Introduce POST /v3/roles endpoint to create space roles
#215
Conversation
danail-branekov
force-pushed
the
wip-create-role
branch
2 times, most recently
from
33969d0
to
6699804
Compare
api/apis/role_handler_test.go
Outdated
| }) | ||
| }) | ||
|
|
||
| When("the request body is invalid with missing required name field", func() { |
| JustBeforeEach(func() { | ||
| namespaces, getErr = org.GetAuthorizedNamespaces(ctx, identity) | ||
| roleName1 = generateGUID("org-user-1") | ||
| roleName2 = generateGUID("org-user-1") |
There was a problem hiding this comment.
s/org-user-1/org-user-2/
| It("lists the namespaces with bindings for current user", func() { | ||
| Expect(getErr).NotTo(HaveOccurred()) | ||
| Expect(namespaces).To(ConsistOf(org1Ns)) | ||
| Expect(k8sClient.Delete(context.Background(), &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: roleName1}})).To(Succeed()) |
There was a problem hiding this comment.
maybe use a ctx var above somewhere and replace all those context.Background() calls?
| BeforeEach(func() { | ||
| ctx, cancelCtx = context.WithDeadline(ctx, time.Now().Add(-time.Minute)) | ||
| BeforeEach(func() { | ||
| ctx, cancelCtx = context.WithDeadline(ctx, time.Now().Add(-time.Minute)) |
There was a problem hiding this comment.
I know it's not from this PR, but I really appreciate using an expired context to make k8s client calls fail :)
api/repositories/role_repository.go
Outdated
| } | ||
|
|
||
| now := time.Now() | ||
| role.CreatedAt = now |
There was a problem hiding this comment.
Should we use the metadata.creationTimestamp from the k8s roleBinding instead of now?
| }) | ||
|
|
||
| Describe("CreateSpaceRole", func() { | ||
| createSubnamespaceAnchor := func(name, parent string) *hnsv1alpha2.SubnamespaceAnchor { |
There was a problem hiding this comment.
Given we set SpaceNameLabel, this is creating a space subnamespaceanchor. Consider renaming.
There was a problem hiding this comment.
There is also some duplication with org/space creation in the org_repository_test code. Potential refactor.
|
|
||
| BeforeEach(func() { | ||
| authorizedInChecker.AuthorizedInReturns(true, nil) | ||
| orgAnchor = createSubnamespaceAnchor(uuid.NewString(), rootNamespace) |
There was a problem hiding this comment.
We are creating an org anchor, but setting the SpaceNameLabel on it. Suggest modifying this to remove future confusion
| @@ -59,6 +67,16 @@ var _ = BeforeSuite(func() { | |||
| ensureServerIsUp() | |||
| }) | |||
|
|
|||
| var _ = BeforeEach(func() { | |||
| serviceAccountName = generateGUID("user") | |||
| token := obtainServiceAccountToken(serviceAccountName) | |||
There was a problem hiding this comment.
obtainServiceAccountToken does a fair bit of work, so we're introducing a significant overhead into each test here.
Consider whether this is necessary for every e2e test. If so, it might make more sense to be shared in a synchronised before suite.
api/tests/e2e/roles_test.go
Outdated
| userName string | ||
| ) | ||
|
|
||
| createRoleWithHeaders := func(roleName, userName, spaceGUID string, headers map[string]string) (*http.Response, error) { |
There was a problem hiding this comment.
Is this a bit premature? We're currently using the privileged client to create the role binding, so the auth header is not used.
api/tests/e2e/roles_test.go
Outdated
| }) | ||
|
|
||
| It("creates a role binding", func() { | ||
| response, err := createRoleWithHeaders("space_developer", userName, space.GUID, nil) |
* Currently supports only creating space roles * Generate predictable role binding names by doing a sha256sum on the role name and user. The name is also prefixed with `cf-` to ensure it starts witha lowercase letter. * The role will fail to create if the user does not have a role in the parent org namespace (as per the docs for POST /v3/roles) Issue: #160 Co-authored-by: Mario Nitchev <marionitchev@gmail.com> Co-authored-by: Kieron Browne <kbrowne@vmware.com>
We've seen an increased amount of flakes while trying to get the ServiceAccount secret Co-authored-by: Kieron Browne <kbrowne@vmware.com> Co-authored-by: Mario Nitchev <marionitchev@gmail.com>
Although it doesn't work in GitHub Actions, it still saves time when running locally Co-authored-by: Kieron Browne <kbrowne@vmware.com>
* the api now parses all yaml files in a directory pointed by the CONFIG env var and merges them in a single config * adjust the CONFIG in .envrc Co-authored-by: Mario Nitchev <marionitchev@gmail.com>
Co-authored-by: Mario Nitchev <marionitchev@gmail.com>
Co-authored-by: Kieron Browne <kbrowne@vmware.com> Co-authored-by: Mario Nitchev <marionitchev@gmail.com>
kieron-dev
force-pushed
the
wip-create-role
branch
from
6699804
to
229aed3
Compare
Is there a related GitHub Issue?
#160
What is this change about?
Introduce the
POST /v3/rolesAPI endpoint. Whenever called, the API would create a rolebinding in a space namespace that binds a user to a role. Note that the API would fail to create a space role if the user does not have a role (i.e. a role binding) in the parent org namespace (this is how the API should behave according to the CF API documentation)Does this PR introduce a breaking change?
Yes
K8s role names differ from the CF roles, for example,
space_developermaps tocf-k8s-controllers-space-developer. In order to express this mapping we have introduced a new configuration yaml providing that mapping. We did not want to put that config incf_k8s_api_config.yamlas that would mean that we would have to carry those mappings across all kustomization overlays.That is why we now have two config files and we changed the meaning of the
CONFIGenvironment variable to reference a directory, rather than a single file. Themainwould read the content of the directory and gradually fill the configuration object.We have amended the
.envrcaccordingly so thatmake runworks.Acceptance Steps
Create org
curl -X POST /v3/organizations -H 'Content-Type: application/json' -d '{"name":"my-org"}'Create a rolebinding in the org namespaces that binds a user to whatever role
kubectl create rolebinding <rolebinding-name> -n <org-ns-name> --clusterrole=some-role --user=some-userCreate space
curl -X POST /v3/spaces -H 'Content-Type: application/json' -d '{ "name": "space-name", "relationships": { "organization": { "data": { "guid": "<org-guid>" } } } }'Create the role:
*See success response like:
Tag your pair, your PM, and/or team
@cloudfoundry/cf-k8s