mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-05 10:19:50 +00:00
use the ClusterTrustBundles beta API
This commit is contained in:
Stanislav Láznička
parent
f598b4860c
commit
e0f536bf1f
@ -23,7 +23,7 @@ import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
"k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
@ -272,7 +272,7 @@ func newKubeAPIServerSignerClusterTrustBundledPublisherController(ctx context.Co
|
||||
}
|
||||
|
||||
func clusterTrustBundlesAvailable(client kubernetes.Interface) (bool, error) {
|
||||
resList, err := client.Discovery().ServerResourcesForGroupVersion(certificatesv1alpha1.SchemeGroupVersion.String())
|
||||
resList, err := client.Discovery().ServerResourcesForGroupVersion(certificatesv1beta1.SchemeGroupVersion.String())
|
||||
|
||||
if resList != nil {
|
||||
// even in case of an error above there might be a partial list for APIs that
|
||||
|
||||
@ -23,7 +23,7 @@ import (
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/component-base/metrics/legacyregistry"
|
||||
"k8s.io/component-base/metrics/testutil"
|
||||
@ -50,7 +50,7 @@ clustertrustbundle_publisher_sync_total{code="200"} 1
|
||||
},
|
||||
{
|
||||
desc: "kube api error",
|
||||
err: apierrors.NewNotFound(certificatesv1alpha1.Resource("clustertrustbundle"), "test.test:testSigner:something"),
|
||||
err: apierrors.NewNotFound(certificatesv1beta1.Resource("clustertrustbundle"), "test.test:testSigner:something"),
|
||||
metrics: []string{
|
||||
"clustertrustbundle_publisher_sync_total",
|
||||
},
|
||||
|
||||
@ -23,7 +23,7 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/fields"
|
||||
@ -31,9 +31,9 @@ import (
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||
certinformers "k8s.io/client-go/informers/certificates/v1alpha1"
|
||||
certinformers "k8s.io/client-go/informers/certificates/v1beta1"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
certlisters "k8s.io/client-go/listers/certificates/v1alpha1"
|
||||
certlisters "k8s.io/client-go/listers/certificates/v1beta1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
"k8s.io/client-go/util/workqueue"
|
||||
"k8s.io/klog/v2"
|
||||
@ -174,11 +174,11 @@ func (p *ClusterTrustBundlePublisher) syncClusterTrustBundle(ctx context.Context
|
||||
|
||||
bundle, err := p.ctbLister.Get(bundleName)
|
||||
if apierrors.IsNotFound(err) {
|
||||
_, err = p.client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, &certificatesv1alpha1.ClusterTrustBundle{
|
||||
_, err = p.client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, &certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: bundleName,
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: p.signerName,
|
||||
TrustBundle: caBundle,
|
||||
},
|
||||
@ -186,7 +186,7 @@ func (p *ClusterTrustBundlePublisher) syncClusterTrustBundle(ctx context.Context
|
||||
} else if err == nil && bundle.Spec.TrustBundle != caBundle {
|
||||
bundle = bundle.DeepCopy()
|
||||
bundle.Spec.TrustBundle = caBundle
|
||||
_, err = p.client.CertificatesV1alpha1().ClusterTrustBundles().Update(ctx, bundle, metav1.UpdateOptions{})
|
||||
_, err = p.client.CertificatesV1beta1().ClusterTrustBundles().Update(ctx, bundle, metav1.UpdateOptions{})
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
@ -205,7 +205,7 @@ func (p *ClusterTrustBundlePublisher) syncClusterTrustBundle(ctx context.Context
|
||||
continue
|
||||
}
|
||||
|
||||
if err := p.client.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, bundleObject.Name, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) {
|
||||
if err := p.client.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, bundleObject.Name, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) {
|
||||
klog.FromContext(ctx).Error(err, "failed to remove a cluster trust bundle", "bundleName", bundleObject.Name)
|
||||
deletionError = err
|
||||
}
|
||||
|
||||
@ -22,7 +22,7 @@ import (
|
||||
cryptorand "crypto/rand"
|
||||
"testing"
|
||||
|
||||
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||
@ -44,7 +44,7 @@ func TestCTBPublisherSync(t *testing.T) {
|
||||
|
||||
createAction := expectAction[clienttesting.CreateAction](t, filteredActions[0], "create")
|
||||
|
||||
ctb, ok := createAction.GetObject().(*certificatesv1alpha1.ClusterTrustBundle)
|
||||
ctb, ok := createAction.GetObject().(*certificatesv1beta1.ClusterTrustBundle)
|
||||
if !ok {
|
||||
t.Fatalf("expected ClusterTrustBundle create, got %v", createAction.GetObject())
|
||||
}
|
||||
@ -63,7 +63,7 @@ func TestCTBPublisherSync(t *testing.T) {
|
||||
|
||||
updateAction := expectAction[clienttesting.UpdateAction](t, filteredActions[0], "update")
|
||||
|
||||
ctb, ok := updateAction.GetObject().(*certificatesv1alpha1.ClusterTrustBundle)
|
||||
ctb, ok := updateAction.GetObject().(*certificatesv1beta1.ClusterTrustBundle)
|
||||
if !ok {
|
||||
t.Fatalf("expected ClusterTrustBundle update, got %v", updateAction.GetObject())
|
||||
}
|
||||
@ -109,19 +109,19 @@ func TestCTBPublisherSync(t *testing.T) {
|
||||
{
|
||||
name: "no CTBs for the current signer exist",
|
||||
existingCTBs: []runtime.Object{
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "nosigner",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
TrustBundle: "somedatahere",
|
||||
},
|
||||
},
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "signer:one",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: "signer",
|
||||
TrustBundle: "signerdata",
|
||||
},
|
||||
@ -132,11 +132,11 @@ func TestCTBPublisherSync(t *testing.T) {
|
||||
{
|
||||
name: "CTB for the signer exists with different content",
|
||||
existingCTBs: []runtime.Object{
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: testBundleName,
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: testSignerName,
|
||||
TrustBundle: "olddata",
|
||||
},
|
||||
