Merge pull request #2034 from vmware-tanzu/jtc/older-idps-should-use-…

…unknown-condition-status OIDC/LDAP/AD IDPs should use unknown condition status
vmware-tanzu · Aug 7, 2024 · b377040 · b377040
2 parents fbbec50 + c1328d9
commit b377040
Show file tree

Hide file tree

Showing 16 changed files with 591 additions and 120 deletions.
diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
@@ -64,8 +64,6 @@ const (
 	reasonInvalidAuthenticator                      = "InvalidAuthenticator"
 	reasonInvalidCouldNotFetchJWKS                  = "InvalidCouldNotFetchJWKS"
 
-	msgUnableToValidate = "unable to validate; see other conditions for details"
-
 	// These default values come from the way that the Supervisor issues and signs tokens. We make these
 	// the defaults for a JWTAuthenticator so that they can easily integrate with the Supervisor.
 	defaultUsernameClaim = oidcapi.IDTokenClaimUsername
@@ -462,7 +460,7 @@ func (c *jwtCacheFillerController) validateProviderDiscovery(ctx context.Context
 			Type:    typeDiscoveryValid,
 			Status:  metav1.ConditionUnknown,
 			Reason:  conditionsutil.ReasonUnableToValidate,
-			Message: msgUnableToValidate,
+			Message: conditionsutil.MessageUnableToValidate,
 		})
 		return nil, nil, conditions, nil
 	}
@@ -500,7 +498,7 @@ func (c *jwtCacheFillerController) validateProviderJWKSURL(provider *coreosoidc.
 			Type:    typeJWKSURLValid,
 			Status:  metav1.ConditionUnknown,
 			Reason:  conditionsutil.ReasonUnableToValidate,
-			Message: msgUnableToValidate,
+			Message: conditionsutil.MessageUnableToValidate,
 		})
 		return "", conditions, nil
 	}
@@ -567,7 +565,7 @@ func (c *jwtCacheFillerController) validateJWKSFetch(ctx context.Context, jwksUR
 			Type:    typeJWKSFetchValid,
 			Status:  metav1.ConditionUnknown,
 			Reason:  conditionsutil.ReasonUnableToValidate,
-			Message: msgUnableToValidate,
+			Message: conditionsutil.MessageUnableToValidate,
 		})
 		return nil, conditions, nil
 	}
@@ -646,7 +644,7 @@ func (c *jwtCacheFillerController) newCachedJWTAuthenticator(
 			Type:    typeAuthenticatorValid,
 			Status:  metav1.ConditionUnknown,
 			Reason:  conditionsutil.ReasonUnableToValidate,
-			Message: msgUnableToValidate,
+			Message: conditionsutil.MessageUnableToValidate,
 		})
 		return nil, conditions, nil
 	}

diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
@@ -54,8 +54,6 @@ const (
 	reasonUnableToInstantiateWebhook = "UnableToInstantiateWebhook"
 	reasonInvalidEndpointURL         = "InvalidEndpointURL"
 	reasonInvalidEndpointURLScheme   = "InvalidEndpointURLScheme"
-
-	msgUnableToValidate = "unable to validate; see other conditions for details"
 )
 
 type cachedWebhookAuthenticator struct {
@@ -344,7 +342,7 @@ func newWebhookAuthenticator(
 			Type:    typeAuthenticatorValid,
 			Status:  metav1.ConditionUnknown,
 			Reason:  conditionsutil.ReasonUnableToValidate,
-			Message: msgUnableToValidate,
+			Message: conditionsutil.MessageUnableToValidate,
 		})
 		return nil, conditions, nil
 	}
@@ -425,7 +423,7 @@ func (c *webhookCacheFillerController) validateConnection(
 			Type:    typeWebhookConnectionValid,
 			Status:  metav1.ConditionUnknown,
 			Reason:  conditionsutil.ReasonUnableToValidate,
-			Message: msgUnableToValidate,
+			Message: conditionsutil.MessageUnableToValidate,
 		})
 		return conditions, nil
 	}

diff --git a/internal/controller/conditionsutil/conditions_util.go b/internal/controller/conditionsutil/conditions_util.go
@@ -12,13 +12,15 @@ import (
 	"go.pinniped.dev/internal/plog"
 )
 
