restrict creating of applications to team-namespaces

nais · Sep 27, 2021 · 41d6396 · 41d6396
1 parent 401e58d
commit 41d6396
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 18 deletions.
diff --git a/cmd/aiven/create_cmd.go b/cmd/aiven/create_cmd.go
@@ -57,7 +57,7 @@ nais aiven create username namespace -e 10 | nais aiven create username namespac
 		aivenConfig := aiven.SetupAiven(client.SetupClient(), username, namespace, pool, secretName, expiry)
 		aivenApp, err := aivenConfig.GenerateApplication()
 		if err != nil {
-			return fmt.Errorf("an error occurred generating aivenApplication %s", err)
+			return fmt.Errorf("an error occurred generating 'AivenApplication': %s", err)
 		}
 		log.Default().Printf("use: '%s get %s %s' to generate configuration secrets.", "nais aiven", aivenApp.Spec.SecretName, aivenApp.Namespace)
 		return nil

diff --git a/pkg/aiven/aiven_test.go b/pkg/aiven/aiven_test.go
@@ -2,23 +2,16 @@ package aiven
 
 import (
 	aiven_nais_io_v1 "github.com/nais/liberator/pkg/apis/aiven.nais.io/v1"
-	"github.com/nais/nais-cli/pkg/client"
 	"github.com/nais/nais-cli/pkg/common"
+	"github.com/nais/nais-cli/pkg/test"
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"testing"
 	"time"
 )
 
-var scheme = runtime.NewScheme()
-
 func TestAivenGenerateApplicationCreated(t *testing.T) {
-
-	client.InitScheme(scheme)
-
 	username := "user"
 	team := "team"
 	pool := "pool"
@@ -35,7 +28,7 @@ func TestAivenGenerateApplicationCreated(t *testing.T) {
 		},
 	}
 
-	fakeClient := fake.NewFakeClientWithScheme(scheme, &namespace)
+	fakeClient := test.BuildWithScheme(&namespace).Build()
 	aiven := SetupAiven(fakeClient, username, team, pool, secretName, expiry)
 	currentAivenApp, err := aiven.GenerateApplication()
 	assert.NoError(t, err)
@@ -51,9 +44,6 @@ func TestAivenGenerateApplicationCreated(t *testing.T) {
 }
 
 func TestAivenGenerateApplicationUpdated(t *testing.T) {
-
-	client.InitScheme(scheme)
-
 	username := "user"
 	team := "team"
 	pool := "pool"
@@ -77,7 +67,7 @@ func TestAivenGenerateApplicationUpdated(t *testing.T) {
 		},
 	}
 
-	fakeClient := fake.NewFakeClientWithScheme(scheme, &namespace, &aivenApp)
+	fakeClient := test.BuildWithScheme(&namespace, &aivenApp).Build()
 	aiven := SetupAiven(fakeClient, username, team, pool, secretName, expiry)
 	currentAivenApp, err := aiven.GenerateApplication()
 	assert.NoError(t, err)

diff --git a/pkg/common/common.go b/pkg/common/common.go
@@ -25,11 +25,13 @@ func WriteToFile(dest, filename string, value []byte) error {
 }
 
 func ValidateNamespace(ctx context.Context, client ctrl.Client, name string, namespace *v1.Namespace) error {
-	err := client.Get(ctx, ctrl.ObjectKey{
-		Name: name,
-	}, namespace)
+	err := client.Get(ctx, ctrl.ObjectKey{Name: name}, namespace)
 	if err != nil {
-		return fmt.Errorf("getting namespace: %s", err)
+		return fmt.Errorf("getting namespace: %w", err)
+	}
+
+	if namespace.GetLabels()["shared"] == "true" {
+		return fmt.Errorf("shared namespace is not allowed: %s", name)
 	}
 	return nil
 }

diff --git a/pkg/common/common_test.go b/pkg/common/common_test.go
@@ -0,0 +1,52 @@
+package common
+
+import (
+	"context"
+	"github.com/nais/nais-cli/pkg/test"
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"testing"
+)
+
+var scheme = runtime.NewScheme()
+
+func TestValidateNamespaceShared(t *testing.T) {
+	ctx := context.Background()
+	namespaceName := "default"
+
+	namespace := &v1.Namespace{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Namespace",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   namespaceName,
+			Labels: map[string]string{"shared": "true"},
+		},
+	}
+
+	fakeClient := test.BuildWithScheme(namespace).Build()
+	err := ValidateNamespace(ctx, fakeClient, namespaceName, namespace)
+	assert.EqualError(t, err, "shared namespace is not allowed: default")
+}
+
+func TestValidNamespace(t *testing.T) {
+	ctx := context.Background()
+	namespaceName := "team-namespace"
+
+	namespace := &v1.Namespace{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Namespace",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: namespaceName,
+		},
+	}
+
+	fakeClient := test.BuildWithScheme(namespace).Build()
+	err := ValidateNamespace(ctx, fakeClient, namespaceName, namespace)
+	assert.NoError(t, err)
+}
diff --git a/pkg/test/helpers.go b/pkg/test/helpers.go
@@ -1,14 +1,19 @@
 package test
 
 import (
+	"github.com/nais/nais-cli/pkg/client"
 	"github.com/stretchr/testify/assert"
 	"io/ioutil"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"os"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"testing"
 )
 
+var scheme = runtime.NewScheme()
+
 func SetupDest(t *testing.T) string {
 	tempDir, err := ioutil.TempDir(os.TempDir(), "test-")
 	assert.NoError(t, err)
@@ -38,3 +43,8 @@ func SetupSecret(envKeys []string) *v1.Secret {
 	}
 	return createdSecret
 }
+
+func BuildWithScheme(objects ...runtime.Object) *fake.ClientBuilder {
+	client.InitScheme(scheme)
+	return fake.NewClientBuilder().WithScheme(scheme).WithRuntimeObjects(objects...)
+}