diff --git a/api/clusters/v1alpha1/accessrequest_types.go b/api/clusters/v1alpha1/accessrequest_types.go
index 4837a564..fa007bf9 100644
--- a/api/clusters/v1alpha1/accessrequest_types.go
+++ b/api/clusters/v1alpha1/accessrequest_types.go
@@ -87,7 +87,9 @@ type AccessRequestStatus struct {
 	commonapi.Status `json:",inline"`
 
 	// SecretRef holds the reference to the secret that contains the actual credentials.
-	SecretRef *commonapi.ObjectReference `json:"secretRef,omitempty"`
+	// The secret is in the same namespace as the AccessRequest.
+	// +optional
+	SecretRef *commonapi.LocalObjectReference `json:"secretRef,omitempty"`
 }
 
 func (ars AccessRequestStatus) IsGranted() bool {
diff --git a/api/clusters/v1alpha1/zz_generated.deepcopy.go b/api/clusters/v1alpha1/zz_generated.deepcopy.go
index 1c33e52d..454ddbf3 100644
--- a/api/clusters/v1alpha1/zz_generated.deepcopy.go
+++ b/api/clusters/v1alpha1/zz_generated.deepcopy.go
@@ -111,7 +111,7 @@ func (in *AccessRequestStatus) DeepCopyInto(out *AccessRequestStatus) {
 	in.Status.DeepCopyInto(&out.Status)
 	if in.SecretRef != nil {
 		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(common.ObjectReference)
+		*out = new(common.LocalObjectReference)
 		**out = **in
 	}
 }
diff --git a/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml b/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
index b07a7cda..a487cfb6 100644
--- a/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
+++ b/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
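Review bot: Replacing the type of the persisted `status.secretRef` field changes the stored schema of an existing v1alpha1 field without a conversion path: once the regenerated CRD is applied, a `secretRef.namespace` stored on an existing AccessRequest is pruned, and any request whose secret did not live in the request's own namespace will from then on be resolved against a secret that is absent from `ar.Namespace`. Restricting the reference to the local namespace is the safer contract, since the status can no longer direct consumers at a secret in another namespace, and that is worth stating in the field comment, e.g. `// Consumers resolve the secret in the AccessRequest's own metadata.namespace; a reference into another namespace is not expressible.` Whether the controller re-issues the secret for already-granted requests after the upgrade is not visible in this diff and should be confirmed and mentioned in the release notes. AccessRequestStatus starts outside the hunk.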
@@ -477,19 +477,21 @@ spec:
                description: Phase is the current phase of the resource.
                type: string
              secretRef:
-               description: SecretRef holds the reference to the secret that contains
-                 the actual credentials.
+               description: |-
+                 SecretRef holds the reference to the secret that contains the actual credentials.
+                 The secret is in the same namespace as the AccessRequest.
                properties:
                  name:
-                   description: Name is the name of the object.
-                   type: string
-                 namespace:
-                   description: Namespace is the namespace of the object.
+                   default: ""
+                   description: |-
+                     Name of the referent.
+                     This field is effectively required, but due to backwards compatibility is
+                     allowed to be empty. Instances of this type with an empty value here are
+                     almost certainly wrong.
+                     More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                    type: string
-               required:
-               - name
-               - namespace
                type: object
+               x-kubernetes-map-type: atomic
            required:
            - observedGeneration
            - phase
diff --git a/internal/controllers/managedcontrolplane/controller_test.go b/internal/controllers/managedcontrolplane/controller_test.go
index eac9b77d..f0a48358 100644
--- a/internal/controllers/managedcontrolplane/controller_test.go
+++ b/internal/controllers/managedcontrolplane/controller_test.go
@@ -248,9 +248,8 @@ var _ = Describe("ManagedControlPlane Controller", func() {
 			ar.SetNamespace(platformNamespace)
 			Expect(env.Client(platform).Get(env.Ctx, client.ObjectKeyFromObject(ar), ar)).To(Succeed())
 			ar.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
-			ar.Status.SecretRef = &commonapi.ObjectReference{
-				Name:      ar.Name,
-				Namespace: ar.Namespace,
+			ar.Status.SecretRef = &commonapi.LocalObjectReference{
+				Name: ar.Name,
 			}
 			sec := &corev1.Secret{}
 			sec.SetName(ar.Status.SecretRef.Name)
@@ -270,9 +269,8 @@ var _ = Describe("ManagedControlPlane Controller", func() {
 			ar.SetNamespace(platformNamespace)
 			Expect(env.Client(platform).Get(env.Ctx, client.ObjectKeyFromObject(ar), ar)).To(Succeed())
 			ar.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
-			ar.Status.SecretRef = &commonapi.ObjectReference{
-				Name:      ar.Name,
-				Namespace: ar.Namespace,
+			ar.Status.SecretRef = &commonapi.LocalObjectReference{
+				Name: ar.Name,
 			}
 			sec := &corev1.Secret{}
 			sec.SetName(ar.Status.SecretRef.Name)
diff --git a/lib/clusteraccess/advanced/clusteraccess.go b/lib/clusteraccess/advanced/clusteraccess.go
index b96dcca5..52f2c91d 100644
--- a/lib/clusteraccess/advanced/clusteraccess.go
+++ b/lib/clusteraccess/advanced/clusteraccess.go
@@ -981,7 +981,7 @@ func AccessFromAccessRequest(ctx context.Context, platformClusterClient client.C
 
 	s := &corev1.Secret{}
 	s.Name = ar.Status.SecretRef.Name
-	s.Namespace = ar.Status.SecretRef.Namespace
+	s.Namespace = ar.Namespace
 	if err := platformClusterClient.Get(ctx, client.ObjectKeyFromObject(s), s); err != nil {
 		return nil, fmt.Errorf("unable to get secret '%s/%s' for AccessRequest '%s/%s': %w",
 			s.Namespace, s.Name, ar.Namespace, ar.Name, err)
@@ -1185,9 +1185,8 @@ func FakeAccessRequestReadiness(kcfgData []byte) FakingCallback {
 
 		// mock AccessRequest status
 		old := ar.DeepCopy()
-		ar.Status.SecretRef = &commonapi.ObjectReference{
-			Name:      s.Name,
-			Namespace: s.Namespace,
+		ar.Status.SecretRef = &commonapi.LocalObjectReference{
+			Name: s.Name,
 		}
 		ar.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
 		ar.Status.ObservedGeneration = ar.Generation
@@ -1279,7 +1278,7 @@ func FakeAccessRequestDeletion(finalizersToRemoveFromAccessRequest, finalizersTo
 		if ar.Status.SecretRef != nil {
 			s := &corev1.Secret{}
 			s.Name = ar.Status.SecretRef.Name
-			s.Namespace = ar.Status.SecretRef.Namespace
+			s.Namespace = ar.Namespace
 
 			if len(finalizersToRemoveFromSecret) > 0 {
 				// fetch secret to remove finalizers
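Review bot: The lookup at `s.Name = ar.Status.SecretRef.Name` now goes through a LocalObjectReference, which the regenerated CRD in this same change explicitly allows to carry an empty name, so a granted AccessRequest with an empty `secretRef.name` reaches the Get with an empty key and fails with a misleading not-found message. A guard before the Secret is built, `if ar.Status.SecretRef == nil || ar.Status.SecretRef.Name == "" { return nil, fmt.Errorf("AccessRequest '%s/%s' is granted but carries no secret reference", ar.Namespace, ar.Name) }`, makes that state explicit; AccessFromAccessRequest starts outside the hunk, so a nil check may already exist above and only the empty-name part would be new. The same applies to the Secret built in createClusterForAccessRequest in lib/clusteraccess/clusteraccess.go, which likewise uses the name unchecked.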
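Review bot: FakeAccessRequestReadiness now records only `s.Name` in the status, so the faked secret must live in `ar.Namespace` for AccessFromAccessRequest, which after this change reads it from there, to find it; where `s` is created is outside the hunk, so I cannot confirm that its namespace is derived from the AccessRequest. If it is not, set `s.Namespace = ar.Namespace` before the secret is created, or fail the fake when the two differ, so that a mismatch surfaces in the fake rather than as a not-found error in the consumer.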
diff --git a/lib/clusteraccess/clusteraccess.go b/lib/clusteraccess/clusteraccess.go
index 6383ef14..f16309da 100644
--- a/lib/clusteraccess/clusteraccess.go
+++ b/lib/clusteraccess/clusteraccess.go
@@ -407,7 +407,7 @@ func createClusterForAccessRequest(ctx context.Context, platformClusterClient cl
 	accessSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      accessRequest.Status.SecretRef.Name,
-			Namespace: accessRequest.Status.SecretRef.Namespace,
+			Namespace: accessRequest.Namespace,
 		},
 	}
 
diff --git a/lib/clusteraccess/clusteraccess_test.go b/lib/clusteraccess/clusteraccess_test.go
index 050024c3..c9d11db7 100644
--- a/lib/clusteraccess/clusteraccess_test.go
+++ b/lib/clusteraccess/clusteraccess_test.go
@@ -210,15 +210,13 @@ var _ = Describe("ClusterAccessReconciler", func() {
 			Expect(env.Client().Status().Update(env.Ctx, accessRequestWorkload)).To(Succeed())
 
 			// set the secret reference for the MCP access request and the workload access request
-			accessRequestMCP.Status.SecretRef = &commonapi.ObjectReference{
-				Name:      "mcp-access",
-				Namespace: expectedRequestNamespace,
+			accessRequestMCP.Status.SecretRef = &commonapi.LocalObjectReference{
+				Name: "mcp-access",
 			}
 			Expect(env.Client().Status().Update(env.Ctx, accessRequestMCP)).To(Succeed())
 
-			accessRequestWorkload.Status.SecretRef = &commonapi.ObjectReference{
-				Name:      "workload-access",
-				Namespace: expectedRequestNamespace,
+			accessRequestWorkload.Status.SecretRef = &commonapi.LocalObjectReference{
+				Name: "workload-access",
 			}
 			Expect(env.Client().Status().Update(env.Ctx, accessRequestWorkload)).To(Succeed())
 
@@ -275,9 +273,8 @@ var _ = Describe("ClusterAccessReconciler", func() {
 			env.ShouldReconcile(request, "reconcilerImpl should not return an error")
 
 			// set the secret reference for the MCP access request
-			accessRequestMCP.Status.SecretRef = &commonapi.ObjectReference{
-				Name:      "mcp-access",
-				Namespace: expectedRequestNamespace,
+			accessRequestMCP.Status.SecretRef = &commonapi.LocalObjectReference{
+				Name: "mcp-access",
 			}
 			Expect(env.Client().Status().Update(env.Ctx, accessRequestMCP)).To(Succeed())
 
@@ -441,7 +438,7 @@ var _ = Describe("ClusterAccessManager", func() {
 		}()
 
 		Eventually(func() bool {
-			// read rhe cluster request
+			// read the cluster request
 			if err := env.Client().Get(ctx, client.ObjectKeyFromObject(clusterRequest), clusterRequest); err != nil {
 				return false
 			}
@@ -464,9 +461,8 @@ var _ = Describe("ClusterAccessManager", func() {
 
 			if accessRequest.Status.Phase != clustersv1alpha1.REQUEST_GRANTED {
 				accessRequest.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
-				accessRequest.Status.SecretRef = &commonapi.ObjectReference{
-					Name:      "access",
-					Namespace: "default",
+				accessRequest.Status.SecretRef = &commonapi.LocalObjectReference{
+					Name: "access",
 				}
 
 				if err := env.Client().Status().Update(ctx, accessRequest); err != nil {
diff --git a/lib/clusteraccess/testdata/test-03/access-secrets.yaml b/lib/clusteraccess/testdata/test-03/access-secrets.yaml
index c6e2bfed..6b344342 100644
--- a/lib/clusteraccess/testdata/test-03/access-secrets.yaml
+++ b/lib/clusteraccess/testdata/test-03/access-secrets.yaml
@@ -2,6 +2,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: access
-  namespace: default
+  namespace: test-namespace
 data:
   kubeconfig: YXBpVmVyc2lvbjogdjEKa2luZDogQ29uZmlnCnByZWZlcmVuY2VzOiB7fQpjbHVzdGVyczoKLSBjbHVzdGVyOgogICAgc2VydmVyOiBodHRwczovL2FwaS5jbHVzdGVyLWIuZXhhbXBsZS5jb206NjQ0MwogIG5hbWU6IGNsdXN0ZXIKY29udGV4dHM6Ci0gY29udGV4dDoKICAgIGNsdXN0ZXI6IGNsdXN0ZXIKICAgIHVzZXI6IHVzZXIKICBuYW1lOiBjb250ZXh0CmN1cnJlbnQtY29udGV4dDogY29udGV4dAp1c2VyczoKLSBuYW1lOiB1c2VyCiAgdXNlcjoKICAgIHRva2VuOiBhYmM=
\ No newline at end of file
diff --git a/lib/clusteraccess/testing.go b/lib/clusteraccess/testing.go
index 7db60dfe..5208fb50 100644
--- a/lib/clusteraccess/testing.go
+++ b/lib/clusteraccess/testing.go
@@ -109,16 +109,15 @@ func (m *testManagerImpl) WaitForClusterAccess(ctx context.Context, localName st
 	}
 	old := ar.DeepCopy()
 	ar.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
-	ar.Status.SecretRef = &commonapi.ObjectReference{
-		Name:      ar.Name,
-		Namespace: ar.Namespace,
+	ar.Status.SecretRef = &commonapi.LocalObjectReference{
+		Name: ar.Name,
 	}
 	if err := m.platformClusterClient.Status().Patch(ctx, ar, client.MergeFrom(old)); err != nil {
 		return nil, nil, fmt.Errorf("failed to update AccessRequest status: %w", err)
 	}
 	sec := &corev1.Secret{}
 	sec.Name = ar.Status.SecretRef.Name
-	sec.Namespace = ar.Status.SecretRef.Namespace
+	sec.Namespace = ar.Namespace
 	if _, err := controllerutil.CreateOrUpdate(ctx, m.platformClusterClient, sec, func() error {
 		sec.Data = map[string][]byte{
 			clustersv1alpha1.SecretKeyKubeconfig: []byte("fake:" + localName),
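Review bot: WaitForClusterAccess patches the status to REQUEST_GRANTED with the new SecretRef before `sec` is created by CreateOrUpdate a few lines later, so anything that reacts to the granted phase by reading `sec.Name` from `ar.Namespace` (AccessFromAccessRequest does exactly that after this change) can observe a granted request whose secret does not exist yet. Creating the secret first and patching the status afterwards removes that window and mirrors the order a real controller has to use, since the status is what tells consumers the credentials are ready. The rest of the method runs outside the hunk.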