Merge branch 'master' of https://github.com/gouthamMN/ARO-RP

2023-10-04 15:14:21 -05:00 · 2023-10-04 15:14:21 -05:00 · b1109af1cd
--- a/pkg/frontend/admin_openshiftcluster_kubernetesobjects_test.go
+++ b/pkg/frontend/admin_openshiftcluster_kubernetesobjects_test.go
@ -98,6 +98,32 @@ func TestAdminKubernetesObjectsGetAndDelete(t *testing.T) {
 			wantStatusCode: http.StatusForbidden,
 			wantError:      "403: Forbidden: : Access to secrets is forbidden.",
 		},
+		{
+			method:       http.MethodGet,
+			name:         "customer namespace requested",
+			resourceID:   fmt.Sprintf("/subscriptions/%s/resourcegroups/resourceGroup/providers/Microsoft.RedHatOpenShift/openShiftClusters/resourceName", mockSubID),
+			objKind:      "ConfigMap",
+			objNamespace: "customer",
+			objName:      "config",
+			mocks: func(tt *test, k *mock_adminactions.MockKubeActions) {
+				k.EXPECT().ResolveGVR(tt.objKind, "").Return(schema.GroupVersionResource{Resource: "configmaps"}, nil)
+			},
+			wantStatusCode: http.StatusForbidden,
+			wantError:      "403: Forbidden: : Access to the provided namespace 'customer' is forbidden.",
+		},
+		{
+			method:       http.MethodGet,
+			name:         "customer cluster-wide object requested",
+			resourceID:   fmt.Sprintf("/subscriptions/%s/resourcegroups/resourceGroup/providers/Microsoft.RedHatOpenShift/openShiftClusters/resourceName", mockSubID),
+			objKind:      "User.user.openshift.io",
+			objNamespace: "",
+			objName:      "username",
+			mocks: func(tt *test, k *mock_adminactions.MockKubeActions) {
+				k.EXPECT().ResolveGVR(tt.objKind, "").Return(schema.GroupVersionResource{Group: "user.openshift.io", Resource: "users"}, nil)
+			},
+			wantStatusCode: http.StatusForbidden,
+			wantError:      "403: Forbidden: : Access to cluster-scoped object 'user.openshift.io/, Resource=users' is forbidden.",
+		},
 		{
 			method:       http.MethodDelete,
 			name:         "cluster exist in db",
@ -179,6 +205,32 @@ func TestAdminKubernetesObjectsGetAndDelete(t *testing.T) {
 			wantStatusCode: http.StatusForbidden,
 			wantError:      "403: Forbidden: : Access to secrets is forbidden.",
 		},
+		{
+			method:       http.MethodDelete,
+			name:         "customer namespace requested",
+			resourceID:   fmt.Sprintf("/subscriptions/%s/resourcegroups/resourceGroup/providers/Microsoft.RedHatOpenShift/openShiftClusters/resourceName", mockSubID),
+			objKind:      "ConfigMap",
+			objNamespace: "customer",
+			objName:      "config",
+			mocks: func(tt *test, k *mock_adminactions.MockKubeActions) {
+				k.EXPECT().ResolveGVR(tt.objKind, "").Return(schema.GroupVersionResource{Resource: "configmaps"}, nil)
+			},
+			wantStatusCode: http.StatusForbidden,
+			wantError:      "403: Forbidden: : Access to the provided namespace 'customer' is forbidden.",
+		},
+		{
+			method:       http.MethodDelete,
+			name:         "customer cluster-wide object requested",
+			resourceID:   fmt.Sprintf("/subscriptions/%s/resourcegroups/resourceGroup/providers/Microsoft.RedHatOpenShift/openShiftClusters/resourceName", mockSubID),
+			objKind:      "User.user.openshift.io",
+			objNamespace: "",
+			objName:      "username",
+			mocks: func(tt *test, k *mock_adminactions.MockKubeActions) {
+				k.EXPECT().ResolveGVR(tt.objKind, "").Return(schema.GroupVersionResource{Group: "user.openshift.io", Resource: "users"}, nil)
+			},
+			wantStatusCode: http.StatusForbidden,
+			wantError:      "403: Forbidden: : Access to cluster-scoped object 'user.openshift.io/, Resource=users' is forbidden.",
+		},
 	} {
 		t.Run(fmt.Sprintf("%s: %s", tt.method, tt.name), func(t *testing.T) {
 			ti := newTestInfra(t).WithOpenShiftClusters().WithSubscriptions()
@ -292,6 +344,42 @@ func TestAdminPostKubernetesObjects(t *testing.T) {
