Merge branch 'master' of github.com:codeready-toolchain/member-operat…

…or into vmWebhookLimits

.github/workflows/ci-build.yml

@@ -15,12 +15,12 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Install Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v4
       with:
         go-version: 1.19.x
 
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: Generate Assets
       run: |
@@ -49,7 +49,7 @@ jobs:
         go-version: 1.19.x
 
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: Generate Assets
       run: |
@@ -68,10 +68,10 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: Generate SBOM
-      uses: CycloneDX/gh-gomod-generate-sbom@v1
+      uses: CycloneDX/gh-gomod-generate-sbom@v2
       with:
         version: v1
-        args: mod -licenses -json -output -
+        args: mod -licenses -json -output -

.github/workflows/ci-check-gomod.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: check
       run: |

.github/workflows/operator-cd.yml

@@ -17,24 +17,24 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     - name: Install Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v4
       with:
         go-version: ${{ env.GO_VERSION }}
 
     - name: Cache dependencies
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         path: ~/go/pkg/mod
         key: ${{ runner.os }}-go-${{ hashFiles ('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-go-
 
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
 

.github/workflows/publish-operators-for-e2e-tests.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
     # Checkout from PR event - in that case the comment field is empty
     - name: Checkout code from PR event
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       if: ${{ github.event.comment == '' }}
       with:
         ref: ${{github.event.pull_request.head.ref}}
@@ -39,27 +39,27 @@ jobs:
     # Checkout the code based on the data retrieved from the previous step
     # Is executed only for comment events - in that case the pull_request field is empty
     - name: Checkout code from PR
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       if: ${{ github.event.pull_request == '' }}
       with:
         repository: ${{ fromJson(steps.request.outputs.data).head.repo.full_name }}
         ref: ${{ fromJson(steps.request.outputs.data).head.ref }}
         fetch-depth: 0
 
     - name: Install Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v4
       with:
         go-version: ${{ env.GO_VERSION }}
 
     - name: Cache dependencies
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         path: ~/go/pkg/mod
         key: ${{ runner.os }}-go-${{ hashFiles ('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-go-
 
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
 

config/crd/bases/toolchain.dev.openshift.com_workspaces.yaml

@@ -64,13 +64,31 @@ spec:
                         when the role in the current binding can be changed - "delete"
                         when the current binding can be deleted - "override" when
                         the current binding is inherited from a parent workspace,
-                        it cannot be updated but it can be overridden by creating
+                        it cannot be updated, but it can be overridden by creating
                         a new binding containing the same MasterUserRecord but different
                         role in the subworkspace.'
                       items:
                         type: string
                       type: array
                       x-kubernetes-list-type: atomic
+                    bindingRequest:
+                      description: BindingRequest provides the name and namespace
+                        of the SpaceBindingRequest that generated the SpaceBinding
+                        resource. It's available only if the binding was generated
+                        using the SpaceBindingRequest mechanism.
+                      properties:
+                        name:
+                          description: Name of the SpaceBindingRequest that generated
+                            the SpaceBinding resource.
+                          type: string
+                        namespace:
+                          description: Namespace of the SpaceBindingRequest that generated
+                            the SpaceBinding resource.
+                          type: string
+                      required:
+                      - name
+                      - namespace
+                      type: object
                     masterUserRecord:
                       description: MasterUserRecord is the name of the user that has
                         access to the workspace. This field is immutable via a validating

deploy/webhook/member-operator-webhook.yaml

@@ -228,6 +228,11 @@ objects:
       namespaceSelector:
         matchLabels:
           toolchain.dev.openshift.com/provider: codeready-toolchain
+    # The users.spacebindingrequests.webhook.sandbox webhook validates SpaceBindingRequest CRs,
+    # Specifically it makes sure that once a SBR resource is created, the SpaceBindingRequest.Spec.MasterUserRecord field is not changed by the user.
+    # The reason for making SpaceBindingRequest.Spec.MasterUserRecord field immutable is that as of now the SpaceBinding resource name is composed as follows: <Space.Name>-checksum(<Space.Name>-<MasterUserRecord.Name>),
+    # thus changing it will trigger an updated of the SpaceBinding content but the name will still be based on the old MUR name.
+    # The webhook code is available at member-operator/pkg/webhook/validatingwebhook/validate_spacebindingrequest.go
     - name: users.spacebindingrequests.webhook.sandbox
       admissionReviewVersions:
         - v1
@@ -248,7 +253,7 @@ objects:
       sideEffects: None
       timeoutSeconds: 5
       reinvocationPolicy: Never
-      failurePolicy: Ignore
+      failurePolicy: Fail
       namespaceSelector:
         matchLabels:
           toolchain.dev.openshift.com/provider: codeready-toolchain

