
 	tlsConfigurationValidLoadedTrueCondition := func(gen int64, msg string) metav1.Condition {
 		return metav1.Condition{
 			Type:               "TLSConfigurationValid",
@@ -402,17 +415,6 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		}
 	}

-	ldapConnectionValidUnknown := func(gen int64) metav1.Condition {
-		return metav1.Condition{
-			Type:               "LDAPConnectionValid",
-			Status:             "Unknown",
-			LastTransitionTime: now,
-			Reason:             "UnableToValidate",
-			Message:            "unable to validate; see other conditions for details",
-			ObservedGeneration: gen,
-		}
-	}
-
 	searchBaseFoundInRootDSECondition := func(gen int64) metav1.Condition {
 		return metav1.Condition{
 			Type:               "SearchBaseFound",
@@ -446,6 +448,17 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		}
 	}

+	searchBaseFoundUnknownCondition := func(gen int64) metav1.Condition {
+		return metav1.Condition{
+			Type:               "SearchBaseFound",
+			Status:             "Unknown",
+			LastTransitionTime: now,
+			Reason:             "UnableToValidate",
+			Message:            "unable to validate; see other conditions for details",
+			ObservedGeneration: gen,
+		}
+	}
+
 	allConditionsTrue := func(gen int64, secretVersion string) []metav1.Condition {
 		return []metav1.Condition{
 			bindSecretValidTrueCondition(gen),
@@ -674,7 +687,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`secret "%s" not found`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
-						ldapConnectionValidUnknown(1234),
+						ldapConnectionValidUnknownCondition(1234),
+						searchBaseFoundUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -703,7 +717,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`referenced Secret "%s" has wrong type "some-other-type" (should be "kubernetes.io/basic-auth")`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
-						ldapConnectionValidUnknown(1234),
+						ldapConnectionValidUnknownCondition(1234),
+						searchBaseFoundUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -731,7 +746,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`referenced Secret "%s" is missing required keys ["username" "password"]`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
-						ldapConnectionValidUnknown(1234),
+						ldapConnectionValidUnknownCondition(1234),
+						searchBaseFoundUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -751,7 +767,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					Phase: "Error",
 					Conditions: []metav1.Condition{
 						bindSecretValidTrueCondition(1234),
-						ldapConnectionValidUnknown(1234),
+						ldapConnectionValidUnknownCondition(1234),
+						searchBaseFoundUnknownCondition(1234),
 						{
 							Type:               "TLSConfigurationValid",
 							Status:             "False",
@@ -778,7 +795,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					Phase: "Error",
 					Conditions: []metav1.Condition{
 						bindSecretValidTrueCondition(1234),
-						ldapConnectionValidUnknown(1234),
+						ldapConnectionValidUnknownCondition(1234),
+						searchBaseFoundUnknownCondition(1234),
 						{
 							Type:               "TLSConfigurationValid",
 							Status:             "False",
@@ -1174,7 +1192,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 								Message:            fmt.Sprintf(`secret "%s" not found`, "non-existent-secret"),
 								ObservedGeneration: 42,
 							},
-							ldapConnectionValidUnknown(42),
+							ldapConnectionValidUnknownCondition(42),
+							searchBaseFoundUnknownCondition(42),
 							tlsConfigurationValidLoadedTrueCondition(42, "using configured CA bundle"),
 						},
 					},
--- a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
@@ -74,10 +74,14 @@ func (s *ldapUpstreamGenericLDAPSpec) GroupSearch() upstreamwatchers.UpstreamGen
 	return &ldapUpstreamGenericLDAPGroupSearch{s.ldapIdentityProvider.Spec.GroupSearch}
 }

+func (s *ldapUpstreamGenericLDAPSpec) UnknownSearchBaseCondition() *metav1.Condition {
+	return nil // currently, only AD returns a condition for this
+}
+
 func (s *ldapUpstreamGenericLDAPSpec) DetectAndSetSearchBase(_ context.Context, config *upstreamldap.ProviderConfig) *metav1.Condition {
 	config.GroupSearch.Base = s.ldapIdentityProvider.Spec.GroupSearch.Base
 	config.UserSearch.Base = s.ldapIdentityProvider.Spec.UserSearch.Base
-	return nil
+	return nil // currently, only AD returns a condition for this
 }

 type ldapUpstreamGenericLDAPUserSearch struct {
--- a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
@@ -363,6 +363,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 			ObservedGeneration: gen,
 		}
 	}
+
 	ldapConnectionValidTrueCondition := func(gen int64, secretVersion string) metav1.Condition {
 		return metav1.Condition{
 			Type:               "LDAPConnectionValid",
@@ -380,9 +381,21 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 		c.LastTransitionTime = metav1.Time{}
 		return c
 	}
+	ldapConnectionValidUnknownCondition := func(gen int64) metav1.Condition {
+		return metav1.Condition{
+			Type:               "LDAPConnectionValid",
+			Status:             "Unknown",
+			LastTransitionTime: now,
+			Reason:             "UnableToValidate",
+			Message:            "unable to validate; see other conditions for details",
+			ObservedGeneration: gen,
+		}
+	}
+
 	condPtr := func(c metav1.Condition) *metav1.Condition {
 		return &c
 	}
+
 	tlsConfigurationValidLoadedTrueCondition := func(gen int64, msg string) metav1.Condition {
 		return metav1.Condition{
 			Type:               "TLSConfigurationValid",
@@ -394,17 +407,6 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 		}
 	}