 			wantStatusCode: http.StatusForbidden,
 			wantError:      "403: Forbidden: : Access to secrets is forbidden.",
 		},
+		{
+			name:       "customer namespace requested",
+			resourceID: resourceID,
+			objInBody: &unstructured.Unstructured{
+				Object: map[string]interface{}{
+					"kind": "ConfigMap",
+					"metadata": map[string]interface{}{
+						"namespace": "customer",
+						"name":      "config",
+					},
+				},
+			},
+			mocks: func(tt *test, k *mock_adminactions.MockKubeActions) {
+				k.EXPECT().ResolveGVR(tt.objInBody.GetKind(), "").Return(schema.GroupVersionResource{Resource: "configmaps"}, nil)
+			},
+			wantStatusCode: http.StatusForbidden,
+			wantError:      "403: Forbidden: : Access to the provided namespace 'customer' is forbidden.",
+		},
+		{
+			name:       "customer cluster-wide object requested",
+			resourceID: resourceID,
+			objInBody: &unstructured.Unstructured{
+				Object: map[string]interface{}{
+					"kind":       "User",
+					"apiVersion": "user.openshift.io/v1",
+					"metadata": map[string]interface{}{
+						"name": "username",
+					},
+				},
+			},
+			mocks: func(tt *test, k *mock_adminactions.MockKubeActions) {
+				k.EXPECT().ResolveGVR(tt.objInBody.GetKind(), "").Return(schema.GroupVersionResource{Group: "user.openshift.io", Resource: "users"}, nil)
+			},
+			wantStatusCode: http.StatusForbidden,
+			wantError:      "403: Forbidden: : Access to cluster-scoped object 'user.openshift.io/, Resource=users' is forbidden.",
+		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			ti := newTestInfra(t).WithOpenShiftClusters().WithSubscriptions()
--- a/pkg/frontend/openshiftcluster_putorpatch.go
+++ b/pkg/frontend/openshiftcluster_putorpatch.go
@ -319,6 +319,9 @@ func setUpdateProvisioningState(doc *api.OpenShiftClusterDocument, apiVersion st
 		} else {
 			// No update to provisioning state needed
 			doc.OpenShiftCluster.Properties.PucmPending = true
+
+			// This enables future admin update actions with body `{}` to succeed
+			doc.OpenShiftCluster.Properties.MaintenanceTask = ""
 		}
 	default:
 		// Non-admin update (ex: customer cluster update)
--- a/pkg/frontend/openshiftcluster_putorpatch_test.go
+++ b/pkg/frontend/openshiftcluster_putorpatch_test.go
@ -666,7 +666,7 @@ func TestPutOrPatchOpenShiftClusterAdminAPI(t *testing.T) {
 							ClusterProfile: api.ClusterProfile{
 								FipsValidatedModules: api.FipsValidatedModulesDisabled,
 							},
-							MaintenanceTask: api.MaintenanceTaskPucmPending,
+							MaintenanceTask: "",
 							NetworkProfile: api.NetworkProfile{
 								OutboundType:     api.OutboundTypeLoadbalancer,
 								PreconfiguredNSG: api.PreconfiguredNSGDisabled,
@ -697,7 +697,7 @@ func TestPutOrPatchOpenShiftClusterAdminAPI(t *testing.T) {
 					ClusterProfile: admin.ClusterProfile{
 						FipsValidatedModules: admin.FipsValidatedModulesDisabled,
 					},
-					MaintenanceTask: admin.MaintenanceTaskPucmPending,
+					MaintenanceTask: "",
 					NetworkProfile: admin.NetworkProfile{
 						OutboundType: admin.OutboundTypeLoadbalancer,
 						LoadBalancerProfile: &admin.LoadBalancerProfile{
--- a/pkg/util/restconfig/restconfig.go
+++ b/pkg/util/restconfig/restconfig.go
@ -8,7 +8,9 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/http"

+	machnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"

@ -42,6 +44,10 @@ func RestConfig(dialer proxy.Dialer, oc *api.OpenShiftCluster) (*rest.Config, er

 	restconfig.Dial = DialContext(dialer, oc)

+	// https://github.com/kubernetes/kubernetes/issues/118703#issuecomment-1595072383
+	// TODO: Revert or adapt when upstream fix is available
+	restconfig.Proxy = machnet.NewProxierWithNoProxyCIDR(http.ProxyFromEnvironment)
+
 	return restconfig, nil
 }