go.mod

@@ -1,7 +1,7 @@
 module github.com/codeready-toolchain/member-operator
 
 require (
-	github.com/codeready-toolchain/api v0.0.0-20230918195153-739e8fb09a33
+	github.com/codeready-toolchain/api v0.0.0-20231010090546-098b27b43b3a
 	github.com/codeready-toolchain/toolchain-common v0.0.0-20230920120310-0f59f17bca92
 	github.com/go-logr/logr v1.2.3
 	github.com/google/go-cmp v0.5.9

pkg/webhook/deploy/deployment_test.go

@@ -227,7 +227,7 @@ func mutatingWebhookConfig(namespace, caBundle string) string {
 }
 
 func validatingWebhookConfig(namespace, caBundle string) string {
-	return fmt.Sprintf(`{"apiVersion":"admissionregistration.k8s.io/v1","kind":"ValidatingWebhookConfiguration","metadata":{"labels":{"app":"member-operator-webhook","toolchain.dev.openshift.com/provider":"codeready-toolchain"},"name":"member-operator-validating-webhook"},"webhooks":[{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-users-rolebindings","port":443}},"failurePolicy":"Ignore","matchPolicy":"Equivalent","name":"users.rolebindings.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["rbac.authorization.k8s.io","authorization.openshift.io"],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["rolebindings"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5},{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-users-checlusters","port":443}},"failurePolicy":"Fail","matchPolicy":"Equivalent","name":"users.checlusters.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["org.eclipse.che"],"apiVersions":["v2"],"operations":["CREATE"],"resources":["checlusters"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5},{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-spacebindingrequests","port":443}},"failurePolicy":"Ignore","matchPolicy":"Equivalent","name":"users.spacebindingrequests.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["toolchain.dev.openshift.com"],"apiVersions":["v1alpha1"],"operations":["CREATE", "UPDATE"],"resources":["spacebindingrequests"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5}]}`, caBundle, namespace)
+	return fmt.Sprintf(`{"apiVersion":"admissionregistration.k8s.io/v1","kind":"ValidatingWebhookConfiguration","metadata":{"labels":{"app":"member-operator-webhook","toolchain.dev.openshift.com/provider":"codeready-toolchain"},"name":"member-operator-validating-webhook"},"webhooks":[{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-users-rolebindings","port":443}},"failurePolicy":"Ignore","matchPolicy":"Equivalent","name":"users.rolebindings.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["rbac.authorization.k8s.io","authorization.openshift.io"],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["rolebindings"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5},{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-users-checlusters","port":443}},"failurePolicy":"Fail","matchPolicy":"Equivalent","name":"users.checlusters.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["org.eclipse.che"],"apiVersions":["v2"],"operations":["CREATE"],"resources":["checlusters"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5},{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-spacebindingrequests","port":443}},"failurePolicy":"Fail","matchPolicy":"Equivalent","name":"users.spacebindingrequests.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["toolchain.dev.openshift.com"],"apiVersions":["v1alpha1"],"operations":["CREATE", "UPDATE"],"resources":["spacebindingrequests"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5}]}`, caBundle, namespace)
 }
 
 func serviceAccount(namespace string) string {

pkg/webhook/validatingwebhook/validate_spacebindingrequest.go

@@ -16,6 +16,11 @@ import (
 	runtimeClient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// SpaceBindingRequestValidator webhook validates SpaceBindingRequest CRs,
+// Specifically it makes sure that once an SBR resource is created, the SpaceBindingRequest.Spec.MasterUserRecord field is not changed by the user.
+// The reason for making SpaceBindingRequest.Spec.MasterUserRecord field immutable is that as of now the SpaceBinding resource name is composed as follows: <Space.Name>-checksum(<Space.Name>-<MasterUserRecord.Name>),
+// thus changing it will trigger an updated of the SpaceBinding content but the name will still be based on the old MUR name.
+// All the webhook configuration is available at member-operator/deploy/webhook/member-operator-webhook.yaml
 type SpaceBindingRequestValidator struct {
 	Client runtimeClient.Client
 }