JasonPowr committed Mar 12, 2024
1 parent 7084f9d commit ba7585b
Showing 23 changed files with 273 additions and 182 deletions.
11 changes: 7 additions & 4 deletions api/v1alpha1/fulcio_types.go
Expand Up @@ -11,6 +11,7 @@ import (
type FulcioSpec struct {
// Define whether you want to export service or not
ExternalAccess ExternalAccess `json:"externalAccess,omitempty"`
// Fulcio Configuration
//+required
Config FulcioConfig `json:"config"`
// Certificate configuration
Expand Down Expand Up @@ -44,8 +45,9 @@ type FulcioCert struct {
}

type FulcioConfig struct {
//+kubebuilder:validation:MinProperties:=1
OIDCIssuers map[string]OIDCIssuer `json:"OIDCIssuers"`
// OIDC Configuration
// +kubebuilder:validation:MinItems=1
OIDCIssuers []OIDCIssuer `json:"OIDCIssuers"`

// A meta issuer has a templated URL of the form:
// https://oidc.eks.*.amazonaws.com/id/*
Expand All @@ -55,13 +57,14 @@ type FulcioConfig struct {
// * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB
// * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster
// +optional
MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty"`
MetaIssuers []OIDCIssuer `json:"MetaIssuers,omitempty"`
}

type OIDCIssuer struct {
// The expected issuer of an OIDC token
IssuerURL string `json:"IssuerURL,omitempty"`
// The expected client ID of the OIDC token
// The expected issuer of an OIDC token
Issuer string `json:"Issuer,omitempty"`
//+required
ClientID string `json:"ClientID"`
// Used to determine the subject of the certificate and if additional
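Review bot: The new `Issuer` field carries the same comment as `IssuerURL` (`// The expected issuer of an OIDC token`), and from the hunk counts the `// The expected client ID of the OIDC token` comment above `ClientID` appears to have been dropped, so a reader cannot tell how `Issuer` and `IssuerURL` differ or which one is matched against the token's `iss` claim. Give each field its own sentence (which one is compared with the token issuer, which one is used for discovery — confirm against the Fulcio config schema) and restore the ClientID comment. Separately, moving `OIDCIssuers` from a map keyed by issuer URL to a slice drops the uniqueness the map key provided: two entries for the same issuer with different `ClientID` or `Type` can now be accepted by the API server, and which one ends up in the rendered Fulcio config is decided by the rendering code rather than the schema. If that is not intended, `// +listType=map` and `// +listMapKey=Issuer` (with `Issuer` made required instead of `omitempty`) would have the apiserver reject duplicates. The `FulcioConfig` and `OIDCIssuer` structs continue outside the hunk.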
30 changes: 22 additions & 8 deletions api/v1alpha1/fulcio_types_test.go
Expand Up @@ -29,7 +29,7 @@ var _ = Describe("Fulcio", func() {
Expect(k8sClient.Get(context.Background(), getKey(created), fetched)).To(Succeed())
Expect(fetched).To(Equal(created))

fetched.Spec.Config.OIDCIssuers["test"] = OIDCIssuer{
fetched.Spec.Config.OIDCIssuers[0] = OIDCIssuer{
Type: "email",
ClientID: "client",
}
Expand Down Expand Up @@ -128,11 +128,11 @@ var _ = Describe("Fulcio", func() {

It("config is not empty", func() {
invalidObject := generateFulcioObject("config-invalid")
invalidObject.Spec.Config.OIDCIssuers = make(map[string]OIDCIssuer)
invalidObject.Spec.Config.OIDCIssuers = []OIDCIssuer{}

Expect(apierrors.IsInvalid(k8sClient.Create(context.Background(), invalidObject))).To(BeTrue())
Expect(k8sClient.Create(context.Background(), invalidObject)).
To(MatchError(ContainSubstring("in body should have at least 1 properties")))
To(MatchError(ContainSubstring("in body should have at least 1 items")))
})
})

Expand Down Expand Up @@ -170,8 +170,8 @@ var _ = Describe("Fulcio", func() {
Host: "hostname",
},
Config: FulcioConfig{
OIDCIssuers: map[string]OIDCIssuer{
"oidc": {
OIDCIssuers: []OIDCIssuer{
{
ClientID: "client",
Type: "email",
IssuerURL: "url",
Expand All @@ -180,7 +180,7 @@ var _ = Describe("Fulcio", func() {
SPIFFETrustDomain: "SPIFFE",
SubjectDomain: "domain",
},
"oidc2": {
{
ClientID: "clien2",
Type: "email2",
IssuerURL: "url2",
Expand Down Expand Up @@ -220,11 +220,25 @@ func generateFulcioObject(name string) *Fulcio {
},
Spec: FulcioSpec{
Config: FulcioConfig{
OIDCIssuers: map[string]OIDCIssuer{
"oidc": {
OIDCIssuers: []OIDCIssuer{
{
ClientID: "client",
Type: "email",
IssuerURL: "url",
Issuer: "url",
},
},
MetaIssuers: []OIDCIssuer{
{
ClientID: "client",
Type: "email",
IssuerURL: "url",
Issuer: "url",
},
{
ClientID: "client",
Type: "email",
Issuer: "url",
},
},
},
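Review bot: The new `MetaIssuers` fixture gives its two entries identical `ClientID`, `Type` and `Issuer` values and differs only in whether `IssuerURL` is set, without saying why; a short comment such as `// second entry omits IssuerURL to cover the omitempty path` (if that is the intent) would make the fixture readable. Since `OIDCIssuers` is now a slice rather than a map, the suite no longer has any case with two entries for the same issuer, which the map key previously made impossible; a test pinning whether such an object is accepted or rejected would document the intended behaviour. `generateFulcioObject` continues outside the hunk.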
12 changes: 4 additions & 8 deletions api/v1alpha1/zz_generated.deepcopy.go


16 changes: 9 additions & 7 deletions bundle/manifests/rhtas-operator.clusterserviceversion.yaml
Expand Up @@ -45,13 +45,14 @@ metadata:
"organizationName": "Red Hat"
},
"config": {
"OIDCIssuers": {
"https://your-oidc-issuer-url": {
"OIDCIssuers": [
{
"ClientID": "trusted-artifact-signer",
"Issuer": "https://your-oidc-issuer-url",
"IssuerURL": "https://your-oidc-issuer-url",
"Type": "email"
}
}
]
},
"externalAccess": {
"enabled": true
Expand Down Expand Up @@ -95,13 +96,14 @@ metadata:
"organizationName": "Red Hat"
},
"config": {
"OIDCIssuers": {
"https://your-oidc-issuer-url": {
"OIDCIssuers": [
{
"ClientID": "trusted-artifact-signer",
"Issuer": "https://your-oidc-issuer-url",
"IssuerURL": "https://your-oidc-issuer-url",
"Type": "email"
}
}
]
},
"externalAccess": {
"enabled": true
Expand Down Expand Up @@ -186,7 +188,7 @@ metadata:
}
]
capabilities: Basic Install
createdAt: "2024-03-05T14:59:04Z"
createdAt: "2024-03-12T10:13:29Z"
operators.operatorframework.io/builder: operator-sdk-v1.32.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
name: rhtas-operator.v1.0.0
35 changes: 18 additions & 17 deletions bundle/manifests/rhtas.redhat.com_ctlogs.yaml
Expand Up @@ -50,16 +50,16 @@ spec:
key:
description: The key of the secret to select from. Must be a valid
secret key.
pattern: '[-._a-zA-Z0-9]+'
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
Expand All @@ -68,16 +68,16 @@ spec:
key:
description: The key of the secret to select from. Must be a valid
secret key.
pattern: '[-._a-zA-Z0-9]+'
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
publicKeyRef:
Expand All @@ -89,16 +89,16 @@ spec:
key:
description: The key of the secret to select from. Must be a valid
secret key.
pattern: '[-._a-zA-Z0-9]+'
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
rootCertificates:
Expand All @@ -111,16 +111,16 @@ spec:
key:
description: The key of the secret to select from. Must be a
valid secret key.
pattern: '[-._a-zA-Z0-9]+'
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: array
Expand Down Expand Up @@ -217,16 +217,16 @@ spec:
key:
description: The key of the secret to select from. Must be a valid
secret key.
pattern: '[-._a-zA-Z0-9]+'
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
Expand All @@ -235,16 +235,16 @@ spec:
key:
description: The key of the secret to select from. Must be a valid
secret key.
pattern: '[-._a-zA-Z0-9]+'
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
publicKeyRef:
Expand All @@ -253,16 +253,16 @@ spec:
key:
description: The key of the secret to select from. Must be a valid
secret key.
pattern: '[-._a-zA-Z0-9]+'
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
rootCertificates:
Expand All @@ -272,16 +272,16 @@ spec:
key:
description: The key of the secret to select from. Must be a
valid secret key.
pattern: '[-._a-zA-Z0-9]+'
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: array
Expand All @@ -294,8 +294,9 @@ spec:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
type: object