-// Some common reasons shared by conditions of various resources.
+// Some common reasons and messages shared by conditions of various resources.
 const (
 	ReasonSuccess            = "Success"
 	ReasonNotReady           = "NotReady"
 	ReasonUnableToValidate   = "UnableToValidate"
 	ReasonUnableToDialServer = "UnableToDialServer"
 	ReasonInvalidIssuerURL   = "InvalidIssuerURL"
+
+	MessageUnableToValidate = "unable to validate; see other conditions for details"
 )
 
 // MergeConditions merges conditions into conditionsToUpdate.

diff --git a/...ller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go b/...ller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@@ -94,10 +94,6 @@ func (g *activeDirectoryUpstreamGenericLDAPImpl) Generation() int64 {
 	return g.activeDirectoryIdentityProvider.Generation
 }
 
-func (g *activeDirectoryUpstreamGenericLDAPImpl) Status() upstreamwatchers.UpstreamGenericLDAPStatus {
-	return &activeDirectoryUpstreamGenericLDAPStatus{g.activeDirectoryIdentityProvider}
-}
-
 type activeDirectoryUpstreamGenericLDAPSpec struct {
 	activeDirectoryIdentityProvider idpv1alpha1.ActiveDirectoryIdentityProvider
 }
@@ -122,6 +118,15 @@ func (s *activeDirectoryUpstreamGenericLDAPSpec) GroupSearch() upstreamwatchers.
 	return &activeDirectoryUpstreamGenericLDAPGroupSearch{s.activeDirectoryIdentityProvider.Spec.GroupSearch}
 }
 
+func (s *activeDirectoryUpstreamGenericLDAPSpec) UnknownSearchBaseCondition() *metav1.Condition {
+	return &metav1.Condition{
+		Type:    upstreamwatchers.TypeSearchBaseFound,
+		Status:  metav1.ConditionUnknown,
+		Reason:  conditionsutil.ReasonUnableToValidate,
+		Message: conditionsutil.MessageUnableToValidate,
+	}
+}
+
 func (s *activeDirectoryUpstreamGenericLDAPSpec) DetectAndSetSearchBase(ctx context.Context, config *upstreamldap.ProviderConfig) *metav1.Condition {
 	config.GroupSearch.Base = s.activeDirectoryIdentityProvider.Spec.GroupSearch.Base
 	config.UserSearch.Base = s.activeDirectoryIdentityProvider.Spec.UserSearch.Base
@@ -216,14 +221,6 @@ func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) GroupNameAttribute() str
 	return g.groupSearch.Attributes.GroupName
 }
 
-type activeDirectoryUpstreamGenericLDAPStatus struct {
-	activeDirectoryIdentityProvider idpv1alpha1.ActiveDirectoryIdentityProvider
-}
-
-func (s *activeDirectoryUpstreamGenericLDAPStatus) Conditions() []metav1.Condition {
-	return s.activeDirectoryIdentityProvider.Status.Conditions
-}
-
 // UpstreamActiveDirectoryIdentityProviderICache is a thread safe cache that holds a list of validated upstream LDAP IDP configurations.
 type UpstreamActiveDirectoryIdentityProviderICache interface {
 	SetActiveDirectoryIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI)

diff --git a/...supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go b/...supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
@@ -366,6 +366,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 			ObservedGeneration: gen,
 		}
 	}
+
 	activeDirectoryConnectionValidTrueCondition := func(gen int64, secretVersion string) metav1.Condition {
 		return metav1.Condition{
 			Type:               "LDAPConnectionValid",
@@ -383,6 +384,17 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		c.LastTransitionTime = metav1.Time{}
 		return c
 	}
+	ldapConnectionValidUnknownCondition := func(gen int64) metav1.Condition {
+		return metav1.Condition{
+			Type:               "LDAPConnectionValid",
+			Status:             "Unknown",
+			LastTransitionTime: now,
+			Reason:             "UnableToValidate",
+			Message:            "unable to validate; see other conditions for details",
+			ObservedGeneration: gen,
+		}
+	}
+
 	condPtr := func(c metav1.Condition) *metav1.Condition {
 		return &c
 	}
@@ -391,6 +403,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		c.LastTransitionTime = metav1.Time{}
 		return c
 	}
+
 	tlsConfigurationValidLoadedTrueCondition := func(gen int64, msg string) metav1.Condition {
 		return metav1.Condition{
 			Type:               "TLSConfigurationValid",
@@ -435,6 +448,17 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 		}
 	}
 