@ -147,20 +147,20 @@ func TestCTBPublisherSync(t *testing.T) {
|
||||
{
|
||||
name: "multiple CTBs for the signer",
|
||||
existingCTBs: []runtime.Object{
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: testBundleName,
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: testSignerName,
|
||||
TrustBundle: string(testCAProvider.CurrentCABundleContent()),
|
||||
},
|
||||
},
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "test.test/testSigner:name2",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: testSignerName,
|
||||
TrustBundle: string(testCAProvider.CurrentCABundleContent()),
|
||||
},
|
||||
@ -171,20 +171,20 @@ func TestCTBPublisherSync(t *testing.T) {
|
||||
{
|
||||
name: "multiple CTBs for the signer - the one with the proper name needs changing",
|
||||
existingCTBs: []runtime.Object{
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: testBundleName,
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: testSignerName,
|
||||
TrustBundle: "olddata",
|
||||
},
|
||||
},
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "test.test/testSigner:name2",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: testSignerName,
|
||||
TrustBundle: string(testCAProvider.CurrentCABundleContent()),
|
||||
},
|
||||
@ -202,11 +202,11 @@ func TestCTBPublisherSync(t *testing.T) {
|
||||
{
|
||||
name: "another CTB with a different name exists for the signer",
|
||||
existingCTBs: []runtime.Object{
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "test.test/testSigner:preexisting",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: testSignerName,
|
||||
TrustBundle: string(testCAProvider.CurrentCABundleContent()),
|
||||
},
|
||||
@ -224,28 +224,28 @@ func TestCTBPublisherSync(t *testing.T) {
|
||||
{
|
||||
name: "CTB at the correct state - noop",
|
||||
existingCTBs: []runtime.Object{
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "nosigner",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
TrustBundle: "somedatahere",
|
||||
},
|
||||
},
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "signer:one",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: "signer",
|
||||
TrustBundle: "signerdata",
|
||||
},
|
||||
},
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: testBundleName,
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: testSignerName,
|
||||
TrustBundle: string(testCAProvider.CurrentCABundleContent()),
|
||||
},
|
||||
@ -297,9 +297,9 @@ func fakeKubeClientSetWithCTBList(t *testing.T, signerName string, ctbs ...runti
|
||||
return false, nil, nil
|
||||
}
|
||||
|
||||
retList := &certificatesv1alpha1.ClusterTrustBundleList{}
|
||||
retList := &certificatesv1beta1.ClusterTrustBundleList{}
|
||||
for _, ctb := range ctbs {
|
||||
ctbObj, ok := ctb.(*certificatesv1alpha1.ClusterTrustBundle)
|
||||
ctbObj, ok := ctb.(*certificatesv1beta1.ClusterTrustBundle)
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
|
||||
@ -277,6 +277,7 @@ func DefaultGenericAPIServicePriorities() map[schema.GroupVersion]APIServicePrio
|
||||
{Group: "authentication.k8s.io", Version: "v1alpha1"}: {Group: 17700, Version: 1},
|
||||
{Group: "authorization.k8s.io", Version: "v1"}: {Group: 17600, Version: 15},
|
||||
{Group: "certificates.k8s.io", Version: "v1"}: {Group: 17300, Version: 15},
|
||||
{Group: "certificates.k8s.io", Version: "v1beta1"}: {Group: 17300, Version: 9},
|
||||
{Group: "certificates.k8s.io", Version: "v1alpha1"}: {Group: 17300, Version: 1},
|
||||
{Group: "rbac.authorization.k8s.io", Version: "v1"}: {Group: 17000, Version: 15},
|
||||
{Group: "apiextensions.k8s.io", Version: "v1"}: {Group: 16700, Version: 15},
|
||||
|
||||
@ -37,6 +37,7 @@ import (
|
||||
batchapiv1 "k8s.io/api/batch/v1"
|
||||
certificatesapiv1 "k8s.io/api/certificates/v1"
|
||||
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
coordinationapiv1 "k8s.io/api/coordination/v1"
|
||||
coordinationv1alpha2 "k8s.io/api/coordination/v1alpha2"
|
||||
apiv1 "k8s.io/api/core/v1"
|
||||
@ -457,6 +458,7 @@ var (
|
||||
betaAPIGroupVersionsDisabledByDefault = []schema.GroupVersion{
|
||||
admissionregistrationv1beta1.SchemeGroupVersion,
|
||||
authenticationv1beta1.SchemeGroupVersion,
|
||||
certificatesv1beta1.SchemeGroupVersion,
|
||||
storageapiv1beta1.SchemeGroupVersion,
|
||||
flowcontrolv1beta1.SchemeGroupVersion,
|
||||
flowcontrolv1beta2.SchemeGroupVersion,
|
||||
|
||||
@ -86,7 +86,7 @@ func NewStorageFactoryConfigEffectiveVersion(effectiveVersion basecompatibility.
|
||||
networking.Resource("servicecidrs").WithVersion("v1beta1"),
|
||||
admissionregistration.Resource("mutatingadmissionpolicies").WithVersion("v1alpha1"),
|
||||
admissionregistration.Resource("mutatingadmissionpolicybindings").WithVersion("v1alpha1"),
|
||||
certificates.Resource("clustertrustbundles").WithVersion("v1alpha1"),
|
||||
certificates.Resource("clustertrustbundles").WithVersion("v1beta1"),
|
||||
storage.Resource("volumeattributesclasses").WithVersion("v1beta1"),
|
||||
storagemigration.Resource("storagemigrations").WithVersion("v1alpha1"),
|
||||
}
|
||||
|
||||
@ -25,13 +25,13 @@ import (
|
||||
"math/rand"
|
||||
"time"
|
||||
|
||||
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
k8serrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
lrucache "k8s.io/apimachinery/pkg/util/cache"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
certinformersv1alpha1 "k8s.io/client-go/informers/certificates/v1alpha1"
|
||||
certlistersv1alpha1 "k8s.io/client-go/listers/certificates/v1alpha1"
|
||||
certinformersv1beta1 "k8s.io/client-go/informers/certificates/v1beta1"
|
||||
certlistersv1beta1 "k8s.io/client-go/listers/certificates/v1beta1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
"k8s.io/klog/v2"
|
||||
)
|
||||
@ -50,7 +50,7 @@ type Manager interface {
|
||||
// ClusterTrustBundle objects.
