
Example 6 with Subject

use of io.fabric8.kubernetes.api.model.rbac.Subject in project che-server by eclipse-che.

the class UserPermissionConfiguratorTest method keepOtherClusterRoles.

/**
 * Checks that configuring user permissions leaves an unrelated role binding in the namespace.
 *
 * <p>The expected total of 3 is presumably the pre-created "othercr" binding plus the bindings
 * the configurator creates itself; that split is not visible in this method.
 *
 * <p>NOTE(review): only the number of bindings is asserted. A follow-up assertion that "othercr"
 * still exists with its original subject and roleRef would pin down the "keep" guarantee more
 * directly than a count can.
 */
@Test
public void keepOtherClusterRoles() throws InfrastructureException {
    // given: a binding the configurator does not own is already present
    var foreignSubject = new Subject("blabol", "blabol", "blabol", "blabol");
    var foreignBinding =
        new RoleBindingBuilder()
            .withNewMetadata()
            .withName("othercr")
            .endMetadata()
            .withSubjects(foreignSubject)
            .withNewRoleRef()
            .withName("blabol")
            .endRoleRef()
            .build();
    client.rbac().roleBindings().inNamespace(TEST_NAMESPACE_NAME).create(foreignBinding);

    // when: permissions are configured for the test namespace
    configurator.configure(namespaceResolutionContext, TEST_NAMESPACE_NAME);

    // then: the foreign binding is still counted alongside the configured ones
    var bindingsAfterConfigure =
        client.rbac().roleBindings().inNamespace(TEST_NAMESPACE_NAME).list().getItems();
    Assert.assertEquals(bindingsAfterConfigure.size(), 3);
}
Also used : RoleBindingBuilder(io.fabric8.kubernetes.api.model.rbac.RoleBindingBuilder) Subject(io.fabric8.kubernetes.api.model.rbac.Subject) Test(org.testng.annotations.Test)

Example 7 with Subject

use of io.fabric8.kubernetes.api.model.rbac.Subject in project che-server by eclipse-che.

the class UserPermissionConfiguratorTest method replaceExistingBindingsWithSameName.

/**
 * Checks that a pre-existing role binding whose name collides with one managed by the
 * configurator is replaced rather than merged.
 *
 * <p>After {@code configure}, the "cr1" binding must reference role "cr1" and carry exactly one
 * subject: {@code TEST_USERNAME} in {@code TEST_NAMESPACE_NAME}. The placeholder subject created
 * in the "given" step must therefore be gone, so a stale subject cannot keep access through a
 * binding that has the same name.
 *
 * <p>NOTE(review): a real Kubernetes API server treats a binding's roleRef as immutable, so
 * replacing it requires delete-and-recreate. If {@code client} is backed by a mock server, this
 * test may not exercise that constraint; confirm against the configurator implementation.
 */
@Test
public void replaceExistingBindingsWithSameName() throws InfrastructureException {
    // given: a "cr1" binding with an unrelated subject and roleRef already exists
    var staleSubject = new Subject("blabol", "blabol", "blabol", "blabol");
    var staleBinding =
        new RoleBindingBuilder()
            .withNewMetadata()
            .withName("cr1")
            .endMetadata()
            .withSubjects(staleSubject)
            .withNewRoleRef()
            .withName("blabol")
            .endRoleRef()
            .build();
    client.rbac().roleBindings().inNamespace(TEST_NAMESPACE_NAME).create(staleBinding);

    // when
    configurator.configure(namespaceResolutionContext, TEST_NAMESPACE_NAME);

    // then: no extra binding was added next to the stale one
    var bindingsInNamespace = client.rbac().roleBindings().inNamespace(TEST_NAMESPACE_NAME);
    Assert.assertEquals(bindingsInNamespace.list().getItems().size(), 2);

    // and "cr1" now points at the expected role
    var replacedBinding = bindingsInNamespace.withName("cr1").get();
    Assert.assertEquals(replacedBinding.getRoleRef().getName(), "cr1");

    // and its only subject is the test user in the test namespace
    var subjectsAfter = replacedBinding.getSubjects();
    Assert.assertEquals(subjectsAfter.size(), 1);
    var soleSubject = subjectsAfter.get(0);
    Assert.assertEquals(soleSubject.getName(), TEST_USERNAME);
    Assert.assertEquals(soleSubject.getNamespace(), TEST_NAMESPACE_NAME);
}
Also used : RoleBindingBuilder(io.fabric8.kubernetes.api.model.rbac.RoleBindingBuilder) Subject(io.fabric8.kubernetes.api.model.rbac.Subject) Test(org.testng.annotations.Test)

Example 8 with Subject

use of io.fabric8.kubernetes.api.model.rbac.Subject in project java-operator-sdk by java-operator-sdk.

the class E2EOperatorExtension method before.

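/**
 * Prepares the cluster for an end-to-end run: applies the generated CRDs, then deploys the
 * operator resources into the test namespace.
 *
 * <p>CRD manifests are every file under {@code ./target/classes/META-INF/fabric8/} whose name
 * ends in {@code -v1.yml}. Each one is loaded, created or replaced, and waited on for up to two
 * seconds. Every resource in {@code operatorDeployment} then has its namespace set to
 * {@code namespace}, and the subjects of any ClusterRoleBinding are pointed at that namespace
 * too.
 *
 * <p>NOTE(review): {@code createOrReplace} on a ClusterRoleBinding changes cluster-scoped RBAC,
 * and no clean-up is visible in this method. Run this only against a disposable test cluster,
 * and confirm that the matching teardown removes the binding.
 *
 * @param context the JUnit extension context, passed through to {@code super.before}
 * @throws NullPointerException if the CRD directory cannot be listed
 * @throws IllegalStateException if a CRD manifest cannot be read or applied
 */
protected void before(ExtensionContext context) {
    super.before(context);
    final var crdPath = "./target/classes/META-INF/fabric8/";
    final var crdSuffix = "-v1.yml";
    final var kubernetesClient = getKubernetesClient();

    // listFiles returns null when the directory is missing or unreadable. Name the path in the
    // failure so it is not reported as a bare NullPointerException.
    final File[] crdFiles =
        Objects.requireNonNull(
            new File(crdPath).listFiles((ignored, name) -> name.endsWith(crdSuffix)),
            "Cannot list CRD directory (missing or not readable): " + crdPath);

    for (var crdFile : crdFiles) {
        try (InputStream is = new FileInputStream(crdFile)) {
            final var crd = kubernetesClient.load(is);
            crd.createOrReplace();
            crd.waitUntilReady(2, TimeUnit.SECONDS);
            LOGGER.debug("Applied CRD with name: {}", crd.get().get(0).getMetadata().getName());
        } catch (Exception ex) {
            // Catches broadly on purpose: any failure here (I/O, API error, timeout) aborts the setup.
            throw new IllegalStateException("Cannot apply CRD yaml: " + crdFile.getAbsolutePath(), ex);
        }
    }

    LOGGER.debug("Deploying the operator into Kubernetes");
    operatorDeployment.forEach(hm -> {
        hm.getMetadata().setNamespace(namespace);
        if (hm.getKind().toLowerCase(Locale.ROOT).equals("clusterrolebinding")) {
            var crb = (ClusterRoleBinding) hm;
            // A binding without subjects has nothing to rewrite; skip it instead of failing on null.
            if (crb.getSubjects() != null) {
                // NOTE(review): every subject is rewritten, whatever its kind. A namespace only
                // makes sense for ServiceAccount subjects; confirm the manifests hold no User or
                // Group subjects.
                for (var subject : crb.getSubjects()) {
                    subject.setNamespace(namespace);
                }
            }
        }
    });
    kubernetesClient.resourceList(operatorDeployment).inNamespace(namespace).createOrReplace();
    kubernetesClient.resourceList(operatorDeployment).waitUntilReady(operatorDeploymentTimeout.toMillis(), TimeUnit.MILLISECONDS);
}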
Also used : ClusterRoleBinding(io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding) ConfigurationService(io.javaoperatorsdk.operator.api.config.ConfigurationService) Arrays(java.util.Arrays) Logger(org.slf4j.Logger) LoggerFactory(org.slf4j.LoggerFactory) FileInputStream(java.io.FileInputStream) ExtensionContext(org.junit.jupiter.api.extension.ExtensionContext) HasMetadata(io.fabric8.kubernetes.api.model.HasMetadata) File(java.io.File) ArrayList(java.util.ArrayList) Objects(java.util.Objects) TimeUnit(java.util.concurrent.TimeUnit) List(java.util.List) Locale(java.util.Locale) Duration(java.time.Duration) InputStream(java.io.InputStream) FileInputStream(java.io.FileInputStream) InputStream(java.io.InputStream) ClusterRoleBinding(io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding) File(java.io.File) FileInputStream(java.io.FileInputStream)

Example 9 with Subject

use of io.fabric8.kubernetes.api.model.rbac.Subject in project devspaces-images by redhat-developer.

the class KubernetesPersonalAccessTokenManager method get.

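/**
 * Looks up a stored personal access token for the given Che user and SCM server.
 *
 * <p>Walks every namespace returned by {@code namespaceFactory.list()} and reads the secrets
 * that match {@code KUBERNETES_PERSONAL_ACCESS_TOKEN_LABEL_SELECTOR}. A secret is a candidate
 * when its annotations carry the user's id and the same SCM URL, ignoring trailing slashes. The
 * first candidate accepted by {@code scmPersonalAccessTokenFetcher.isValid} is returned.
 * Candidates that fail validation are deleted from their namespace.
 *
 * <p>Secrets that lack the user-id or URL annotation, or have no {@code token} data entry, are
 * skipped. One malformed secret therefore does not abort the lookup with a
 * {@code NullPointerException}.
 *
 * <p>NOTE(review): a secret is attributed to a user only by its label and annotations. Confirm
 * that only trusted components can create or edit labelled secrets in the scanned namespaces.
 *
 * <p>NOTE(review): a rejected secret is deleted as soon as {@code isValid} returns false.
 * Confirm that {@code isValid} reports transient SCM failures through an exception and not
 * through {@code false}; otherwise a temporary outage would remove a usable token.
 *
 * @param cheUser the user whose token is requested; only {@code getUserId()} is read
 * @param scmServerUrl the SCM server URL to match, with or without a trailing slash
 * @return the first valid matching token, or an empty Optional if none is found
 * @throws ScmConfigurationPersistenceException if the namespaces or secrets cannot be accessed,
 *     or the SCM provider is unknown
 * @throws ScmUnauthorizedException presumably propagated from token validation
 * @throws ScmCommunicationException presumably propagated from token validation
 */
@Override
public Optional<PersonalAccessToken> get(Subject cheUser, String scmServerUrl) throws ScmConfigurationPersistenceException, ScmUnauthorizedException, ScmCommunicationException {
    try {
        for (KubernetesNamespaceMeta namespaceMeta : namespaceFactory.list()) {
            List<Secret> secrets = namespaceFactory.access(null, namespaceMeta.getName()).secrets().get(KUBERNETES_PERSONAL_ACCESS_TOKEN_LABEL_SELECTOR);
            for (Secret secret : secrets) {
                Map<String, String> annotations = secret.getMetadata().getAnnotations();
                if (annotations == null) {
                    // Labelled as a token secret but carries no annotations: cannot be matched.
                    continue;
                }
                String ownerId = annotations.get(ANNOTATION_CHE_USERID);
                String storedUrl = annotations.get(ANNOTATION_SCM_URL);
                if (ownerId == null || storedUrl == null || !ownerId.equals(cheUser.getUserId())) {
                    continue;
                }
                String trimmedUrl = StringUtils.trimEnd(storedUrl, '/');
                if (!trimmedUrl.equals(StringUtils.trimEnd(scmServerUrl, '/'))) {
                    continue;
                }
                Map<String, String> data = secret.getData();
                String encodedToken = data == null ? null : data.get("token");
                if (encodedToken == null) {
                    // Matching secret without token payload: nothing to validate or return.
                    continue;
                }
                // Decode with an explicit charset so the token does not depend on the platform default.
                String tokenValue = new String(Base64.getDecoder().decode(encodedToken), java.nio.charset.StandardCharsets.UTF_8);
                PersonalAccessToken token = new PersonalAccessToken(trimmedUrl, ownerId, annotations.get(ANNOTATION_SCM_USERNAME), annotations.get(ANNOTATION_SCM_USERID), annotations.get(ANNOTATION_SCM_PERSONAL_ACCESS_TOKEN_NAME), annotations.get(ANNOTATION_SCM_PERSONAL_ACCESS_TOKEN_ID), tokenValue);
                if (scmPersonalAccessTokenFetcher.isValid(token)) {
                    return Optional.of(token);
                } else {
                    // Removing token that is no longer valid. If several tokens exist the next one could
                    // be valid. If no valid token can be found, the caller should react in the same way
                    // as it reacts if no token exists. Usually, that means that process of new token
                    // retrieval would be initiated.
                    clientFactory.create().secrets().inNamespace(namespaceMeta.getName()).delete(secret);
                }
            }
        }
    } catch (InfrastructureException | UnknownScmProviderException e) {
        throw new ScmConfigurationPersistenceException(e.getMessage(), e);
    }
    return Optional.empty();
}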
Also used : Secret(io.fabric8.kubernetes.api.model.Secret) PersonalAccessToken(org.eclipse.che.api.factory.server.scm.PersonalAccessToken) KubernetesNamespaceMeta(org.eclipse.che.workspace.infrastructure.kubernetes.api.shared.KubernetesNamespaceMeta) UnknownScmProviderException(org.eclipse.che.api.factory.server.scm.exception.UnknownScmProviderException) InfrastructureException(org.eclipse.che.api.workspace.server.spi.InfrastructureException) ScmConfigurationPersistenceException(org.eclipse.che.api.factory.server.scm.exception.ScmConfigurationPersistenceException)

Example 10 with Subject

use of io.fabric8.kubernetes.api.model.rbac.Subject in project devspaces-images by redhat-developer.

the class GitConfigProvisionerTest method setup.

/**
 * Builds the fixture used by each test: a Kubernetes environment holding one mocked pod named
 * "wksp", a fresh {@code GitConfigProvisioner}, and a current {@code EnvironmentContext} whose
 * subject has the id "id".
 *
 * <p>{@code Subject} here is the Che user subject ({@code SubjectImpl}), not the Kubernetes RBAC
 * subject type.
 *
 * <p>NOTE(review): the context is installed through the static {@code setCurrent}, and this
 * method does not reset it. Confirm that the test class has a matching teardown, so the subject
 * does not carry over into other tests.
 */
@BeforeMethod
public void setup() {
    k8sEnv = KubernetesEnvironment.builder().build();

    // Stub the mocked pod before it is registered with the environment.
    ObjectMeta workspacePodMeta = new ObjectMetaBuilder().withName("wksp").build();
    when(pod.getMetadata()).thenReturn(workspacePodMeta);
    when(pod.getSpec()).thenReturn(podSpec);
    k8sEnv.addPod(pod);

    gitConfigProvisioner =
        new GitConfigProvisioner(preferenceManager, userManager, vcsSslCertificateProvisioner);

    // Only "id" is set on the subject; the two null arguments are presumably name and token.
    Subject currentUser = new SubjectImpl(null, "id", null, false);
    EnvironmentContext testContext = new EnvironmentContext();
    testContext.setSubject(currentUser);
    EnvironmentContext.setCurrent(testContext);
}
Also used : EnvironmentContext(org.eclipse.che.commons.env.EnvironmentContext) ObjectMeta(io.fabric8.kubernetes.api.model.ObjectMeta) ObjectMetaBuilder(io.fabric8.kubernetes.api.model.ObjectMetaBuilder) SubjectImpl(org.eclipse.che.commons.subject.SubjectImpl) Subject(org.eclipse.che.commons.subject.Subject) BeforeMethod(org.testng.annotations.BeforeMethod)
