Add additional cluster regexp info to RerunAuthConfigs

kaalams · Jul 14, 2022 · 8c25d75 · 8c25d75
1 parent f113564
commit 8c25d75
Show file tree

Hide file tree

Showing 7 changed files with 618 additions and 164 deletions.
diff --git a/prow/ANNOUNCEMENTS.md b/prow/ANNOUNCEMENTS.md
@@ -3,6 +3,11 @@
 ## New features
 
 New features added to each component:
+  - *June 8, 2022* `deck.rerun_auth_configs` can optionally be replaced with
+    `deck.default_rerun_auth_configs` which supports a new format
+    that is a slice of filters with associated rerun auth configs rather than a
+    map. Currently entries can filter by repo and/or cluster. The old field is still
+    supported and will not be deprecated.
   - *April 6, 2022* Highlight and pin interesting lines. To do this,
     shift-click on log lines in the buildlog lens. The URL fragment
     causes the same lines to be highlighted next page load. Additionally,

diff --git a/prow/apis/prowjobs/v1/types.go b/prow/apis/prowjobs/v1/types.go
@@ -1046,6 +1046,13 @@ func (r Refs) String() string {
 	return strings.Join(rs, ",")
 }
 
+func (r Refs) OrgRepoString() string {
+	if r.Repo != "" {
+		return r.Org + "/" + r.Repo
+	}
+	return r.Org
+}
+
 // JenkinsSpec is optional parameters for Jenkins jobs.
 // Currently, the only parameter supported is for telling
 // jenkins-operator that the job is generated by the https://go.cloudbees.com/docs/plugins/github-branch-source/#github-branch-source plugin

diff --git a/prow/cmd/deck/main.go b/prow/cmd/deck/main.go
@@ -216,7 +216,7 @@ var (
 	traceHandler        = metrics.TraceHandler(simplifier, httpRequestDuration, httpResponseSize)
 )
 
-type authCfgGetter func(*prowapi.Refs) *prowapi.RerunAuthConfig
+type authCfgGetter func(*prowapi.Refs, string) *prowapi.RerunAuthConfig
 
 func init() {
 	prometheus.MustRegister(httpRequestDuration)
@@ -419,9 +419,8 @@ func main() {
 		}
 	}
 
-	authCfgGetter := func(refs *prowapi.Refs) *prowapi.RerunAuthConfig {
-		rac := cfg().Deck.RerunAuthConfigs.GetRerunAuthConfig(refs)
-		return &rac
+	authCfgGetter := func(refs *prowapi.Refs, cluster string) *prowapi.RerunAuthConfig {
+		return cfg().Deck.GetRerunAuthConfig(refs, cluster)
 	}
 
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
@@ -493,7 +492,7 @@ func main() {
 	// if we allow direct reruns, we must protect against CSRF in all post requests using the cookie secret as a token
 	// for more information about CSRF, see https://github.com/kubernetes/test-infra/blob/master/prow/cmd/deck/csrf.md
 	empty := prowapi.Refs{}
-	if o.rerunCreatesJob && csrfToken == nil && !authCfgGetter(&empty).IsAllowAnyone() {
+	if o.rerunCreatesJob && csrfToken == nil && !authCfgGetter(&empty, "").IsAllowAnyone() {
 		logrus.Fatal("Rerun creates job cannot be enabled without CSRF protection, which requires --cookie-secret to be exactly 32 bytes")
 		return
 	}
@@ -1499,7 +1498,7 @@ func handleRerun(prowJobClient prowv1.ProwJobInterface, createProwJob bool, cfg
 				http.Error(w, "Direct rerun feature is not enabled. Enable with the '--rerun-creates-job' flag.", http.StatusMethodNotAllowed)
 				return
 			}
-			authConfig := cfg(pj.Spec.Refs)
+			authConfig := cfg(pj.Spec.Refs, pj.Spec.Cluster)
 			var allowed bool
 			if pj.Spec.RerunAuthConfig.IsAllowAnyone() || authConfig.IsAllowAnyone() {
 				// Skip getting the users login via GH oauth if anyone is allowed to rerun

diff --git a/prow/cmd/deck/main_test.go b/prow/cmd/deck/main_test.go
@@ -543,7 +543,7 @@ func TestRerun(t *testing.T) {
 					State: prowapi.PendingState,
 				},
 			})
-			authCfgGetter := func(refs *prowapi.Refs) *prowapi.RerunAuthConfig {
+			authCfgGetter := func(refs *prowapi.Refs, cluster string) *prowapi.RerunAuthConfig {
 				return &prowapi.RerunAuthConfig{
 					AllowAnyone: tc.allowAnyone,
 					GitHubUsers: tc.authorized,