|
||||
type InformerManager struct {
|
||||
ctbInformer cache.SharedIndexInformer
|
||||
ctbLister certlistersv1alpha1.ClusterTrustBundleLister
|
||||
ctbLister certlistersv1beta1.ClusterTrustBundleLister
|
||||
|
||||
normalizationCache *lrucache.LRUExpireCache
|
||||
cacheTTL time.Duration
|
||||
@ -59,7 +59,7 @@ type InformerManager struct {
|
||||
var _ Manager = (*InformerManager)(nil)
|
||||
|
||||
// NewInformerManager returns an initialized InformerManager.
|
||||
func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.ClusterTrustBundleInformer, cacheSize int, cacheTTL time.Duration) (*InformerManager, error) {
|
||||
func NewInformerManager(ctx context.Context, bundles certinformersv1beta1.ClusterTrustBundleInformer, cacheSize int, cacheTTL time.Duration) (*InformerManager, error) {
|
||||
// We need to call Informer() before calling start on the shared informer
|
||||
// factory, or the informer won't be registered to be started.
|
||||
m := &InformerManager{
|
||||
@ -74,7 +74,7 @@ func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.Clust
|
||||
// apply to them.
|
||||
_, err := m.ctbInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
|
||||
AddFunc: func(obj any) {
|
||||
ctb, ok := obj.(*certificatesv1alpha1.ClusterTrustBundle)
|
||||
ctb, ok := obj.(*certificatesv1beta1.ClusterTrustBundle)
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
@ -82,21 +82,21 @@ func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.Clust
|
||||
m.dropCacheFor(ctb)
|
||||
},
|
||||
UpdateFunc: func(old, new any) {
|
||||
ctb, ok := new.(*certificatesv1alpha1.ClusterTrustBundle)
|
||||
ctb, ok := new.(*certificatesv1beta1.ClusterTrustBundle)
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
logger.Info("Dropping cache for ClusterTrustBundle", "signerName", ctb.Spec.SignerName)
|
||||
m.dropCacheFor(new.(*certificatesv1alpha1.ClusterTrustBundle))
|
||||
m.dropCacheFor(new.(*certificatesv1beta1.ClusterTrustBundle))
|
||||
},
|
||||
DeleteFunc: func(obj any) {
|
||||
ctb, ok := obj.(*certificatesv1alpha1.ClusterTrustBundle)
|
||||
ctb, ok := obj.(*certificatesv1beta1.ClusterTrustBundle)
|
||||
if !ok {
|
||||
tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
ctb, ok = tombstone.Obj.(*certificatesv1alpha1.ClusterTrustBundle)
|
||||
ctb, ok = tombstone.Obj.(*certificatesv1beta1.ClusterTrustBundle)
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
@ -112,7 +112,7 @@ func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.Clust
|
||||
return m, nil
|
||||
}
|
||||
|
||||
func (m *InformerManager) dropCacheFor(ctb *certificatesv1alpha1.ClusterTrustBundle) {
|
||||
func (m *InformerManager) dropCacheFor(ctb *certificatesv1beta1.ClusterTrustBundle) {
|
||||
if ctb.Spec.SignerName != "" {
|
||||
m.normalizationCache.RemoveAll(func(key any) bool {
|
||||
return key.(cacheKeyType).signerName == ctb.Spec.SignerName
|
||||
@ -145,7 +145,7 @@ func (m *InformerManager) GetTrustAnchorsByName(name string, allowMissing bool)
|
||||
return nil, fmt.Errorf("while getting ClusterTrustBundle: %w", err)
|
||||
}
|
||||
|
||||
pemTrustAnchors, err := m.normalizeTrustAnchors([]*certificatesv1alpha1.ClusterTrustBundle{ctb})
|
||||
pemTrustAnchors, err := m.normalizeTrustAnchors([]*certificatesv1beta1.ClusterTrustBundle{ctb})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("while normalizing trust anchors: %w", err)
|
||||
}
|
||||
@ -184,7 +184,7 @@ func (m *InformerManager) GetTrustAnchorsBySigner(signerName string, labelSelect
|
||||
return nil, fmt.Errorf("while listing ClusterTrustBundles matching label selector %v: %w", labelSelector, err)
|
||||
}
|
||||
|
||||
ctbList := []*certificatesv1alpha1.ClusterTrustBundle{}
|
||||
ctbList := []*certificatesv1beta1.ClusterTrustBundle{}
|
||||
for _, ctb := range rawCTBList {
|
||||
if ctb.Spec.SignerName == signerName {
|
||||
ctbList = append(ctbList, ctb)
|
||||
@ -208,7 +208,7 @@ func (m *InformerManager) GetTrustAnchorsBySigner(signerName string, labelSelect
|
||||
return pemTrustAnchors, nil
|
||||
}
|
||||
|
||||
func (m *InformerManager) normalizeTrustAnchors(ctbList []*certificatesv1alpha1.ClusterTrustBundle) ([]byte, error) {
|
||||
func (m *InformerManager) normalizeTrustAnchors(ctbList []*certificatesv1beta1.ClusterTrustBundle) ([]byte, error) {
|
||||
// Deduplicate trust anchors from all ClusterTrustBundles.
