add code review todos and light refactoring

Co-authored-by: Ryan Richard <richardry@vmware.com>
2026-01-08 15:21:55 +00:00 · 2024-07-18 09:32:48 -05:00
parent 1b7a26d932
commit 6e9023e090
11 changed files with 142 additions and 116 deletions
--- a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go
@@ -282,6 +282,7 @@ func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx contro
 	tlsConfigCondition, certPool := c.validateTLSConfiguration(upstream.Spec.GitHubAPI.TLS)
 	conditions = append(conditions, tlsConfigCondition)

+	// TODO: skip this if it is already validated for this same spec and CA bundle (or perhaps hash of CA bundle)
 	githubConnectionCondition, hostURL, httpClient, githubConnectionErr := c.validateGitHubConnection(
 		hostPort,
 		certPool,
@@ -373,7 +374,7 @@ func validateHost(gitHubAPIConfig idpv1alpha1.GitHubAPIConfig) (*metav1.Conditio
 }

 func (c *gitHubWatcherController) validateTLSConfiguration(tlsSpec *idpv1alpha1.TLSSpec) (*metav1.Condition, *x509.CertPool) {
-	tlsCondition, _, certPool, _ := tlsconfigutil.ValidateTLSConfig(
+	tlsCondition, _, certPool := tlsconfigutil.ValidateTLSConfig(
 		tlsconfigutil.TLSSpecForSupervisor(tlsSpec),
 		"spec.githubAPI.tls",
 		c.namespace,
--- a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher_test.go
@@ -2347,9 +2347,8 @@ func TestGitHubUpstreamWatcherControllerFilterSecret(t *testing.T) {
 			var log bytes.Buffer
 			logger := plog.TestLogger(t, &log)

-			secretInformer := kubeInformers.Core().V1().Secrets()
-			configMapInformer := kubeInformers.Core().V1().ConfigMaps()
 			observableInformers := testutil.NewObservableWithInformerOption()
+			secretInformer := kubeInformers.Core().V1().Secrets()

 			_ = New(
 				"some-namespace",
@@ -2357,7 +2356,7 @@ func TestGitHubUpstreamWatcherControllerFilterSecret(t *testing.T) {
 				supervisorfake.NewSimpleClientset(),
 				supervisorinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders(),
 				secretInformer,
-				configMapInformer,
+				kubeInformers.Core().V1().ConfigMaps(),
 				logger,
 				observableInformers.WithInformer,
 				clock.RealClock{},
@@ -2390,7 +2389,7 @@ func TestGitHubUpstreamWatcherControllerFilterConfigMaps(t *testing.T) {
 		wantDelete bool
 	}{
 		{
-			name:       "a configMap in the right namespace",
+			name:       "any ConfigMap",
 			cm:         goodCM,
 			wantAdd:    true,
 			wantUpdate: true,
@@ -2404,16 +2403,14 @@ func TestGitHubUpstreamWatcherControllerFilterConfigMaps(t *testing.T) {
 			var log bytes.Buffer
 			logger := plog.TestLogger(t, &log)

-			gitHubIdentityProviderInformer := supervisorinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders()
 			observableInformers := testutil.NewObservableWithInformerOption()
-
 			configMapInformer := k8sinformers.NewSharedInformerFactoryWithOptions(kubernetesfake.NewSimpleClientset(), 0).Core().V1().ConfigMaps()

 			_ = New(
 				namespace,
 				dynamicupstreamprovider.NewDynamicUpstreamIDPProvider(),
 				supervisorfake.NewSimpleClientset(),
-				gitHubIdentityProviderInformer,
+				supervisorinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders(),
 				k8sinformers.NewSharedInformerFactoryWithOptions(kubernetesfake.NewSimpleClientset(), 0).Core().V1().Secrets(),
 				configMapInformer,
 				logger,
@@ -2448,7 +2445,7 @@ func TestGitHubUpstreamWatcherControllerFilterGitHubIDP(t *testing.T) {
 		wantDelete bool
 	}{
 		{
-			name:       "an IDP in the right namespace",
+			name:       "any GitHubIdentityProvider",
 			idp:        goodIDP,
 			wantAdd:    true,
 			wantUpdate: true,
@@ -2462,8 +2459,8 @@ func TestGitHubUpstreamWatcherControllerFilterGitHubIDP(t *testing.T) {
 			var log bytes.Buffer
 			logger := plog.TestLogger(t, &log)

-			gitHubIdentityProviderInformer := supervisorinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders()
 			observableInformers := testutil.NewObservableWithInformerOption()
+			gitHubIdentityProviderInformer := supervisorinformers.NewSharedInformerFactory(supervisorfake.NewSimpleClientset(), 0).IDP().V1alpha1().GitHubIdentityProviders()

 			_ = New(
 				namespace,
--- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
@@ -324,15 +324,17 @@ func (c *oidcWatcherController) validateSecret(upstream *idpv1alpha1.OIDCIdentit

 // validateIssuer validates the .spec.issuer field, performs OIDC discovery, and returns the appropriate OIDCDiscoverySucceeded condition.
 func (c *oidcWatcherController) validateIssuer(ctx context.Context, upstream *idpv1alpha1.OIDCIdentityProvider, result *upstreamoidc.ProviderConfig) []*metav1.Condition {
-	// Get the provider and HTTP Client from cache if possible.
-	discoveredProvider, httpClient := c.validatorCache.getProvider(&upstream.Spec)
-	tlsCondition, _, certPool, _ := tlsconfigutil.ValidateTLSConfig(
+	tlsCondition, _, certPool := tlsconfigutil.ValidateTLSConfig(
 		tlsconfigutil.TLSSpecForSupervisor(upstream.Spec.TLS),
 		"spec.tls",
 		upstream.Namespace,
 		c.secretInformer,
 		c.configMapInformer)

+	// TODO: If either the spec or the CA bundle has changed, then we need to redo the validations below. So maybe the cache key should be the combination of spec and bundle (or hash of bundle)?
+	// Get the provider and HTTP Client from cache if possible.
+	discoveredProvider, httpClient := c.validatorCache.getProvider(&upstream.Spec)
+
 	// If the provider does not exist in the cache, do a fresh discovery lookup and save to the cache.
 	if discoveredProvider == nil {
 		var err error
--- a/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
+++ b/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
@@ -254,7 +254,7 @@ func ValidateGenericLDAP(
 	conditions.Append(secretValidCondition, true)

 	tlsSpec := tlsconfigutil.TLSSpecForSupervisor(upstream.Spec().TLSSpec())
-	tlsValidCondition, caBundle, _, _ := tlsconfigutil.ValidateTLSConfig(tlsSpec, "spec.tls", upstream.Namespace(), secretInformer, configMapInformer)
+	tlsValidCondition, caBundle, _ := tlsconfigutil.ValidateTLSConfig(tlsSpec, "spec.tls", upstream.Namespace(), secretInformer, configMapInformer)
 	conditions.Append(tlsValidCondition, true)
 	config.CABundle = caBundle

@@ -277,6 +277,7 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
 	config *upstreamldap.ProviderConfig,
 	currentSecretVersion string,
 ) (*metav1.Condition, *metav1.Condition) {
+	// TODO: if the CA bundle has changed, then we should redo the below connection probes. So maybe this cache should also include the CA bundle (or the hash of the bundle) as part of the lookup?
 	validatedSettings, hasPreviousValidatedSettings := validatedSettingsCache.Get(upstream.Name(), currentSecretVersion, upstream.Generation())
 	var ldapConnectionValidCondition, searchBaseFoundCondition *metav1.Condition