+	searchBaseFoundUnknownCondition := func(gen int64) metav1.Condition {
+		return metav1.Condition{
+			Type:               "SearchBaseFound",
+			Status:             "Unknown",
+			LastTransitionTime: now,
+			Reason:             "UnableToValidate",
+			Message:            "unable to validate; see other conditions for details",
+			ObservedGeneration: gen,
+		}
+	}
+
 	allConditionsTrue := func(gen int64, secretVersion string) []metav1.Condition {
 		return []metav1.Condition{
 			bindSecretValidTrueCondition(gen),
@@ -663,6 +687,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`secret "%s" not found`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
+						ldapConnectionValidUnknownCondition(1234),
+						searchBaseFoundUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -691,6 +717,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`referenced Secret "%s" has wrong type "some-other-type" (should be "kubernetes.io/basic-auth")`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
+						ldapConnectionValidUnknownCondition(1234),
+						searchBaseFoundUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -718,6 +746,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`referenced Secret "%s" is missing required keys ["username" "password"]`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
+						ldapConnectionValidUnknownCondition(1234),
+						searchBaseFoundUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -737,6 +767,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					Phase: "Error",
 					Conditions: []metav1.Condition{
 						bindSecretValidTrueCondition(1234),
+						ldapConnectionValidUnknownCondition(1234),
+						searchBaseFoundUnknownCondition(1234),
 						{
 							Type:               "TLSConfigurationValid",
 							Status:             "False",
@@ -763,6 +795,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 					Phase: "Error",
 					Conditions: []metav1.Condition{
 						bindSecretValidTrueCondition(1234),
+						ldapConnectionValidUnknownCondition(1234),
+						searchBaseFoundUnknownCondition(1234),
 						{
 							Type:               "TLSConfigurationValid",
 							Status:             "False",
@@ -1158,6 +1192,8 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 								Message:            fmt.Sprintf(`secret "%s" not found`, "non-existent-secret"),
 								ObservedGeneration: 42,
 							},
+							ldapConnectionValidUnknownCondition(42),
+							searchBaseFoundUnknownCondition(42),
 							tlsConfigurationValidLoadedTrueCondition(42, "using configured CA bundle"),
 						},
 					},

diff --git a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go
@@ -464,7 +464,7 @@ func (c *gitHubWatcherController) validateGitHubConnection(
 			Type:    GitHubConnectionValid,
 			Status:  metav1.ConditionUnknown,
 			Reason:  conditionsutil.ReasonUnableToValidate,
-			Message: "unable to validate; see other conditions for details",
+			Message: conditionsutil.MessageUnableToValidate,
 		}, nil, nil
 	}
 

diff --git a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher.go
@@ -50,10 +50,6 @@ func (g *ldapUpstreamGenericLDAPImpl) Generation() int64 {
 	return g.ldapIdentityProvider.Generation
 }
 
-func (g *ldapUpstreamGenericLDAPImpl) Status() upstreamwatchers.UpstreamGenericLDAPStatus {
-	return &ldapUpstreamGenericLDAPStatus{g.ldapIdentityProvider}
-}
-
 type ldapUpstreamGenericLDAPSpec struct {
 	ldapIdentityProvider idpv1alpha1.LDAPIdentityProvider
 }
@@ -78,10 +74,14 @@ func (s *ldapUpstreamGenericLDAPSpec) GroupSearch() upstreamwatchers.UpstreamGen
 	return &ldapUpstreamGenericLDAPGroupSearch{s.ldapIdentityProvider.Spec.GroupSearch}
 }
 