|
||||
trustAnchorSet := sets.Set[string]{}
|
||||
for _, ctb := range ctbList {
|
||||
|
||||
@ -32,7 +32,7 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/google/go-cmp/cmp"
|
||||
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/informers"
|
||||
"k8s.io/client-go/kubernetes/fake"
|
||||
@ -46,7 +46,7 @@ func TestBeforeSynced(t *testing.T) {
|
||||
|
||||
informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0)
|
||||
|
||||
ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles()
|
||||
ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles()
|
||||
ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute)
|
||||
|
||||
_, err := ctbManager.GetTrustAnchorsByName("foo", false)
|
||||
@ -60,20 +60,20 @@ func TestGetTrustAnchorsByName(t *testing.T) {
|
||||
tCtx := ktesting.Init(t)
|
||||
defer cancel()
|
||||
|
||||
ctb1 := &certificatesv1alpha1.ClusterTrustBundle{
|
||||
ctb1 := &certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "ctb1",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
TrustBundle: mustMakeRoot(t, "root1"),
|
||||
},
|
||||
}
|
||||
|
||||
ctb2 := &certificatesv1alpha1.ClusterTrustBundle{
|
||||
ctb2 := &certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "ctb2",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
TrustBundle: mustMakeRoot(t, "root2"),
|
||||
},
|
||||
}
|
||||
@ -82,7 +82,7 @@ func TestGetTrustAnchorsByName(t *testing.T) {
|
||||
|
||||
informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0)
|
||||
|
||||
ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles()
|
||||
ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles()
|
||||
ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute)
|
||||
|
||||
informerFactory.Start(ctx.Done())
|
||||
@ -124,20 +124,20 @@ func TestGetTrustAnchorsByNameCaching(t *testing.T) {
|
||||
ctx, cancel := context.WithTimeout(tCtx, 20*time.Second)
|
||||
defer cancel()
|
||||
|
||||
ctb1 := &certificatesv1alpha1.ClusterTrustBundle{
|
||||
ctb1 := &certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "foo",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
TrustBundle: mustMakeRoot(t, "root1"),
|
||||
},
|
||||
}
|
||||
|
||||
ctb2 := &certificatesv1alpha1.ClusterTrustBundle{
|
||||
ctb2 := &certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "foo",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
TrustBundle: mustMakeRoot(t, "root2"),
|
||||
},
|
||||
}
|
||||
@ -146,7 +146,7 @@ func TestGetTrustAnchorsByNameCaching(t *testing.T) {
|
||||
|
||||
informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0)
|
||||
|
||||
ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles()
|
||||
ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles()
|
||||
ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute)
|
||||
|
||||
informerFactory.Start(ctx.Done())
|
||||
@ -180,10 +180,10 @@ func TestGetTrustAnchorsByNameCaching(t *testing.T) {
|
||||
}
|
||||
})
|
||||
|
||||
if err := kc.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil {
|
||||
if err := kc.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil {
|
||||
t.Fatalf("Error while deleting the old CTB: %v", err)
|
||||
}
|
||||
if _, err := kc.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil {
|
||||
if _, err := kc.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil {
|
||||
t.Fatalf("Error while adding new CTB: %v", err)
|
||||
}
|
||||
|
||||
@ -221,7 +221,7 @@ func TestGetTrustAnchorsBySignerName(t *testing.T) {
|
||||
|
||||
informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0)
|
||||
|
||||
ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles()
|
||||
ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles()
|
||||
ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute)
|
||||
|
||||
informerFactory.Start(ctx.Done())
|
||||
@ -335,7 +335,7 @@ func TestGetTrustAnchorsBySignerNameCaching(t *testing.T) {
|
||||
|
||||
informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0)
|
||||
|
||||
ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles()
|
||||
ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles()
|
||||
ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute)
|
||||
|
||||
informerFactory.Start(ctx.Done())
|
||||
@ -369,10 +369,10 @@ func TestGetTrustAnchorsBySignerNameCaching(t *testing.T) {
|
||||
}
|
||||
})
|
||||
|
||||
if err := kc.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil {
|
||||
if err := kc.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil {
|
||||
t.Fatalf("Error while deleting the old CTB: %v", err)
|
||||
}
|
||||
if _, err := kc.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil {
|
||||
if _, err := kc.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil {
|
||||
t.Fatalf("Error while adding new CTB: %v", err)
|
||||
}
|
||||
|
||||
@ -422,13 +422,13 @@ func mustMakeRoot(t *testing.T, cn string) string {
|
||||
}))
|
||||
}
|
||||
|
||||
func mustMakeCTB(name, signerName string, labels map[string]string, bundle string) *certificatesv1alpha1.ClusterTrustBundle {
|
||||
return &certificatesv1alpha1.ClusterTrustBundle{
|
||||
func mustMakeCTB(name, signerName string, labels map[string]string, bundle string) *certificatesv1beta1.ClusterTrustBundle {
|
||||
return &certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Labels: labels,
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: signerName,
|
||||
TrustBundle: bundle,
|
||||
},
|
||||
|
||||
@ -881,7 +881,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
|
||||
var clusterTrustBundleManager clustertrustbundle.Manager
|
||||
if kubeDeps.KubeClient != nil && utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundleProjection) {
|
||||
kubeInformers := informers.NewSharedInformerFactoryWithOptions(kubeDeps.KubeClient, 0)
|
||||
clusterTrustBundleManager, err = clustertrustbundle.NewInformerManager(ctx, kubeInformers.Certificates().V1alpha1().ClusterTrustBundles(), 2*int(kubeCfg.MaxPods), 5*time.Minute)
|
||||
clusterTrustBundleManager, err = clustertrustbundle.NewInformerManager(ctx, kubeInformers.Certificates().V1beta1().ClusterTrustBundles(), 2*int(kubeCfg.MaxPods), 5*time.Minute)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("while starting informer-based ClusterTrustBundle manager: %w", err)
|
||||
}
|
||||
|
||||
@ -30,8 +30,7 @@ import (
|
||||
autoscalingv1 "k8s.io/api/autoscaling/v1"
|
||||
autoscalingv2beta1 "k8s.io/api/autoscaling/v2beta1"
|
||||
batchv1 "k8s.io/api/batch/v1"
|
||||
batchv1beta1 "k8s.io/api/batch/v1beta1"
|
||||
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
batchv1beta1 "k8s.io/api/batch/v1beta1" // should this change, too? there are still certv1beta1.CSR printers, but not their v1 versions
|
||||
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
coordinationv1 "k8s.io/api/coordination/v1"
|
||||
coordinationv1alpha2 "k8s.io/api/coordination/v1alpha2"
|
||||
@ -420,7 +419,7 @@ func AddHandlers(h printers.PrintHandler) {
|
||||
|
||||
clusterTrustBundleColumnDefinitions := []metav1.TableColumnDefinition{
|
||||
{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
|
||||
