Adds user impersonation

raft-tech · Jul 23, 2023 · c2b594e · c2b594e
1 parent 259d106
commit c2b594e
Show file tree

Hide file tree

Showing 29 changed files with 1,568 additions and 71 deletions.
diff --git a/PROJECT b/PROJECT
@@ -40,4 +40,12 @@ resources:
   kind: HelmPolicy
   path: github.com/raft-tech/konfirm/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: goraft.tech
+  group: konfirm
+  kind: UserRef
+  path: github.com/raft-tech/konfirm/api/v1alpha1
+  version: v1alpha1
 version: "3"
diff --git a/api/v1alpha1/test_types.go b/api/v1alpha1/test_types.go
@@ -51,6 +51,9 @@ type TestSpec struct {
 	// RetentionPolicy specifies how generated resources should be handled after the Test finishes.
 	RetentionPolicy RetainPolicy `json:"retentionPolicy,omitempty"`
 
+	// RunAs is the name of the UserRef the pod will be managed by
+	RunAs string `json:"runAs,omitempty"`
+
 	// Template is the PodSpecTemplate that will be used to run the test
 	Template v1.PodTemplateSpec `json:"template"`
 }

diff --git a/api/v1alpha1/testrun_types.go b/api/v1alpha1/testrun_types.go
@@ -41,6 +41,9 @@ type TestRunSpec struct {
 	// +kubebuilder:default=OnFailure
 	RetentionPolicy RetainPolicy `json:"retentionPolicy,omitempty"`
 
+	// RunAs is the name of the UserRef the resulting pods will be managed by
+	RunAs string `json:"runAs,omitempty"`
+
 	// +kubebuilder:validation:MinItems=1
 	Tests []TestTemplate `json:"tests"`
 }

diff --git a/api/v1alpha1/testsuite_types.go b/api/v1alpha1/testsuite_types.go
@@ -25,10 +25,11 @@ import (
 type TestSuitePhase string
 
 const (
-	TestSuitePending TestSuitePhase = "Pending"
-	TestSuiteReady   TestSuitePhase = "Ready"
-	TestSuiteRunning TestSuitePhase = "Running"
-	TestSuiteError   TestSuitePhase = "Error"
+	TestSuitePending  TestSuitePhase = "Pending"
+	TestSuiteReady    TestSuitePhase = "Ready"
+	TestSuiteStarting TestSuitePhase = "Starting"
+	TestSuiteRunning  TestSuitePhase = "Running"
+	TestSuiteError    TestSuitePhase = "Error"
 )
 
 // IsPending returns true if TestSuitePhase is "Pending"
@@ -41,14 +42,19 @@ func (p TestSuitePhase) IsReady() bool {
 	return p == TestSuiteReady
 }
 
+// IsStarting returns true if TestStuiePhase is "Starting"
+func (p TestSuitePhase) IsStarting() bool {
+	return p == TestSuiteStarting
+}
+
 // IsRunning returns true if TestSuitePhase is "Running"
 func (p TestSuitePhase) IsRunning() bool {
 	return p == TestSuiteRunning
 }
 
 // IsError returns true if TestSuitePhase is "Error"
 func (p TestSuitePhase) IsError() bool {
-	return p == TestSuitePending
+	return p == TestSuiteError
 }
 
 // TestSuiteHelmTrigger describes a Helm release that will trigger a TestSuite
@@ -88,6 +94,9 @@ type TestSuiteSpec struct {
 
 	SetUp TestSuiteSetUp `json:"setUp,omitempty"`
 
+	// RunAs is the name of the UserRef the resulting pods and any setup will be managed as
+	RunAs string `json:"runAs,omitempty"`
+
 	// +kubebuilder:validation:Required
 	Template TestRunSpec `json:"template"`
 
@@ -109,7 +118,7 @@ type TestSuiteStatus struct {
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 
 	// +kubebuilder:default=Pending
-	// Phase (Pending, Ready, Running, Error)
+	// +kubebuilder:validation:Enum=Pending;Ready;Starting;Running;Error
 	Phase TestSuitePhase `json:"phase,omitempty"`
 
