crdgen: Update testdata (#49375) (#49670)
* Update crdgen testdata

* Update CONTRIBUTING.md
bernardjkim authored Dec 3, 2024
1 parent 20aec3a commit d20c267
Showing 15 changed files with 1,806 additions and 129 deletions.
20 changes: 11 additions & 9 deletions integrations/operator/CONTRIBUTING.md
@@ -17,12 +17,12 @@ other .proto files used to generate the CRDs have changed).

#### Generate the new CRD

1. Add the type name to the `resources` list in `crdgen/main.go`.
1. Add the type name to the `resources` list in `crdgen/handlerequest.go`.
2. Add the proto file to the `PROTOS` list in `Makefile` if it is not
already present. Also add it to the `PROTOS` list in `crdgen/Makefile`.
3. Run `make manifests` to generate the CRD.
4. Run `make crdgen-test`. This will should fail if your new CRD is generated.
Update the test snapshots with `make -C crdgen update-snapshots`
Update the test snapshots with `make -C crdgen update-snapshot`

#### Create a "scheme" defining Go types to match the CRD

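Review bot: the unchanged context line "4. Run `make crdgen-test`. This will should fail if your new CRD is generated." carries a doubled modal, and since the line directly below it is being edited in this hunk, fix it in the same pass: "This should fail if a new CRD was generated" (it fails because the stored snapshot no longer matches). The renamed target `update-snapshot` (singular) has to match the target actually defined in `crdgen/Makefile`; that Makefile is not part of this diff, so please confirm the name rather than relying on the old `update-snapshots` spelling being the typo.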
@@ -40,13 +40,16 @@ Follow the same patterns of existing reconcilers in those packages.
Use the generic TeleportResourceReconciler if possible, that way you only have
to implement CRUD methods for your resource.

Write unit tests for your reconciler. Use the generic `testResourceCreation`,
`testResourceDeletionDrift`, and `testResourceUpdate` helpers to get baseline
Write unit tests for your reconciler. Use the generic `ResourceCreationTest`,
`ResourceDeletionDriftTest`, and `ResourceUpdateTest` helpers to get baseline
coverage.

Update the `defaultTeleportServiceConfig` teleport role in
`controllers/resources/testlib/env.go` with any new required permissions.

#### Register your reconciler and scheme

In `main.go` and `controllers/resources/testlib/env.go` instantiate your
In `controllers/resources/setup.go` instantiate your
controller and register it with the controller-runtime manager.
Follow the pattern of existing resources which instantiate the reconciler and
call the `SetupWithManager(mgr)` method.
@@ -59,11 +62,10 @@ your resource version is added to the root `scheme` with a call like

Add Kubernetes RBAC permissions to allow the operator to work with the resources
on the Kubernetes side.
The cluster role spec is found in `../../examples/chart/teleport-cluster/templates/auth/clusterrole.yaml`.
The cluster role spec is found in `../../examples/chart/teleport-cluster/templates/auth/config.yaml`.

Add Teleport RBAC permissions for to allow the operator to work with the
resources on the Teleport side.
These should be added to the sidecar role in `sidecar/sidecar.go`.
Update the RBAC permissions in `hack/fixture-operator-role.yaml` to update
operator the role used for debugging.

### Debugging tips

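Review bot: the new line "Update the RBAC permissions in `hack/fixture-operator-role.yaml` to update operator the role used for debugging." has a word-order slip; suggest "to update the operator role used for debugging". More importantly, the deleted sentence told contributors where the operator's Teleport-side permissions are granted (`sidecar/sidecar.go`), and the replacement only covers the debugging fixture; add a sentence saying where the role used by a deployed operator is defined now, otherwise a new reconciler can pass against the fixture and still lack the Teleport permission in a real deployment. While here, the unchanged context "Add Teleport RBAC permissions for to allow the operator" has a stray "for".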
@@ -153,6 +153,10 @@ spec:
description: ineligible_status describes if this owner is eligible
or not and if not, describes how they're lacking eligibility.
x-kubernetes-int-or-string: true
membership_kind:
description: membership_kind describes the type of membership,
either `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`.
x-kubernetes-int-or-string: true
name:
description: name is the username of the owner.
type: string
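Review bot: `membership_kind` is documented as taking one of two named values (`MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`), but the schema is `x-kubernetes-int-or-string: true` with no `enum`, so the API server admits any integer or any string and a typo is only caught by the auth service after the resource is already stored. This is the same shape `ineligible_status` gets directly above, so the fix belongs in crdgen's handling of proto enums rather than in this snapshot, but it deserves a follow-up: emitting `enum:` with the proto names (and the numeric values, if those must stay accepted) would reject bad values at admission time.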
@@ -65,7 +65,7 @@ spec:
type: array
client_id:
description: ClientID is the id of the authentication client (Teleport
Auth server).
Auth Service).
type: string
client_redirect_settings:
description: ClientRedirectSettings defines which client redirect
@@ -116,6 +116,42 @@ spec:
time period, they will be forced to re-authenticate.
format: duration
type: string
mfa:
description: MFASettings contains settings to enable SSO MFA checks
through this auth connector.
nullable: true
properties:
acr_values:
description: AcrValues are Authentication Context Class Reference
values. The meaning of the ACR value is context-specific and
varies for identity providers. Some identity providers support
MFA specific contexts, such Okta with its "phr" (phishing-resistant)
ACR.
type: string
client_id:
description: ClientID is the OIDC OAuth app client ID.
type: string
client_secret:
description: ClientSecret is the OIDC OAuth app client secret.
type: string
enabled:
description: Enabled specified whether this OIDC connector supports
MFA checks. Defaults to false.
type: boolean
max_age:
description: MaxAge is the amount of time in nanoseconds that
an IdP session is valid for. Defaults to 0 to always force re-authentication
for MFA checks. This should only be set to a non-zero value
if the IdP is setup to perform MFA checks on top of active user
sessions.
format: duration
type: string
prompt:
description: Prompt is an optional OIDC prompt. An empty string
omits prompt. If not specified, it defaults to select_account
for backwards compatibility.
type: string
type: object
prompt:
description: Prompt is an optional OIDC prompt. An empty string omits
prompt. If not specified, it defaults to select_account for backwards
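Review bot: `mfa.client_secret` is schema'd as a plain `type: string`, so the OIDC app secret used for the MFA check lives in cleartext in the custom resource, and therefore in etcd and in the output of anyone allowed to read the connector resource; the top-level connector secret has the same shape, so this is not a regression, but the description should say so, or the operator should allow referencing a Kubernetes Secret instead. Two description errors inherited from the proto comments: `max_age` says "amount of time in nanoseconds" while the schema is `format: duration`, so a YAML author writes `1h`, not an integer, and the text should say that; and "Enabled specified whether" / "such Okta" should read "Enabled specifies whether" / "such as Okta". Fix these in the source `.proto` and regenerate rather than hand-editing the snapshot.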
@@ -70,8 +70,8 @@ spec:
type: array
aws_role:
description: AWSRole is used for the EC2 join method and is
the ARN of the AWS role that the auth server will assume in
order to call the ec2 API.
the ARN of the AWS role that the Auth Service will assume
in order to call the ec2 API.
type: string
type: object
nullable: true
@@ -102,6 +102,40 @@ spec:
nullable: true
type: array
type: object
bitbucket:
description: Bitbucket allows the configuration of options specific
to the "bitbucket" join method.
nullable: true
properties:
allow:
description: Allow is a list of Rules, nodes using this token
must match one allow rule to use this token.
items:
properties:
branch_name:
type: string
deployment_environment_uuid:
type: string
repository_uuid:
type: string
workspace_uuid:
type: string
type: object
nullable: true
type: array
audience:
description: Audience is a Bitbucket-specified audience value
for this token. It is unique to each Bitbucket repository, and
must be set to the value as written in the Pipelines -> OpenID
Connect section of the repository settings.
type: string
identity_provider_url:
description: IdentityProviderURL is a Bitbucket-specified issuer
URL for incoming OIDC tokens. It is unique to each Bitbucket
repository, and must be set to the value as written in the Pipelines
-> OpenID Connect section of the repository settings.
type: string
type: object
bot_name:
description: BotName is the name of the bot this token grants access
to, if any
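Review bot: `audience` and `identity_provider_url` are described as values that "must be set", but the `bitbucket` object declares no `required:` list, so a token with an empty `bitbucket:` block passes admission and can only be rejected by the auth service; if crdgen cannot emit `required` from the proto, say in the description that validation happens server-side. The four fields of each `allow` rule (`branch_name`, `deployment_environment_uuid`, `repository_uuid`, `workspace_uuid`) are the only properties in this hunk without a `description`, and they are the trust decision for the join method: document which JWT claim each one is compared against, and state what a rule with none of them set does, since the schema accepts `{}` as a rule.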
@@ -192,7 +226,7 @@ spec:
against host. This value should be the hostname of the GHES
instance, and should not include the scheme or a path. The instance
must be accessible over HTTPS at this hostname and the certificate
must be trusted by the Auth Server.
must be trusted by the Auth Service.
type: string
enterprise_slug:
description: EnterpriseSlug allows the slug of a GitHub Enterprise
@@ -204,6 +238,12 @@ spec:
if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise
for more information about customized issuer values.
type: string
static_jwks:
description: StaticJWKS disables fetching of the GHES signing
keys via the JWKS/OIDC endpoints, and allows them to be directly
specified. This allows joining from GitHub Actions in GHES instances
that are not reachable by the Teleport Auth Service.
type: string
type: object
gitlab:
description: GitLab allows the configuration of options specific to
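Review bot: `static_jwks` is `type: string` but the description never says what the string contains (presumably a JWKS JSON document pasted inline; that is my reading, not something the hunk states); state the expected format. Add the operational caveat too: once the signing keys are pinned here, a key rotation on the GHES side is not picked up and joins fail until the token resource is updated, and because this field exists precisely for instances the Auth Service cannot reach, there is no way for Teleport to notice the stale key set on its own.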
@@ -377,6 +417,14 @@ spec:
is set to match the cluster name, it does not need to be set
here.
type: string
hostname:
description: Hostname is the hostname of the Terraform Enterprise
instance expected to issue JWTs allowed by this token. This
may be unset for regular Terraform Cloud use, in which case
it will be assumed to be `app.terraform.io`. Otherwise, it must
both match the `iss` (issuer) field included in JWTs, and provide
standard JWKS endpoints.
type: string
type: object
tpm:
description: TPM allows the configuration of options specific to the
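Review bot: the description says `hostname` "must both match the `iss` (issuer) field included in JWTs" and defaults to `app.terraform.io`, but `iss` in an OIDC token is normally a URL, so a bare hostname cannot literally equal it; say how the comparison is made (for example, `https://` plus the hostname) and whether a scheme, port or trailing path in the configured value is rejected, because this comparison is what decides whose tokens are trusted. It would also help to state that leaving the field unset means the public Terraform Cloud issuer is trusted, so an Enterprise deployment that forgets to set it silently accepts the wrong issuer.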

0 comments on commit d20c267