{Name: "SignerName", Type: "string", Description: certificatesv1alpha1.ClusterTrustBundleSpec{}.SwaggerDoc()["signerName"]},
|
||||
{Name: "SignerName", Type: "string", Description: certificatesv1beta1.ClusterTrustBundleSpec{}.SwaggerDoc()["signerName"]},
|
||||
}
|
||||
h.TableHandler(clusterTrustBundleColumnDefinitions, printClusterTrustBundle)
|
||||
h.TableHandler(clusterTrustBundleColumnDefinitions, printClusterTrustBundleList)
|
||||
|
||||
@ -19,6 +19,7 @@ package rest
|
||||
import (
|
||||
certificatesapiv1 "k8s.io/api/certificates/v1"
|
||||
certificatesapiv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certificatesapiv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
"k8s.io/apiserver/pkg/registry/generic"
|
||||
"k8s.io/apiserver/pkg/registry/rest"
|
||||
genericapiserver "k8s.io/apiserver/pkg/server"
|
||||
@ -45,6 +46,12 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
|
||||
apiGroupInfo.VersionedResourcesStorageMap[certificatesapiv1.SchemeGroupVersion.Version] = storageMap
|
||||
}
|
||||
|
||||
if storageMap, err := p.v1beta1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
|
||||
return genericapiserver.APIGroupInfo{}, err
|
||||
} else if len(storageMap) > 0 {
|
||||
apiGroupInfo.VersionedResourcesStorageMap[certificatesapiv1beta1.SchemeGroupVersion.Version] = storageMap
|
||||
}
|
||||
|
||||
if storageMap, err := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
|
||||
return genericapiserver.APIGroupInfo{}, err
|
||||
} else if len(storageMap) > 0 {
|
||||
@ -70,6 +77,24 @@ func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.API
|
||||
return storage, nil
|
||||
}
|
||||
|
||||
func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
|
||||
storage := map[string]rest.Storage{}
|
||||
|
||||
if resource := "clustertrustbundles"; apiResourceConfigSource.ResourceEnabled(certificatesapiv1beta1.SchemeGroupVersion.WithResource(resource)) {
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
|
||||
bundleStorage, err := clustertrustbundlestore.NewREST(restOptionsGetter)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
storage[resource] = bundleStorage
|
||||
} else {
|
||||
klog.Warning("ClusterTrustBundle storage is disabled because the ClusterTrustBundle feature gate is disabled")
|
||||
}
|
||||
}
|
||||
|
||||
return storage, nil
|
||||
}
|
||||
|
||||
func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
|
||||
storage := map[string]rest.Storage{}
|
||||
|
||||
|
||||
@ -32,7 +32,7 @@ import (
|
||||
|
||||
"github.com/google/go-cmp/cmp"
|
||||
authenticationv1 "k8s.io/api/authentication/v1"
|
||||
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
v1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
@ -912,11 +912,11 @@ func TestCollectDataWithClusterTrustBundle(t *testing.T) {
|
||||
DefaultMode: utilptr.Int32(0644),
|
||||
},
|
||||
bundles: []runtime.Object{
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "foo",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
TrustBundle: string(goodCert1),
|
||||
},
|
||||
},
|
||||
@ -947,14 +947,14 @@ func TestCollectDataWithClusterTrustBundle(t *testing.T) {
|
||||
DefaultMode: utilptr.Int32(0644),
|
||||
},
|
||||
bundles: []runtime.Object{
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "foo:example:bar",
|
||||
Labels: map[string]string{
|
||||
"key": "value",
|
||||
},
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: "foo.example/bar",
|
||||
TrustBundle: string(goodCert1),
|
||||
},
|
||||
@ -981,11 +981,11 @@ func TestCollectDataWithClusterTrustBundle(t *testing.T) {
|
||||
DefaultMode: utilptr.Int32(0600),
|
||||
},
|
||||
bundles: []runtime.Object{
|
||||
&certificatesv1alpha1.ClusterTrustBundle{
|
||||
&certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "foo",
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
TrustBundle: string(goodCert1),
|
||||
},
|
||||
},
|
||||
|
||||
@ -427,7 +427,7 @@ func (f *fakeKubeletVolumeHost) GetHostUtil() hostutil.HostUtils {
|
||||
}
|
||||
|
||||
func (f *fakeKubeletVolumeHost) GetTrustAnchorsByName(name string, allowMissing bool) ([]byte, error) {
|
||||
ctb, err := f.kubeClient.CertificatesV1alpha1().ClusterTrustBundles().Get(context.Background(), name, metav1.GetOptions{})
|
||||
ctb, err := f.kubeClient.CertificatesV1beta1().ClusterTrustBundles().Get(context.Background(), name, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("while getting ClusterTrustBundle %s: %w", name, err)
|
||||
}
|
||||
@ -437,7 +437,7 @@ func (f *fakeKubeletVolumeHost) GetTrustAnchorsByName(name string, allowMissing
|
||||
|
||||
// Note: we do none of the deduplication and sorting that the real deal should do.
|
||||
func (f *fakeKubeletVolumeHost) GetTrustAnchorsBySigner(signerName string, labelSelector *metav1.LabelSelector, allowMissing bool) ([]byte, error) {
|
||||
ctbList, err := f.kubeClient.CertificatesV1alpha1().ClusterTrustBundles().List(context.Background(), metav1.ListOptions{})
|
||||
ctbList, err := f.kubeClient.CertificatesV1beta1().ClusterTrustBundles().List(context.Background(), metav1.ListOptions{})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("while listing all ClusterTrustBundles: %w", err)
|
||||
}
|
||||
|
||||
@ -265,7 +265,7 @@ const (
|
||||
|
||||
// +genclient
|
||||
// +genclient:nonNamespaced
|
||||
// +k8s:prerelease-lifecycle-gen:introduced=1.32
|
||||
// +k8s:prerelease-lifecycle-gen:introduced=1.33
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors
|
||||
@ -332,7 +332,7 @@ type ClusterTrustBundleSpec struct {
|
||||
TrustBundle string `json:"trustBundle" protobuf:"bytes,2,opt,name=trustBundle"`
|
||||
}
|
||||
|
||||
// +k8s:prerelease-lifecycle-gen:introduced=1.32
|
||||
// +k8s:prerelease-lifecycle-gen:introduced=1.33
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// ClusterTrustBundleList is a collection of ClusterTrustBundle objects
|
||||
|
||||
@ -32,7 +32,7 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
v1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
@ -266,7 +266,7 @@ var _ = SIGDescribe(framework.WithFeatureGate(features.ClusterTrustBundle), fram
|
||||
ginkgo.It("should be able to mount a big number (>100) of CTBs", func(ctx context.Context) {
|
||||
const numCTBs = 150
|
||||
|
||||
var initCTBs []*certificatesv1alpha1.ClusterTrustBundle
|
||||
var initCTBs []*certificatesv1beta1.ClusterTrustBundle
|
||||
var cleanups []func(ctx context.Context)
|
||||
var projections []v1.VolumeProjection
|
||||
|
||||
@ -443,7 +443,7 @@ func podForCTBProjection(projectionSources ...v1.VolumeProjection) *v1.Pod {
|
||||
// "signer.alive=false": <set of all PEMs whose CTBs contain `signer.alive: false` labels>,
|
||||
// "no-signer": <set of all PEMs that appear in CTBs with no specific signers>,
|
||||
// }
|
||||
func initCTBData() ([]*certificatesv1alpha1.ClusterTrustBundle, map[string]sets.Set[string]) {
|
||||
func initCTBData() ([]*certificatesv1beta1.ClusterTrustBundle, map[string]sets.Set[string]) {
|
||||
var pemSets = map[string]sets.Set[string]{
|
||||
testSignerOneName: sets.New[string](),
|
||||
testSignerTwoName: sets.New[string](),
|
||||
@ -452,7 +452,7 @@ func initCTBData() ([]*certificatesv1alpha1.ClusterTrustBundle, map[string]sets.
