From 77d165ee13a23218d23c973c6ac6cb71c6f900d5 Mon Sep 17 00:00:00 2001 From: Francisc Munteanu Date: Mon, 9 Oct 2023 09:22:20 +0200 Subject: [PATCH 1/3] fix: switch sbr webhook to fail policy, add some comments (#479) * switch sbr webhook to fail policy, add some comments --- deploy/webhook/member-operator-webhook.yaml | 7 ++++++- pkg/webhook/deploy/deployment_test.go | 2 +- .../validatingwebhook/validate_spacebindingrequest.go | 5 +++++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/deploy/webhook/member-operator-webhook.yaml b/deploy/webhook/member-operator-webhook.yaml index e9cf3947..5092a09a 100644 --- a/deploy/webhook/member-operator-webhook.yaml +++ b/deploy/webhook/member-operator-webhook.yaml @@ -193,6 +193,11 @@ objects: namespaceSelector: matchLabels: toolchain.dev.openshift.com/provider: codeready-toolchain + # The users.spacebindingrequests.webhook.sandbox webhook validates SpaceBindingRequest CRs, + # Specifically it makes sure that once a SBR resource is created, the SpaceBindingRequest.Spec.MasterUserRecord field is not changed by the user. + # The reason for making SpaceBindingRequest.Spec.MasterUserRecord field immutable is that as of now the SpaceBinding resource name is composed as follows: -checksum(-), + # thus changing it will trigger an updated of the SpaceBinding content but the name will still be based on the old MUR name. + # The webhook code is available at member-operator/pkg/webhook/validatingwebhook/validate_spacebindingrequest.go - name: users.spacebindingrequests.webhook.sandbox admissionReviewVersions: - v1 @@ -213,7 +218,7 @@ objects: sideEffects: None timeoutSeconds: 5 reinvocationPolicy: Never - failurePolicy: Ignore + failurePolicy: Fail namespaceSelector: matchLabels: toolchain.dev.openshift.com/provider: codeready-toolchain diff --git a/pkg/webhook/deploy/deployment_test.go b/pkg/webhook/deploy/deployment_test.go index c7a377f3..0164f810 100644 --- a/pkg/webhook/deploy/deployment_test.go +++ b/pkg/webhook/deploy/deployment_test.go @@ -227,7 +227,7 @@ func mutatingWebhookConfig(namespace, caBundle string) string { } func validatingWebhookConfig(namespace, caBundle string) string { - return fmt.Sprintf(`{"apiVersion":"admissionregistration.k8s.io/v1","kind":"ValidatingWebhookConfiguration","metadata":{"labels":{"app":"member-operator-webhook","toolchain.dev.openshift.com/provider":"codeready-toolchain"},"name":"member-operator-validating-webhook"},"webhooks":[{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-users-rolebindings","port":443}},"failurePolicy":"Ignore","matchPolicy":"Equivalent","name":"users.rolebindings.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["rbac.authorization.k8s.io","authorization.openshift.io"],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["rolebindings"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5},{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-users-checlusters","port":443}},"failurePolicy":"Ignore","matchPolicy":"Equivalent","name":"users.checlusters.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["org.eclipse.che"],"apiVersions":["v2"],"operations":["CREATE"],"resources":["checlusters"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5},{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-spacebindingrequests","port":443}},"failurePolicy":"Ignore","matchPolicy":"Equivalent","name":"users.spacebindingrequests.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["toolchain.dev.openshift.com"],"apiVersions":["v1alpha1"],"operations":["CREATE", "UPDATE"],"resources":["spacebindingrequests"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5}]}`, caBundle, namespace) + return fmt.Sprintf(`{"apiVersion":"admissionregistration.k8s.io/v1","kind":"ValidatingWebhookConfiguration","metadata":{"labels":{"app":"member-operator-webhook","toolchain.dev.openshift.com/provider":"codeready-toolchain"},"name":"member-operator-validating-webhook"},"webhooks":[{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-users-rolebindings","port":443}},"failurePolicy":"Ignore","matchPolicy":"Equivalent","name":"users.rolebindings.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["rbac.authorization.k8s.io","authorization.openshift.io"],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["rolebindings"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5},{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-users-checlusters","port":443}},"failurePolicy":"Ignore","matchPolicy":"Equivalent","name":"users.checlusters.