+func (s *ldapUpstreamGenericLDAPSpec) UnknownSearchBaseCondition() *metav1.Condition {
+	return nil // currently, only AD returns a condition for this
+}
+
 func (s *ldapUpstreamGenericLDAPSpec) DetectAndSetSearchBase(_ context.Context, config *upstreamldap.ProviderConfig) *metav1.Condition {
 	config.GroupSearch.Base = s.ldapIdentityProvider.Spec.GroupSearch.Base
 	config.UserSearch.Base = s.ldapIdentityProvider.Spec.UserSearch.Base
-	return nil
+	return nil // currently, only AD returns a condition for this
 }
 
 type ldapUpstreamGenericLDAPUserSearch struct {
@@ -124,14 +124,6 @@ func (g *ldapUpstreamGenericLDAPGroupSearch) GroupNameAttribute() string {
 	return g.groupSearch.Attributes.GroupName
 }
 
-type ldapUpstreamGenericLDAPStatus struct {
-	ldapIdentityProvider idpv1alpha1.LDAPIdentityProvider
-}
-
-func (s *ldapUpstreamGenericLDAPStatus) Conditions() []metav1.Condition {
-	return s.ldapIdentityProvider.Status.Conditions
-}
-
 // UpstreamLDAPIdentityProviderICache is a thread safe cache that holds a list of validated upstream LDAP IDP configurations.
 type UpstreamLDAPIdentityProviderICache interface {
 	SetLDAPIdentityProviders([]upstreamprovider.UpstreamLDAPIdentityProviderI)

diff --git a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
@@ -363,6 +363,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 			ObservedGeneration: gen,
 		}
 	}
+
 	ldapConnectionValidTrueCondition := func(gen int64, secretVersion string) metav1.Condition {
 		return metav1.Condition{
 			Type:               "LDAPConnectionValid",
@@ -380,9 +381,21 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 		c.LastTransitionTime = metav1.Time{}
 		return c
 	}
+	ldapConnectionValidUnknownCondition := func(gen int64) metav1.Condition {
+		return metav1.Condition{
+			Type:               "LDAPConnectionValid",
+			Status:             "Unknown",
+			LastTransitionTime: now,
+			Reason:             "UnableToValidate",
+			Message:            "unable to validate; see other conditions for details",
+			ObservedGeneration: gen,
+		}
+	}
+
 	condPtr := func(c metav1.Condition) *metav1.Condition {
 		return &c
 	}
+
 	tlsConfigurationValidLoadedTrueCondition := func(gen int64, msg string) metav1.Condition {
 		return metav1.Condition{
 			Type:               "TLSConfigurationValid",
@@ -393,6 +406,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 			ObservedGeneration: gen,
 		}
 	}
+
 	allConditionsTrue := func(gen int64, secretVersion string) []metav1.Condition {
 		return []metav1.Condition{
 			bindSecretValidTrueCondition(gen),
@@ -588,6 +602,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`secret "%s" not found`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
+						ldapConnectionValidUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -616,6 +631,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`referenced Secret "%s" has wrong type "some-other-type" (should be "kubernetes.io/basic-auth")`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
+						ldapConnectionValidUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -643,6 +659,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 							Message:            fmt.Sprintf(`referenced Secret "%s" is missing required keys ["username" "password"]`, testBindSecretName),
 							ObservedGeneration: 1234,
 						},
+						ldapConnectionValidUnknownCondition(1234),
 						tlsConfigurationValidLoadedTrueCondition(1234, "using configured CA bundle"),
 					},
 				},
@@ -662,6 +679,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 					Phase: "Error",
 					Conditions: []metav1.Condition{
 						bindSecretValidTrueCondition(1234),
+						ldapConnectionValidUnknownCondition(1234),
 						{
 							Type:               "TLSConfigurationValid",
 							Status:             "False",
@@ -688,6 +706,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 					Phase: "Error",
 					Conditions: []metav1.Condition{
 						bindSecretValidTrueCondition(1234),
+						ldapConnectionValidUnknownCondition(1234),
 						{
 							Type:               "TLSConfigurationValid",
 							Status:             "False",
@@ -981,6 +1000,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 								Message:            fmt.Sprintf(`secret "%s" not found`, "non-existent-secret"),
 								ObservedGeneration: 42,
 							},
+							ldapConnectionValidUnknownCondition(42),
 							tlsConfigurationValidLoadedTrueCondition(42, "using configured CA bundle"),
 						},
 					},