|
||||
noSignerKey: sets.New[string](),
|
||||
}
|
||||
|
||||
var ctbs []*certificatesv1alpha1.ClusterTrustBundle
|
||||
var ctbs []*certificatesv1beta1.ClusterTrustBundle
|
||||
|
||||
for i := range 10 {
|
||||
caPEM := mustMakeCAPEM(fmt.Sprintf("root%d", i))
|
||||
@ -487,20 +487,20 @@ func initCTBData() ([]*certificatesv1alpha1.ClusterTrustBundle, map[string]sets.
|
||||
return ctbs, pemSets
|
||||
}
|
||||
|
||||
func ctbForCA(ctbName, signerName, caPEM string, labels map[string]string) *certificatesv1alpha1.ClusterTrustBundle {
|
||||
return &certificatesv1alpha1.ClusterTrustBundle{
|
||||
func ctbForCA(ctbName, signerName, caPEM string, labels map[string]string) *certificatesv1beta1.ClusterTrustBundle {
|
||||
return &certificatesv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: ctbName,
|
||||
Labels: labels,
|
||||
},
|
||||
Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certificatesv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: signerName,
|
||||
TrustBundle: caPEM,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func mustInitCTBs(ctx context.Context, f *framework.Framework, ctbs []*certificatesv1alpha1.ClusterTrustBundle) func(context.Context) {
|
||||
func mustInitCTBs(ctx context.Context, f *framework.Framework, ctbs []*certificatesv1beta1.ClusterTrustBundle) func(context.Context) {
|
||||
cleanups := []func(context.Context){}
|
||||
for _, ctb := range ctbs {
|
||||
ctb := ctb
|
||||
@ -514,15 +514,15 @@ func mustInitCTBs(ctx context.Context, f *framework.Framework, ctbs []*certifica
|
||||
}
|
||||
}
|
||||
|
||||
func mustCreateCTB(ctx context.Context, f *framework.Framework, ctb *certificatesv1alpha1.ClusterTrustBundle) func(context.Context) {
|
||||
func mustCreateCTB(ctx context.Context, f *framework.Framework, ctb *certificatesv1beta1.ClusterTrustBundle) func(context.Context) {
|
||||
mutateCTBForTesting(ctb, f.UniqueName)
|
||||
|
||||
if _, err := f.ClientSet.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, ctb, metav1.CreateOptions{}); err != nil {
|
||||
if _, err := f.ClientSet.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, ctb, metav1.CreateOptions{}); err != nil {
|
||||
framework.Failf("Error while creating ClusterTrustBundle: %v", err)
|
||||
}
|
||||
|
||||
return func(ctx context.Context) {
|
||||
if err := f.ClientSet.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, ctb.Name, metav1.DeleteOptions{}); err != nil {
|
||||
if err := f.ClientSet.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, ctb.Name, metav1.DeleteOptions{}); err != nil {
|
||||
framework.Logf("failed to remove a cluster trust bundle: %v", err)
|
||||
}
|
||||
}
|
||||
@ -584,7 +584,7 @@ func getFileModeRegex(filePath string, mask *int32) string {
|
||||
return fmt.Sprintf("(%s|%s)", linuxOutput, windowsOutput)
|
||||
}
|
||||
|
||||
func ctbsToPEMs(ctbs []*certificatesv1alpha1.ClusterTrustBundle) []string {
|
||||
func ctbsToPEMs(ctbs []*certificatesv1beta1.ClusterTrustBundle) []string {
|
||||
var certPEMs []string
|
||||
for _, ctb := range ctbs {
|
||||
certPEMs = append(certPEMs, ctb.Spec.TrustBundle)
|
||||
@ -594,7 +594,7 @@ func ctbsToPEMs(ctbs []*certificatesv1alpha1.ClusterTrustBundle) []string {
|
||||
|
||||
// mutateCTBForTesting mutates the .spec.signerName and .name so that the created cluster
|
||||
// objects are unique and the tests can run in parallel
|
||||
func mutateCTBForTesting(ctb *certificatesv1alpha1.ClusterTrustBundle, uniqueName string) {
|
||||
func mutateCTBForTesting(ctb *certificatesv1beta1.ClusterTrustBundle, uniqueName string) {
|
||||
signer := ctb.Spec.SignerName
|
||||
if len(signer) == 0 {
|
||||
ctb.Name += uniqueName
|
||||
|
||||
@ -24,7 +24,7 @@ import (
|
||||
"math/big"
|
||||
"testing"
|
||||
|
||||
certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certsv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
@ -38,10 +38,6 @@ import (
|
||||
// Verifies that the ClusterTrustBundle attest admission plugin correctly
|
||||
// enforces that a user has "attest" on the affected signer name.