 	CurrentTestRun string `json:"currentTestRun,omitempty"`

diff --git a/api/v1alpha1/userref_types.go b/api/v1alpha1/userref_types.go
@@ -0,0 +1,52 @@
+/*
+ Copyright 2022 Raft, LLC
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// UserRefSpec defines the desired state of UserRef
+type UserRefSpec struct {
+
+	// UserName sets the username that will be impersonated when this UserRef
+	// is used.
+	UserName string `json:"username,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// UserRef is the Schema for the userrefs API
+type UserRef struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec UserRefSpec `json:"spec,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// UserRefList contains a list of UserRef
+type UserRefList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []UserRef `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&UserRef{}, &UserRefList{})
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/konfirm.goraft.tech_testruns.yaml b/config/crd/bases/konfirm.goraft.tech_testruns.yaml
@@ -51,6 +51,10 @@ spec:
                 - Never
                 - OnFailure
                 type: string
+              runAs:
+                description: RunAs is the name of the UserRef the resulting pods will
+                  be managed by
+                type: string
               tests:
                 items:
                   description: TestTemplate describes a templated Test

diff --git a/config/crd/bases/konfirm.goraft.tech_tests.yaml b/config/crd/bases/konfirm.goraft.tech_tests.yaml
@@ -50,6 +50,10 @@ spec:
                 - Never
                 - OnFailure
                 type: string
+              runAs:
+                description: RunAs is the name of the UserRef the pod will be managed
+                  by
+                type: string
               template:
                 description: Template is the PodSpecTemplate that will be used to
                   run the test

diff --git a/config/crd/bases/konfirm.goraft.tech_testsuites.yaml b/config/crd/bases/konfirm.goraft.tech_testsuites.yaml
@@ -42,6 +42,10 @@ spec:
                 maximum: 255
                 minimum: 0
                 type: integer
+              runAs:
+                description: RunAs is the name of the UserRef the resulting pods and
+                  any setup will be managed as
+                type: string
               setUp:
                 description: TestSuiteSetUp describes any setup that should occur
                   before the Tests are run
@@ -67,6 +71,10 @@ spec:
                     - Never
                     - OnFailure
                     type: string
+                  runAs:
+                    description: RunAs is the name of the UserRef the resulting pods
+                      will be managed by
+                    type: string
                   tests:
                     items:
                       description: TestTemplate describes a templated Test
@@ -8586,7 +8594,14 @@ spec:
                 type: string
               phase:
                 default: Pending
-                description: Phase (Pending, Ready, Running, Error)
+                description: TestSuitePhase describes the phase a TestSuite is currently
+                  in
+                enum:
+                - Pending
+                - Ready
+                - Starting
+                - Running
+                - Error
                 type: string
             type: object
           trigger:

diff --git a/config/crd/bases/konfirm.goraft.tech_userrefs.yaml b/config/crd/bases/konfirm.goraft.tech_userrefs.yaml
@@ -0,0 +1,51 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: userrefs.konfirm.goraft.tech
+spec:
+  group: konfirm.goraft.tech
+  names:
+    kind: UserRef
+    listKind: UserRefList
+    plural: userrefs
+    singular: userref
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: UserRef is the Schema for the userrefs API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: UserRefSpec defines the desired state of UserRef
+            properties:
+              username:
+                description: UserName sets the username that will be impersonated
+                  when this UserRef is used.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - bases/konfirm.goraft.tech_testsuites.yaml
 - bases/konfirm.goraft.tech_testruns.yaml
 - bases/konfirm.goraft.tech_helmpolicies.yaml
+- bases/konfirm.goraft.tech_userrefs.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
@@ -14,13 +15,15 @@ patchesStrategicMerge:
 #- patches/webhook_in_news.yaml
 #- patches/webhook_in_testruns.yaml
 #- patches/webhook_in_helmpolicies.yaml
+#- patches/webhook_in_userrefs.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
 #- patches/cainjection_in_news.yaml
 #- patches/cainjection_in_testruns.yaml
 #- patches/cainjection_in_helmpolicies.yaml
+#- patches/cainjection_in_userrefs.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

diff --git a/config/crd/patches/cainjection_in_userrefs.yaml b/config/crd/patches/cainjection_in_userrefs.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: userrefs.konfirm.goraft.tech
diff --git a/config/crd/patches/webhook_in_userrefs.yaml b/config/crd/patches/webhook_in_userrefs.yaml
@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: userrefs.konfirm.goraft.tech
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1