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["org.eclipse.che"],"apiVersions":["v2"],"operations":["CREATE"],"resources":["checlusters"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5},{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"%[1]s","service":{"name":"member-operator-webhook","namespace":"%[2]s","path":"/validate-spacebindingrequests","port":443}},"failurePolicy":"Fail","matchPolicy":"Equivalent","name":"users.spacebindingrequests.webhook.sandbox","namespaceSelector":{"matchLabels":{"toolchain.dev.openshift.com/provider":"codeready-toolchain"}},"reinvocationPolicy":"Never","rules":[{"apiGroups":["toolchain.dev.openshift.com"],"apiVersions":["v1alpha1"],"operations":["CREATE", "UPDATE"],"resources":["spacebindingrequests"],"scope":"Namespaced"}],"sideEffects":"None","timeoutSeconds":5}]}`, caBundle, namespace) } func serviceAccount(namespace string) string { diff --git a/pkg/webhook/validatingwebhook/validate_spacebindingrequest.go b/pkg/webhook/validatingwebhook/validate_spacebindingrequest.go index 1e034213..60fb4f23 100644 --- a/pkg/webhook/validatingwebhook/validate_spacebindingrequest.go +++ b/pkg/webhook/validatingwebhook/validate_spacebindingrequest.go @@ -16,6 +16,11 @@ import ( runtimeClient "sigs.k8s.io/controller-runtime/pkg/client" ) +// SpaceBindingRequestValidator webhook validates SpaceBindingRequest CRs, +// Specifically it makes sure that once an SBR resource is created, the SpaceBindingRequest.Spec.MasterUserRecord field is not changed by the user. +// The reason for making SpaceBindingRequest.Spec.MasterUserRecord field immutable is that as of now the SpaceBinding resource name is composed as follows: -checksum(-), +// thus changing it will trigger an updated of the SpaceBinding content but the name will still be based on the old MUR name. +// All the webhook configuration is available at member-operator/deploy/webhook/member-operator-webhook.yaml type SpaceBindingRequestValidator struct { Client runtimeClient.Client } From 8b99ad249df3729955fb1fbbfc329219ad523c8c Mon Sep 17 00:00:00 2001 From: Francisc Munteanu Date: Tue, 10 Oct 2023 14:19:30 +0200 Subject: [PATCH 2/3] fix: add missing binding request field (#480) * add binding request field --- ...oolchain.dev.openshift.com_workspaces.yaml | 20 ++++++++++++++++++- go.mod | 2 +- go.sum | 4 ++-- 3 files changed, 22 insertions(+), 4 deletions(-) diff --git a/config/crd/bases/toolchain.dev.openshift.com_workspaces.yaml b/config/crd/bases/toolchain.dev.openshift.com_workspaces.yaml index 00cb530d..9be174e0 100644 --- a/config/crd/bases/toolchain.dev.openshift.com_workspaces.yaml +++ b/config/crd/bases/toolchain.dev.openshift.com_workspaces.yaml @@ -64,13 +64,31 @@ spec: when the role in the current binding can be changed - "delete" when the current binding can be deleted - "override" when the current binding is inherited from a parent workspace, - it cannot be updated but it can be overridden by creating + it cannot be updated, but it can be overridden by creating a new binding containing the same MasterUserRecord but different role in the subworkspace.' items: type: string type: array x-kubernetes-list-type: atomic + bindingRequest: + description: BindingRequest provides the name and namespace + of the SpaceBindingRequest that generated the SpaceBinding + resource. It's available only if the binding was generated + using the SpaceBindingRequest mechanism. + properties: + name: + description: Name of the SpaceBindingRequest that generated + the SpaceBinding resource. + type: string + namespace: + description: Namespace of the SpaceBindingRequest that generated + the SpaceBinding resource. + type: string + required: + - name + - namespace + type: object masterUserRecord: description: MasterUserRecord is the name of the user that has access to the workspace. This field is immutable via a validating diff --git a/go.mod b/go.mod index ddef35dc..b02784da 100644 --- a/go.mod +++ b/go.mod @@ -1,7 +1,7 @@ module github.com/codeready-toolchain/member-operator require ( - github.com/codeready-toolchain/api v0.0.0-20230918195153-739e8fb09a33 + github.com/codeready-toolchain/api v0.0.0-20231010090546-098b27b43b3a github.com/codeready-toolchain/toolchain-common v0.0.0-20230920120310-0f59f17bca92 github.com/go-logr/logr v1.2.3 github.com/google/go-cmp v0.5.9 diff --git a/go.sum b/go.sum index cd9ceb15..76678a89 100644 --- a/go.sum +++ b/go.sum @@ -134,8 +134,8 @@ github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWH github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= -github.com/codeready-toolchain/api