|
||||
func TestCTBAttestPlugin(t *testing.T) {
|
||||
// KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE allows for APIs pending removal to not block tests
|
||||
// TODO: Remove this line once certificates v1alpha1 types to be removed in 1.32 are fully removed
|
||||
t.Setenv("KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE", "true")
|
||||
|
||||
testCases := []struct {
|
||||
description string
|
||||
trustBundleName string
|
||||
@ -78,7 +74,7 @@ func TestCTBAttestPlugin(t *testing.T) {
|
||||
t.Run(tc.description, func(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--authorization-mode=RBAC", "--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion)}, framework.SharedEtcd())
|
||||
server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--authorization-mode=RBAC", "--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion)}, framework.SharedEtcd())
|
||||
defer server.TearDownFn()
|
||||
|
||||
client := kubernetes.NewForConfigOrDie(server.ClientConfig)
|
||||
@ -92,11 +88,11 @@ func TestCTBAttestPlugin(t *testing.T) {
|
||||
testUserConfig.Impersonate = rest.ImpersonationConfig{UserName: "test-user"}
|
||||
testUserClient := kubernetes.NewForConfigOrDie(testUserConfig)
|
||||
|
||||
bundle := &certsv1alpha1.ClusterTrustBundle{
|
||||
bundle := &certsv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: tc.trustBundleName,
|
||||
},
|
||||
Spec: certsv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certsv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: tc.targetSignerName,
|
||||
TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
|
||||
SerialNumber: big.NewInt(0),
|
||||
@ -108,7 +104,7 @@ func TestCTBAttestPlugin(t *testing.T) {
|
||||
})),
|
||||
},
|
||||
}
|
||||
_, err := testUserClient.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle, metav1.CreateOptions{})
|
||||
_, err := testUserClient.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle, metav1.CreateOptions{})
|
||||
if err != nil && err.Error() != tc.wantError {
|
||||
t.Fatalf("Bad error while creating ClusterTrustBundle; got %q want %q", err.Error(), tc.wantError)
|
||||
} else if err == nil && tc.wantError != "" {
|
||||
|
||||
@ -24,7 +24,7 @@ import (
|
||||
"math/big"
|
||||
"testing"
|
||||
|
||||
certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certsv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
|
||||
@ -38,16 +38,16 @@ func TestCTBSignerNameFieldSelector(t *testing.T) {
|
||||
|
||||
ctx := context.Background()
|
||||
|
||||
server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion)}, framework.SharedEtcd())
|
||||
server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion)}, framework.SharedEtcd())
|
||||
defer server.TearDownFn()
|
||||
|
||||
client := kubernetes.NewForConfigOrDie(server.ClientConfig)
|
||||
|
||||
bundle1 := &certsv1alpha1.ClusterTrustBundle{
|
||||
bundle1 := &certsv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "foo.com:bar:v1",
|
||||
},
|
||||
Spec: certsv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certsv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: "foo.com/bar",
|
||||
TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
|
||||
SerialNumber: big.NewInt(0),
|
||||
@ -59,15 +59,15 @@ func TestCTBSignerNameFieldSelector(t *testing.T) {
|
||||
})),
|
||||
},
|
||||
}
|
||||
if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{}); err != nil {
|
||||
if _, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{}); err != nil {
|
||||
t.Fatalf("Error while creating bundle1: %v", err)
|
||||
}
|
||||
|
||||
bundle2 := &certsv1alpha1.ClusterTrustBundle{
|
||||
bundle2 := &certsv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "foo.com:bar:v2",
|
||||
},
|
||||
Spec: certsv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certsv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: "foo.com/bar",
|
||||
TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
|
||||
SerialNumber: big.NewInt(0),
|
||||
@ -79,15 +79,15 @@ func TestCTBSignerNameFieldSelector(t *testing.T) {
|
||||
})),
|
||||
},
|
||||
}
|
||||
if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle2, metav1.CreateOptions{}); err != nil {
|
||||
if _, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle2, metav1.CreateOptions{}); err != nil {
|
||||
t.Fatalf("Error while creating bundle2: %v", err)
|
||||
}
|
||||
|
||||
bundle3 := &certsv1alpha1.ClusterTrustBundle{
|
||||
bundle3 := &certsv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "baz.com:bar:v1",
|
||||
},
|
||||
Spec: certsv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certsv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: "baz.com/bar",
|
||||
TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
|
||||
SerialNumber: big.NewInt(0),
|
||||
@ -99,11 +99,11 @@ func TestCTBSignerNameFieldSelector(t *testing.T) {
|
||||
})),
|
||||
},
|
||||
}
|
||||
if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle3, metav1.CreateOptions{}); err != nil {
|
||||
if _, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle3, metav1.CreateOptions{}); err != nil {
|
||||
t.Fatalf("Error while creating bundle3: %v", err)
|
||||
}
|
||||
|
||||
fooList, err := client.CertificatesV1alpha1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=foo.com/bar"})
|
||||
fooList, err := client.CertificatesV1beta1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=foo.com/bar"})
|
||||
if err != nil {
|
||||
t.Fatalf("Unable to list ClusterTrustBundles with spec.signerName=foo.com/bar")
|
||||
}
|
||||
@ -127,7 +127,7 @@ func TestCTBSignerNameFieldSelector(t *testing.T) {
|
||||
t.Errorf("Didn't find foo.com:bar:v2 in the list when listing for foo.com/bar")
|
||||
}
|
||||
|
||||
bazList, err := client.CertificatesV1alpha1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=baz.com/bar"})
|
||||
bazList, err := client.CertificatesV1beta1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=baz.com/bar"})
|
||||
if err != nil {
|
||||
t.Fatalf("Unable to list ClusterTrustBundles with spec.signerName=baz.com/bar")
|
||||
}
|
||||
|
||||
@ -24,7 +24,7 @@ import (
|
||||
"math/big"
|
||||
"testing"
|
||||
|
||||
certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
|
||||
certsv1beta1 "k8s.io/api/certificates/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
|
||||
@ -32,10 +32,6 @@ import (
|
||||
)
|
||||
|
||||
func TestCTBSignerNameChangeForbidden(t *testing.T) {
|
||||
// KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE allows for APIs pending removal to not block tests
|
||||
// TODO: Remove this line once certificates v1alpha1 types to be removed in 1.32 are fully removed
|
||||
t.Setenv("KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE", "true")
|
||||
|
||||
testCases := []struct {
|
||||
objectName string
|
||||
signer1 string
|
||||
@ -63,16 +59,16 @@ func TestCTBSignerNameChangeForbidden(t *testing.T) {
|
||||
|
||||
ctx := context.Background()
|
||||
|
||||
server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion)}, framework.SharedEtcd())
|
||||
server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion)}, framework.SharedEtcd())
|
||||
defer server.TearDownFn()
|
||||
|
||||
client := kubernetes.NewForConfigOrDie(server.ClientConfig)
|
||||
|
||||
bundle1 := &certsv1alpha1.ClusterTrustBundle{
|
||||
bundle1 := &certsv1beta1.ClusterTrustBundle{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: tc.objectName,
|
||||
},
|
||||
Spec: certsv1alpha1.ClusterTrustBundleSpec{
|
||||
Spec: certsv1beta1.ClusterTrustBundleSpec{
|
||||
SignerName: tc.signer1,
|
||||
TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
|
||||
SerialNumber: big.NewInt(0),
|
||||
@ -84,7 +80,7 @@ func TestCTBSignerNameChangeForbidden(t *testing.T) {
|
||||
})),
|
||||
},
|
||||
}
|
||||
bundle1, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{})
|
||||
bundle1, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{})
|
||||
if err != nil {
|
||||
t.Fatalf("Error while creating bundle1: %v", err)
|
||||
}
|
||||
@ -95,7 +91,7 @@ func TestCTBSignerNameChangeForbidden(t *testing.T) {
|
||||
// cluster trust bundle.
