diff --git a/go.mod b/go.mod
index 165ecbee2b..77e1e1c0a5 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/openshift/api v0.0.0-20230424202542-f7a9b7696bc2
 github.com/openshift/build-machinery-go v0.0.0-20230228230858-4cd708338479
 github.com/openshift/client-go v0.0.0-20230120202327-72f107311084
- github.com/openshift/library-go v0.0.0-20230425132011-00923e044766
+ github.com/openshift/library-go v0.0.0-20230425205800-ab66adbd0bb5
 github.com/pkg/profile v1.5.0 // indirect
 github.com/prometheus-operator/prometheus-operator/pkg/client v0.45.0
 github.com/prometheus/client_golang v1.14.0
diff --git a/go.sum b/go.sum
index 0a0e5b061a..1193547815 100644
--- a/go.sum
+++ b/go.sum
@@ -444,8 +444,8 @@ github.com/openshift/build-machinery-go v0.0.0-20230228230858-4cd708338479 h1:IU
 github.com/openshift/build-machinery-go v0.0.0-20230228230858-4cd708338479/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20230120202327-72f107311084 h1:66uaqNwA+qYyQDwsMWUfjjau8ezmg1dzCqub13KZOcE=
 github.com/openshift/client-go v0.0.0-20230120202327-72f107311084/go.mod h1:M3h9m001PWac3eAudGG3isUud6yBjr5XpzLYLLTlHKo=
-github.com/openshift/library-go v0.0.0-20230425132011-00923e044766 h1:pENkmo53xgk2+QsTdoClC50Vnb92wJ4rq+LWiNgujX4=
-github.com/openshift/library-go v0.0.0-20230425132011-00923e044766/go.mod h1:tUWJLc0m8/1GyMKXFKZMWWfaGtFhX1T6kdcGtiGtZIE=
+github.com/openshift/library-go v0.0.0-20230425205800-ab66adbd0bb5 h1:U+Cdda576x6c0s9PlTFf+JXSHUkPjg1u3Smb/piRTyc=
+github.com/openshift/library-go v0.0.0-20230425205800-ab66adbd0bb5/go.mod h1:tUWJLc0m8/1GyMKXFKZMWWfaGtFhX1T6kdcGtiGtZIE=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
diff --git a/pkg/operator/configobservation/auth/podsecurityadmission_test.go b/pkg/operator/configobservation/auth/podsecurityadmission_test.go
index 7343fc4552..7914fe0c8e 100644
--- a/pkg/operator/configobservation/auth/podsecurityadmission_test.go
+++ b/pkg/operator/configobservation/auth/podsecurityadmission_test.go
@@ -2,7 +2,7 @@ package auth
 import (
 "encoding/json"
- "github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
+ "errors"
 "strings"
 "testing"
@@ -12,6 +12,7 @@ import (
 "github.com/stretchr/testify/require"
 configv1 "github.com/openshift/api/config/v1"
+ "github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 "github.com/openshift/library-go/pkg/operator/events"
 )
@@ -28,15 +29,7 @@ func TestObservePodSecurityAdmissionEnforcement(t *testing.T) {
 defaultFeatureSet := featuregates.NewHardcodedFeatureGateAccess([]configv1.FeatureGateName{}, []configv1.FeatureGateName{})
- // TODO provide a hardcoded test harness that allows not-ready and error
- //corruptFeatureSet := &configv1.FeatureGate{
- // Spec: configv1.FeatureGateSpec{
- // FeatureGateSelection: configv1.FeatureGateSelection{
- // FeatureSet: "Bad",
- // CustomNoUpgrade: nil,
- // },
- // },
- //}
+ const sentinelExistingJSON = `{"admission":{"pluginConfig":{"PodSecurity":{"configuration":{"defaults":{"foo":"bar"}}}}}}`
 disabledFeatureSet := featuregates.NewHardcodedFeatureGateAccess([]configv1.FeatureGateName{}, []configv1.FeatureGateName{"OpenShiftPodSecurityAdmission"})
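Review bot: sentinelExistingJSON is declared without saying why its `defaults` block holds `{"foo":"bar"}` instead of a real PodSecurity level, so a reader may take it for a malformed fixture. Its role, as the cases added further down in this diff show, is to be a value the observer could never generate itself, so that a case returning it unchanged proves the pre-existing admission config was passed through rather than rewritten. A one-line comment on the declaration would make that explicit: `// sentinelExistingJSON is deliberately not a valid PodSecurity configuration: cases that must leave the existing config untouched use it to prove the observer did not rewrite it.` TestObservePodSecurityAdmissionEnforcement continues outside the hunk.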
@@ -54,20 +47,6 @@ func TestObservePodSecurityAdmissionEnforcement(t *testing.T) { expectedErr: "", expectedJSON: string(restrictedJSON), }, - //{ - // name: "corrupt-1", - // existingJSON: string(privilegedJSON), - // featureGateAccessor: corruptFeatureSet, - // expectedErr: "not found", - // expectedJSON: string(privilegedJSON), - //}, - //{ - // name: "corrupt-2", - // existingJSON: string(restrictedJSON), - // featureGateAccessor: corruptFeatureSet, - // expectedErr: "not found", - // expectedJSON: string(restrictedJSON), - //}, { name: "disabled", existingJSON: string(restrictedJSON), @@ -75,6 +54,28 @@ func TestObservePodSecurityAdmissionEnforcement(t *testing.T) { expectedErr: "", expectedJSON: string(privilegedJSON), }, + { + name: "initial feature gates not observed", + existingJSON: sentinelExistingJSON, + featureGateAccessor: featuregates.NewHardcodedFeatureGateAccessForTesting(nil, nil, make(chan struct{}), nil), + expectedJSON: sentinelExistingJSON, + }, + { + name: "error reading current feature gates", + existingJSON: sentinelExistingJSON, + featureGateAccessor: featuregates.NewHardcodedFeatureGateAccessForTesting( + nil, + nil, + func() chan struct{} { + c := make(chan struct{}) + close(c) + return c + }(), + errors.New("test error"), + ), + expectedJSON: sentinelExistingJSON, + expectedErr: "test error", + }, } { t.Run(tc.name, func(t *testing.T) { testRecorder := events.NewInMemoryRecorder("SAIssuerTest") diff --git a/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go b/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go index 33178919cc..68e74792b5 100644 --- a/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go +++ b/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go @@ -10,6 +10,7 @@ import ( "time" "github.com/spf13/cobra" + "k8s.io/apiserver/pkg/server/healthz" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
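Review bot: The second added case lists `expectedJSON` before `expectedErr`, the reverse of every other entry in this table, and builds its closed channel with an inline func literal; a small helper declared next to the other fixtures, `closedChan := func() chan struct{} { c := make(chan struct{}); close(c); return c }`, would keep the table flat and the field order uniform. Both new cases pin only that the existing JSON comes back byte-for-byte; whether the not-observed case also asserts a nil error depends on how an empty expectedErr is treated in the body after t.Run, which is outside the hunk, so an explicit nil-error check there is worth confirming. A short comment on the error case noting that the pre-existing admission configuration is kept as-is, not replaced, when the feature gate read fails would document the behaviour these cases are guarding for reviewers of the observer itself. TestObservePodSecurityAdmissionEnforcement starts and ends outside the hunk.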
@@ -61,6 +62,7 @@ type ControllerCommandConfig struct {
 RetryPeriod metav1.Duration
 ComponentOwnerReference *corev1.ObjectReference
+ healthChecks []healthz.HealthChecker
 }
 // NewControllerConfig returns a new ControllerCommandConfig which can be used to wire up all the boiler plate of a controller
@@ -84,6 +86,11 @@ func (c *ControllerCommandConfig) WithComponentOwnerReference(reference *corev1.
 return c
 }
+func (c *ControllerCommandConfig) WithHealthChecks(healthChecks ...healthz.HealthChecker) *ControllerCommandConfig {
+ c.healthChecks = append(c.healthChecks, healthChecks...)
+ return c
+}
+
 // NewCommand returns a new command that a caller must set the Use and Descriptions on. It wires default log, profiling,
 // leader election and other "normal" behaviors.
 // Deprecated: Use the NewCommandWithContext instead, this is here to be less disturbing for existing usages.
@@ -300,6 +307,7 @@ func (c *ControllerCommandConfig) StartController(ctx context.Context) error {
 WithComponentNamespace(c.basicFlags.Namespace).
 WithLeaderElection(config.LeaderElection, c.basicFlags.Namespace, c.componentName+"-lock").
 WithVersion(c.version).
+ WithHealthChecks(c.healthChecks...).
 WithEventRecorderOptions(events.RecommendedClusterSingletonCorrelatorOptions()).
 WithRestartOnChange(exitOnChangeReactorCh, startingFileContent, observedFiles...).
 WithComponentOwnerReference(c.ComponentOwnerReference)
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/hardcoded_featuregate_reader.go b/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/hardcoded_featuregate_reader.go
index e8c6c3cc0c..4bda9752c8 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/hardcoded_featuregate_reader.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/hardcoded_featuregate_reader.go
@@ -11,11 +11,11 @@ type hardcodedFeatureGateAccess struct {
 disabled []configv1.FeatureGateName
 readErr error
- initialFeatureGatesObserved chan struct{}
- featureGatesHaveChangedSinceFirstObserved chan struct{}
+ initialFeatureGatesObserved chan struct{}
 }
-// NewHardcodedFeatureGateAccess is useful for unit testing, potentially in other packages as well.
+// NewHardcodedFeatureGateAccess returns a FeatureGateAccess that is always initialized and always
+// returns the provided feature gates.
 func NewHardcodedFeatureGateAccess(enabled, disabled []configv1.FeatureGateName) FeatureGateAccess {
 initialFeatureGatesObserved := make(chan struct{})
 close(initialFeatureGatesObserved)
@@ -23,12 +23,22 @@ func NewHardcodedFeatureGateAccess(enabled, disabled []configv1.FeatureGateName)
 enabled: enabled,
 disabled: disabled,
 initialFeatureGatesObserved: initialFeatureGatesObserved,
- featureGatesHaveChangedSinceFirstObserved: make(chan struct{}),
 }
 return c
 }
+// NewHardcodedFeatureGateAccessForTesting returns a FeatureGateAccess that returns stub responses
+// using caller-supplied values.
+func NewHardcodedFeatureGateAccessForTesting(enabled, disabled []configv1.FeatureGateName, initialFeatureGatesObserved chan struct{}, readErr error) FeatureGateAccess {
+ return &hardcodedFeatureGateAccess{
+ enabled: enabled,
+ disabled: disabled,
+ initialFeatureGatesObserved: initialFeatureGatesObserved,
+ readErr: readErr,
+ }
+}
+
 func (c *hardcodedFeatureGateAccess) SetChangeHandler(featureGateChangeHandlerFn FeatureGateChangeHandlerFunc) {
 // ignore
 }
@@ -37,14 +47,10 @@ func (c *hardcodedFeatureGateAccess) Run(ctx context.Context) {
 // ignore
 }
-func (c *hardcodedFeatureGateAccess) InitialFeatureGatesObserved() chan struct{} {
+func (c *hardcodedFeatureGateAccess) InitialFeatureGatesObserved() <-chan struct{} {
 return c.initialFeatureGatesObserved
 }
-func (c *hardcodedFeatureGateAccess) FeatureGatesHaveChangedSinceFirstObserved() chan struct{} {
- return c.featureGatesHaveChangedSinceFirstObserved
-}
-
 func (c *hardcodedFeatureGateAccess) AreInitialFeatureGatesObserved() bool {
 select {
 case <-c.InitialFeatureGatesObserved():
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/simple_featuregate_reader.go b/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/simple_featuregate_reader.go
index d125f20580..5cfc60254b 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/simple_featuregate_reader.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/simple_featuregate_reader.go
@@ -38,9 +38,10 @@ type FeatureGateAccess interface {
 // Run starts a go func that continously watches the set of featuregates enabled in the cluster.
 Run(ctx context.Context)
- // InitialFeatureGatesObserved returns a channel that is closed once the featuregates have been observed.
- // Once closed, the CurrentFeatureGates method can be called successfully.
- InitialFeatureGatesObserved() chan struct{}
+ // InitialFeatureGatesObserved returns a channel that is closed once the featuregates have
+ // been observed. Once closed, the CurrentFeatureGates method will return the current set of
+ // featuregates and will never return a non-nil error.
+ InitialFeatureGatesObserved() <-chan struct{}
 // CurrentFeatureGates returns the list of enabled and disabled featuregates.
 // It returns an error if the current set of featuregates is not known.
 CurrentFeatureGates() (enabled []configv1.FeatureGateName, disabled []configv1.FeatureGateName, err error)
@@ -254,7 +255,7 @@ func (c *defaultFeatureGateAccess) setFeatureGates(features Features) {
 }
 }
-func (c *defaultFeatureGateAccess) InitialFeatureGatesObserved() chan struct{} {
+func (c *defaultFeatureGateAccess) InitialFeatureGatesObserved() <-chan struct{} {
 return c.initialFeatureGatesObserved
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 13b694a0f5..b6765359d1 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -324,7 +324,7 @@ github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/i
 github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/operatorcontrolplane
 github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/operatorcontrolplane/v1alpha1
 github.com/openshift/client-go/operatorcontrolplane/listers/operatorcontrolplane/v1alpha1
-# github.com/openshift/library-go v0.0.0-20230425132011-00923e044766
+# github.com/openshift/library-go v0.0.0-20230425205800-ab66adbd0bb5
 ## explicit; go 1.19
 github.com/openshift/library-go/pkg/assets
 github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer