feat(provider/kubernetes): v2 restrict namespaces for uploading manifests #2410
I have tested this now and it works, except I think the default namespace handling is strange. Line 127 in 0a288b7
I think maybe I cannot use that method and also that it needs to check for the omitNamespaces and ignore all of this if no namespaces are explicitly defined.
@@ -93,6 +100,11 @@ public boolean validateV2Credentials(AccountCredentialsProvider provider, String | |||
return false; | |||
} | |||
|
|||
if (!((KubernetesV2Credentials)credentials.getCredentials()).containsNamespace(namespace)) { |
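Review bot: The cast (KubernetesV2Credentials)credentials.getCredentials() in the added condition is unchecked, so credentials of any other type would surface here as a ClassCastException instead of a validation error. Consider an instanceof guard that rejects with a validation message before calling containsNamespace(namespace).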
missing space after first )
Checking the omit namespace is definitely important - I don't think this should be the place to check the default namespace. I'm thinking some sort of validation should fail if someone specifies a "Default namespace" that they can't deploy to because it's not listed in the "namespaces", or omitted by the "omitNamespaces".
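The configuration-time check suggested in the comment above, sketched as an added example (not code from this PR or from the project). NamespacePolicy and permits are hypothetical names, and treating an empty namespaces list as unrestricted is an assumption taken from the validateNamespace snippet shown in this review.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added illustration. NamespacePolicy and permits() are hypothetical names,
// not classes or methods from the Spinnaker code base.
public class NamespacePolicy {
  private final List<String> namespaces;     // allow-list; empty means unrestricted (assumption)
  private final List<String> omitNamespaces; // deny-list

  public NamespacePolicy(List<String> namespaces, List<String> omitNamespaces, String defaultNamespace) {
    this.namespaces = copyOrEmpty(namespaces);
    this.omitNamespaces = copyOrEmpty(omitNamespaces);
    // Fail when the account is configured, not on the first deploy.
    if (defaultNamespace != null && !defaultNamespace.isEmpty() && !permits(defaultNamespace)) {
      throw new IllegalArgumentException("default namespace '" + defaultNamespace
          + "' is excluded by namespaces/omitNamespaces");
    }
  }

  // Defensive copy so callers cannot change the lists after validation.
  private static List<String> copyOrEmpty(List<String> in) {
    return in == null ? Collections.<String>emptyList()
        : Collections.unmodifiableList(new ArrayList<String>(in));
  }

  // Allow-list first, then omit list: a namespace on both lists is refused.
  public boolean permits(String namespace) {
    if (!namespaces.isEmpty() && !namespaces.contains(namespace)) {
      return false;
    }
    return !omitNamespaces.contains(namespace);
  }

  public static void main(String[] args) {
    // Constructed sample values, not taken from any real account.
    NamespacePolicy policy = new NamespacePolicy(
        Arrays.asList("team-a", "team-b"), Arrays.asList("team-b"), "team-a");
    for (String ns : Arrays.asList("team-a", "team-b", "kube-system")) {
      System.out.println(ns + " permitted: " + policy.permits(ns));
    }
    try {
      new NamespacePolicy(Arrays.asList("team-a"), null, "default");
    } catch (IllegalArgumentException e) {
      System.out.println("config rejected: " + e.getMessage());
    }
  }
}
```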
8f89cfa to b4048a2
@lwander I have changed the logic and added tests for this now. I think the tests clearly show the behaviour now.
@@ -115,6 +115,14 @@ public String getDefaultNamespace() { | |||
return cachedDefaultNamespace; | |||
} | |||
|
|||
public List<String> getNamespaces() { |
I would just annotate the namespaces and omitNamespaces fields with @Getter like the properties above around line 77
protected boolean validateNamespace(String namespace, KubernetesV2Credentials credentials) { | ||
final List<String> configuredNamespaces = credentials.getNamespaces(); | ||
if (configuredNamespaces != null && !configuredNamespaces.isEmpty() && !configuredNamespaces.contains(namespace)) { | ||
reject( "wrongNamespace", "namespace"); |
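Review bot: The guard configuredNamespaces != null && !configuredNamespaces.isEmpty() makes this restriction fail open: an account whose namespaces list is null or empty accepts any namespace at this point. If an unset list is meant to mean "unrestricted", state that in a comment and cover it with a test, because emptying the list in configuration silently removes the restriction.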
Extra space before "
Also, should the string "namespace" be replaced with the actual requested namespace?
|
||
final List<String> omitNamespaces = credentials.getOmitNamespaces(); | ||
if (omitNamespaces != null && omitNamespaces.contains(namespace)) { | ||
reject( "omittedNamespace", "namespace"); |
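Review bot: Precedence between the two lists is implicit in the omitNamespaces.contains(namespace) check: a namespace that appears in both namespaces and omitNamespaces passes the earlier allow-list test and is refused here, so the omit list wins. Nothing in the code or the reject keys says this ordering is deliberate; a short comment and a test for the overlapping case would pin it down.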
Extra space before "
if (!validateNotEmpty("account", accountName)) { | ||
return false; | ||
} | ||
|
||
if (!validateNotEmpty("account", namespace)) { |
Should this be "namespace"?
return true; | ||
} | ||
|
||
protected boolean validateNamespace(String namespace, KubernetesV2Credentials credentials) { |
I'm thinking we should skip this (e.g. return true) when namespace is empty. If none is supplied, the default will be used which should be valid.
In line 88 we check if the namespace is empty, so it won't reach this part of the code if a namespace is not supplied.
Ah I missed that - thanks!
Line 89 returns false, which is not correct for resources without a namespace. I've submitted #2422 to change this.
ddbc46a to bb99d7a
Great work!
Solves spinnaker/spinnaker#2325
Depends on #2409