-	ldapConnectionValidUnknown := func(gen int64) metav1.Condition {
-		return metav1.Condition{
-			Type:               "LDAPConnectionValid",
-			Status:             "Unknown",
-			LastTransitionTime: now,
-			Reason:             "UnableToValidate",
-			Message:            "unable to validate; see other conditions for details",
-			ObservedGeneration: gen,
-		}
-	}
-
 	allConditionsTrue := func(gen int64, secretVersion string) []metav1.Condition {
 		return []metav1.Condition{
 			bindSecretValidTrueCondition(gen),
@@ -600,7 +602,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`secret "%s" not found`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
-						ldapConnectionValidUnknown(1234),
+						ldapConnectionValidUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -629,7 +631,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`referenced Secret "%s" has wrong type "some-other-type" (should be "kubernetes.io/basic-auth")`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
-						ldapConnectionValidUnknown(1234),
+						ldapConnectionValidUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -657,7 +659,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`referenced Secret "%s" is missing required keys ["username" "password"]`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
-						ldapConnectionValidUnknown(1234),
+						ldapConnectionValidUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -677,7 +679,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 					Phase: "Error",
 					Conditions: []metav1.Condition{
 						bindSecretValidTrueCondition(1234),
-						ldapConnectionValidUnknown(1234),
+						ldapConnectionValidUnknownCondition(1234),
 						{
 							Type:               "TLSConfigurationValid",
 							Status:             "False",
@@ -704,7 +706,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 					Phase: "Error",
 					Conditions: []metav1.Condition{
 						bindSecretValidTrueCondition(1234),
-						ldapConnectionValidUnknown(1234),
+						ldapConnectionValidUnknownCondition(1234),
 						{
 							Type:               "TLSConfigurationValid",
 							Status:             "False",
@@ -998,7 +1000,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 								Message:            fmt.Sprintf(`secret "%s" not found`, "non-existent-secret"),
 								ObservedGeneration: 42,
 							},
-							ldapConnectionValidUnknown(42),
+							ldapConnectionValidUnknownCondition(42),
 							tlsConfigurationValidLoadedTrueCondition(42, "using configured CA bundle"),
 						},
 					},
--- a/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
+++ b/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
@@ -108,6 +108,7 @@ type UpstreamGenericLDAPSpec interface {
 	UserSearch() UpstreamGenericLDAPUserSearch
 	GroupSearch() UpstreamGenericLDAPGroupSearch
 	DetectAndSetSearchBase(ctx context.Context, config *upstreamldap.ProviderConfig) *metav1.Condition
+	UnknownSearchBaseCondition() *metav1.Condition
 }

 type UpstreamGenericLDAPUserSearch interface {
@@ -261,21 +262,23 @@ func ValidateGenericLDAP(
 	var ldapConnectionValidCondition, searchBaseFoundCondition *metav1.Condition
 	// No point in trying to connect to the server if the config was already determined to be invalid.
 	if secretValidCondition.Status == metav1.ConditionTrue && tlsValidCondition.Status == metav1.ConditionTrue {
-		ldapConnectionValidCondition, searchBaseFoundCondition = validateAndSetLDAPServerConnectivityAndSearchBase(ctx, validatedSettingsCache, upstream, config, currentSecretVersion)
-		conditions.Append(ldapConnectionValidCondition, false)
-		// TODO: For AD, hould we add a condition of type SearchBaseFoundCondition when we can't validate the bind secret or TLS config???
-		if searchBaseFoundCondition != nil { // currently, only used for AD, so may be nil
-			conditions.Append(searchBaseFoundCondition, true)
-		}
+		ldapConnectionValidCondition, searchBaseFoundCondition = validateAndSetLDAPServerConnectivityAndSearchBase(
+			ctx, validatedSettingsCache, upstream, config, currentSecretVersion)
 	} else {
-		connectionUnknownCondition := &metav1.Condition{
+		ldapConnectionValidCondition = &metav1.Condition{
 			Type:    typeLDAPConnectionValid,
 			Status:  metav1.ConditionUnknown,
 			Reason:  conditionsutil.ReasonUnableToValidate,
 			Message: conditionsutil.MessageUnableToValidate,
 		}
-		conditions.Append(connectionUnknownCondition, true)
+		searchBaseFoundCondition = upstream.Spec().UnknownSearchBaseCondition()
 	}
+	// Append the conditions calculated by the if/else above.
+	conditions.Append(ldapConnectionValidCondition, false)
+	if searchBaseFoundCondition != nil { // currently, only used for AD, so may be nil
+		conditions.Append(searchBaseFoundCondition, true)
+	}
+
 	return conditions
 }