|
||||
bundle1.Spec.SignerName = tc.signer2
|
||||
|
||||
_, err = client.CertificatesV1alpha1().ClusterTrustBundles().Update(ctx, bundle1, metav1.UpdateOptions{})
|
||||
_, err = client.CertificatesV1beta1().ClusterTrustBundles().Update(ctx, bundle1, metav1.UpdateOptions{})
|
||||
if err == nil {
|
||||
t.Fatalf("Got nil error from updating bundle foo-com--bar from signerName=foo.com/bar to signerName=foo.com/bar2, but wanted an error")
|
||||
}
|
||||
|
||||
@ -216,13 +216,23 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, removeAl
|
||||
|
||||
// k8s.io/kubernetes/pkg/apis/certificates/v1alpha1
|
||||
gvr("certificates.k8s.io", "v1alpha1", "clustertrustbundles"): {
|
||||
Stub: `{"metadata": {"name": "example.com:signer:abc"}, "spec": {"signerName":"example.com/signer", "trustBundle": "-----BEGIN CERTIFICATE-----\nMIIBBDCBt6ADAgECAgEAMAUGAytlcDAQMQ4wDAYDVQQDEwVyb290MTAiGA8wMDAx\nMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAQMQ4wDAYDVQQDEwVyb290MTAq\nMAUGAytlcAMhAF2MoFeGa97gK2NGT1h6p1/a1GlMXAXbcjI/OShyIobPozIwMDAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTWDdK2CNQiHqRjPaAWYPPtIykQgjAF\nBgMrZXADQQCtom9WGl7m2SAa4tXM9Soo/mbInBsRhn187BMoqTAHInHchKup5/3y\nl1tYJSZZsEXnXrCvw2qLCBNif6+2YYgE\n-----END CERTIFICATE-----\n"}}`,
|
||||
ExpectedEtcdPath: "/registry/clustertrustbundles/example.com:signer:abc",
|
||||
Stub: `{"metadata": {"name": "example.com:signer:abcd"}, "spec": {"signerName":"example.com/signer", "trustBundle": "-----BEGIN CERTIFICATE-----\nMIIBBDCBt6ADAgECAgEAMAUGAytlcDAQMQ4wDAYDVQQDEwVyb290MTAiGA8wMDAx\nMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAQMQ4wDAYDVQQDEwVyb290MTAq\nMAUGAytlcAMhAF2MoFeGa97gK2NGT1h6p1/a1GlMXAXbcjI/OShyIobPozIwMDAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTWDdK2CNQiHqRjPaAWYPPtIykQgjAF\nBgMrZXADQQCtom9WGl7m2SAa4tXM9Soo/mbInBsRhn187BMoqTAHInHchKup5/3y\nl1tYJSZZsEXnXrCvw2qLCBNif6+2YYgE\n-----END CERTIFICATE-----\n"}}`,
|
||||
ExpectedEtcdPath: "/registry/clustertrustbundles/example.com:signer:abcd",
|
||||
ExpectedGVK: gvkP("certificates.k8s.io", "v1beta1", "ClusterTrustBundle"),
|
||||
IntroducedVersion: "1.26",
|
||||
RemovedVersion: "1.37",
|
||||
},
|
||||
// --
|
||||
|
||||
// k8s.io/kubernetes/pkg/apis/certificates/v1beta1
|
||||
gvr("certificates.k8s.io", "v1beta1", "clustertrustbundles"): {
|
||||
Stub: `{"metadata": {"name": "example.com:signer:abc"}, "spec": {"signerName":"example.com/signer", "trustBundle": "-----BEGIN CERTIFICATE-----\nMIIBBDCBt6ADAgECAgEAMAUGAytlcDAQMQ4wDAYDVQQDEwVyb290MTAiGA8wMDAx\nMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAQMQ4wDAYDVQQDEwVyb290MTAq\nMAUGAytlcAMhAF2MoFeGa97gK2NGT1h6p1/a1GlMXAXbcjI/OShyIobPozIwMDAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTWDdK2CNQiHqRjPaAWYPPtIykQgjAF\nBgMrZXADQQCtom9WGl7m2SAa4tXM9Soo/mbInBsRhn187BMoqTAHInHchKup5/3y\nl1tYJSZZsEXnXrCvw2qLCBNif6+2YYgE\n-----END CERTIFICATE-----\n"}}`,
|
||||
ExpectedEtcdPath: "/registry/clustertrustbundles/example.com:signer:abc",
|
||||
IntroducedVersion: "1.33",
|
||||
RemovedVersion: "1.39",
|
||||
},
|
||||
// --
|
||||
|
||||
// k8s.io/kubernetes/pkg/apis/coordination/v1
|
||||
gvr("coordination.k8s.io", "v1", "leases"): {
|
||||
Stub: `{"metadata": {"name": "leasev1"}, "spec": {"holderIdentity": "holder", "leaseDurationSeconds": 5}}`,
|
||||
|
||||
Loading…
Reference in New Issue
Block a user