v0.0.0-20230918195153-739e8fb09a33 h1:hxXfcFq2JgFISVxrkISg8m9DZMzpcPWRjPspx3M3Sxo= -github.com/codeready-toolchain/api v0.0.0-20230918195153-739e8fb09a33/go.mod h1:nn3W6eKb9PFIVwSwZW7wDeLACMBOwAV+4kddGuN+ARM= +github.com/codeready-toolchain/api v0.0.0-20231010090546-098b27b43b3a h1:UucbKqQ0bz9xe/Hr6kbrJkPK0YzCn2bdFwGme5rCfuU= +github.com/codeready-toolchain/api v0.0.0-20231010090546-098b27b43b3a/go.mod h1:nn3W6eKb9PFIVwSwZW7wDeLACMBOwAV+4kddGuN+ARM= github.com/codeready-toolchain/toolchain-common v0.0.0-20230920120310-0f59f17bca92 h1:9gcDMkjSAjxM3RLUYCHv9prCDwdi7IgAWpTwTsDpGL8= github.com/codeready-toolchain/toolchain-common v0.0.0-20230920120310-0f59f17bca92/go.mod h1:+rs3V8do2s0DzGPyCy2sgnvUs9GfSi5RVWx+AZC+cTM= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= From a026dbe0cbe37a473748d25b048d81c2bc9f80cb Mon Sep 17 00:00:00 2001 From: Andy Sadler Date: Wed, 11 Oct 2023 17:14:01 -0500 Subject: [PATCH 3/3] ci: bump actions to silence node12 warnings (#481) As of [June 2023][1], GitHub no longer uses node v12 within its actions runner by default. They have been encouraging action authors to switch to node v16 and [encouraging users][2] to use the new versions of the actions when they become available, with the intent on removing node v12 sometime in the near future. Bump the versions of the affected actions to bring this in line. [1]: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/ [2]: https://github.com/codeready-toolchain/host-operator/actions/runs/6421632076 Signed-off-by: Andy Sadler Co-authored-by: Alexey Kazakov --- .github/workflows/ci-build.yml | 12 ++++++------ .github/workflows/ci-check-gomod.yml | 2 +- .github/workflows/operator-cd.yml | 8 ++++---- .../workflows/publish-operators-for-e2e-tests.yml | 10 +++++----- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index 398eba58..f25c9e8b 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml @@ -15,12 +15,12 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Install Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v4 with: go-version: 1.19.x - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Generate Assets run: | @@ -49,7 +49,7 @@ jobs: go-version: 1.19.x - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Generate Assets run: | @@ -68,10 +68,10 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Generate SBOM - uses: CycloneDX/gh-gomod-generate-sbom@v1 + uses: CycloneDX/gh-gomod-generate-sbom@v2 with: version: v1 - args: mod -licenses -json -output - \ No newline at end of file + args: mod -licenses -json -output - diff --git a/.github/workflows/ci-check-gomod.yml b/.github/workflows/ci-check-gomod.yml index 264a925e..36ffb0ec 100644 --- a/.github/workflows/ci-check-gomod.yml +++ b/.github/workflows/ci-check-gomod.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: check run: | diff --git a/.github/workflows/operator-cd.yml b/.github/workflows/operator-cd.yml index 151c81b6..9ad4d493 100644 --- a/.github/workflows/operator-cd.yml +++ b/.github/workflows/operator-cd.yml @@ -17,24 +17,24 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Install Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v4 with: go-version: ${{ env.GO_VERSION }} - name: Cache dependencies - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles ('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' diff --git a/.github/workflows/publish-operators-for-e2e-tests.yml b/.github/workflows/publish-operators-for-e2e-tests.yml index ae0cea7a..c5229278 100644 --- a/.github/workflows/publish-operators-for-e2e-tests.yml +++ b/.github/workflows/publish-operators-for-e2e-tests.yml @@ -18,7 +18,7 @@ jobs: steps: # Checkout from PR event - in that case the comment field is empty - name: Checkout code from PR event - uses: actions/checkout@v2 + uses: actions/checkout@v4 if: ${{ github.event.comment == '' }} with: ref: ${{github.event.pull_request.head.ref}} @@ -39,7 +39,7 @@ jobs: # Checkout the code based on the data retrieved from the previous step # Is executed only for comment events - in that case the pull_request field is empty - name: Checkout code from PR - uses: actions/checkout@v2 + uses: actions/checkout@v4 if: ${{ github.event.pull_request == '' }} with: repository: ${{ fromJson(steps.request.outputs.data).head.repo.full_name }} @@ -47,19 +47,19 @@ jobs: fetch-depth: 0 - name: Install Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v4 with: go-version: ${{ env.GO_VERSION }} - name: Cache dependencies - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles ('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x'