diff --git a/.yamllint.yml b/.yamllint.yml index f97687f50e..60cd7dbd87 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -28,6 +28,7 @@ ignore: - 'observability/arobit/deploy/templates/forwarder-secretprovider.yaml' - 'observability/kube-events/deploy/templates/deployment.yaml' - 'mgmt-fixes/deploy/kubelet-ds/templates/ds-kubelet-parameters.yaml' +- 'sessiongate/deploy/templates/deployment.yaml' - '**/zz_fixture_TestHelmTemplate*.yaml' rules: brackets: enable diff --git a/admin/deploy/templates/admin.virtualservice.yaml b/admin/deploy/templates/admin.virtualservice.yaml index f0704dba94..4afed2bfba 100644 --- a/admin/deploy/templates/admin.virtualservice.yaml +++ b/admin/deploy/templates/admin.virtualservice.yaml @@ -11,7 +11,7 @@ spec: http: - match: - uri: - regex: '.+' + prefix: /admin/ headers: request: add: @@ -21,3 +21,15 @@ spec: host: admin-api port: number: 8443 + - match: + - uri: + prefix: /sessiongate/ + headers: + request: + add: + mise-inbound-policies-to-filter: "{{ .Values.sessiongate.mise.policyLabel }}" + route: + - destination: + host: sessiongate.{{ .Values.sessiongate.namespace }}.svc.cluster.local + port: + number: 8080 diff --git a/admin/server/go.mod b/admin/server/go.mod index 56cff4ed2a..9cd52290a5 100644 --- a/admin/server/go.mod +++ b/admin/server/go.mod @@ -19,6 +19,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos v1.4.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect + github.com/Masterminds/semver/v3 v3.4.0 // indirect github.com/aymerick/douceur v0.2.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect 
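Review bot: The new `/sessiongate/` route in admin.virtualservice.yaml injects `mise-inbound-policies-to-filter` through `headers.request.add`, and in an Istio VirtualService `add` appends to any value the client already sent rather than replacing it, so a caller-supplied copy of that header would reach the sessiongate backend alongside the gateway's value. If the downstream policy filter treats this header as authoritative, the overwrite operation is the safer choice: replace `add:` with `set:` under `request:` in the new match block. The existing `/admin/` route uses the same `add:` pattern and is not changed by this commit; switching both to `set:` keeps the file consistent. Whether an upstream ingress already strips client copies of this header is not visible from this chunk.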
@@ -80,8 +81,7 @@ require ( go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect go.opentelemetry.io/otel/trace v1.38.0 // indirect go.opentelemetry.io/proto/otlp v1.7.1 // indirect - go.uber.org/automaxprocs v1.6.0 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect golang.org/x/crypto v0.46.0 // indirect golang.org/x/net v0.47.0 // indirect golang.org/x/oauth2 v0.30.0 // indirect @@ -95,7 +95,7 @@ require ( gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apimachinery v0.34.3 // indirect k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect + k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect sigs.k8s.io/randfill v1.0.0 // indirect sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect diff --git a/admin/server/go.sum b/admin/server/go.sum index fd4dfddace..db337d1bf3 100644 --- a/admin/server/go.sum +++ b/admin/server/go.sum @@ -24,6 +24,8 @@ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI= github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk= github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -119,10 +121,10 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/openshift-online/ocm-api-model/clientapi v0.0.435 h1:5t/65lUYiXoD87LTpexUnMo/fHgEYvTPmOcQtHBfScY= github.com/openshift-online/ocm-api-model/clientapi v0.0.435/go.mod h1:fZwy5HY2URG9nrExvQeXrDU/08TGqZ16f8oymVEN5lo= github.com/openshift-online/ocm-api-model/model v0.0.435 h1:z9japbtB75gd/8oKvWRHmcbn0RyGeCFlYpisF1J+5mo= 
@@ -214,12 +216,11 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= -go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= -go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -228,6 +229,8 @@ golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= +golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -239,6 +242,8 @@ golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKl golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= +golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -282,8 +287,8 @@ k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE= k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= diff --git a/admin/testdata/zz_fixture_TestHelmTemplate_admin_api_mise_enabled.yaml b/admin/testdata/zz_fixture_TestHelmTemplate_admin_api_mise_enabled.yaml index e412c49433..730d0c5b01 100644 --- a/admin/testdata/zz_fixture_TestHelmTemplate_admin_api_mise_enabled.yaml +++ b/admin/testdata/zz_fixture_TestHelmTemplate_admin_api_mise_enabled.yaml @@ -279,7 +279,7 @@ spec: http: - match: - uri: - regex: '.+' + prefix: /admin/ headers: request: add: @@ -289,4 +289,16 @@ spec: host: admin-api port: number: 8443 + - match: + - uri: + prefix: /sessiongate/ + headers: + request: + add: + mise-inbound-policies-to-filter: "Session Gate" + route: + - destination: + host: sessiongate.sessiongate.svc.cluster.local + port: + number: 8080 diff --git a/admin/testdata/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_admin_api.yaml b/admin/testdata/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_admin_api.yaml index b0eae4407a..4e9d474152 100644 
--- a/admin/testdata/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_admin_api.yaml +++ b/admin/testdata/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_admin_api.yaml @@ -263,7 +263,7 @@ spec: http: - match: - uri: - regex: '.+' + prefix: /admin/ headers: request: add: @@ -273,4 +273,16 @@ spec: host: admin-api port: number: 8443 + - match: + - uri: + prefix: /sessiongate/ + headers: + request: + add: + mise-inbound-policies-to-filter: "Session Gate" + route: + - destination: + host: sessiongate.sessiongate.svc.cluster.local + port: + number: 8080 diff --git a/admin/values.yaml b/admin/values.yaml index c629f70a16..1ac658bb07 100644 --- a/admin/values.yaml +++ b/admin/values.yaml @@ -47,3 +47,7 @@ fpa: keyVaultName: "{{ .serviceKeyVault.name }}" certName: "{{ .firstPartyAppCertificate.name }}" clientId: "{{ .firstPartyAppClientId }}" +sessiongate: + namespace: "{{ .sessiongate.k8s.namespace }}" + mise: + policyLabel: "{{ .mise.sessiongate.policyLabel }}" diff --git a/backend/go.mod b/backend/go.mod index 85865d671f..4fe963368a 100644 --- a/backend/go.mod +++ b/backend/go.mod @@ -20,7 +20,7 @@ require ( k8s.io/apimachinery v0.34.3 k8s.io/client-go v0.34.1 k8s.io/klog/v2 v2.130.1 - k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d + k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 ) require ( @@ -30,6 +30,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect + github.com/Masterminds/semver/v3 v3.4.0 // indirect github.com/aymerick/douceur v0.2.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect 
@@ -65,7 +66,6 @@ require ( github.com/openshift-online/ocm-api-model/clientapi v0.0.435 // indirect github.com/openshift-online/ocm-api-model/model v0.0.435 // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect - github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_model v0.6.2 // indirect github.com/prometheus/common v0.66.1 // indirect @@ -94,8 +94,7 @@ require ( go.opentelemetry.io/otel/sdk/log v0.14.0 // indirect go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect go.opentelemetry.io/proto/otlp v1.7.1 // indirect - go.uber.org/automaxprocs v1.6.0 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/crypto v0.46.0 // indirect golang.org/x/net v0.47.0 // indirect @@ -108,11 +107,11 @@ require ( google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect google.golang.org/grpc v1.76.0 // indirect google.golang.org/protobuf v1.36.10 // indirect - gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect + gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/api v0.34.1 // indirect - k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect + k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect sigs.k8s.io/randfill v1.0.0 // indirect sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect diff --git a/backend/go.sum b/backend/go.sum index afb36e1423..be88c3cac3 100644 --- a/backend/go.sum +++ b/backend/go.sum 
@@ -20,6 +20,8 @@ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI= github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk= github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -132,10 +134,10 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/openshift-online/ocm-api-model/clientapi v0.0.435 h1:5t/65lUYiXoD87LTpexUnMo/fHgEYvTPmOcQtHBfScY= github.com/openshift-online/ocm-api-model/clientapi v0.0.435/go.mod h1:fZwy5HY2URG9nrExvQeXrDU/08TGqZ16f8oymVEN5lo= github.com/openshift-online/ocm-api-model/model v0.0.435 h1:z9japbtB75gd/8oKvWRHmcbn0RyGeCFlYpisF1J+5mo= 
@@ -227,14 +229,12 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y= go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU= -go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= -go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 
@@ -244,6 +244,8 @@ golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= +golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -294,8 +296,8 @@ google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= -gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo= +gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 
@@ -310,10 +312,10 @@ k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= -k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= diff --git a/config/config.schema.json b/config/config.schema.json index 1f0f239b78..c6313a276b 100644 --- a/config/config.schema.json +++ b/config/config.schema.json 
@@ -1290,6 +1290,27 @@ "managedIdentityName" ] }, + "sessiongate": { + "type": "object", + "properties": { + "image": { + "$ref": "#/definitions/containerImage" + }, + "k8s": { + "$ref": "#/definitions/k8sDeployment" + }, + "managedIdentityName": { + "type": "string", + "description": "The name of the MSI that will be used by the sessiongate to interact with Azure" + } + }, + "additionalProperties": false, + "required": [ + "image", + "k8s", + "managedIdentityName" + ] + }, "adminApi": { "type": "object", "properties": { @@ -1839,6 +1860,28 @@ "audienceFQDN" ] }, + "sessiongate": { + "type": "object", + "properties": { + "policyLabel": { + "type": "string", + "description": "The label of the Session Gate policy." + }, + "authorityFQDN": { + "type": "string", + "description": "The authority/issuer FQDN of the Session Gate applications auth tokens." + }, + "audience": { + "type": "string", + "description": "The audience of the Session Gate applications auth tokens." + } + }, + "required": [ + "policyLabel", + "authorityFQDN", + "audience" + ] + }, "image": { "$ref": "#/definitions/containerImage" }, @@ -1852,6 +1895,7 @@ "image", "arm", "genevaActions", + "sessiongate", "tracing" ] }, @@ -2810,6 +2854,7 @@ "regionRG", "regionBuildout", "serviceKeyVault", + "sessiongate", "svc", "msiRp", "msiCredentialsRefresher", diff --git a/config/config.yaml b/config/config.yaml index f62f9097ba..3b0981ab30 100644 --- a/config/config.yaml +++ b/config/config.yaml @@ -497,6 +497,17 @@ defaults: serviceAccountName: admin-api cert: name: admin-api-cert-{{ .ctx.environment }}-{{ .ctx.regionShort }} + # Session Gate + sessiongate: + image: + registry: arohcpsvcdev.azurecr.io + repository: arohcpsessiongate + digest: "" + managedIdentityName: sessiongate + k8s: + replicas: 2 + namespace: sessiongate + serviceAccountName: sessiongate # Frontend frontend: audit: 
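Review bot: The `mise.sessiongate` object added in the second hunk of config.schema.json has no `"additionalProperties": false`, unlike the top-level `sessiongate` definition in the first hunk, so a misspelled key (for example `audienceFQDN` by analogy with the neighbouring `genevaActions` block) would pass validation while leaving the intended field unset. Adding `"additionalProperties": false,` ahead of the `"required"` list closes that gap and matches the first hunk. The `audience` description should also say what kind of identifier is expected, since config.yaml supplies a GUID here while the sibling uses `audienceFQDN`; if it is the application (client) ID — worth confirming — something like `"The application (client) ID accepted as the audience of Session Gate auth tokens."` is more useful than the current wording.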
@@ -561,6 +572,10 @@ defaults: policyLabel: "Geneva Actions" authorityFQDN: "{{ .ev2.entra.fqdn.sts }}" audienceFQDN: "{{ .ev2.arm.endpoint }}" + sessiongate: + policyLabel: "Session Gate" + authorityFQDN: "{{ .ev2.entra.fqdn.sts }}" + audience: "6dae42f8-4368-4678-94ff-3960e28e3630" image: repository: "mise-1p-container-image" digest: "" diff --git a/config/dev.digests.yaml b/config/dev.digests.yaml index 169e076f19..5193db85bb 100644 --- a/config/dev.digests.yaml +++ b/config/dev.digests.yaml @@ -3,22 +3,22 @@ clouds: environments: cspr: regions: - westus3: b905b5431c40db4a5f18aef856cd7b230a6e676e08ec5d480e32f79950d80939 + westus3: 18b597049a97913e07a561585e2e4509f3cc55b169f6ef7462ad8a474711b10a dev: regions: - westus3: 68fe37563c0b58c36b583fbc4cd3696ea37860fca0be7e52e7a72c24c8216027 + westus3: db1855b6d88c7164a65422fe685649b4778be5bf8b9dea9836e83cbe5b13073b ntly: regions: - uksouth: 97fc3fe690f8c37aa2435ad84e840aaabd7b3728346d9468961f29db32bee887 + uksouth: 1a23e81b19bccdb4654518c489dcce6f5b115688fc003e859601cb019c58b835 perf: regions: - westus3: dbcc359647553e4925da830e947ce33dc2a6d20dd4e86938448433d6ca467e5c + westus3: a8cc4e554c42e3cc77e3214c16cf8c1e6732114e0d202367e58aa83f7ad99bfe pers: regions: - westus3: be86b5985c587d92448161ba4899d98e42be71d96d502ceefa7c274edd9cd808 + westus3: 61413e54db0b669d76302fbfada4d63a27667e9e94e358f0fcba8610bd3c49aa prow: regions: - westus3: aba07151075e8eff2dd1c6814bb4433f222c745b4ca5df746bce5966307bffcd + westus3: 32a53623b07b79cef7105977a4b9b0790099462b0597bba0b3a7982a2755842f swft: regions: - uksouth: 10e52aef7b317d00ceca5ce9493fd4d61cc726179c6ee49578f58b84f75764c5 + uksouth: aa0ab4ba7e1f0b460e65bde9ace5eaf75302f485a1868cb7a1d173a46d47f2a6 diff --git a/config/rendered/dev/cspr/westus3.yaml b/config/rendered/dev/cspr/westus3.yaml index 881d9d1323..b4dbf48655 100755 --- a/config/rendered/dev/cspr/westus3.yaml +++ b/config/rendered/dev/cspr/westus3.yaml 
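Review bot: `audience: "6dae42f8-4368-4678-94ff-3960e28e3630"` in the new `mise.sessiongate` defaults is a bare literal with no comment saying what it identifies, while the neighbouring `authorityFQDN` and the `genevaActions` sibling are templated from ev2 values, and the rendered environment files in this commit all carry the same GUID. If the Session Gate application differs per cloud this default will be wrong there — hedged, since only dev environments are visible in this chunk. At minimum add a comment above it, e.g. `# Audience expected in Session Gate tokens; same value in every environment — confirm for non-public clouds`, or source it from the ev2 templating the way `authorityFQDN` is.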
@@ -556,6 +556,10 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + sessiongate: + audience: 6dae42f8-4368-4678-94ff-3960e28e3630 + authorityFQDN: sts.windows.net + policyLabel: Session Gate tracing: address: "" exporter: "" @@ -683,6 +687,16 @@ serviceKeyVault: softDelete: true tagKey: aroHCPPurpose tagValue: service +sessiongate: + image: + digest: "" + registry: arohcpsvcdev.azurecr.io + repository: arohcpsessiongate + k8s: + namespace: sessiongate + replicas: 2 + serviceAccountName: sessiongate + managedIdentityName: sessiongate svc: aks: clusterOutboundIPAddressIPTags: "" diff --git a/config/rendered/dev/dev/westus3.yaml b/config/rendered/dev/dev/westus3.yaml index 3c2a12bc00..26e2439d91 100755 --- a/config/rendered/dev/dev/westus3.yaml +++ b/config/rendered/dev/dev/westus3.yaml @@ -556,6 +556,10 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + sessiongate: + audience: 6dae42f8-4368-4678-94ff-3960e28e3630 + authorityFQDN: sts.windows.net + policyLabel: Session Gate tracing: address: "" exporter: "" @@ -683,6 +687,16 @@ serviceKeyVault: softDelete: true tagKey: aroHCPPurpose tagValue: service +sessiongate: + image: + digest: "" + registry: arohcpsvcdev.azurecr.io + repository: arohcpsessiongate + k8s: + namespace: sessiongate + replicas: 2 + serviceAccountName: sessiongate + managedIdentityName: sessiongate svc: aks: clusterOutboundIPAddressIPTags: "" diff --git a/config/rendered/dev/ntly/uksouth.yaml b/config/rendered/dev/ntly/uksouth.yaml index b14d6b1588..62c1b3e634 100755 --- a/config/rendered/dev/ntly/uksouth.yaml +++ b/config/rendered/dev/ntly/uksouth.yaml 
@@ -556,6 +556,10 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + sessiongate: + audience: 6dae42f8-4368-4678-94ff-3960e28e3630 + authorityFQDN: sts.windows.net + policyLabel: Session Gate tracing: address: "" exporter: "" @@ -683,6 +687,16 @@ serviceKeyVault: softDelete: false tagKey: aroHCPPurpose tagValue: service +sessiongate: + image: + digest: "" + registry: arohcpsvcdev.azurecr.io + repository: arohcpsessiongate + k8s: + namespace: sessiongate + replicas: 2 + serviceAccountName: sessiongate + managedIdentityName: sessiongate svc: aks: clusterOutboundIPAddressIPTags: "" diff --git a/config/rendered/dev/perf/westus3.yaml b/config/rendered/dev/perf/westus3.yaml index 328ee14e33..b9bcdea40e 100755 --- a/config/rendered/dev/perf/westus3.yaml +++ b/config/rendered/dev/perf/westus3.yaml @@ -556,6 +556,10 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + sessiongate: + audience: 6dae42f8-4368-4678-94ff-3960e28e3630 + authorityFQDN: sts.windows.net + policyLabel: Session Gate tracing: address: "" exporter: "" @@ -683,6 +687,16 @@ serviceKeyVault: softDelete: true tagKey: aroHCPPurpose tagValue: service +sessiongate: + image: + digest: "" + registry: arohcpsvcdev.azurecr.io + repository: arohcpsessiongate + k8s: + namespace: sessiongate + replicas: 2 + serviceAccountName: sessiongate + managedIdentityName: sessiongate svc: aks: clusterOutboundIPAddressIPTags: "" diff --git a/config/rendered/dev/pers/westus3.yaml b/config/rendered/dev/pers/westus3.yaml index d36669d8a5..d1c2a95024 100755 --- a/config/rendered/dev/pers/westus3.yaml +++ b/config/rendered/dev/pers/westus3.yaml 
@@ -558,6 +558,10 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + sessiongate: + audience: 6dae42f8-4368-4678-94ff-3960e28e3630 + authorityFQDN: sts.windows.net + policyLabel: Session Gate tracing: address: "" exporter: "" @@ -685,6 +689,16 @@ serviceKeyVault: softDelete: true tagKey: aroHCPPurpose tagValue: service +sessiongate: + image: + digest: "" + registry: arohcpsvcdev.azurecr.io + repository: arohcpsessiongate + k8s: + namespace: sessiongate + replicas: 2 + serviceAccountName: sessiongate + managedIdentityName: sessiongate svc: aks: clusterOutboundIPAddressIPTags: "" diff --git a/config/rendered/dev/prow/westus3.yaml b/config/rendered/dev/prow/westus3.yaml index 4371cf0d79..72e3b9947b 100755 --- a/config/rendered/dev/prow/westus3.yaml +++ b/config/rendered/dev/prow/westus3.yaml @@ -558,6 +558,10 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + sessiongate: + audience: 6dae42f8-4368-4678-94ff-3960e28e3630 + authorityFQDN: sts.windows.net + policyLabel: Session Gate tracing: address: "" exporter: "" @@ -685,6 +689,16 @@ serviceKeyVault: softDelete: true tagKey: aroHCPPurpose tagValue: service +sessiongate: + image: + digest: "" + registry: arohcpsvcdev.azurecr.io + repository: arohcpsessiongate + k8s: + namespace: sessiongate + replicas: 2 + serviceAccountName: sessiongate + managedIdentityName: sessiongate svc: aks: clusterOutboundIPAddressIPTags: "" diff --git a/config/rendered/dev/swft/uksouth.yaml b/config/rendered/dev/swft/uksouth.yaml index 48054295e5..dde9ae7969 100755 --- a/config/rendered/dev/swft/uksouth.yaml +++ b/config/rendered/dev/swft/uksouth.yaml 
@@ -558,6 +558,10 @@ mise: image: digest: sha256:4822b1998fafa4c7ed1e0723dfed8fd0562e1525545327b821e6d9ef29573c74 repository: mise-1p-container-image + sessiongate: + audience: 6dae42f8-4368-4678-94ff-3960e28e3630 + authorityFQDN: sts.windows.net + policyLabel: Session Gate tracing: address: "" exporter: "" @@ -685,6 +689,16 @@ serviceKeyVault: softDelete: true tagKey: aroHCPPurpose tagValue: service +sessiongate: + image: + digest: "" + registry: arohcpsvcdev.azurecr.io + repository: arohcpsessiongate + k8s: + namespace: sessiongate + replicas: 2 + serviceAccountName: sessiongate + managedIdentityName: sessiongate svc: aks: clusterOutboundIPAddressIPTags: "" diff --git a/dev-infrastructure/configurations/output-svc.tmpl.bicepparam b/dev-infrastructure/configurations/output-svc.tmpl.bicepparam index 715df47ee0..fb01076c46 100644 --- a/dev-infrastructure/configurations/output-svc.tmpl.bicepparam +++ b/dev-infrastructure/configurations/output-svc.tmpl.bicepparam @@ -4,3 +4,4 @@ param csMIName = '{{ .clustersService.managedIdentityName }}' param msiRefresherMIName = '{{ .msiCredentialsRefresher.managedIdentityName }}' param adminApiMIName = '{{ .adminApi.managedIdentityName }}' param backendMIName = '{{ .backend.managedIdentityName }}' +param sessiongateMIName = '{{ .sessiongate.managedIdentityName }}' diff --git a/dev-infrastructure/configurations/sessiongate-lookup.tmpl.bicepparam b/dev-infrastructure/configurations/sessiongate-lookup.tmpl.bicepparam new file mode 100644 index 0000000000..54da2a6537 --- /dev/null +++ b/dev-infrastructure/configurations/sessiongate-lookup.tmpl.bicepparam @@ -0,0 +1,5 @@ +using '../modules/sessiongate/sessiongate-lookup.bicep' + +param sessiongateMsiName = '{{ .sessiongate.managedIdentityName }}' +param imagePullerMsiName = 'image-puller' +param aksClusterName = '{{ .svc.aks.name }}' 
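Review bot: `param imagePullerMsiName = 'image-puller'` in the new sessiongate-lookup.tmpl.bicepparam is a hard-coded identity name, whereas every other identity in this file and in output-svc.tmpl.bicepparam is templated from config (`{{ .sessiongate.managedIdentityName }}`, `{{ .svc.aks.name }}`). If the image-puller identity name is available in config, templating it keeps the lookup from silently resolving the wrong identity when the name changes; if it is intentionally fixed, a one-line comment saying so would help, e.g. `// fixed name: the image puller identity is not configured per environment`.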
diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam index 964473d4b4..ed9389f4a0 100644 --- a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam +++ b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam @@ -50,6 +50,10 @@ param backendMIName = '{{ .backend.managedIdentityName }}' param backendNamespace = '{{ .backend.k8s.namespace }}' param backendServiceAccountName = '{{ .backend.k8s.serviceAccountName }}' +param sessiongateMIName = '{{ .sessiongate.managedIdentityName }}' +param sessiongateNamespace = '{{ .sessiongate.k8s.namespace }}' +param sessiongateServiceAccountName = '{{ .sessiongate.k8s.serviceAccountName }}' + param maestroMIName = '{{ .maestro.server.managedIdentityName }}' param maestroNamespace = '{{ .maestro.server.k8s.namespace }}' param maestroServiceAccountName = '{{ .maestro.server.k8s.serviceAccountName }}' diff --git a/dev-infrastructure/configurations/svc-mgmt-permissions.tmpl.bicepparam b/dev-infrastructure/configurations/svc-mgmt-permissions.tmpl.bicepparam index 891ce662c1..7dc48afbce 100644 --- a/dev-infrastructure/configurations/svc-mgmt-permissions.tmpl.bicepparam +++ b/dev-infrastructure/configurations/svc-mgmt-permissions.tmpl.bicepparam @@ -1,5 +1,8 @@ using '../templates/svc-mgmt-permissions.bicep' +// AKS cluster name +param aksClusterName = '{{ .mgmt.aks.name }}' + // CX KV param cxKeyVaultName = '{{ .cxKeyVault.name }}' @@ -21,3 +24,7 @@ param adminApiMIResourceId = '__adminApiMIResourceId__' // RP Backend identity // used for Key Vault access param rpBackendMIResourceId = '__rpBackendMIResourceId__' + +// Session Gate identity +// used for AKS access +param sessiongateMIResourceId = '__sessiongateMIResourceId__' diff --git a/dev-infrastructure/mgmt-pipeline.yaml b/dev-infrastructure/mgmt-pipeline.yaml index eef5a8dc80..9443a782f5 100644 --- a/dev-infrastructure/mgmt-pipeline.yaml +++ b/dev-infrastructure/mgmt-pipeline.yaml 
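Review bot: The comment above the new `param sessiongateMIResourceId` in svc-mgmt-permissions.tmpl.bicepparam says only `// used for AKS access`, which does not tell a reviewer what role the Session Gate identity is granted on the management cluster (`aksClusterName` is added in the same file, so the grant is at least cluster-scoped). The template that consumes these parameters, svc-mgmt-permissions.bicep, is not in this chunk, so the role cannot be checked here. Naming the role and scope in the comment, e.g. `// Session Gate identity` / `// granted <ROLE_NAME> on the mgmt AKS cluster (see svc-mgmt-permissions.bicep)`, makes the least-privilege review possible from the param file alone.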
@@ -107,6 +107,11 @@ resourceGroups: resourceGroup: service step: output name: backend + - name: sessiongateMIResourceId + input: + resourceGroup: service + step: output + name: sessiongate dependsOn: - resourceGroup: management step: infra diff --git a/dev-infrastructure/modules/sessiongate/sessiongate-lookup.bicep b/dev-infrastructure/modules/sessiongate/sessiongate-lookup.bicep new file mode 100644 index 0000000000..82e27a3497 --- /dev/null +++ b/dev-infrastructure/modules/sessiongate/sessiongate-lookup.bicep @@ -0,0 +1,37 @@ +@description('The name of the SessionGate MSI') +param sessiongateMsiName string + +@description('The name of the Image Puller MSI') +param imagePullerMsiName string + +@description('The name of the AKS cluster in which the SessionGate will run') +param aksClusterName string + +// +// S E S S I O N G A T E L O O K U P +// + +resource sessiongateIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { + scope: resourceGroup() + name: sessiongateMsiName +} + +output tenantId string = tenant().tenantId +output sessiongateMsiClientId string = sessiongateIdentity.properties.clientId + +resource imagePullerIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { + scope: resourceGroup() + name: imagePullerMsiName +} + +output imagePullerMsiClientId string = imagePullerIdentity.properties.clientId + +// +// C S I S E C R E T S T O R E L O O K U P +// + +resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-02-01' existing = { + name: aksClusterName +} + +output csiSecretStoreClientId string = aksCluster.properties.addonProfiles.azureKeyvaultSecretsProvider.identity.clientId diff --git a/dev-infrastructure/templates/output-svc.bicep b/dev-infrastructure/templates/output-svc.bicep index 1acff84697..adf4bcebf9 100644 --- a/dev-infrastructure/templates/output-svc.bicep +++ b/dev-infrastructure/templates/output-svc.bicep 
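Review bot: The `csiSecretStoreClientId` output in sessiongate-lookup.bicep dereferences `aksCluster.properties.addonProfiles.azureKeyvaultSecretsProvider.identity.clientId`, which only exists when the Key Vault secrets-provider addon is enabled on the cluster; on a cluster without it the whole module deployment fails with a property-not-found error rather than a clear message. That precondition is not recorded anywhere in the file, so add a comment above the `aksCluster` resource, e.g. `// requires the azureKeyvaultSecretsProvider addon to be enabled; its identity is what the CSI secret store runs as`. As a point of style, the two identity lookups set `scope: resourceGroup()` explicitly while `aksCluster` relies on the default — writing the scope the same way in all three would make the intended resource group obvious to the next reader.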
@@ -10,6 +10,9 @@ param adminApiMIName string @description('The name of the Backend managed identity') param backendMIName string +@description('The name of the Session Gate managed identity') +param sessiongateMIName string + // CS MI resource ID resource csMSI 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { name: csMIName @@ -38,4 +41,11 @@ resource rpBackendMSI 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01- output backend string = rpBackendMSI.id +// Session Gate MI resource ID +resource sessiongateMSI 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { + name: sessiongateMIName +} + +output sessiongate string = sessiongateMSI.id + output subscriptionId string = subscription().id diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep index 3d55550354..055bcc2efd 100644 --- a/dev-infrastructure/templates/svc-cluster.bicep +++ b/dev-infrastructure/templates/svc-cluster.bicep @@ -397,6 +397,15 @@ param adminApiIngressCertIssuer string @description('The cluster tag value for the owning team') param owningTeamTagValue string +@description('The name of the Session Gate managed identity') +param sessiongateMIName string + +@description('The namespace of the Session Gate managed identity') +param sessiongateNamespace string + +@description('The service account name of the Session Gate managed identity') +param sessiongateServiceAccountName string + resource serviceKeyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = { name: serviceKeyVaultName scope: resourceGroup(serviceKeyVaultResourceGroup) @@ -452,6 +461,11 @@ var workloadIdentities = items({ namespace: adminApiNamespace serviceAccountName: adminApiServiceAccountName } + sessiongate_wi: { + uamiName: sessiongateMIName + namespace: sessiongateNamespace + serviceAccountName: sessiongateServiceAccountName + } }) module managedIdentities '../modules/managed-identities.bicep' = { 
diff --git a/dev-infrastructure/templates/svc-mgmt-permissions.bicep b/dev-infrastructure/templates/svc-mgmt-permissions.bicep index e41b2c8ca0..910e3ce142 100644 --- a/dev-infrastructure/templates/svc-mgmt-permissions.bicep +++ b/dev-infrastructure/templates/svc-mgmt-permissions.bicep @@ -1,3 +1,6 @@ +@description('The name of the AKS cluster') +param aksClusterName string + @description('The name of the CX KeyVault') param cxKeyVaultName string @@ -16,6 +19,9 @@ param rpBackendMIResourceId string @description('Admin API MI resource ID, used to grant resource group introspection access') param adminApiMIResourceId string +@description('Session Gate MI resource ID, used to grant AKS access') +param sessiongateMIResourceId string + resource cxKeyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = { name: cxKeyVaultName } @@ -24,6 +30,10 @@ resource msiKeyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = { name: msiKeyVaultName } +resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-02-01' existing = { + name: aksClusterName +} + // // C L U S T E R S E R V I C E K V A C C E S S // 
@@ -78,3 +88,30 @@ resource resourceGroupReaderRoleAssignment 'Microsoft.Authorization/roleAssignme principalType: 'ServicePrincipal' } } + +// +// S E S S I O N G A T E A K S A C C E S S +// + +// Azure Kubernetes Service RBAC Cluster Admin Role +// https://www.azadvertizer.net/azrolesadvertizer/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b.html +var aksClusterRBACAdminRoleId = subscriptionResourceId( + 'Microsoft.Authorization/roleDefinitions/', + 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b' +) + +var sessiongateMIRef = res.msiRefFromId(sessiongateMIResourceId) +resource sessiongateMSI 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { + scope: resourceGroup(sessiongateMIRef.resourceGroup.subscriptionId, sessiongateMIRef.resourceGroup.name) + name: sessiongateMIRef.name +} + +resource sessiongateAksAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + scope: aksCluster + name: guid(resourceGroup().id, aksClusterName, sessiongateMIResourceId, aksClusterRBACAdminRoleId) + properties: { + roleDefinitionId: aksClusterRBACAdminRoleId + principalId: sessiongateMSI.properties.principalId + principalType: 'ServicePrincipal' + } +} diff --git a/frontend/go.mod b/frontend/go.mod index 8f28b7db05..ff9bd8018e 100644 --- a/frontend/go.mod +++ b/frontend/go.mod @@ -18,13 +18,14 @@ require ( go.opentelemetry.io/otel/trace v1.38.0 go.uber.org/mock v0.6.0 golang.org/x/sync v0.19.0 - k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d + k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 ) require ( dario.cat/mergo v1.0.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 // indirect github.com/Azure/retry v0.0.0-20250221010952-92c9290cea0f // indirect + github.com/Masterminds/semver/v3 v3.4.0 // indirect github.com/cenkalti/backoff/v5 v5.0.3 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/evanphx/json-patch v5.9.11+incompatible // indirect 
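Review bot: `sessiongateAksAccess` assigns the Azure Kubernetes Service RBAC Cluster Admin role to the Session Gate identity at the scope of the whole management cluster, and nothing in the hunk records why the most privileged AKS RBAC role is needed; where Azure RBAC for Kubernetes authorization is enabled, that is unrestricted cluster-admin in the Kubernetes API, not merely the right to mint credentials. If the credential-minting path only needs the cluster-user credential call, a narrower AKS role may be sufficient — this would need confirming against the credential provider's code, which is not in this change. If Cluster Admin really is required, say so next to the role id so the grant survives the next least-privilege review, e.g. `// Cluster Admin (not Cluster User) is required because <reason>; this identity is reachable from the Admin API path`. The role assignment name is derived from the resource group, cluster, identity and role ids, so it stays stable across redeploys, which is good.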
@@ -69,8 +70,7 @@ require ( go.opentelemetry.io/otel/sdk/log v0.14.0 // indirect go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect go.opentelemetry.io/proto/otlp v1.7.1 // indirect - go.uber.org/automaxprocs v1.6.0 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect google.golang.org/appengine v1.6.8 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect diff --git a/frontend/go.sum b/frontend/go.sum index 3159980941..951453cce9 100644 --- a/frontend/go.sum +++ b/frontend/go.sum @@ -22,6 +22,8 @@ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI= github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk= github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -138,10 +140,10 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/openshift-online/ocm-api-model/clientapi v0.0.435 h1:5t/65lUYiXoD87LTpexUnMo/fHgEYvTPmOcQtHBfScY= github.com/openshift-online/ocm-api-model/clientapi v0.0.435/go.mod h1:fZwy5HY2URG9nrExvQeXrDU/08TGqZ16f8oymVEN5lo= github.com/openshift-online/ocm-api-model/model v0.0.435 h1:z9japbtB75gd/8oKvWRHmcbn0RyGeCFlYpisF1J+5mo= 
@@ -244,14 +246,13 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y= go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU= -go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= -go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -264,6 +265,8 @@ golang.org/x/exp v0.0.0-20250911091902-df9299821621/go.mod h1:TwQYMMnGpvZyc+JpB/ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= +golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -341,8 +344,8 @@ k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE= k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= diff --git a/go.work b/go.work index 1b1d7038d2..0a46126e2a 100644 --- a/go.work +++ b/go.work 
@@ -6,6 +6,7 @@ use ( ./backend ./frontend ./internal + ./sessiongate ./test ./test-integration ./tooling/hcpctl diff --git a/internal/go.mod b/internal/go.mod index 64d5122b62..c5eb408bc9 100644 --- a/internal/go.mod +++ b/internal/go.mod @@ -28,7 +28,7 @@ require ( go.uber.org/mock v0.6.0 gotest.tools v2.2.0+incompatible k8s.io/apimachinery v0.34.3 - k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d + k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 sigs.k8s.io/randfill v1.0.0 ) @@ -65,8 +65,8 @@ require ( github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/onsi/ginkgo/v2 v2.23.4 // indirect - github.com/onsi/gomega v1.37.0 // indirect + github.com/onsi/ginkgo/v2 v2.27.2 // indirect + github.com/onsi/gomega v1.38.2 // indirect github.com/openshift-online/ocm-api-model/model v0.0.435 // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pkg/errors v0.9.1 // indirect @@ -101,7 +101,7 @@ require ( go.opentelemetry.io/otel/sdk/log v0.14.0 // indirect go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect go.opentelemetry.io/proto/otlp v1.7.1 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect golang.org/x/crypto v0.46.0 // indirect golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect golang.org/x/net v0.47.0 // indirect diff --git a/internal/go.sum b/internal/go.sum index 318cad341a..26ba12652b 100644 --- a/internal/go.sum +++ b/internal/go.sum 
@@ -18,6 +18,8 @@ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI= github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk= github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -142,10 +144,10 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/openshift-online/ocm-api-model/clientapi v0.0.435 h1:5t/65lUYiXoD87LTpexUnMo/fHgEYvTPmOcQtHBfScY= github.com/openshift-online/ocm-api-model/clientapi v0.0.435/go.mod h1:fZwy5HY2URG9nrExvQeXrDU/08TGqZ16f8oymVEN5lo= github.com/openshift-online/ocm-api-model/model v0.0.435 h1:z9japbtB75gd/8oKvWRHmcbn0RyGeCFlYpisF1J+5mo= 
@@ -242,14 +244,14 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y= go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU= -go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= -go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -261,6 +263,8 @@ golang.org/x/exp v0.0.0-20250911091902-df9299821621/go.mod h1:TwQYMMnGpvZyc+JpB/ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= +golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -277,6 +281,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= +golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -336,8 +342,8 @@ k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE= k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= diff --git a/istio/deploy/charts/mise/templates/deployment.yaml b/istio/deploy/charts/mise/templates/deployment.yaml index 71f9278ec4..5671740f0f 100644 --- a/istio/deploy/charts/mise/templates/deployment.yaml +++ b/istio/deploy/charts/mise/templates/deployment.yaml @@ -72,6 +72,14 @@ spec: value: '{{ .Values.genevaActionsPolicy.audience }}' - name: AzureAd__InboundPolicies__1__ValidApplicationIds__0 value: "{{ .Values.genevaActionsPolicy.applicationId }}" + - name: AzureAd__InboundPolicies__2__Label + value: "{{ .Values.sessiongatePolicy.label }}" + - name: AzureAd__InboundPolicies__2__Authority + value: "{{ .Values.sessiongatePolicy.authority }}" + - name: AzureAd__InboundPolicies__2__AuthenticationSchemes__0 + value: "Bearer" + - name: AzureAd__InboundPolicies__2__ValidAudiences__0 + value: '{{ .Values.sessiongatePolicy.audience }}' - name: AllowedHosts value: "*" - name: Kestrel__Endpoints__Http__Url 
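Review bot: The new `AzureAd__InboundPolicies__2` block in the mise deployment declares `ValidAudiences__0` but, unlike the Geneva Actions policy (`AzureAd__InboundPolicies__1__ValidApplicationIds__0`), no `ValidApplicationIds`, so Mise accepts any token issued by that authority for that audience regardless of which application obtained it, and the per-session Istio `AuthorizationPolicy` becomes the only check on who the caller is. The fixture value for the audience appears to be a shared, well-known application id rather than one owned by this service, which would make that gap real. If this is intentional because callers present user tokens, document it beside the policy, e.g. `# no ValidApplicationIds: callers are user tokens; the per-session AuthorizationPolicy restricts the subject`; otherwise add `- name: AzureAd__InboundPolicies__2__ValidApplicationIds__0` with a value taken from a new `sessiongatePolicy` setting.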
diff --git a/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml b/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml index d61b4f20ab..40aa7051c9 100644 --- a/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml +++ b/istio/testdata/zz_fixture_TestHelmTemplate_istio_mise_enabled.yaml @@ -106,6 +106,14 @@ spec: value: 'https://management.azure.com' - name: AzureAd__InboundPolicies__1__ValidApplicationIds__0 value: "__genevaActionsAppId__" + - name: AzureAd__InboundPolicies__2__Label + value: "Session Gate" + - name: AzureAd__InboundPolicies__2__Authority + value: "https://sts.windows.net/__tenantId__" + - name: AzureAd__InboundPolicies__2__AuthenticationSchemes__0 + value: "Bearer" + - name: AzureAd__InboundPolicies__2__ValidAudiences__0 + value: '6dae42f8-4368-4678-94ff-3960e28e3630' - name: AllowedHosts value: "*" - name: Kestrel__Endpoints__Http__Url diff --git a/istio/values.yaml b/istio/values.yaml index 9dc0434023..42f5b9bc2c 100644 --- a/istio/values.yaml +++ b/istio/values.yaml @@ -27,3 +27,7 @@ mise: authority: "https://{{ .mise.genevaActions.authorityFQDN }}/__tenantId__/" # iss audience: "https://{{ .mise.genevaActions.audienceFQDN }}" # aud applicationId: "__genevaActionsAppId__" + sessiongatePolicy: + label: "{{ .mise.sessiongate.policyLabel }}" + authority: "https://{{ .mise.sessiongate.authorityFQDN }}/__tenantId__" # iss + audience: "{{ .mise.sessiongate.audience }}" # aud diff --git a/sessiongate/.gitignore b/sessiongate/.gitignore new file mode 100644 index 0000000000..1d4af440df --- /dev/null +++ b/sessiongate/.gitignore @@ -0,0 +1,3 @@ +bin/ +image +vendor \ No newline at end of file diff --git a/sessiongate/Dockerfile b/sessiongate/Dockerfile new file mode 100644 index 0000000000..2d8c95e405 --- /dev/null +++ b/sessiongate/Dockerfile 
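Review bot: In istio/values.yaml the new `sessiongatePolicy.authority` ends in `/__tenantId__` while the existing `genevaActionsPolicy.authority` ends in `/__tenantId__/`, and both are annotated `# iss`; if Mise compares the authority to the token's `iss` claim as a string, only one of the two forms can match a given issuer. The rendered fixture shows the sessiongate authority as `https://sts.windows.net/__tenantId__` without the slash, so please confirm which form the issuer of the sessiongate tokens uses and align the two entries, e.g. `authority: "https://{{ .mise.sessiongate.authorityFQDN }}/__tenantId__/" # iss`.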
@@ -0,0 +1,26 @@
+ARG PLATFORM
+
+# Builder image installs tools needed to build aro-hcp-backend
+FROM --platform=${PLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-azurelinux3.0 AS builder
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the Go source (relies on .dockerignore to filter)
+COPY . .
+
+ENV CGO_ENABLED=1 GOFLAGS='-tags=requirefips'
+RUN make bin/sessiongate
+
+FROM --platform=${PLATFORM} mcr.microsoft.com/azurelinux/distroless/base:3.0
+USER 65532:65532
+WORKDIR /
+COPY --from=builder /workspace/bin/sessiongate .
+USER 65532:65532
+
+ENTRYPOINT ["/sessiongate", "controller"]
diff --git a/sessiongate/Env.mk b/sessiongate/Env.mk
new file mode 100644
index 0000000000..323ceda162
--- /dev/null
+++ b/sessiongate/Env.mk
@@ -0,0 +1,5 @@
+ARO_HCP_IMAGE_ACR ?= {{ .acr.svc.name }}
+ARO_HCP_IMAGE_REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.{{ .acrDNSSuffix }}
+SESSION_GATE_IMAGE_REPOSITORY ?= {{ .sessiongate.image.repository }}
+
+NAMESPACE ?= {{ .sessiongate.k8s.namespace }}
\ No newline at end of file
diff --git a/sessiongate/Makefile b/sessiongate/Makefile
new file mode 100644
index 0000000000..3a1763976a
--- /dev/null
+++ b/sessiongate/Makefile
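Review bot: The builder-stage comment in sessiongate/Dockerfile still reads "tools needed to build aro-hcp-backend", a copy-paste leftover for a file that builds `bin/sessiongate`; change it to `# Builder image installs tools needed to build sessiongate`. In the runtime stage `USER 65532:65532` is declared twice (before `WORKDIR /` and again after the `COPY --from=builder`), and the second one is redundant since nothing in between changes the user. The only `ARG` declared is `PLATFORM`, while the Makefile in this same change passes `ARO_HCP_REVISION` and `ARO_HCP_IMAGE_TAG` as build args; without matching `ARG` lines they are silently ignored, so either declare them (and use them, e.g. in `LDFLAGS` or an image label) or drop them from the build command.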
@@ -0,0 +1,77 @@ +SHELL = /usr/bin/env bash -o pipefail +.SHELLFLAGS = -ec + +-include ../setup-templatize-env.mk +-include ../.bingo/Variables.mk +-include ../tooling/hcpctl/Variables.mk + +# Image +ARO_HCP_REVISION ?= $(shell git rev-parse HEAD) +SESSION_GATE_IMAGE_TAG ?= $(shell DETECT_DIRTY_GIT_WORKTREE=${DETECT_DIRTY_GIT_WORKTREE} DEPLOY_ENV=${DEPLOY_ENV} ../generate-tag.sh) +SESSION_GATE_GENERATED_IMAGE_REPOSITORY = $(shell DEPLOY_ENV=${DEPLOY_ENV} BASELINE_REPO=${SESSION_GATE_IMAGE_REPOSITORY} ../generate-repo.sh) +SESSION_GATE_TAGGED_IMAGE ?= $(ARO_HCP_IMAGE_REGISTRY)/$(SESSION_GATE_GENERATED_IMAGE_REPOSITORY):$(SESSION_GATE_IMAGE_TAG) + +HELMCHART_DIR = deploy +CONTAINER_TOOL ?= docker +BINARY = bin/sessiongate +SESSION_GATE_SOURCES = $(shell find . -name '*.go' -o -name 'go.mod' -o -name 'go.sum') +LDFLAGS = -ldflags "" + +# K8S Codegen Dir +K8S_CODEGEN_DIR = /tmp/code-generator + +# Default target +.DEFAULT_GOAL := build + +update-codegen: + @rm -rf vendor + GOWORK=off go mod vendor + ./hack/update-codegen.sh + make -C .. fmt + @rm -rf vendor +.PHONY: update-codegen + +build: $(BINARY) +.PHONY: build + +$(BINARY): $(SESSION_GATE_SOURCES) + go build $(LDFLAGS) -o $(BINARY) . + +run: + go run . controller --namespace ${NAMESPACE} --ingress-base-url "http://localhost:8080" -v 2 +.PHONY: run + +image: Dockerfile $(SESSION_GATE_SOURCES) + rm -f $(BINARY) + $(CONTAINER_TOOL) build . 
--file Dockerfile \ + --build-arg PLATFORM=linux/amd64 \ + --build-arg ARO_HCP_REVISION=${ARO_HCP_REVISION} \ + --build-arg ARO_HCP_IMAGE_TAG=${SESSION_GATE_IMAGE_TAG} \ + --tag ${SESSION_GATE_TAGGED_IMAGE} + touch $@ + +build-and-push: image + az acr login --name ${ARO_HCP_IMAGE_ACR} + $(CONTAINER_TOOL) push ${SESSION_GATE_TAGGED_IMAGE} +.PHONY: build-and-push + +OVERRIDE_CONFIG_FILE ?= /tmp/sessiongate-override-config-$(date +%s).yaml + +record-override: $(YQ) $(ORAS) + @az acr login --name ${ARO_HCP_IMAGE_ACR} --expose-token --output tsv --query accessToken | \ + $(ORAS) login ${ARO_HCP_IMAGE_REGISTRY} \ + --username 00000000-0000-0000-0000-000000000000 \ + --password-stdin + + @DIGEST=$$($(ORAS) manifest fetch --descriptor ${SESSION_GATE_TAGGED_IMAGE} | $(YQ) .digest); \ + $(YQ) eval -n "\ + .clouds.dev.environments.$(DEPLOY_ENV).defaults.sessiongate.image.repository = \"$(SESSION_GATE_GENERATED_IMAGE_REPOSITORY)\" | \ + .clouds.dev.environments.$(DEPLOY_ENV).defaults.sessiongate.image.digest = \"$$DIGEST\" \ + " > $(OVERRIDE_CONFIG_FILE) +.PHONY: record-override + +# Dev work + +deploy: build-and-push record-override + make -C .. pipeline/SessionGate OVERRIDE_CONFIG_FILE=$(OVERRIDE_CONFIG_FILE) +.PHONY: deploy diff --git a/sessiongate/README.md b/sessiongate/README.md new file mode 100644 index 0000000000..cdca92909d --- /dev/null +++ b/sessiongate/README.md 
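Review bot: `OVERRIDE_CONFIG_FILE ?= /tmp/sessiongate-override-config-$(date +%s).yaml` uses Make variable syntax, not a shell call: `$(date +%s)` expands to the Make variable named `date +%s`, which is empty, so the default path is always `/tmp/sessiongate-override-config-.yaml` and two `record-override` runs on the same machine overwrite each other's file in a world-writable directory. Use `OVERRIDE_CONFIG_FILE ?= /tmp/sessiongate-override-config-$(shell date +%s).yaml`, or better `$(shell mktemp /tmp/sessiongate-override-config-XXXXXX.yaml)`, so each run gets its own file. The `image` target also passes `ARO_HCP_REVISION` and `ARO_HCP_IMAGE_TAG` as `--build-arg`s that the Dockerfile added in this change never declares with `ARG`, so they currently have no effect on the built image. The Makefile hunk starts on the previous physical line.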
@@ -0,0 +1,77 @@
+# Sessiongate
+
+Sessiongate is a Kubernetes controller and proxy service that provides secure, time-limited, identity-based access to customer Hosted Control Plane (HCP) clusters in ARO-HCP. It enables SREs to perform debugging and break-glass operations while maintaining security and compliance requirements.
+
+Sessiongate is designed to be triggered by the Admin API and Geneva Actions, operating as a dedicated component that segregates the elevated permissions needed for credential minting and network path establishment from other ARO-HCP services.
+
+## Overview
+
+Sessiongate manages the complete lifecycle of ephemeral debugging sessions. When triggered by the Admin API or Geneva Actions, it creates authorization policies to enforce identity-based access control and enable auditing, mints time-limited credentials for target clusters via Azure APIs, exposes authenticated proxy endpoints that forward Kubernetes API requests, and automatically expires sessions based on configured TTL to ensure temporary access only.
+
+## Architecture
+
+### Components
+
+**Control Plane Controller**: Watches `Session` custom resources, reconciles desired state by managing credential Secrets and Istio `AuthorizationPolicy` objects, and participates in leader election to coordinate credential minting across replicas. Only the elected leader mints credentials and creates authorization policies. Once credentials and policies are ready, the control plane updates the Session CR status to signal the data plane that the session is valid and ready to serve requests.
+
+**Data Plane Controller**: Watches `Session` custom resources for status updates and credential Secrets created by the control plane controller. When a session becomes ready (indicated by status updates), it extracts session configuration from the credential Secret and registers the session in the local session registry. Runs on all pods (both leader and followers) to enable distributed request handling across all replicas.
+
+**HTTP Server & Session Registry**: Serves proxy endpoints at `/sessiongate/{sessionID}/kas/*` and maintains a registry of active sessions. The registry is populated by the data plane controller watching Session status updates and credential Secrets via shared informers.
+
+**Credential Provider**: Mints time-limited cluster credentials by calling Azure APIs for AKS management clusters or generating client certificates for HCP hosted clusters, storing results in Kubernetes Secrets.
+
+**Istio**: Adds session-specific authorization by enforcing `AuthorizationPolicy` resources that match JWT claims against the session owner.
+
+**Mise**: Microsoft's authentication and authorization component that provides the first layer of security by validating JWTs before requests reach sessiongate.
+
+### Endpoint Offering
+
+The control plane controller updates the Session CR status with `endpoint`, `credentialsSecretRef`, and `backendKASURL` fields once credentials are minted and the authorization policy is in place. When all prerequisites are met, it sets the `Ready` condition to signal that the session is available.
+
+The data plane controller watches Session CR updates on all pods (leader and followers). When a session's `Ready` condition becomes true, the data plane controller validates that `credentialsSecretRef` and `backendKASURL` are present, fetches the credentials from the Secret, and registers the session in the local in-memory registry. Each pod independently registers sessions based on the Session CR status, enabling distributed request handling across all replicas without relying on leader election.
+
+Client requests flow through Mise for JWT validation, then through Istio for session-specific authorization based on the `AuthorizationPolicy`. Sessiongate proxies regular HTTP requests and WebSocket upgrades to the target cluster using the credentials and backend KAS URL from the Session CR status—note that SPDY is not supported due to Istio limitations. When a session expires, is deleted, or becomes not ready, the data plane controller unregisters it from the local registry, ensuring clean session termination.
+
+**Endpoint Format**: `https://{ingressBaseURL}/sessiongate/{sessionID}/kas`
+
+## Custom Resource Definition
+
+```yaml
+apiVersion: sessiongate.aro-hcp.azure.com/v1alpha1
+kind: Session
+metadata:
+ name: my-debug-session
+ namespace: sessiongate
+spec:
+ ttl: 1h
+ managementCluster:
+ resourceId: /subscriptions/.../resourceGroups/.../providers/Microsoft.ContainerService/managedClusters/the-mgmt-cluster
+ hostedControlPlane:
+ resourceId: /subscriptions/.../resourceGroups/.../providers/Microsoft.RedHatOpenshift/hcpOpenShiftClusters/the-hcp
+ namespace: namespace-that-contains-the-hosted-control-plane-cr
+ accessLevel:
+ group: aro-sre-cluster-admin
+ owner:
+ type: User
+ userPrincipal:
+ name: user@example.com
+ claim: upn
+status:
+ endpoint: https://sessiongate.example.com/sessiongate/my-debug-session/kas
+ expiresAt: "2025-12-23T16:30:00Z"
+ credentialsSecretRef: my-debug-session-credentials
+ backendKASURL: https://api.my-hcp.example.com:6443
+```
+
+## Security Model
+
+Sessiongate implements defense-in-depth with multiple security layers. Mise validates JWTs before requests reach sessiongate, providing the first authentication barrier. Istio then enforces session-specific `AuthorizationPolicy` resources that match JWT claims against the session owner, ensuring only the designated principal can access their session endpoint.
+
+## Log Levels
+
+Sessiongate uses [klog](https://github.com/kubernetes/klog) for structured logging. Control verbosity with the `-v` flag:
+
+- **`-v=0` (default)**: Errors and critical events only
+- **`-v=2` (recommended for production)**: Important operations - startup, session registration/unregistration, credential minting, leader election changes
+- **`-v=4` (debug)**: Detailed flow - credential polling, event filtering, tombstone recovery
+- **`-v=6` (trace)**: Deep debugging - URL construction, detailed request handling
diff --git a/sessiongate/cmd/cmd.go b/sessiongate/cmd/cmd.go
new file mode 100644
index 0000000000..0bbe230fc8
--- /dev/null
+++ b/sessiongate/cmd/cmd.go
@@ -0,0 +1,67 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+ "context"
+
+ "github.com/spf13/cobra"
+)
+
+func NewRootCmd() (*cobra.Command, error) {
+ cmd := &cobra.Command{
+ Use: "sessiongate",
+ Short: "Sessiongate is a controller for managing KAS API sessions in ARO HCP.",
+ }
+ subcommands := []func() (*cobra.Command, error){
+ NewControllerCommand,
+ }
+
+ for _, newCmd := range subcommands {
+ subCmd, err := newCmd()
+ if err != nil {
+ return nil, err
+ }
+ cmd.AddCommand(subCmd)
+ }
+ return cmd, nil
+}
+
+func NewControllerCommand() (*cobra.Command, error) {
+ opts := DefaultControllerOptions()
+ cmd := &cobra.Command{
+ Use: "controller",
+ Short: "Start the sessiongate controller",
+ RunE: func(cmd *cobra.Command, args []string) error {
+ return runController(cmd.Context(), opts)
+ },
+ }
+ if err := opts.BindFlags(cmd); err != nil {
+ return nil, err
+ }
+ return cmd, nil
+}
+
+func runController(ctx context.Context, opts *RawControllerOptions) error {
+ validated, err := opts.Validate(ctx)
+ if err != nil {
+ return err
+ }
+ completed, err := validated.Complete(ctx)
+ if err != nil {
+ return err
+ }
+ return completed.Run(ctx)
+}
diff --git a/sessiongate/cmd/options.go b/sessiongate/cmd/options.go
new file mode 100644
index 0000000000..c0eb355bbd
--- /dev/null
+++ b/sessiongate/cmd/options.go
@@ -0,0 +1,340 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+ "context"
+ "flag"
+ "fmt"
+ "os"
+ "time"
+
+ "github.com/prometheus/client_golang/prometheus"
+ "github.com/spf13/cobra"
+ "golang.org/x/sync/errgroup"
+ istioclientset "istio.io/client-go/pkg/clientset/versioned"
+ istioinformers "istio.io/client-go/pkg/informers/externalversions"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ kubeinformers "k8s.io/client-go/informers"
+ "k8s.io/client-go/kubernetes"
+ "k8s.io/client-go/rest"
+ "k8s.io/client-go/tools/clientcmd"
+ "k8s.io/klog/v2"
+
+ "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+
+ "github.com/Azure/ARO-HCP/sessiongate/pkg/controller"
+ "github.com/Azure/ARO-HCP/sessiongate/pkg/controller/controlplane"
+ "github.com/Azure/ARO-HCP/sessiongate/pkg/controller/dataplane"
+ clientset "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned"
+ informers "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/informers/externalversions"
+ "github.com/Azure/ARO-HCP/sessiongate/pkg/mc"
+ "github.com/Azure/ARO-HCP/sessiongate/pkg/server"
+ "github.com/Azure/ARO-HCP/sessiongate/pkg/signals"
+)
+
+const (
+ LeaderElectionLockName = "sessiongate-controller-leader"
+)
+
+type RawControllerOptions struct {
+ BindAddress string
+ IngressBaseURL string
+ Kubeconfig string
+ Namespace string
+ Workers int
+ LeaderElectionLeaseDuration time.Duration
+ LeaderElectionRenewDeadline time.Duration
+ LeaderElectionRetryPeriod time.Duration
+ CredentialCheckInterval time.Duration
+}
+
+func DefaultControllerOptions() *RawControllerOptions {
+ return &RawControllerOptions{
+ BindAddress: "localhost:8080",
+ LeaderElectionLeaseDuration: 15 * time.Second,
+ LeaderElectionRenewDeadline: 10 * time.Second,
+ LeaderElectionRetryPeriod: 2 * time.Second,
+ CredentialCheckInterval: 2 * time.Second,
+ Workers: 5,
+ }
+}
+
+func (o *RawControllerOptions) BindFlags(cmd *cobra.Command) error {
+ // Initialize klog flags before adding them to cobra
+ klog.InitFlags(nil)
+
+ cmd.Flags().StringVar(&o.BindAddress, "bind-address", o.BindAddress, "The local bind address for the HTTP server (e.g., ':8080' or 'localhost:8080')")
+ cmd.Flags().StringVar(&o.IngressBaseURL, "ingress-base-url", o.IngressBaseURL, "The externally-accessible base URL for ingress (e.g., 'https://sessiongate.example.com'). If empty, server-address will be used.")
+ cmd.Flags().StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Optional.")
+ cmd.Flags().StringVar(&o.Namespace, "namespace", os.Getenv("POD_NAMESPACE"), "The namespace where the sessiongate controller is deployed.")
+ cmd.Flags().IntVar(&o.Workers, "workers", o.Workers, "Number of reconcile workers to run")
+ cmd.Flags().DurationVar(&o.LeaderElectionLeaseDuration, "leader-election-lease-duration", o.LeaderElectionLeaseDuration, "Leader election lease duration")
+ cmd.Flags().DurationVar(&o.LeaderElectionRenewDeadline, "leader-election-renew-deadline", o.LeaderElectionRenewDeadline, "Leader election renew deadline")
+ cmd.Flags().DurationVar(&o.LeaderElectionRetryPeriod, "leader-election-retry-period", o.LeaderElectionRetryPeriod, "Leader election retry period")
+ cmd.Flags().DurationVar(&o.CredentialCheckInterval, "credential-check-interval", o.CredentialCheckInterval, "Interval for checking credential minting status when pending (min 500ms, max 30s)")
+ cmd.Flags().AddGoFlagSet(flag.CommandLine)
+
+ return nil
+}
+
+type validatedControllerOptions struct {
+ *RawControllerOptions
+}
+
+type ValidatedControllerOptions struct {
+ *validatedControllerOptions
+}
+
+type completedControllerOptions struct {
+ server *server.Server
+ controlPlaneController *controlplane.Controller
+ dataPlaneController *dataplane.Controller
+ sessiongateInformerFactory informers.SharedInformerFactory
+ istioInformerFactory istioinformers.SharedInformerFactory
+ kubeInformerFactory kubeinformers.SharedInformerFactory
+ workers int
+}
+
+type ControllerOptions struct {
+ *completedControllerOptions
+}
+
+func (o *RawControllerOptions) Validate(ctx context.Context) (*ValidatedControllerOptions, error) {
+ if o.Namespace == "" {
+ return nil, fmt.Errorf("namespace is required")
+ }
+ if o.BindAddress == "" {
+ return nil, fmt.Errorf("bind-address is required")
+ }
+ if o.IngressBaseURL == "" {
+ return nil, fmt.Errorf("ingress-base-url is required")
+ }
+ return &ValidatedControllerOptions{
+ validatedControllerOptions: &validatedControllerOptions{
+ RawControllerOptions: o,
+ },
+ }, nil
+}
+
+func (o *ValidatedControllerOptions) Complete(ctx context.Context) (*ControllerOptions, error) {
+ logger := klog.FromContext(ctx)
+
+ azureCredential, err := azidentity.NewDefaultAzureCredential(nil)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create Azure credential: %w", err)
+ }
+
+ kubeConfig, err := o.buildKubeConfig()
+ if err != nil {
+ return nil, fmt.Errorf("failed to build kubeconfig: %w", err)
+ }
+
+ kubeClientset, err := kubernetes.NewForConfig(kubeConfig)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create kubernetes clientset: %w", err)
+ }
+ sessiongateClientset, err := clientset.NewForConfig(kubeConfig)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create sessiongate clientset: %w", err)
+ }
+ istioClientset, err := istioclientset.NewForConfig(kubeConfig)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create istio clientset: %w", err)
+ }
+ sessiongateInformers := informers.NewSharedInformerFactoryWithOptions(
+ sessiongateClientset,
+ time.Second*300,
+ informers.WithNamespace(o.Namespace),
+ )
+
+ // create Istio informer factory for AuthorizationPolicies
+ istioInformers := istioinformers.NewSharedInformerFactoryWithOptions(
+ istioClientset,
+ time.Second*300,
+ istioinformers.WithNamespace(o.Namespace),
+ istioinformers.WithTweakListOptions(func(opts *metav1.ListOptions) {
+ opts.LabelSelector = controller.ManagedByLabelSelector()
+ }),
+ )
+ authzPolicyInformer := istioInformers.Security().V1beta1().AuthorizationPolicies()
+
+ // create Secret informer for watching session credentials
+ kubeInformers := kubeinformers.NewSharedInformerFactoryWithOptions(
+ kubeClientset,
+ time.Second*300,
+ kubeinformers.WithNamespace(o.Namespace),
+ kubeinformers.WithTweakListOptions(func(opts *metav1.ListOptions) {
+ opts.LabelSelector = controller.ManagedByLabelSelector()
+ }),
+ )
+ secretsInformer := kubeInformers.Core().V1().Secrets().Informer()
+
+ klog.V(4).Info("Successfully built kubeconfig and clientsets")
+
+ // create server
+ srv := server.NewServer(o.BindAddress, o.IngressBaseURL, prometheus.DefaultRegisterer)
+
+ // create secret store
+ secretStore := controller.NewDefaultSecretStore(
+ kubeClientset,
+ o.Namespace,
+ kubeInformers.Core().V1().Secrets().Lister(),
+ )
+
+ // create credential provider
+ credentialProvider := controller.NewDefaultCredentialProvider(
+ secretStore,
+ mc.NewAKSHCPProviderBuilder(azureCredential),
+ )
+
+ // setup leader election config
+ leaderElectionCfg := &controller.LeaderElectionConfig{
+ LockName: LeaderElectionLockName,
+ LeaseDuration: o.LeaderElectionLeaseDuration,
+ RenewDeadline: o.LeaderElectionRenewDeadline,
+ RetryPeriod: o.LeaderElectionRetryPeriod,
+ Namespace: o.Namespace,
+ KubeConfig: kubeConfig,
+ }
+
+ // create control plane controller (leader-elected)
+ controlPlaneCtrl, err := controlplane.NewController(
+ ctx,
+ klog.LoggerWithValues(logger, "controller", "control-plane"),
+ kubeClientset,
+ sessiongateClientset,
+ istioClientset.SecurityV1beta1(),
+ sessiongateInformers.Sessiongate().V1alpha1().Sessions(),
+ authzPolicyInformer,
+ secretsInformer,
+ srv,
+ mc.NewAKSHCPProviderBuilder(azureCredential),
+ credentialProvider,
+ o.Namespace,
+ leaderElectionCfg,
+ o.CredentialCheckInterval,
+ )
+ if err != nil {
+ return nil, fmt.Errorf("failed to create control plane controller: %w", err)
+ }
+
+ // create data plane controller (no leader election, runs on all replicas)
+ dataPlaneCtrl, err := dataplane.NewController(
+ ctx,
+ klog.LoggerWithValues(logger, "controller", "data-plane"),
+ sessiongateInformers.Sessiongate().V1alpha1().Sessions(),
+ srv,
+ credentialProvider,
+ )
+ if err != nil {
+ return nil, fmt.Errorf("failed to create data plane controller: %w", err)
+ }
+
+ return &ControllerOptions{
+ completedControllerOptions: &completedControllerOptions{
+ server: srv,
+ sessiongateInformerFactory: sessiongateInformers,
+ istioInformerFactory: istioInformers,
+ kubeInformerFactory: kubeInformers,
+ controlPlaneController: controlPlaneCtrl,
+ dataPlaneController: dataPlaneCtrl,
+ workers: o.Workers,
+ },
+ }, nil
+}
+
+// buildKubeConfig builds a Kubernetes REST config, trying in-cluster config first
+// and falling back to out-of-cluster config using default loading rules.
+func (o *ValidatedControllerOptions) buildKubeConfig() (*rest.Config, error) {
+ // try in-cluster config first
+ config, err := rest.InClusterConfig()
+ if err == nil {
+ klog.V(6).Info("Using in-cluster kubeconfig")
+ return config, nil
+ }
+
+ // fall back to out-of-cluster config
+ klog.V(6).Info("Not running in-cluster, using out-of-cluster kubeconfig")
+ loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
+ if o.Kubeconfig != "" {
+ loadingRules.ExplicitPath = o.Kubeconfig
+ }
+
+ kubeConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
+ config, err = kubeConfig.ClientConfig()
+ if err != nil {
+ return nil, fmt.Errorf("failed to build kubeconfig from loading rules: %w", err)
+ }
+
+ return config, nil
+}
+
+func (o *ControllerOptions) Run(ctx context.Context) error {
+ ctx = signals.SetupSignalHandler(ctx)
+ logger := klog.FromContext(ctx)
+
+ // start informers
+ o.sessiongateInformerFactory.Start(ctx.Done())
+ o.istioInformerFactory.Start(ctx.Done())
+ o.kubeInformerFactory.Start(ctx.Done())
+ logger.V(6).Info("Informer factories started")
+
+ // use errgroup to run server and controller concurrently
+ // the first component to fail will cancel the context for the other
+ g, ctx := errgroup.WithContext(ctx)
+
+ // run webserver
+ g.Go(func() error {
+ logger.Info("Starting webserver", "address", o.server.BindAddress())
+ if err := o.server.Run(ctx); err != nil {
+ logger.Error(err, "Webserver stopped with error")
+ return err
+ }
+ logger.Info("Webserver stopped")
+ return nil
+ })
+
+ // run control plane controller
+ g.Go(func() error {
+ logger.Info("Starting control plane controller")
+ if err := o.controlPlaneController.Run(ctx, o.workers); err != nil {
+ logger.Error(err, "Control plane controller stopped with error")
+ return err
+ }
+ logger.Info("Control plane controller stopped")
+ return nil
+ })
+
+ // run data plane controller
+ g.Go(func() error {
+ logger.Info("Starting data plane controller")
+ if err := o.dataPlaneController.Run(ctx); err != nil {
+ logger.Error(err, "Data plane controller stopped with error")
+ return err
+ }
+ logger.Info("Data plane controller stopped")
+ return nil
+ })
+
+ if err := g.Wait(); err != nil {
+ logger.Error(err, "Component failed")
+ klog.Flush()
+ return err
+ }
+
+ return nil
+}
diff --git a/sessiongate/deploy/Chart.yaml b/sessiongate/deploy/Chart.yaml
new file mode 100644
index 0000000000..3574cf42cb
--- /dev/null
+++ b/sessiongate/deploy/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: sessiongate
+description: Controller for managing KAS API sessions in ARO HCP.
+type: application
+version: 0.1.0
+appVersion: "v0.1.0"
diff --git a/sessiongate/deploy/templates/acrpullbinding.yaml b/sessiongate/deploy/templates/acrpullbinding.yaml
new file mode 100644
index 0000000000..617344f5b1
--- /dev/null
+++ b/sessiongate/deploy/templates/acrpullbinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: acrpull.microsoft.com/v1beta2
+kind: AcrPullBinding
+metadata:
+ name: pull-binding
+ namespace: "{{ .Values.namespace }}"
+spec:
+ acr:
+ environment: PublicCloud
+ server: '{{ .Values.pullBinding.registry }}'
+ scope: '{{ .Values.pullBinding.scope }}'
+ auth:
+ workloadIdentity:
+ serviceAccountRef: '{{ .Values.serviceAccount.name }}'
+ clientID: '{{ .Values.pullBinding.workloadIdentityClientId }}'
+ tenantID: '{{ .Values.pullBinding.workloadIdentityTenantId }}'
+ serviceAccountName: '{{ .Values.serviceAccount.name }}'
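Review bot: `Validate` (mid-hunk) only checks that `namespace`, `bind-address` and `ingress-base-url` are non-empty, while the `credential-check-interval` help text promises a 500ms–30s range that nothing enforces, so a zero or negative value from the command line is accepted and handed straight to the control plane controller. Add `if o.CredentialCheckInterval < 500*time.Millisecond || o.CredentialCheckInterval > 30*time.Second { return nil, fmt.Errorf("credential-check-interval must be between 500ms and 30s, got %s", o.CredentialCheckInterval) }` beside the existing checks; client-go rejects inconsistent leader-election durations on its own, but no such backstop for the poll interval is visible here. The `ingress-base-url` help text still says "If empty, server-address will be used", which contradicts the validation and names a flag that is never registered (the registered one is `bind-address`). Separately, `Complete` obtains credentials via `azidentity.NewDefaultAzureCredential`, whose chain also tries environment-variable secrets and the Azure CLI before giving up; since the Deployment opts into workload identity, `azidentity.NewWorkloadIdentityCredential(nil)` would pin credential minting to the pod's federated token and fail loudly at startup instead of silently picking up whatever else is in the environment.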
diff --git a/sessiongate/deploy/templates/controller_role.yaml b/sessiongate/deploy/templates/controller_role.yaml
new file mode 100644
index 0000000000..5f9214059f
--- /dev/null
+++ b/sessiongate/deploy/templates/controller_role.yaml
@@ -0,0 +1,67 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: sessiongate
+ name: sessiongate-controller
+ namespace: {{ .Values.namespace }}
+rules:
+- apiGroups:
+ - sessiongate.aro-hcp.azure.com
+ resources:
+ - sessions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - sessiongate.aro-hcp.azure.com
+ resources:
+ - sessions/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - sessiongate.aro-hcp.azure.com
+ resources:
+ - sessions/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ""
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+ - patch
+- apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/sessiongate/deploy/templates/controller_role_binding.yaml b/sessiongate/deploy/templates/controller_role_binding.yaml
new file mode 100644
index 0000000000..76fe7189d3
--- /dev/null
+++ b/sessiongate/deploy/templates/controller_role_binding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: sessiongate
+ name: sessiongate-controller-binding
+ namespace: {{ .Values.namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sessiongate-controller
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Values.namespace }}
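Review bot: The controller Role grants `create` on `sessions` and `update` on `events`, and nothing in this diff needs either: the README says Sessions are created by the Admin API and Geneva Actions, and Kubernetes event recorders only `create`/`patch`. Removing those two verbs keeps the sessiongate service account, which already holds `create`/`delete` on every Secret and AuthorizationPolicy in the namespace, from being able to mint a brand-new `Session` for an arbitrary owner if the pod is ever compromised. If the controller does create Sessions in code outside this diff, record that on the rule instead, e.g. `# create: required by <component> for <reason>`, so the next least-privilege pass does not strip it. The broad Secret grant cannot be narrowed with `resourceNames` because the names are dynamic, so the label-selected informer in options.go is the right mitigation there.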
diff --git a/sessiongate/deploy/templates/deployment.yaml b/sessiongate/deploy/templates/deployment.yaml
new file mode 100644
index 0000000000..e93bb6b891
--- /dev/null
+++ b/sessiongate/deploy/templates/deployment.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sessiongate
+ namespace: {{ .Values.namespace }}
+ labels:
+ app.kubernetes.io/name: sessiongate
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: sessiongate
+ replicas: {{ .Values.replicas }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: sessiongate
+ azure.workload.identity/use: "true"
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - command:
+ - "/sessiongate"
+ args:
+ - controller
+ - "--server-address=:{{ .Values.service.port }}"
+ - "--ingress-base-url=https://{{ .Values.virtualService.host }}"
+ - "-v={{ .Values.logLevel }}"
+ - "--leader-election-lease-duration={{ .Values.leaderElection.leaseDuration }}"
+ - "--leader-election-renew-deadline={{ .Values.leaderElection.renewDeadline }}"
+ - "--leader-election-retry-period={{ .Values.leaderElection.retryPeriod }}"
+ image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}@{{ .Values.image.digest }}"
+ name: sessiongate-controller
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ ports:
+ - containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ name: sessions
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ readOnlyRootFilesystem: true
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.service.port }}
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: {{ .Values.service.port }}
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ volumeMounts: []
+ volumes: []
+ serviceAccountName: {{ .Values.serviceAccount.name }}
+ terminationGracePeriodSeconds: 10
+ nodeSelector:
+ {{- with .Values.nodeSelector }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/sessiongate/deploy/templates/leader_election_role.yaml b/sessiongate/deploy/templates/leader_election_role.yaml
new file mode 100644
index 0000000000..a85fd2f198
--- /dev/null
+++ b/sessiongate/deploy/templates/leader_election_role.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: sessiongate
+ name: sessiongate-controller-leader-election
+ namespace: {{ .Values.namespace }}
+rules:
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/sessiongate/deploy/templates/leader_election_role_binding.yaml b/sessiongate/deploy/templates/leader_election_role_binding.yaml
new file mode 100644
index 0000000000..f2c21efec2
--- /dev/null
+++ b/sessiongate/deploy/templates/leader_election_role_binding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: sessiongate
+ name: sessiongate-controller-leader-election-binding
+ namespace: {{ .Values.namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sessiongate-controller-leader-election
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Values.namespace }}
diff --git a/sessiongate/deploy/templates/requestauthentication.yaml b/sessiongate/deploy/templates/requestauthentication.yaml
new file mode 100644
index 0000000000..cf3ea25bbd
--- /dev/null
+++ b/sessiongate/deploy/templates/requestauthentication.yaml
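Review bot: The container args pass `--server-address=:{{ .Values.service.port }}`, but `BindFlags` in cmd/options.go registers `--bind-address` and no `server-address` flag at all, so cobra rejects the unknown flag and the pod will crash-loop at startup. Change the line to `- "--bind-address=:{{ .Values.service.port }}"`. It is worth fixing rather than dropping the flag: `DefaultControllerOptions` binds to `localhost:8080`, which the Service and the `/healthz`/`/readyz` probes on `.Values.service.port` would not reach. The rest of the pod spec (digest-pinned image, `readOnlyRootFilesystem`, all capabilities dropped, `RuntimeDefault` seccomp, no volumes) is in good shape.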
@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: sessiongate-request-auth
+ namespace: '{{ .Release.Namespace }}'
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: sessiongate
+ jwtRules:
+ - issuer: "{{ .Values.auth.authority }}/"
+ jwksUri: "{{ .Values.auth.authority }}/discovery/v2.0/keys"
+ audiences:
+ - "{{ .Values.auth.audience }}"
diff --git a/sessiongate/deploy/templates/service.yaml b/sessiongate/deploy/templates/service.yaml
new file mode 100644
index 0000000000..5d759dd45c
--- /dev/null
+++ b/sessiongate/deploy/templates/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: sessiongate
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ app.kubernetes.io/name: sessiongate
+spec:
+ selector:
+ app.kubernetes.io/name: sessiongate
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: {{ .Values.service.port }}
+ protocol: TCP
diff --git a/sessiongate/deploy/templates/serviceaccount.yaml b/sessiongate/deploy/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..7702e8bf65
--- /dev/null
+++ b/sessiongate/deploy/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: sessiongate
+ annotations:
+ azure.workload.identity/client-id: '{{ .Values.serviceAccount.workloadIdentityClientId }}'
+ azure.workload.identity/tenant-id: '{{ .Values.serviceAccount.workloadIdentityTenantId }}'
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Values.namespace }}
diff --git a/sessiongate/deploy/templates/sessiongate.aro-hcp.azure.com_sessions.yaml b/sessiongate/deploy/templates/sessiongate.aro-hcp.azure.com_sessions.yaml
new file mode 100644
index 0000000000..e0dce977b7
--- /dev/null
+++ b/sessiongate/deploy/templates/sessiongate.aro-hcp.azure.com_sessions.yaml
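Review bot: This RequestAuthentication (and service.yaml in the same hunk group) is rendered into `.Release.Namespace`, while the Deployment, Roles and ServiceAccount use `.Values.namespace`; Istio policies only select workloads in their own namespace, so the moment those two values differ the JWT rule silently stops applying to the sessiongate pods and the Service selects nothing. Use `namespace: {{ .Values.namespace }}` in both files so a single value governs the whole chart. Also note that a RequestAuthentication only rejects requests that carry an invalid token; a request with no token passes through unless an AuthorizationPolicy demands `requestPrincipals`. The per-session `AuthorizationPolicy` objects the README describes presumably cover `/sessiongate/{id}/kas/*`, but a baseline policy on this workload with `from: - source: requestPrincipals: ["*"]` for everything except the probe paths would close the gap on unmatched paths — confirm against what the Mise layer enforces, which is not visible in this diff.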
@@ -0,0 +1,226 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: sessions.sessiongate.aro-hcp.azure.com +spec: + group: sessiongate.aro-hcp.azure.com + names: + kind: Session + listKind: SessionList + plural: sessions + singular: session + scope: Namespaced + versions: + - name: v1alpha1 + additionalPrinterColumns: + - name: Endpoint + type: string + jsonPath: .status.endpoint + - name: Expires + type: string + format: date-time + jsonPath: .status.expiresAt + schema: + openAPIV3Schema: + description: Session is the Schema for the sessions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of Session + properties: + accessLevel: + description: accessLevel defines the access permissions for the session + properties: + group: + description: group is the name of the access group + type: string + required: + - group + type: object + hostedControlPlane: + description: hostedControlPlane specifies the hosted control plane + properties: + resourceId: + description: resourceId is the Azure resource ID of the hosted control plane + type: string + pattern: '^/subscriptions/[a-fA-F0-9-]+/resourceGroups/[^/]+/providers/Microsoft\.RedHatOpenshift/hcpOpenShiftClusters/[^/]+$' + namespace: + description: namespace of the HostedControlPlane CR + type: string + required: + - resourceId + - namespace + type: object + managementCluster: + description: managementCluster specifies the AKS management cluster + properties: + resourceId: + description: resourceId is the Azure resource ID of the management cluster + type: string + pattern: '^/subscriptions/[a-fA-F0-9-]+/resourceGroups/[^/]+/providers/Microsoft\.ContainerService/managedClusters/[^/]+$' + required: + - resourceId + type: object + ttl: + description: ttl is the time-to-live duration for the session + type: string + owner: + description: owner identifies the principal (user or service account) that owns this session + properties: + type: + description: type specifies the authentication method + enum: + - User + type: string + userPrincipal: + description: userPrincipal identifies the user principal + properties: + claim: + default: upn + description: |- + claim specifies which JWT claim to use for authentication (e.g., "upn", "email", "sub", "preferred_username"). + Must be a top-level claim name. Nested claims are not currently supported. 
+ Note: While dots are valid in JWT claim names and Istio treats them literally (not as path separators), + we restrict the pattern to alphanumeric, underscore, hyphen, and slash for safety and simplicity. + To access nested claims in the future, Istio requires bracket notation like [parent][child]. + type: string + pattern: ^[a-zA-Z0-9_/-]+$ + minLength: 1 + maxLength: 256 + name: + description: name is the user principal name (e.g., UPN for Azure AD like user@domain.com) + type: string + required: + - claim + - name + type: object + required: + - type + type: object + x-kubernetes-validations: + - rule: "self.type == 'User' ? has(self.userPrincipal) : true" + message: "userPrincipal must be set when type is User" + required: + - accessLevel + - hostedControlPlane + - managementCluster + - owner + - ttl + type: object + x-kubernetes-validations: + - rule: "self == oldSelf" + message: "spec is immutable" + status: + description: status defines the observed state of Session + properties: + conditions: + description: |- + conditions represent the current state of the Session resource. + Each condition has a unique type and reflects the status of a specific aspect of the resource. + + Standard condition types include: + - "Available": the resource is fully functional + - "Progressing": the resource is being created or updated + - "Degraded": the resource failed to reach or maintain its desired state + - "Credentials": credentials are being provisioned or ready + + The status of each condition is one of True, False, or Unknown. + items: + description: Condition contains details for one aspect of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + endpoint: + description: endpoint is the URL endpoint for accessing the session + type: string + expiresAt: + description: expiresAt is the timestamp when the session will expire + format: date-time + type: string + credentialsSecretRef: + description: credentialsSecretRef references the Secret containing the session credentials (private key and certificate) + type: string + backendKASURL: + description: backendKASURL is the Kubernetes API server URL for the backend cluster + type: string + type: object + required: + - spec + type: object + x-kubernetes-validations: + - rule: "self.metadata.name.size() <= 63" + message: "session name must be 63 characters or less" + - rule: "self.metadata.name.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')" + message: "session name must be a valid DNS label (lowercase alphanumeric with hyphens)" + served: true + storage: true + subresources: + status: {} diff --git a/sessiongate/go.mod b/sessiongate/go.mod new file mode 100644 index 0000000000..3f58ebb286 --- /dev/null +++ b/sessiongate/go.mod 
@@ -0,0 +1,111 @@
+module github.com/Azure/ARO-HCP/sessiongate
+
+go 1.24.4
+
+require (
+ github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0
+ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice v1.0.0
+ github.com/openshift/hypershift v0.1.70
+ github.com/openshift/hypershift/api v0.0.0-20251113182218-95835694eb99
+ github.com/prometheus/client_golang v1.23.2
+ github.com/spf13/cobra v1.10.2
+ golang.org/x/sync v0.19.0
+ golang.org/x/time v0.14.0
+ istio.io/api v1.28.1
+ istio.io/client-go v1.28.1
+ k8s.io/api v0.34.1
+ k8s.io/apimachinery v0.34.3
+ k8s.io/client-go v0.34.1
+ k8s.io/code-generator v0.34.1
+ k8s.io/klog/v2 v2.130.1
+ sigs.k8s.io/structured-merge-diff/v6 v6.3.0
+)
+
+require (
+ github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+ github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect
+ github.com/aws/aws-sdk-go v1.55.7 // indirect
+ github.com/aws/karpenter-provider-aws v1.0.8 // indirect
+ github.com/awslabs/operatorpkg v0.0.0-20241205163410-0fff9f28d115 // indirect
+ github.com/beorn7/perks v1.0.1 // indirect
+ github.com/cespare/xxhash/v2 v2.3.0 // indirect
+ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+ github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+ github.com/evanphx/json-patch v5.9.11+incompatible // indirect
+ github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+ github.com/fsnotify/fsnotify v1.9.0 // indirect
+ github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+ github.com/go-logr/logr v1.4.3 // indirect
+ github.com/go-openapi/jsonpointer v0.21.1 // indirect
+ github.com/go-openapi/jsonreference v0.21.0 // indirect
+ github.com/go-openapi/swag v0.23.1 // indirect
+ github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+ github.com/golang/protobuf v1.5.4 // indirect
+ github.com/google/btree v1.1.3 // indirect
+ github.com/google/gnostic-models v0.7.0 // indirect
+ github.com/google/go-cmp v0.7.0 // indirect
+ github.com/google/gofuzz v1.2.1-0.20210504230335-f78f29fc09ea // indirect
+ github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 // indirect
+ github.com/google/uuid v1.6.0 // indirect
+ github.com/inconshreveable/mousetrap v1.1.0 // indirect
+ github.com/jmespath/go-jmespath v0.4.0 // indirect
+ github.com/josharian/intern v1.0.0 // indirect
+ github.com/json-iterator/go v1.1.12 // indirect
+ github.com/klauspost/compress v1.18.1 // indirect
+ github.com/kylelemons/godebug v1.1.0 // indirect
+ github.com/mailru/easyjson v0.9.0 // indirect
+ github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
+ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+ github.com/openshift/api v0.0.0-20250609083529-2b129d95495e // indirect
+ github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+ github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+ github.com/prometheus/client_model v0.6.2 // indirect
+ github.com/prometheus/common v0.66.1 // indirect
+ github.com/prometheus/procfs v0.17.0 // indirect
+ github.com/robfig/cron/v3 v3.0.1 // indirect
+ github.com/rogpeppe/go-internal v1.14.1 // indirect
+ github.com/samber/lo v1.51.0 // indirect
+ github.com/spf13/pflag v1.0.10 // indirect
+ github.com/x448/float16 v0.8.4 // indirect
+ go.uber.org/multierr v1.11.0 // indirect
+ go.yaml.in/yaml/v2 v2.4.3 // indirect
+ go.yaml.in/yaml/v3 v3.0.4 // indirect
+ golang.org/x/crypto v0.46.0 // indirect
+ golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect
+ golang.org/x/mod v0.30.0 // indirect
+ golang.org/x/net v0.47.0 // indirect
+ golang.org/x/oauth2 v0.30.0 // indirect
+ golang.org/x/sys v0.39.0 // indirect
+ golang.org/x/term v0.38.0 // indirect
+ golang.org/x/text v0.32.0 // indirect
+ golang.org/x/tools v0.39.0 // indirect
+ golang.org/x/tools/go/expect v0.1.1-deprecated // indirect
+ gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
+ google.golang.org/protobuf v1.36.10 // indirect
+ gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
+ gopkg.in/inf.v0 v0.9.1 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+ k8s.io/apiextensions-apiserver v0.34.1 // indirect
+ k8s.io/component-base v0.34.1 // indirect
+ k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b // indirect
+ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+ k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+ knative.dev/pkg v0.0.0-20240416145024-0f34a8815650 // indirect
+ sigs.k8s.io/controller-runtime v0.22.3 // indirect
+ sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+ sigs.k8s.io/karpenter v1.2.1-0.20250212185021-45f73ec7a790 // indirect
+ sigs.k8s.io/randfill v1.0.0 // indirect
+ sigs.k8s.io/yaml v1.6.0 // indirect
+)
+
+replace (
+ github.com/aws/karpenter-provider-aws => github.com/aws/karpenter-provider-aws v1.0.0
+ sigs.k8s.io/karpenter => sigs.k8s.io/karpenter v1.0.0
+)
diff --git a/sessiongate/go.sum b/sessiongate/go.sum
new file mode 100644
index 0000000000..6ca1b4b2b9
--- /dev/null
+++ b/sessiongate/go.sum
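Review bot: The `replace` block at the end of the hunk pins `github.com/aws/karpenter-provider-aws` and `sigs.k8s.io/karpenter` to v1.0.0, below the versions the `require` block itself selects (`v1.0.8` and `v1.2.1-0.20250212185021-45f73ec7a790`), and nothing explains why. A `replace` is only honoured when this module is the main module, so anything that imports `sessiongate` as a dependency builds a different graph, and SCA tooling that reads `require` lines rather than the build list will report versions that are not what is compiled. If the pins exist to keep `github.com/openshift/hypershift v0.1.70` building (the presumable reason; verify), record that next to them: `// hypershift v0.1.70 compiles only against karpenter v1.0.x; drop these pins when hypershift is bumped`. Both karpenter modules and `github.com/aws/aws-sdk-go` arrive transitively through hypershift and look unrelated to this Azure-only service, so it is worth confirming that `go mod tidy` cannot prune them, as each extra module is supply-chain surface that will now be tracked for this component.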
@@ -0,0 +1,288 @@ +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 h1:KpMC6LFL7mqpExyMC9jVOYRiVhLmamjeZfRsUpB7l4s= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice v1.0.0 h1:figxyQZXzZQIcP3njhC68bYUiTw45J8/SsHaLW8Ax0M= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice v1.0.0/go.mod h1:TmlMW4W5OvXOmOyKNnor8nlMMiO1ctIyzmHme/VHsrA= +github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= +github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= +github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI= +github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Pallinder/go-randomdata v1.2.0 h1:DZ41wBchNRb/0GfsePLiSwb0PHZmT67XY00lCDlaYPg= +github.com/Pallinder/go-randomdata 
v1.2.0/go.mod h1:yHmJgulpD2Nfrm0cR9tI/+oAgRqCQQixsA8HyRZfV9Y= +github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHSxpiH9JdtuBj0= +github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY= +github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE= +github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/karpenter-provider-aws v1.0.0 h1:HaLUnL3Cx+MO6j/nVlQBDORvwg2FnaqtR5s/06mcwUc= +github.com/aws/karpenter-provider-aws v1.0.0/go.mod h1:U3vAVvdjul9qkVfc60/jqwzofKK7/qcmzZzjjolRASM= +github.com/awslabs/amazon-eks-ami/nodeadm v0.0.0-20240229193347-cfab22a10647 h1:8yRBVsjGmI7qQsPWtIrbWP+XfwHO9Wq7gdLVzjqiZFs= +github.com/awslabs/amazon-eks-ami/nodeadm v0.0.0-20240229193347-cfab22a10647/go.mod h1:9NafTAUHL0FlMeL6Cu5PXnMZ1q/LnC9X2emLXHsVbM8= +github.com/awslabs/operatorpkg v0.0.0-20241205163410-0fff9f28d115 h1:9nhjY3dzCpEmhpQ0vMlhB7wqucAiftLjAIEQu8uT2J4= +github.com/awslabs/operatorpkg v0.0.0-20241205163410-0fff9f28d115/go.mod h1:TTs6HGuqmgdNyNlbdv29v1OoON+kQKVPojZgJaJVtNk= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blendle/zapdriver v1.3.1 h1:C3dydBOWYRiOk+B8X9IVZ5IOe+7cl+tGOexN4QqHfpE= +github.com/blendle/zapdriver v1.3.1/go.mod h1:mdXfREi6u5MArG4j9fewC+FGnXaBR+T4Ox4J2u4eHCc= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc 
h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= +github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8= +github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= +github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= +github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= +github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= +github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= +github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic= +github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= +github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU= +github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0= 
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= +github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= +github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= +github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.1-0.20210504230335-f78f29fc09ea h1:VcIYpAGBae3Z6BVncE0OnTE/ZjlDXqtYhOZky88neLM= +github.com/google/gofuzz v1.2.1-0.20210504230335-f78f29fc09ea/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY= +github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/imdario/mergo v0.3.16 
h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU= +github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co= +github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 
h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= +github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4= +github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod 
h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= +github.com/openshift/api v0.0.0-20250609083529-2b129d95495e h1:QjdoupNBBgSMDypMWsbhb+/yfyv27b3mqT9eVj8g0h4= +github.com/openshift/api v0.0.0-20250609083529-2b129d95495e/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= +github.com/openshift/hypershift v0.1.70 h1:wXKWR3NqhzkBACNaJYrsgw3a0fHIUiABLHv0vIGY4HM= +github.com/openshift/hypershift v0.1.70/go.mod h1:aLJLAXW2TYBuXcLX2EghMJBXUtDCdx/wMPGsaR0nbSQ= +github.com/openshift/hypershift/api v0.0.0-20251113182218-95835694eb99 h1:SBw+YbcPyy+1gkvyl74bycv+CZIKy8Xwyuy3pqXCLvo= +github.com/openshift/hypershift/api v0.0.0-20251113182218-95835694eb99/go.mod h1:JiaoBwTsYtBVKKPgHcajChZCu20KdM97W2xc0MeBCBA= +github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc= +github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ= +github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M= +github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= +github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= +github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= +github.com/prometheus/client_model v0.6.2/go.mod 
h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= +github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs= +github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA= +github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0= +github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw= +github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs= +github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro= +github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= +github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/samber/lo v1.51.0 h1:kysRYLbHy/MB7kQZf5DSN50JHmMsNEdeY24VzJFu7wI= +github.com/samber/lo v1.51.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0= +github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU= +github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= +github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod 
h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= +golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= +golang.org/x/exp v0.0.0-20250911091902-df9299821621 h1:2id6c1/gto0kaHYyrixvknJ8tUK/Qs5IsmBtrc+FtgU= +golang.org/x/exp v0.0.0-20250911091902-df9299821621/go.mod h1:TwQYMMnGpvZyc+JpB/UAuTNIsVJifOlSkrZkhcvpVUk= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= +golang.org/x/mod v0.30.0/go.mod 
h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= +golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= +golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= +golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= +golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= +golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q= +golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg= 
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= +golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= +golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= +golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ= +golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ= +golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM= +golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= +golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= +golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gomodules.xyz/jsonpatch/v2 v2.5.0 
h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0= +gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY= +google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE= +google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= +google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo= +gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +istio.io/api v1.28.1 h1:A1DzBrL6PUmDDT8uvs43wxmlg6FvdKNiZvZC1PdA50M= +istio.io/api v1.28.1/go.mod h1:BD3qv/ekm16kvSgvSpuiDawgKhEwG97wx849CednJSg= +istio.io/client-go v1.28.1 h1:oB5bD3r64rEcrXuqYMNjaON2Shz15tn8mNOGv53wrN4= +istio.io/client-go v1.28.1/go.mod h1:mcFWH+wv9ltQqoDYyfLeVFyRZuD7n1Fj7TD5RGohqSU= +k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= +k8s.io/api 
v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= +k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI= +k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc= +k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE= +k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= +k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= +k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= +k8s.io/cloud-provider v0.32.2 h1:8EC+fCYo0r0REczSjOZcVuQPCMxXxCKlgxDbYMrzC30= +k8s.io/cloud-provider v0.32.2/go.mod h1:2s8TeAXhVezp5VISaTxM6vW3yDonOZXoN4Aryz1p1PQ= +k8s.io/code-generator v0.34.1 h1:WpphT26E+j7tEgIUfFr5WfbJrktCGzB3JoJH9149xYc= +k8s.io/code-generator v0.34.1/go.mod h1:DeWjekbDnJWRwpw3s0Jat87c+e0TgkxoR4ar608yqvg= +k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A= +k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0= +k8s.io/csi-translation-lib v0.30.3 h1:wBaPWnOi14/vANRIrp8pmbdx/Pgz2QRcroH7wkodezc= +k8s.io/csi-translation-lib v0.30.3/go.mod h1:3AizNZbDttVDH1RO0x1yGEQP74e9Xbfb60IBP1oWO1o= +k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b h1:gMplByicHV/TJBizHd9aVEsTYoJBnnUAT5MHlTkbjhQ= +k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod 
h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +knative.dev/pkg v0.0.0-20240416145024-0f34a8815650 h1:m2ahFUO0L2VrgGDYdyOUFdE6xBd3pLXAJozLJwqLRQM= +knative.dev/pkg v0.0.0-20240416145024-0f34a8815650/go.mod h1:soFw5ss08G4PU3JiFDKqiZRd2U7xoqcfNpJP1coIXkY= +sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y= +sigs.k8s.io/controller-runtime v0.22.3/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= +sigs.k8s.io/karpenter v1.0.0 h1:aucPhMbulRSzqu3x4ndUGYJaiinwDpwtQx/U5uwenCk= +sigs.k8s.io/karpenter v1.0.0/go.mod h1:3NLmsnHHw8p4VutpjTOPUZyhE3qH6yGTs8O94Lsu8uw= +sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= +sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= +sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= +sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff --git a/sessiongate/hack/boilerplate.go.txt b/sessiongate/hack/boilerplate.go.txt new file mode 100644 index 0000000000..40255290e9 --- /dev/null +++ b/sessiongate/hack/boilerplate.go.txt 
@@ -0,0 +1,13 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. \ No newline at end of file diff --git a/sessiongate/hack/tools.go b/sessiongate/hack/tools.go new file mode 100644 index 0000000000..73ab6ef11b --- /dev/null +++ b/sessiongate/hack/tools.go @@ -0,0 +1,23 @@ +//go:build tools +// +build tools + +/* +Copyright 2019 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// This package imports things required by build scripts, to force `go mod` to see them as dependencies +package tools + +import _ "k8s.io/code-generator" diff --git a/sessiongate/hack/update-codegen.sh b/sessiongate/hack/update-codegen.sh new file mode 100755 index 0000000000..5b6c6480bc --- /dev/null +++ b/sessiongate/hack/update-codegen.sh 
@@ -0,0 +1,38 @@ +#!/usr/bin/env bash + +# Copyright 2017 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +SCRIPT_ROOT=$(dirname "${BASH_SOURCE[0]}")/.. +CODEGEN_PKG=${CODEGEN_PKG:-$(cd "${SCRIPT_ROOT}"; ls -d -1 ./vendor/k8s.io/code-generator 2>/dev/null || echo ../code-generator)} + +source "${CODEGEN_PKG}/kube_codegen.sh" + +THIS_PKG="github.com/Azure/ARO-HCP/sessiongate" + +kube::codegen::gen_helpers \ + --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \ + "${SCRIPT_ROOT}/pkg/apis" + +kube::codegen::gen_client \ + --with-watch \ + --with-applyconfig \ + --output-dir "${SCRIPT_ROOT}/pkg/generated" \ + --output-pkg "${THIS_PKG}/pkg/generated" \ + --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \ + "${SCRIPT_ROOT}/pkg/apis" diff --git a/sessiongate/main.go b/sessiongate/main.go new file mode 100644 index 0000000000..2ec88dacd9 --- /dev/null +++ b/sessiongate/main.go 
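Review bot: The `CODEGEN_PKG` default on the line before `source "${CODEGEN_PKG}/kube_codegen.sh"` falls back to `../code-generator`, so whatever checkout happens to sit next to the repository gets sourced and executed by the generator run, unpinned from the version the module declares. Because `hack/tools.go` in this same change imports `k8s.io/code-generator`, the pinned copy is already in the module cache and can be resolved from there: `CODEGEN_PKG=${CODEGEN_PKG:-$(cd "${SCRIPT_ROOT}"; go list -m -f '{{.Dir}}' k8s.io/code-generator)}`. That keeps the `./vendor` case working when vendoring is used (the module dir is the vendor dir then) and removes the sibling-directory guess; I cannot tell from this hunk whether the repo vendors, so the vendor branch could also be kept ahead of the `go list` call.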
@@ -0,0 +1,35 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+ "fmt"
+ "log"
+ "os"
+
+ "github.com/Azure/ARO-HCP/sessiongate/cmd"
+)
+
+func main() {
+ rootCmd, err := cmd.NewRootCmd()
+ if err != nil {
+ log.Println(fmt.Errorf("sessiongate error: %v", err))
+ os.Exit(1)
+ }
+ if err := rootCmd.Execute(); err != nil {
+ log.Println(fmt.Errorf("sessiongate error: %v", err))
+ os.Exit(1)
+ }
+}
diff --git a/sessiongate/namespace.yaml b/sessiongate/namespace.yaml
new file mode 100644
index 0000000000..bd7950ec88
--- /dev/null
+++ b/sessiongate/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "{{ .sessiongate.k8s.namespace }}"
+ labels:
+ "istio.io/rev": "{{ .svc.istio.tag }}"
diff --git a/sessiongate/pipeline.yaml b/sessiongate/pipeline.yaml
new file mode 100644
index 0000000000..e8d97ab717
--- /dev/null
+++ b/sessiongate/pipeline.yaml
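Review bot: Both error branches in `main` build an error value just to print it, `log.Println(fmt.Errorf("sessiongate error: %v", err))`; the idiomatic form is `log.Printf("sessiongate error: %v", err)`, and since each branch calls `os.Exit(1)` on the very next line, `log.Fatalf("sessiongate error: %v", err)` expresses the same thing in one line. This is style only; behaviour (message on stderr, exit status 1) is unchanged either way.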
@@ -0,0 +1,76 @@ +$schema: "pipeline.schema.v1" +serviceGroup: Microsoft.Azure.ARO.HCP.SessionGate +rolloutName: Session Gate Rollout +resourceGroups: +- name: global + resourceGroup: '{{ .global.rg }}' + subscription: '{{ .global.subscription.key }}' + steps: + - name: output + action: ARM + template: templates/output-global.bicep + parameters: ../dev-infrastructure/configurations/output-global.tmpl.bicepparam + deploymentLevel: ResourceGroup + outputOnly: true + - name: mirror-image + action: ImageMirror + targetACR: + configRef: 'acr.svc.name' + sourceRegistry: + configRef: sessiongate.image.registry + repository: + configRef: sessiongate.image.repository + digest: + configRef: sessiongate.image.digest + pullSecretKeyVault: + configRef: global.keyVault.name + pullSecretName: + configRef: imageSync.ondemandSync.pullSecretName + shellIdentity: + input: + resourceGroup: global + step: output + name: globalMSIId +- name: service + resourceGroup: '{{ .svc.rg }}' + subscription: '{{ .svc.subscription.key }}' + steps: + - name: output + action: ARM + template: ../dev-infrastructure/modules/sessiongate/sessiongate-lookup.bicep + parameters: ../dev-infrastructure/configurations/sessiongate-lookup.tmpl.bicepparam + deploymentLevel: ResourceGroup + outputOnly: true + - name: deploy + aksCluster: '{{ .svc.aks.name }}' + action: Helm + releaseName: 'sessiongate' + releaseNamespace: '{{ .sessiongate.k8s.namespace }}' + chartDir: ./deploy/ + valuesFile: ./values.yaml + namespaceFiles: + - namespace.yaml + inputVariables: + tenantId: + resourceGroup: service + step: output + name: tenantId + sessiongateMsiClientId: + resourceGroup: service + step: output + name: sessiongateMsiClientId + imagePullerMsiClientId: + resourceGroup: service + step: output + name: imagePullerMsiClientId + csiSecretStoreClientId: + resourceGroup: service + step: output + name: csiSecretStoreClientId + dependsOn: + - resourceGroup: global + step: mirror-image + identityFrom: + resourceGroup: global + 
step: output + name: globalMSIId diff --git a/sessiongate/pkg/apis/sessiongate/register.go b/sessiongate/pkg/apis/sessiongate/register.go new file mode 100644 index 0000000000..42eeec9827 --- /dev/null +++ b/sessiongate/pkg/apis/sessiongate/register.go @@ -0,0 +1,20 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package sessiongate + +// GroupName is the group name used in this package +const ( + GroupName = "sessiongate.aro-hcp.azure.com" +) diff --git a/sessiongate/pkg/apis/sessiongate/v1alpha1/conditions.go b/sessiongate/pkg/apis/sessiongate/v1alpha1/conditions.go new file mode 100644 index 0000000000..3d6074731a --- /dev/null +++ b/sessiongate/pkg/apis/sessiongate/v1alpha1/conditions.go 
@@ -0,0 +1,249 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1alpha1 + +import ( + "sort" + "time" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + ReasonUnknown = "Unknown" + ReasonInvalidConfiguration = "InvalidConfiguration" + ReasonExpired = "Expired" + ReasonAuthorizationFailed = "AuthorizationPolicyFailed" + ReasonConfiguringAuthorization = "ConfiguringAuthorization" + ReasonCredentialMintingFailed = "CredentialMintingFailed" + ReasonMintingCredentials = "MintingCredentials" + ReasonCertificatePending = "CertificatePending" + ReasonCredentialsFailed = "CredentialsFailed" + ReasonPrivateKeyCreated = "PrivateKeyCreated" + ReasonHostedControlPlaneNotFound = "HostedControlPlaneNotFound" + ReasonAvailable = "Available" + ReasonAsExpected = "AsExpected" +) + +type ConditionType string + +type ConditionSet struct { + ready ConditionType + progressing ConditionType + dependants []ConditionType +} + +// ConditionManager allows a resource to operate on its Conditions using higher +// order operations. +type ConditionManager interface { + + // GetReadyCondition finds and returns the ready Condition. + GetReadyCondition() *metav1.Condition + + // MarkTrue marks the condition as true. + MarkTrue(t ConditionType, reason string, message string) + + // MarkFalse marks the condition as false. 
+ MarkFalse(t ConditionType, reason string, message string) + + // InitializeConditions updates all Conditions in the ConditionSet to Unknown + // if not set. + InitializeConditions() +} + +// conditionsImpl implements the helper methods for evaluating Conditions. +// +k8s:deepcopy-gen=false +type conditionsImpl struct { + session *Session + ConditionSet +} + +// Manage creates a ConditionManager from an accessor object using the original +// ConditionSet as a reference. Status must be a pointer to a struct. +func (r ConditionSet) Manage(session *Session) ConditionManager { + return conditionsImpl{ + session: session, + ConditionSet: r, + } +} + +// InitializeConditions updates all Conditions in the ConditionSet to Unknown +// if not set. +func (r conditionsImpl) InitializeConditions() { + ready := r.GetCondition(r.ready) + if ready == nil { + r.setCondition(metav1.Condition{ + Type: string(r.ready), + Status: metav1.ConditionUnknown, + Reason: ReasonUnknown, + }) + } + progressing := r.GetCondition(r.progressing) + if progressing == nil { + r.setCondition(metav1.Condition{ + Type: string(r.progressing), + Status: metav1.ConditionUnknown, + Reason: ReasonUnknown, + }) + } + for _, t := range r.dependants { + if c := r.GetCondition(t); c == nil { + r.setCondition(metav1.Condition{ + Type: string(t), + Status: metav1.ConditionUnknown, + Reason: ReasonUnknown, + }) + } + } +} + +func (c conditionsImpl) GetReadyCondition() *metav1.Condition { + return c.GetCondition(c.ready) +} + +func (r conditionsImpl) GetCondition(t ConditionType) *metav1.Condition { + if r.session == nil { + return nil + } + + for _, c := range r.session.Status.Conditions { + if c.Type == string(t) { + return &c + } + } + return nil +} + +// setCondition sets or updates the Condition on Conditions for the given ConditionType. +// If there is an update, Conditions are stored back sorted. 
+func (r conditionsImpl) setCondition(cond metav1.Condition) { + if r.session == nil { + return + } + if cond.Reason == "" { + cond.Reason = ReasonUnknown + } + t := cond.Type + var conditions []metav1.Condition + for _, c := range r.session.Status.Conditions { + if c.Type != t { + conditions = append(conditions, c) + } else { + if cond.Status == c.Status && cond.Reason == c.Reason && cond.Message == c.Message && cond.ObservedGeneration == c.ObservedGeneration { + return + } + } + } + cond.LastTransitionTime = metav1.NewTime(time.Now()) + conditions = append(conditions, cond) + sort.Slice(conditions, func(i, j int) bool { return conditions[i].Type < conditions[j].Type }) + r.session.Status.Conditions = conditions +} + +func (r conditionsImpl) MarkTrue(t ConditionType, reason string, message string) { + r.setCondition(metav1.Condition{ + Type: string(t), + Status: metav1.ConditionTrue, + Reason: reason, + Message: message, + ObservedGeneration: r.session.Generation, + }) + r.recomputeReady(t) +} + +func (r conditionsImpl) MarkFalse(t ConditionType, reason string, message string) { + r.setCondition(metav1.Condition{ + Type: string(t), + Status: metav1.ConditionFalse, + Reason: reason, + Message: message, + ObservedGeneration: r.session.Generation, + }) + r.recomputeReady(t) +} + +// recomputeReady marks the ready condition to true if all dependents are also true. +func (r conditionsImpl) recomputeReady(t ConditionType) { + if c := r.findUnhappyDependent(); c != nil { + // Propagate unhappy dependent to ready condition. + r.setCondition(metav1.Condition{ + Type: string(r.ready), + Status: c.Status, + Reason: c.Reason, + Message: c.Message, + ObservedGeneration: r.session.Generation, + }) + } else if t != r.ready { + // Set the happy condition to true. 
+ r.setCondition(metav1.Condition{ + Type: string(r.ready), + Status: metav1.ConditionTrue, + Reason: string(r.ready), + Message: "Session is ready", + ObservedGeneration: r.session.Generation, + }) + } +} + +func (r conditionsImpl) findUnhappyDependent() *metav1.Condition { + // This only works if there are dependents. + if len(r.dependants) == 0 { + return nil + } + + // Do not modify the accessors condition order. + unhappyConditions := []metav1.Condition{} + for _, dependant := range r.dependants { + if c := r.GetCondition(dependant); c != nil && c.Status != metav1.ConditionTrue { + unhappyConditions = append(unhappyConditions, *c) + } + } + + // Sort set conditions by time. + sort.Slice(unhappyConditions, func(i, j int) bool { + return unhappyConditions[i].LastTransitionTime.After(unhappyConditions[j].LastTransitionTime.Time) + }) + + // First check the conditions with Status == False. + for _, c := range unhappyConditions { + if c.Status == metav1.ConditionFalse { + return &c + } + } + // Second check for conditions with Status == Unknown. + for _, c := range unhappyConditions { + if c.Status == metav1.ConditionUnknown { + return &c + } + } + + // No unhappy dependents. + return nil +} + +const ( + ConditionTypeReady ConditionType = "Ready" + ConditionTypeSessionActive ConditionType = "SessionActive" + ConditionTypeProgressing ConditionType = "Progressing" + ConditionTypeCredentialsAvailable ConditionType = "CredentialsAvailable" + ConditionTypeAuthorizationPolicyAvailable ConditionType = "AuthorizationPolicyAvailable" + ConditionTypeNetworkPathAvailable ConditionType = "NetworkPathAvailable" +) + +var sessionConditionSet = ConditionSet{ + ready: ConditionTypeReady, + progressing: ConditionTypeProgressing, + dependants: []ConditionType{ConditionTypeSessionActive, ConditionTypeCredentialsAvailable, ConditionTypeAuthorizationPolicyAvailable, ConditionTypeNetworkPathAvailable}, +} 
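Review bot: `setCondition` stamps `cond.LastTransitionTime = metav1.NewTime(time.Now())` on every accepted update, including ones where only Reason, Message or ObservedGeneration changed and Status did not, whereas the Kubernetes API conventions reserve that timestamp for status transitions. The effect is visible within this file: `findUnhappyDependent` orders unhappy dependants by `LastTransitionTime` and returns the newest, so a message-only rewrite of one dependant silently changes which condition is propagated into Ready. Keeping the previous timestamp when the status is unchanged fixes both; the rewritten middle of `setCondition` is below, with the append/sort/store-back tail unchanged. Separately, `MarkTrue` and `MarkFalse` read `r.session.Generation` before `setCondition`'s nil guard runs, so `Manage(nil)` panics there instead of being ignored as that guard intends; either guard them too or document that a nil session is unsupported.
```go
	t := cond.Type
	var conditions []metav1.Condition
	var previous *metav1.Condition
	for i, c := range r.session.Status.Conditions {
		if c.Type != t {
			conditions = append(conditions, c)
			continue
		}
		if cond.Status == c.Status && cond.Reason == c.Reason && cond.Message == c.Message && cond.ObservedGeneration == c.ObservedGeneration {
			return
		}
		previous = &r.session.Status.Conditions[i]
	}
	// API conventions: lastTransitionTime moves only when Status changes; a
	// reason/message/observedGeneration-only update keeps the old timestamp.
	if previous != nil && previous.Status == cond.Status {
		cond.LastTransitionTime = previous.LastTransitionTime
	} else {
		cond.LastTransitionTime = metav1.NewTime(time.Now())
	}
	// … unchanged: append cond, sort by Type, store back into Status.Conditions …
```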
diff --git a/sessiongate/pkg/apis/sessiongate/v1alpha1/doc.go b/sessiongate/pkg/apis/sessiongate/v1alpha1/doc.go new file mode 100644 index 0000000000..3d88dd8708 --- /dev/null +++ b/sessiongate/pkg/apis/sessiongate/v1alpha1/doc.go @@ -0,0 +1,21 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +k8s:deepcopy-gen=package +// +groupName=sessiongate.aro-hcp.azure.com + +// Package v1alpha1 is the v1alpha1 version of the API. +package v1alpha1 diff --git a/sessiongate/pkg/apis/sessiongate/v1alpha1/register.go b/sessiongate/pkg/apis/sessiongate/v1alpha1/register.go new file mode 100644 index 0000000000..7df52cc54e --- /dev/null +++ b/sessiongate/pkg/apis/sessiongate/v1alpha1/register.go 
@@ -0,0 +1,55 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + + sessiongate "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate" +) + +// SchemeGroupVersion is group version used to register these objects +var SchemeGroupVersion = schema.GroupVersion{Group: sessiongate.GroupName, Version: "v1alpha1"} + +// Kind takes an unqualified kind and returns back a Group qualified GroupKind +func Kind(kind string) schema.GroupKind { + return SchemeGroupVersion.WithKind(kind).GroupKind() +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + // SchemeBuilder initializes a scheme builder + SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + // AddToScheme is a global function that registers this API group & version to a scheme + AddToScheme = SchemeBuilder.AddToScheme +) + +// Adds the list of known types to Scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &Session{}, + &SessionList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} 
diff --git a/sessiongate/pkg/apis/sessiongate/v1alpha1/types.go b/sessiongate/pkg/apis/sessiongate/v1alpha1/types.go new file mode 100644 index 0000000000..322e8ba262 --- /dev/null +++ b/sessiongate/pkg/apis/sessiongate/v1alpha1/types.go 
@@ -0,0 +1,220 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +type Session struct { + metav1.TypeMeta `json:",inline"` + + // metadata is a standard object metadata + // +optional + metav1.ObjectMeta `json:"metadata,omitempty,omitzero"` + + // spec defines the desired state of Session + // +required + Spec SessionSpec `json:"spec"` + + // status defines the observed state of Session + // +optional + Status SessionStatus `json:"status,omitempty,omitzero"` +} + +// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="spec is immutable" +type SessionSpec struct { + // ttl is the time-to-live duration for the session + // +kubebuilder:validation:Required + TTL metav1.Duration `json:"ttl"` + + // managementCluster specifies the AKS management cluster + // +kubebuilder:validation:Required + ManagementCluster ManagementCluster `json:"managementCluster"` + + // hostedControlPlane specifies the hosted control plane + // +kubebuilder:validation:Required + HostedControlPlane HostedControlPlane `json:"hostedControlPlane"` + + // accessLevel defines the access permissions for the session + // +kubebuilder:validation:Required + AccessLevel AccessLevel `json:"accessLevel"` + + // owner identifies the principal (user or service account) that owns this session + // 
+kubebuilder:validation:Required + Owner Principal `json:"owner"` +} + +// ManagementCluster identifies an Azure management cluster +type ManagementCluster struct { + // resourceId is the Azure resource ID of the management cluster + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^/subscriptions/[a-fA-F0-9-]+/resourceGroups/[^/]+/providers/[^/]+/[^/]+/[^/]+$` + ResourceID string `json:"resourceId"` +} + +// HostedCluster identifies an hosted cluster +type HostedControlPlane struct { + // resourceId is the Azure resource ID of the hosted cluster + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^/subscriptions/[a-fA-F0-9-]+/resourceGroups/[^/]+/providers/[^/]+/[^/]+/[^/]+$` + ResourceID string `json:"resourceId"` + + // namespace of the HostedControlPlane CR + // +kubebuilder:validation:Required + Namespace string `json:"namespace,omitempty"` +} + +type AccessLevel struct { + // group is the name of the access group + // +kubebuilder:validation:Required + Group string `json:"group"` +} + +// PrincipalType defines the type of principal for authentication +// +kubebuilder:validation:Enum=User +type PrincipalType string + +const ( + // PrincipalTypeUser represents a human user principal + PrincipalTypeUser PrincipalType = "User" +) + +// Principal identifies the authenticated entity that owns this session +// +kubebuilder:validation:XValidation:rule="self.type == 'User' ? 
has(self.userPrincipal) : true",message="userPrincipal must be set when type is User" +type Principal struct { + // type specifies the authentication method + // +kubebuilder:validation:Required + Type PrincipalType `json:"type"` + + // userPrincipal identifies the user principal + // Required when type is User + // +optional + UserPrincipal *UserPrincipal `json:"userPrincipal,omitempty"` +} + +// UserPrincipal represents a user identity +type UserPrincipal struct { + // name is the user principal name (e.g., UPN for Azure AD like user@domain.com) + // +kubebuilder:validation:Required + Name string `json:"name"` + + // claim specifies which JWT claim to use for authentication (e.g., "upn", "email", "sub") + // +kubebuilder:validation:Required + // +kubebuilder:default="upn" + Claim string `json:"claim"` +} + +type SessionStatus struct { + // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + // Important: Run "make" to regenerate code after modifying this file + + // For Kubernetes API conventions, see: + // https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + + // conditions represent the current state of the Session resource. + // Each condition has a unique type and reflects the status of a specific aspect of the resource. + // + // Standard condition types include: + // - "Available": the resource is fully functional + // - "Progressing": the resource is being created or updated + // - "Degraded": the resource failed to reach or maintain its desired state + // - "Credentials": credentials are being provisioned or ready + // + // The status of each condition is one of True, False, or Unknown. 
+ // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` + + // expiresAt is the timestamp when the session will expire + // +optional + ExpiresAt *metav1.Time `json:"expiresAt,omitempty"` + + // endpoint is the URL endpoint for accessing the session + // +optional + Endpoint string `json:"endpoint,omitempty"` + + // credentialsSecretRef references the Secret containing the session credentials + // +optional + CredentialsSecretRef string `json:"credentialsSecretRef,omitempty"` + + // backendKASURL is the Kubernetes API server URL for the backend cluster + // +optional + BackendKASURL string `json:"backendKASURL,omitempty"` +} + +func (s *Session) IsReady() bool { + c := sessionConditionSet.Manage(s).GetReadyCondition() + return c != nil && c.Status == metav1.ConditionTrue +} + +func (s *Session) InitializeConditions() { + sessionConditionSet.Manage(s).InitializeConditions() +} + +func (s *Session) MarkSessionActive() { + sessionConditionSet.Manage(s).MarkTrue(ConditionTypeSessionActive, ReasonAsExpected, "Session is active") +} + +func (s *Session) MarkSessionInactive(reason, message string) { + sessionConditionSet.Manage(s).MarkFalse(ConditionTypeSessionActive, reason, message) +} + +func (s *Session) MarkCredentialsNotReady(reason, message string) { + sessionConditionSet.Manage(s).MarkFalse(ConditionTypeCredentialsAvailable, reason, message) +} + +func (s *Session) MarkCredentialsReady() { + sessionConditionSet.Manage(s).MarkTrue(ConditionTypeCredentialsAvailable, ReasonAsExpected, "Credentials Secret exists") +} + +func (s *Session) MarkAuthorizationPolicyNotReady(reason, message string) { + sessionConditionSet.Manage(s).MarkFalse(ConditionTypeAuthorizationPolicyAvailable, reason, message) +} + +func (s *Session) MarkAuthorizationPolicyReady() { + sessionConditionSet.Manage(s).MarkTrue(ConditionTypeAuthorizationPolicyAvailable, ReasonAsExpected, "Authorization policy exists") +} + +func (s *Session) 
MarkNetworkPathNotReady(reason, message string) { + sessionConditionSet.Manage(s).MarkFalse(ConditionTypeNetworkPathAvailable, reason, message) +} + +func (s *Session) MarkNetworkPathReady() { + sessionConditionSet.Manage(s).MarkTrue(ConditionTypeNetworkPathAvailable, ReasonAsExpected, "Network path exists") +} + +func (s *Session) Progressing(reason, message string) { + sessionConditionSet.Manage(s).MarkTrue(ConditionTypeProgressing, reason, message) +} + +func (s *Session) StopProgressing(reason, message string) { + sessionConditionSet.Manage(s).MarkFalse(ConditionTypeProgressing, reason, message) +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// SessionList is a list of Session resources +type SessionList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []Session `json:"items"` +} diff --git a/sessiongate/pkg/apis/sessiongate/v1alpha1/zz_generated.deepcopy.go b/sessiongate/pkg/apis/sessiongate/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 0000000000..1953c07dab --- /dev/null +++ b/sessiongate/pkg/apis/sessiongate/v1alpha1/zz_generated.deepcopy.go 
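Review bot: `TTL metav1.Duration` in `SessionSpec` carries only `+kubebuilder:validation:Required`, so a Session can request a zero, negative or effectively unlimited lifetime and nothing in the schema bounds the access window the controller will grant. Because the spec is immutable (`self == oldSelf`), the lifetime is fixed at creation time, which makes a field-level CEL bound the natural place for it: `// +kubebuilder:validation:XValidation:rule="duration(self) > duration('0s') && duration(self) <= duration('24h')",message="ttl must be positive and at most 24h"`, with the ceiling set to whatever the break-glass policy actually allows (the Duration type serialises as a string, which `duration()` accepts). The `SessionStatus` comment block still carries scaffold text ("INSERT ADDITIONAL STATUS FIELD", "Run make") and lists Available/Degraded/Credentials, none of which this API writes; the condition types actually used are Ready, Progressing, SessionActive, CredentialsAvailable, AuthorizationPolicyAvailable and NetworkPathAvailable, and the comment should name those. The `Claim` field's examples include `email`, which in Entra ID is a mutable and not necessarily verified attribute; if the claim is consumed for authorization, restricting it with `+kubebuilder:validation:Enum` to the claims the policy is meant to trust is worth considering, to be confirmed against how the controller uses it.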
@@ -0,0 +1,239 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AccessLevel) DeepCopyInto(out *AccessLevel) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessLevel. +func (in *AccessLevel) DeepCopy() *AccessLevel { + if in == nil { + return nil + } + out := new(AccessLevel) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ConditionSet) DeepCopyInto(out *ConditionSet) { + *out = *in + if in.dependants != nil { + in, out := &in.dependants, &out.dependants + *out = make([]ConditionType, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionSet. 
+func (in *ConditionSet) DeepCopy() *ConditionSet { + if in == nil { + return nil + } + out := new(ConditionSet) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HostedControlPlane) DeepCopyInto(out *HostedControlPlane) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostedControlPlane. +func (in *HostedControlPlane) DeepCopy() *HostedControlPlane { + if in == nil { + return nil + } + out := new(HostedControlPlane) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ManagementCluster) DeepCopyInto(out *ManagementCluster) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagementCluster. +func (in *ManagementCluster) DeepCopy() *ManagementCluster { + if in == nil { + return nil + } + out := new(ManagementCluster) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Principal) DeepCopyInto(out *Principal) { + *out = *in + if in.UserPrincipal != nil { + in, out := &in.UserPrincipal, &out.UserPrincipal + *out = new(UserPrincipal) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Principal. +func (in *Principal) DeepCopy() *Principal { + if in == nil { + return nil + } + out := new(Principal) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *Session) DeepCopyInto(out *Session) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Session. +func (in *Session) DeepCopy() *Session { + if in == nil { + return nil + } + out := new(Session) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *Session) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SessionList) DeepCopyInto(out *SessionList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]Session, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SessionList. +func (in *SessionList) DeepCopy() *SessionList { + if in == nil { + return nil + } + out := new(SessionList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SessionList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SessionSpec) DeepCopyInto(out *SessionSpec) { + *out = *in + out.TTL = in.TTL + out.ManagementCluster = in.ManagementCluster + out.HostedControlPlane = in.HostedControlPlane + out.AccessLevel = in.AccessLevel + in.Owner.DeepCopyInto(&out.Owner) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SessionSpec. +func (in *SessionSpec) DeepCopy() *SessionSpec { + if in == nil { + return nil + } + out := new(SessionSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SessionStatus) DeepCopyInto(out *SessionStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ExpiresAt != nil { + in, out := &in.ExpiresAt, &out.ExpiresAt + *out = (*in).DeepCopy() + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SessionStatus. +func (in *SessionStatus) DeepCopy() *SessionStatus { + if in == nil { + return nil + } + out := new(SessionStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UserPrincipal) DeepCopyInto(out *UserPrincipal) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserPrincipal. +func (in *UserPrincipal) DeepCopy() *UserPrincipal { + if in == nil { + return nil + } + out := new(UserPrincipal) + in.DeepCopyInto(out) + return out +} diff --git a/sessiongate/pkg/controller/constants.go b/sessiongate/pkg/controller/constants.go new file mode 100644 index 0000000000..92677cff75 --- /dev/null +++ b/sessiongate/pkg/controller/constants.go 
@@ -0,0 +1,34 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controller
+
+import (
+ "fmt"
+)
+
+const (
+
+ // FieldManager distinguishes this controller from other things writing to API objects
+ ControllerAgentName = "sessiongate-controller"
+
+ // LabelManagedBy identifies resources managed by the sessiongate controller
+ LabelManagedBy = "app.kubernetes.io/managed-by"
+)
+
+// ManagedByLabelSelector returns a label selector string for resources managed by this controller
+// This is used to filter informers to only watch resources created and managed by sessiongate-controller
+func ManagedByLabelSelector() string {
+ return fmt.Sprintf("%s=%s", LabelManagedBy, ControllerAgentName)
+}
diff --git a/sessiongate/pkg/controller/controlplane/authzpolicy.go b/sessiongate/pkg/controller/controlplane/authzpolicy.go
new file mode 100644
index 0000000000..aec835e4ef
--- /dev/null
+++ b/sessiongate/pkg/controller/controlplane/authzpolicy.go
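Review bot: The doc comment on ControllerAgentName reads `// FieldManager distinguishes this controller from other things writing to API objects`, naming a constant that does not exist, so godoc attaches nothing to the exported name. Change it to `// ControllerAgentName is the field-manager/agent name that distinguishes this controller from other writers of API objects` and drop the blank line that separates it from the opening `const (`. ManagedByLabelSelector can also be plain concatenation, `return LabelManagedBy + "=" + ControllerAgentName`, which avoids the fmt reflection for a two-constant join.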
@@ -0,0 +1,149 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package controlplane + +import ( + "context" + "fmt" + + securityv1beta1 "istio.io/api/security/v1beta1" + typev1beta1 "istio.io/api/type/v1beta1" + metaapplyv1 "istio.io/client-go/pkg/applyconfiguration/meta/v1" + securityapplyv1beta1 "istio.io/client-go/pkg/applyconfiguration/security/v1beta1" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/klog/v2" + + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" + "github.com/Azure/ARO-HCP/sessiongate/pkg/controller" +) + +// buildAuthorizationPolicyApplyConfig creates an ApplyConfiguration for Server-Side Apply. +// this declaratively describes the desired state of the AuthorizationPolicy. +func buildAuthorizationPolicyApplyConfig(session *sessiongatev1alpha1.Session, namespace string) (*securityapplyv1beta1.AuthorizationPolicyApplyConfiguration, error) { + policyName := fmt.Sprintf("session-%s", session.Name) + + if session.Spec.Owner.Type != sessiongatev1alpha1.PrincipalTypeUser { + // right now we only support users but the CRD has room for other types + return nil, fmt.Errorf("unsupported principal type: %s", session.Spec.Owner.Type) + } + + // extract claim and principal from session owner + claim := session.Spec.Owner.UserPrincipal.Claim + principal := session.Spec.Owner.UserPrincipal.Name + + // NOTE: nested JWT claims are currently not supported. 
the claim field should reference + // a top-level claim in the JWT payload. istio's bracket notation treats everything inside + // [brackets] as a literal claim name. Nested claims would look like this: + // request.auth.claims[parent][child] + + // Build the authorization policy spec + spec := securityv1beta1.AuthorizationPolicy{ + Selector: &typev1beta1.WorkloadSelector{ + MatchLabels: map[string]string{ + "app.kubernetes.io/name": "sessiongate", + }, + }, + Action: securityv1beta1.AuthorizationPolicy_ALLOW, + Rules: []*securityv1beta1.Rule{ + { + To: []*securityv1beta1.Rule_To{ + { + Operation: &securityv1beta1.Operation{ + Paths: []string{ + fmt.Sprintf("/sessiongate/%s/kas/*", session.Name), + }, + }, + }, + }, + When: []*securityv1beta1.Condition{ + { + Key: fmt.Sprintf("request.auth.claims[%s]", claim), + Values: []string{principal}, + }, + }, + }, + }, + } + + // Build ApplyConfiguration using fluent builder pattern + //nolint:govet // copylocks: protobuf message contains a mutex internally; builder copies it + applyConfig := securityapplyv1beta1.AuthorizationPolicy(policyName, namespace). + WithLabels(map[string]string{ + controller.LabelManagedBy: controller.ControllerAgentName, + }). + WithOwnerReferences( + metaapplyv1.OwnerReference(). + WithAPIVersion(sessiongatev1alpha1.SchemeGroupVersion.String()). + WithKind("Session"). + WithName(session.Name). + WithUID(session.UID). + WithBlockOwnerDeletion(true). + WithController(true), + ). + WithSpec(spec) + + return applyConfig, nil +} + +// EnsureAuthorizationPolicy ensures an AuthorizationPolicy exists for the Session +// and matches the expected configuration using SSA +// returns true if the policy was created or updated, false if no change was needed. 
+func (c *Controller) ensureAuthorizationPolicy(ctx context.Context, session *sessiongatev1alpha1.Session) (bool, error) { + logger := klog.LoggerWithValues(klog.FromContext(ctx), "session", klog.KObj(session)) + + applyConfig, err := buildAuthorizationPolicyApplyConfig(session, c.sessionNamespace) + policyName := *applyConfig.Name + if err != nil { + return false, fmt.Errorf("failed to build AuthorizationPolicy ApplyConfiguration: %w", err) + } + + // if the policy exists, check if it is owned by the session + existingPolicy, err := c.authzPoliciesLister.AuthorizationPolicies(c.sessionNamespace).Get(policyName) + if err == nil { + if !metav1.IsControlledBy(existingPolicy, session) { + return false, fmt.Errorf("AuthorizationPolicy is not owned by the session") + } + } + policyExists := err == nil + + policy, err := c.istioclientset.AuthorizationPolicies(c.sessionNamespace).Apply( + ctx, + applyConfig, + metav1.ApplyOptions{ + FieldManager: controller.ControllerAgentName, + }, + ) + if err != nil { + return false, fmt.Errorf("failed to apply AuthorizationPolicy: %w", err) + } + + // determine if a change was made + changed := !policyExists || existingPolicy.ResourceVersion != policy.ResourceVersion + + if changed { + logger.V(2).Info("AuthorizationPolicy applied with changes", + "policyName", policyName, + "created", !policyExists, + "uid", policy.UID, + "resourceVersion", policy.ResourceVersion) + } else { + logger.V(6).Info("AuthorizationPolicy unchanged", + "policyName", policyName, + "resourceVersion", policy.ResourceVersion) + } + + return changed, nil +} diff --git a/sessiongate/pkg/controller/controlplane/conditions.go b/sessiongate/pkg/controller/controlplane/conditions.go new file mode 100644 index 0000000000..1160ca77ee --- /dev/null +++ b/sessiongate/pkg/controller/controlplane/conditions.go 
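Review bot: In ensureAuthorizationPolicy, `policyName := *applyConfig.Name` dereferences the apply configuration before the error from buildAuthorizationPolicyApplyConfig is checked, and that builder returns a nil config for an unsupported principal type, so such a Session panics the worker instead of surfacing an error; move the assignment below the error check, i.e. `if err != nil { return false, fmt.Errorf("failed to build AuthorizationPolicy ApplyConfiguration: %w", err) }` followed by `policyName := *applyConfig.Name`. The claim name and principal that become the policy's `request.auth.claims[...]` key and value are copied straight from `session.Spec.Owner.UserPrincipal` with no check that they are non-empty or that the claim name is a plain identifier (no `]`), so the first place a malformed value is rejected is the Istio apply, where it shows up as a requeued error rather than a validation condition. Also, the doc comment says `// EnsureAuthorizationPolicy ...` while the function is the unexported `ensureAuthorizationPolicy`; godoc only attaches when the name matches.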
@@ -0,0 +1,29 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controlplane
+
+// Condition types for Session resources
+const (
+ // ConditionTypeReady indicates the overall operational state of the session
+ ConditionTypeReady = "Ready"
+ // ConditionTypeProgressing indicates active reconciliation
+ ConditionTypeProgressing = "Progressing"
+ // ConditionTypeDegraded indicates permanent configuration errors
+ ConditionTypeDegraded = "Degraded"
+ // ConditionTypeAvailable indicates endpoint accessibility
+ ConditionTypeAvailable = "Available"
+ // ConditionTypeCredentials indicates the status of credential provisioning
+ ConditionTypeCredentials = "Credentials"
+)
diff --git a/sessiongate/pkg/controller/controlplane/controller.go b/sessiongate/pkg/controller/controlplane/controller.go
new file mode 100644
index 0000000000..164ca4ffa8
--- /dev/null
+++ b/sessiongate/pkg/controller/controlplane/controller.go
@@ -0,0 +1,640 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package controlplane + +import ( + "context" + "fmt" + "os" + "strings" + "time" + + "golang.org/x/time/rate" + securityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1" + istioclientset "istio.io/client-go/pkg/clientset/versioned/typed/security/v1beta1" + istioinformers "istio.io/client-go/pkg/informers/externalversions/security/v1beta1" + istiolisters "istio.io/client-go/pkg/listers/security/v1beta1" + + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + "k8s.io/apimachinery/pkg/util/wait" + metav1apply "k8s.io/client-go/applyconfigurations/meta/v1" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/kubernetes/scheme" + corev1listers "k8s.io/client-go/listers/core/v1" + "k8s.io/client-go/tools/cache" + "k8s.io/client-go/tools/leaderelection" + "k8s.io/client-go/tools/leaderelection/resourcelock" + "k8s.io/client-go/util/workqueue" + "k8s.io/klog/v2" + + azcorearm "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm" + + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" + "github.com/Azure/ARO-HCP/sessiongate/pkg/controller" + sessiongateapply "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1" + clientset 
"github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned" + sessiongateschema "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned/scheme" + informers "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/informers/externalversions/sessiongate/v1alpha1" + listers "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/listers/sessiongate/v1alpha1" + "github.com/Azure/ARO-HCP/sessiongate/pkg/mc" +) + +// control plane controller implementation for Session resources. +// it runs with leader election and handles Session reconciliation into +// - istio AuthorizationPolicies +// - session credentials secrets +type Controller struct { + kubeclientset kubernetes.Interface + sessiongateclientset clientset.Interface + istioclientset istioclientset.SecurityV1beta1Interface + sessionsLister listers.SessionLister + sessionsSynced cache.InformerSynced + authzPoliciesLister istiolisters.AuthorizationPolicyLister + authzPoliciesSynced cache.InformerSynced + workqueue workqueue.TypedRateLimitingInterface[cache.ObjectName] + registry controller.SessionRegistry + hcpProviderBuilder mc.HCPProviderBuilder + credentialProvider controller.CredentialProvider + sessionNamespace string + secretsLister corev1listers.SecretLister + secretsSynced cache.InformerSynced + leaderElectionConfig *controller.LeaderElectionConfig + credentialCheckInterval time.Duration + logger klog.Logger +} + +func NewController( + ctx context.Context, + logger klog.Logger, + kubeclientset kubernetes.Interface, + sessiongateclientset clientset.Interface, + istioclientset istioclientset.SecurityV1beta1Interface, + sessionsInformer informers.SessionInformer, + authzPolicyInformer istioinformers.AuthorizationPolicyInformer, + secretsInformer cache.SharedIndexInformer, + registry controller.SessionRegistry, + hcpProviderBuilder mc.HCPProviderBuilder, + credentialProvider controller.CredentialProvider, + sessionNamespace string, + leaderElectionConfig *controller.LeaderElectionConfig, + 
credentialCheckInterval time.Duration) (*Controller, error) { + + utilruntime.Must(sessiongateschema.AddToScheme(scheme.Scheme)) + + ratelimiter := workqueue.NewTypedMaxOfRateLimiter( + workqueue.NewTypedItemExponentialFailureRateLimiter[cache.ObjectName](5*time.Millisecond, 1000*time.Second), + &workqueue.TypedBucketRateLimiter[cache.ObjectName]{Limiter: rate.NewLimiter(rate.Limit(50), 300)}, + ) + + c := &Controller{ + kubeclientset: kubeclientset, + sessiongateclientset: sessiongateclientset, + istioclientset: istioclientset, + sessionsLister: sessionsInformer.Lister(), + sessionsSynced: sessionsInformer.Informer().HasSynced, + authzPoliciesLister: authzPolicyInformer.Lister(), + authzPoliciesSynced: authzPolicyInformer.Informer().HasSynced, + secretsLister: corev1listers.NewSecretLister(secretsInformer.GetIndexer()), + secretsSynced: secretsInformer.HasSynced, + workqueue: workqueue.NewTypedRateLimitingQueue(ratelimiter), + registry: registry, + hcpProviderBuilder: hcpProviderBuilder, + credentialProvider: credentialProvider, + sessionNamespace: sessionNamespace, + leaderElectionConfig: leaderElectionConfig, + credentialCheckInterval: credentialCheckInterval, + logger: logger, + } + + logger.V(2).Info("Setting up event handlers for control plane controller") + + // Session Informer for control plane + // enqueues Sessions for reconciliation + if _, err := sessionsInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ + AddFunc: c.enqueueSession, + UpdateFunc: func(old, new interface{}) { + c.enqueueSession(new) + }, + DeleteFunc: c.enqueueSession, + }); err != nil { + return nil, fmt.Errorf("failed to add event handler for sessions (control plane): %w", err) + } + + // Secret Informer for control plane + // drift detection - deletions or changes of secrets outside of Session lifecycle + if _, err := secretsInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{ + AddFunc: c.enqueueOwningSession, + UpdateFunc: func(old, new interface{}) { + + 
newSecret := new.(*corev1.Secret) + oldSecret := old.(*corev1.Secret) + if newSecret.ResourceVersion == oldSecret.ResourceVersion { + return + } + c.enqueueOwningSession(new) + }, + DeleteFunc: c.enqueueOwningSession, + }); err != nil { + return nil, fmt.Errorf("failed to add event handler for secrets: %w", err) + } + + // AuthorizationPolicy Informer for control plane + // drift detection - deletions or changes of policies outside of Session lifecycle + if _, err := authzPolicyInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ + AddFunc: c.enqueueOwningSession, + UpdateFunc: func(old, new interface{}) { + newPolicy := new.(*securityv1beta1.AuthorizationPolicy) + oldPolicy := old.(*securityv1beta1.AuthorizationPolicy) + if newPolicy.ResourceVersion == oldPolicy.ResourceVersion { + return + } + c.enqueueOwningSession(new) + }, + DeleteFunc: c.enqueueOwningSession, + }); err != nil { + return nil, fmt.Errorf("failed to add event handler for authorization policies: %w", err) + } + + return c, nil +} + +// Run participates in leader election and runs controller workers when elected leader +func (c *Controller) Run(ctx context.Context, workers int) error { + hostname, err := os.Hostname() + if err != nil { + return fmt.Errorf("failed to get hostname for leader election: %w", err) + } + + // Create leader election lock + lock, err := resourcelock.NewFromKubeconfig( + resourcelock.LeasesResourceLock, + c.leaderElectionConfig.Namespace, + c.leaderElectionConfig.LockName, + resourcelock.ResourceLockConfig{ + Identity: hostname, + }, + c.leaderElectionConfig.KubeConfig, + c.leaderElectionConfig.RenewDeadline, + ) + if err != nil { + return fmt.Errorf("failed to create leader election lock: %w", err) + } + + c.logger.V(2).Info("Leader election configured", + "lockName", c.leaderElectionConfig.LockName, + "identity", hostname, + "leaseDuration", c.leaderElectionConfig.LeaseDuration, + "renewDeadline", c.leaderElectionConfig.RenewDeadline, + "retryPeriod", 
c.leaderElectionConfig.RetryPeriod) + + // Create leader elector + le, err := leaderelection.NewLeaderElector(leaderelection.LeaderElectionConfig{ + Lock: lock, + LeaseDuration: c.leaderElectionConfig.LeaseDuration, + RenewDeadline: c.leaderElectionConfig.RenewDeadline, + RetryPeriod: c.leaderElectionConfig.RetryPeriod, + ReleaseOnCancel: true, + Name: c.leaderElectionConfig.LockName, + Callbacks: leaderelection.LeaderCallbacks{ + OnStartedLeading: func(leaderCtx context.Context) { + c.logger.Info("Acquired leadership - starting control plane controller workers") + + if err := c.run(leaderCtx, workers); err != nil { + c.logger.Error(err, "Control plane controller stopped with error") + } + }, + OnStoppedLeading: func() { + c.logger.Info("Lost leadership - control plane controller workers stopped") + }, + }, + }) + if err != nil { + return fmt.Errorf("failed to create leader elector: %w", err) + } + + c.logger.Info("Starting leader election for control plane controller") + le.Run(ctx) + return nil +} + +// run starts the controller workers and blocks until the context is cancelled +func (c *Controller) run(ctx context.Context, workers int) error { + defer utilruntime.HandleCrash() + defer c.workqueue.ShutDown() + + c.logger.V(2).Info("Starting control plane controller... 
waiting for informer caches to sync") + + if ok := cache.WaitForCacheSync(ctx.Done(), c.sessionsSynced, c.secretsSynced, c.authzPoliciesSynced); !ok { + return fmt.Errorf("failed to wait for caches to sync") + } + + sessions, err := c.sessionsLister.Sessions(c.sessionNamespace).List(labels.Everything()) + if err != nil { + return fmt.Errorf("failed to list sessions for initial reconciliation: %w", err) + } + for _, session := range sessions { + c.enqueueSession(session) + } + c.logger.V(2).Info("Enqueued Sessions for reconciliation", "count", len(sessions)) + + c.logger.V(2).Info("Starting workers", "count", workers) + for range workers { + go wait.UntilWithContext(ctx, c.runWorker, time.Second) + } + + c.logger.V(2).Info("Started workers") + <-ctx.Done() + c.logger.V(2).Info("Shutting down workers") + + return nil +} + +// runWorker continually calls processNextWorkItem to read and process messages on the workqueue +func (c *Controller) runWorker(ctx context.Context) { + for c.processNextWorkItem(ctx) { + } +} + +// processNextWorkItem reads a single work item off the workqueue and attempts to process it +func (c *Controller) processNextWorkItem(ctx context.Context) bool { + objRef, shutdown := c.workqueue.Get() + logger := klog.LoggerWithValues(klog.FromContext(ctx), "session", objRef) + + if shutdown { + return false + } + + defer c.workqueue.Done(objRef) + + requeueAfter, err := c.workCeremony(ctx, logger, objRef) + if err == nil { + c.workqueue.Forget(objRef) + logger.V(6).Info("Successfully synced") + + if requeueAfter > 0 { + c.workqueue.AddAfter(objRef, requeueAfter) + } + return true + } + utilruntime.HandleErrorWithContext(ctx, err, "Error syncing; requeuing for later retry", "objectReference", objRef) + c.workqueue.AddRateLimited(objRef) + return true +} + +func (c *Controller) workCeremony(ctx context.Context, logger klog.Logger, objRef cache.ObjectName) (time.Duration, error) { + session, err := 
c.sessionsLister.Sessions(objRef.Namespace).Get(objRef.Name) + if err != nil { + // Session no longer exists - nothing to reconcile + if errors.IsNotFound(err) { + return 0, nil + } + + return 0, err + } + + sessionCopy := session.DeepCopy() + sessionCopy.InitializeConditions() + + requeueAfter, err := c.syncHandler(ctx, logger, sessionCopy) + + if patchErr := c.patchSessionStatus(ctx, logger, sessionCopy); patchErr != nil { + logger.Error(patchErr, "Failed to patch session status") + // return the patch error only if there was no sync error + if err == nil { + return requeueAfter, patchErr + } + } + + return requeueAfter, err +} + +// syncHandler reconciles a session to desired state and returns requeue duration (0 means no requeue) +func (c *Controller) syncHandler(ctx context.Context, logger klog.Logger, session *sessiongatev1alpha1.Session) (time.Duration, error) { + // + // Phase 0: skip reconciliation if Session is being deleted + // + + if !session.DeletionTimestamp.IsZero() { + // Session is being deleted - nothing to reconcile + // cleanup of dependent resources happens via owner references + return 0, nil + } + + // + // Phase 1: initialization, expiration, validation + // + + // calculate expiration time if not set + var expiresAt *metav1.Time + if session.Status.ExpiresAt == nil { + now := metav1.Now() + expirationTime := metav1.NewTime(now.Add(session.Spec.TTL.Duration)) + expiresAt = &expirationTime + } else { + expiresAt = session.Status.ExpiresAt + } + session.Status.ExpiresAt = expiresAt + + // check for expiration + timeUntilExpiration := time.Until(expiresAt.Time) + if timeUntilExpiration <= 0 { + logger.Info("Session has expired, deleting", "session", session.Name, "expiresAt", expiresAt.Time) + session.MarkSessionInactive(sessiongatev1alpha1.ReasonExpired, "Session has expired") + session.StopProgressing(sessiongatev1alpha1.ReasonExpired, "Session has expired") + if err := 
c.sessiongateclientset.SessiongateV1alpha1().Sessions(session.Namespace).Delete(ctx, session.Name, metav1.DeleteOptions{}); err != nil { + return 0, err + } + return 0, nil + } + + // validation + if err := validateSession(session); err != nil { + session.StopProgressing(sessiongatev1alpha1.ReasonInvalidConfiguration, err.Error()) + logger.Error(err, "Session has invalid configuration") + return 0, nil + } + + // + // Phase 2: authorization policy + // + + changed, err := c.ensureAuthorizationPolicy(ctx, session) + if err != nil { + logger.Error(err, "Failed to ensure AuthorizationPolicy") + session.MarkAuthorizationPolicyNotReady(sessiongatev1alpha1.ReasonAuthorizationFailed, fmt.Sprintf("Failed to ensure authorization policy: %v", err)) + return 0, err + } + if changed { + session.Progressing(sessiongatev1alpha1.ReasonConfiguringAuthorization, "Authorization policy configured") + logger.V(2).Info("AuthorizationPolicy changed, waiting for informer notification") + return 0, nil + } + session.MarkAuthorizationPolicyReady() + + // + // Phase 3: credential provisioning + // + + credReq := controller.CredentialRequest{ + SessionName: session.Name, + SessionUID: session.UID, + ManagementClusterID: session.Spec.ManagementCluster.ResourceID, + HCPNamespace: session.Spec.HostedControlPlane.Namespace, + UserPrincipalName: session.Spec.Owner.UserPrincipal.Name, + AccessLevelGroup: session.Spec.AccessLevel.Group, + } + + result, err := c.credentialProvider.EnsureCredentials(ctx, credReq) + if err != nil { + session.MarkCredentialsNotReady(sessiongatev1alpha1.ReasonCredentialMintingFailed, fmt.Sprintf("Failed to provision credentials: %v", err)) + logger.Error(err, "Failed to provision credentials") + return 0, err + } + + // Update status fields from result + session.Status.CredentialsSecretRef = result.SecretName + + switch result.Status { + case controller.CredentialStatusHostedControlPlaneNotFound: + logger.V(2).Info("HostedControlPlane not found, will retry when it 
becomes available") + session.MarkCredentialsNotReady(sessiongatev1alpha1.ReasonHostedControlPlaneNotFound, "HostedControlPlane not yet available") + session.Progressing(sessiongatev1alpha1.ReasonHostedControlPlaneNotFound, "Waiting for HostedControlPlane to be created") + return 0, nil + + case controller.CredentialStatusPrivateKeyCreated: + logger.V(2).Info("Private key created", "secretName", result.SecretName) + session.MarkCredentialsNotReady(sessiongatev1alpha1.ReasonPrivateKeyCreated, "Private key generated, preparing certificate request") + session.Progressing(sessiongatev1alpha1.ReasonMintingCredentials, "Creating certificate signing request") + return 0, nil + + case controller.CredentialStatusCertificatePending: + logger.V(2).Info("Certificate pending, will poll on next reconcile", "secretName", result.SecretName) + session.MarkCredentialsNotReady(sessiongatev1alpha1.ReasonCertificatePending, "Certificate signing request submitted. Waiting for certificate") + session.Progressing(sessiongatev1alpha1.ReasonMintingCredentials, "Waiting for certificate") + return c.credentialCheckInterval, nil + + case controller.CredentialStatusReady: + logger.V(2).Info("Credentials ready", "secretName", result.SecretName) + session.MarkCredentialsReady() + + default: + err := fmt.Errorf("unknown credential status: %d", result.Status) + logger.Error(err, "Unknown credential status", "status", result.Status) + session.MarkCredentialsNotReady(sessiongatev1alpha1.ReasonCredentialsFailed, err.Error()) + return 0, err + } + + // + // Phase 4: Network path + // + + // this part will be revamped soon to embrace port-forwarding to reach private HCPs + + hcpprovider, err := c.hcpProviderBuilder(ctx, session.Spec.ManagementCluster.ResourceID) + if err != nil { + logger.Error(err, "Failed to get HCP provider", "mgmtClusterID", session.Spec.ManagementCluster.ResourceID) + return 0, err + } + hcp, err := hcpprovider.GetHostedCluster(ctx, session.Spec.HostedControlPlane.Namespace) + if 
err != nil { + if errors.IsNotFound(err) { + logger.V(2).Info("HostedCluster not found, will retry when it becomes available") + session.MarkNetworkPathNotReady(sessiongatev1alpha1.ReasonHostedControlPlaneNotFound, "HostedControlPlane not yet available") + session.Progressing(sessiongatev1alpha1.ReasonHostedControlPlaneNotFound, "Waiting for HostedControlPlane to be created") + return 0, nil + } + logger.Error(err, "Failed to get HostedCluster") + return 0, err + } + session.Status.BackendKASURL = fmt.Sprintf("https://%s", hcp.Spec.KubeAPIServerDNSName) + session.MarkNetworkPathReady() + + // todo: this should be done based on a signal from the dataplane controller + // when ALL pods registered the session + session.MarkSessionActive() + session.Status.Endpoint = c.registry.GetSessionEndpoint(session.Name) + session.StopProgressing(sessiongatev1alpha1.ReasonAvailable, "Session is available") + + return timeUntilExpiration, nil +} + +// enqueueSession extracts the key from the object and adds it to the workqueue for reconciliation +func (c *Controller) enqueueSession(obj interface{}) { + // handle tombstones for Delete events + if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok { + obj = tombstone.Obj + } + + objectRef, err := cache.ObjectToName(obj) + if err != nil { + utilruntime.HandleError(err) + return + } + c.workqueue.Add(objectRef) +} + +// enqueueOwningSession enqueues the owning Session of a resource +func (c *Controller) enqueueOwningSession(obj interface{}) { + var object metav1.Object + var ok bool + if object, ok = obj.(metav1.Object); !ok { + tombstone, ok := obj.(cache.DeletedFinalStateUnknown) + if !ok { + utilruntime.HandleError(fmt.Errorf("error decoding object, invalid type")) + return + } + object, ok = tombstone.Obj.(metav1.Object) + if !ok { + utilruntime.HandleError(fmt.Errorf("error decoding object tombstone, invalid type")) + return + } + c.logger.V(4).Info("Recovered deleted object", "resourceName", object.GetName()) + } + + 
c.logger.V(4).Info("Processing object", "object", klog.KObj(object)) + if ownerRef := metav1.GetControllerOf(object); ownerRef != nil { + if ownerRef.Kind != "Session" { + return + } + + session, err := c.sessionsLister.Sessions(object.GetNamespace()).Get(ownerRef.Name) + if err != nil { + c.logger.V(4).Info("Ignoring orphaned object", "object", klog.KObj(object), "session", ownerRef.Name) + return + } + + c.enqueueSession(session) + return + } +} + +// validateSession validates the session specification using Azure SDK parsing +func validateSession(session *sessiongatev1alpha1.Session) error { + // validate TTL is positive + if session.Spec.TTL.Duration <= 0 { + return fmt.Errorf("spec.ttl must be a positive duration") + } + + // validate managementCluster is provided + if session.Spec.ManagementCluster.ResourceID == "" { + return fmt.Errorf("spec.managementCluster.resourceId is required") + } + + // validate managementCluster resource ID format and provider type + mgmtResourceID, err := azcorearm.ParseResourceID(session.Spec.ManagementCluster.ResourceID) + if err != nil { + return fmt.Errorf("spec.managementCluster.resourceId is not a valid Azure resource ID: %w", err) + } + expectedMgmtProvider := "Microsoft.ContainerService" + expectedMgmtType := "managedClusters" + if !strings.EqualFold(mgmtResourceID.ResourceType.Namespace, expectedMgmtProvider) { + return fmt.Errorf("spec.managementCluster must be a %s resource, got %s", expectedMgmtProvider, mgmtResourceID.ResourceType.Namespace) + } + if !strings.EqualFold(mgmtResourceID.ResourceType.Type, expectedMgmtType) { + return fmt.Errorf("spec.managementCluster must be a %s/%s resource, got %s/%s", + expectedMgmtProvider, expectedMgmtType, + mgmtResourceID.ResourceType.Namespace, mgmtResourceID.ResourceType.Type) + } + + // Validate hostedControlPlane is provided + if session.Spec.HostedControlPlane.ResourceID == "" { + return fmt.Errorf("spec.hostedControlPlane.resourceId is required") + } + + // Validate 
hostedControlPlane resource ID format and provider type + hcpResourceID, err := azcorearm.ParseResourceID(session.Spec.HostedControlPlane.ResourceID) + if err != nil { + return fmt.Errorf("spec.hostedControlPlane.resourceId is not a valid Azure resource ID: %w", err) + } + expectedHCPProvider := "Microsoft.RedHatOpenShift" + expectedHCPType := "hcpOpenShiftClusters" + if !strings.EqualFold(hcpResourceID.ResourceType.Namespace, expectedHCPProvider) { + return fmt.Errorf("spec.hostedControlPlane must be a %s resource, got %s", expectedHCPProvider, hcpResourceID.ResourceType.Namespace) + } + if !strings.EqualFold(hcpResourceID.ResourceType.Type, expectedHCPType) { + return fmt.Errorf("spec.hostedControlPlane must be a %s/%s resource, got %s/%s", + expectedHCPProvider, expectedHCPType, + hcpResourceID.ResourceType.Namespace, hcpResourceID.ResourceType.Type) + } + + return nil +} + +// patchSessionStatus patches the session status using SSA +func (c *Controller) patchSessionStatus(ctx context.Context, logger klog.Logger, session *sessiongatev1alpha1.Session) error { + // Record the original resource version to detect if the update actually changed anything + originalResourceVersion := session.ResourceVersion + + client := c.sessiongateclientset.SessiongateV1alpha1().Sessions(session.Namespace) + + // Build apply configuration for status + statusApply := sessiongateapply.SessionStatus() + + // Apply conditions + if len(session.Status.Conditions) > 0 { + for _, cond := range session.Status.Conditions { + statusApply = statusApply.WithConditions( + metav1apply.Condition(). + WithType(cond.Type). + WithStatus(cond.Status). + WithObservedGeneration(cond.ObservedGeneration). + WithLastTransitionTime(cond.LastTransitionTime). + WithReason(cond.Reason). 
+ WithMessage(cond.Message), + ) + } + } + + // Apply other status fields + if session.Status.ExpiresAt != nil { + statusApply = statusApply.WithExpiresAt(*session.Status.ExpiresAt) + } + if session.Status.Endpoint != "" { + statusApply = statusApply.WithEndpoint(session.Status.Endpoint) + } + if session.Status.CredentialsSecretRef != "" { + statusApply = statusApply.WithCredentialsSecretRef(session.Status.CredentialsSecretRef) + } + if session.Status.BackendKASURL != "" { + statusApply = statusApply.WithBackendKASURL(session.Status.BackendKASURL) + } + + // Build Session apply configuration with just metadata and status + sessionApply := sessiongateapply.Session(session.Name, session.Namespace). + WithStatus(statusApply) + + updatedSession, err := client.ApplyStatus( + ctx, + sessionApply, + metav1.ApplyOptions{FieldManager: controller.ControllerAgentName, Force: true}, + ) + if err != nil { + logger.Error(err, "Failed to apply session status") + return err + } + + // Log whether the update was a no-op or actually changed something + if updatedSession.ResourceVersion == originalResourceVersion { + logger.V(6).Info("Status update was a no-op - no changes detected", "resourceVersion", updatedSession.ResourceVersion) + } else { + logger.V(6).Info("Applied session status - changes detected", "oldResourceVersion", originalResourceVersion, "newResourceVersion", updatedSession.ResourceVersion) + } + + return nil +} diff --git a/sessiongate/pkg/controller/credentials.go b/sessiongate/pkg/controller/credentials.go new file mode 100644 index 0000000000..063f7fbb79 --- /dev/null +++ b/sessiongate/pkg/controller/credentials.go 
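Review bot: validateSession (near the end of the hunk) checks TTL and the two Azure resource IDs but none of the fields that end up in access decisions — `Spec.Owner.UserPrincipal.Claim`/`.Name` become the Istio policy key and value in authzpolicy.go, and `Spec.AccessLevel.Group` is handed to the CredentialRequest — so an empty or malformed value is only caught, if at all, downstream as an apply or minting error that is rate-limit requeued instead of being recorded under ReasonInvalidConfiguration. Add checks alongside the existing ones, e.g. `if session.Spec.Owner.UserPrincipal.Name == "" { return fmt.Errorf("spec.owner.userPrincipal.name is required") }` and the equivalent for the claim name and the access-level group. Separately, the expired branch of syncHandler deletes the Session and returns nil, after which workCeremony still calls patchSessionStatus on the deleted object; the resulting error (presumably NotFound) is returned as patchErr and the already-deleted key is requeued, so either signal deletion back to workCeremony so it skips the patch, or treat `errors.IsNotFound(err)` in patchSessionStatus as a no-op. The informer handlers also name their parameter `new`, shadowing the builtin; `func(oldObj, newObj any)` reads cleaner and matches the `any` spelling used elsewhere.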
@@ -0,0 +1,409 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controller
+
+import (
+ "context"
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "io"
+
+ corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+ corev1apply "k8s.io/client-go/applyconfigurations/core/v1"
+ metav1apply "k8s.io/client-go/applyconfigurations/meta/v1"
+ "k8s.io/client-go/kubernetes"
+ corev1listers "k8s.io/client-go/listers/core/v1"
+ "k8s.io/client-go/rest"
+ "k8s.io/klog/v2"
+
+ sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1"
+ "github.com/Azure/ARO-HCP/sessiongate/pkg/mc"
+)
+
+const (
+ // SessionSecretPrefix is the prefix for session credential secrets
+ SessionSecretPrefix = "session-"
+ // SessionSecretSuffix is the suffix for session credential secrets
+ SessionSecretSuffix = "-credentials"
+
+ // AnnotationTargetCluster annotates secrets with the target cluster resource ID
+ AnnotationTargetCluster = "sessiongate.aro-hcp.azure.com/target-cluster"
+
+ // Secret data keys
+ SecretKeyPrivateKey = "privateKey"
+ SecretKeyCertificate = "certificate"
+ SecretKeyKASURL = "kasURL"
+
+ // RSAKeyBits is the size in bits for generated RSA private keys
+ RSAKeyBits = 2048
+)
+
+// CredentialRequest contains the minimal fields needed to provision credentials for a session.
+// This is extracted from Session to avoid passing the full object to credential provisioning logic.
+type CredentialRequest struct {
+ // SessionName is the name of the Session resource (used for CSR naming and owner references)
+ SessionName string
+
+ // SessionUID is the UID of the Session resource (used for owner references)
+ SessionUID types.UID
+
+ // ManagementClusterID is the Azure resource ID of the management cluster
+ ManagementClusterID string
+
+ // HCPNamespace is the namespace where the HostedControlPlane CR exists
+ HCPNamespace string
+
+ // UserPrincipalName is the user principal name (e.g., user@domain.com)
+ UserPrincipalName string
+
+ // AccessLevelGroup is the name of the access group for RBAC
+ AccessLevelGroup string
+}
+
+// CredentialReference contains the minimal fields needed to retrieve credentials from a secret.
+// This is extracted from Session.Status to avoid passing the full object to credential retrieval logic.
+type CredentialReference struct {
+ // SecretName is the name of the Secret containing the credentials
+ SecretName string
+
+ // BackendKASURL is the Kubernetes API server URL for the backend cluster
+ BackendKASURL string
+}
+
+// CredentialStatus represents the state of credential provisioning
+type CredentialStatus int
+
+const (
+ // CredentialStatusError indicates an error occurred
+ CredentialStatusError CredentialStatus = iota
+ // CredentialStatusHostedControlPlaneNotFound indicates the target HCP doesn't exist yet
+ CredentialStatusHostedControlPlaneNotFound
+ // CredentialStatusPrivateKeyCreated indicates the private key was created
+ CredentialStatusPrivateKeyCreated
+ // CredentialStatusCertificatePending indicates CSR submitted, waiting for certificate
+ CredentialStatusCertificatePending
+ // CredentialStatusReady indicates credentials are fully ready
+ CredentialStatusReady
+)
+
+// CredentialMintingStatus contains the result of credential provisioning
+type CredentialMintingStatus struct {
+ // Status is the current phase of credential provisioning
+ Status CredentialStatus
+ // SecretName is the name of the Secret containing credentials
+ SecretName string
+}
+
+// SecretStore defines the interface for storing and retrieving credential data.
+// This abstraction separates Kubernetes Secret operations from credential minting logic.
+type SecretStore interface {
+ // StoreCredential stores credential components in a Secret with the specified owner reference.
+ // privateKey must be non-nil. certificate may be nil for the initial private key storage phase.
+ StoreCredential(ctx context.Context, secretName, ownerName string, ownerUID types.UID, privateKey *rsa.PrivateKey, certificate []byte) error
+
+ // GetPrivateKey retrieves and decodes the private key from the specified Secret.
+ // Returns an error if the Secret doesn't exist or doesn't contain a valid private key.
+ GetPrivateKey(secretName string) (*rsa.PrivateKey, error)
+
+ // GetCertificate retrieves the certificate from the specified Secret.
+ // Returns an error if the Secret doesn't exist or doesn't contain a certificate.
+ GetCertificate(secretName string) ([]byte, error)
+}
+
+// CredentialProvider defines the interface for managing session credentials.
+// Implementations are responsible for minting cluster credentials and storing
+// them in Kubernetes Secrets for consumption by all controller pods.
+type CredentialProvider interface {
+ // EnsureCredentials ensures credentials are being provisioned for the session.
+ // This method implements a phased approach:
+ // 1. Create Secret with private key (if missing)
+ // 2. Submit CSR for certificate (if certificate missing)
+ // 3. Poll for certificate readiness (non-blocking)
+ //
+ // The controller should requeue based on the result status:
+ // - PrivateKeyCreated: requeue immediately to submit CSR
+ // - CertificatePending: requeue after delay to poll for certificate
+ // - Ready: proceed to session registration
+ // - Error status in result or non-nil error: retry with backoff
+ EnsureCredentials(ctx context.Context, req CredentialRequest) (*CredentialMintingStatus, error)
+
+ // GetCredentialsFromSecret retrieves cluster credentials from a Secret.
+ // This method is called by all controller pods (leader and followers) when they
+ // detect a new or updated session credentials Secret via their Secret informer.
+ //
+ // Returns the REST config for the cluster and the target cluster resource ID.
+ GetCredentialsFromSecret(ctx context.Context, ref CredentialReference) (*rest.Config, string, error)
+}
+
+// secretNameFromRequest generates the secret name from a CredentialRequest.
+func secretNameFromRequest(req CredentialRequest) string {
+ return fmt.Sprintf("%s%s%s", SessionSecretPrefix, req.SessionName, SessionSecretSuffix)
+}
+
+// DefaultSecretStore implements SecretStore using Kubernetes Secrets.
+type DefaultSecretStore struct {
+ kubeClient kubernetes.Interface
+ namespace string
+ secretLister corev1listers.SecretLister
+}
+
+// NewDefaultSecretStore creates a new default secret store.
+func NewDefaultSecretStore(
+ kubeClient kubernetes.Interface,
+ namespace string,
+ secretLister corev1listers.SecretLister,
+) *DefaultSecretStore {
+ return &DefaultSecretStore{
+ kubeClient: kubeClient,
+ namespace: namespace,
+ secretLister: secretLister,
+ }
+}
+
+// StoreCredential stores credential components in a Secret using Server-Side Apply.
+func (s *DefaultSecretStore) StoreCredential(ctx context.Context, secretName, ownerName string, ownerUID types.UID, privateKey *rsa.PrivateKey, certificate []byte) error {
+ data := map[string][]byte{
+ SecretKeyPrivateKey: pem.EncodeToMemory(&pem.Block{
+ Type: "RSA PRIVATE KEY",
+ Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
+ }),
+ SecretKeyCertificate: certificate,
+ }
+
+ applyConfig := corev1apply.Secret(secretName, s.namespace).
+ WithLabels(map[string]string{
+ LabelManagedBy: ControllerAgentName,
+ }).
+ WithOwnerReferences(
+ metav1apply.OwnerReference().
+ WithAPIVersion(sessiongatev1alpha1.SchemeGroupVersion.String()).
+ WithKind("Session").
+ WithName(ownerName).
+ WithUID(ownerUID).
+ WithController(true).
+ WithBlockOwnerDeletion(true),
+ ).
+ WithType(corev1.SecretTypeOpaque).
+ WithData(data)
+
+ _, err := s.kubeClient.CoreV1().Secrets(s.namespace).Apply(
+ ctx,
+ applyConfig,
+ metav1.ApplyOptions{
+ FieldManager: ControllerAgentName,
+ Force: true,
+ },
+ )
+ return err
+}
+
+// GetPrivateKey retrieves and decodes the private key from the specified Secret.
+func (s *DefaultSecretStore) GetPrivateKey(secretName string) (*rsa.PrivateKey, error) {
+ privateKeyBytes, err := s.getPrivateKeyBytes(secretName)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get private key from secret: %w", err)
+ }
+ block, _ := pem.Decode(privateKeyBytes)
+ if block == nil {
+ return nil, fmt.Errorf("failed to decode private key PEM")
+ }
+ return x509.ParsePKCS1PrivateKey(block.Bytes)
+}
+
+// getPrivateKeyBytes retrieves the raw private key bytes from the Secret.
+func (s *DefaultSecretStore) getPrivateKeyBytes(secretName string) ([]byte, error) {
+ secret, err := s.secretLister.Secrets(s.namespace).Get(secretName)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get secret: %w", err)
+ }
+ if len(secret.Data[SecretKeyPrivateKey]) == 0 {
+ return nil, fmt.Errorf("private key not found in secret")
+ }
+ return secret.Data[SecretKeyPrivateKey], nil
+}
+
+// GetCertificate retrieves the certificate from the specified Secret.
+func (s *DefaultSecretStore) GetCertificate(secretName string) ([]byte, error) {
+ secret, err := s.secretLister.Secrets(s.namespace).Get(secretName)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get secret: %w", err)
+ }
+ if len(secret.Data[SecretKeyCertificate]) == 0 {
+ return nil, fmt.Errorf("certificate not found in secret")
+ }
+ return secret.Data[SecretKeyCertificate], nil
+}
+
+// DefaultCredentialProvider implements CredentialProvider for Kubernetes clusters.
+type DefaultCredentialProvider struct {
+ secretStore SecretStore
+ hcpProviderBuilder mc.HCPProviderBuilder
+}
+
+// NewDefaultCredentialProvider creates a new default credential provider.
+func NewDefaultCredentialProvider(
+ secretStore SecretStore,
+ hcpProviderBuilder mc.HCPProviderBuilder,
+) *DefaultCredentialProvider {
+ return &DefaultCredentialProvider{
+ secretStore: secretStore,
+ hcpProviderBuilder: hcpProviderBuilder,
+ }
+}
+
+// EnsureCredentials ensures credentials are being provisioned for the session.
+// This implements a phased, non-blocking approach to credential creation:
+//
+// Phase 1: Private Key Creation
+// - If Secret doesn't exist, create it with just the private key
+// - Returns CredentialStatusPrivateKeyCreated
+//
+// Phase 2: Certificate Signing Request (CSR) + Hypershift Approval
+// - If privateKey exists but certificate doesn't, submit CSR
+// - Returns CredentialStatusCertificatePending
+//
+// Phase 3: Certificate Ready
+// - If both privateKey and certificate exist, credentials are ready
+// - Returns CredentialStatusReady
+//
+// The controller should requeue based on the returned status to advance through phases.
+func (p *DefaultCredentialProvider) EnsureCredentials(ctx context.Context, req CredentialRequest) (*CredentialMintingStatus, error) {
+ logger := klog.LoggerWithValues(klog.FromContext(ctx), "session", req.SessionName)
+ ctx = klog.NewContext(ctx, logger)
+
+ hcpprovider, err := p.hcpProviderBuilder(ctx, req.ManagementClusterID)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get hosted cluster provider: %w", err)
+ }
+ hostedCluster, err := hcpprovider.GetHostedCluster(ctx, req.HCPNamespace)
+ if err != nil {
+ if apierrors.IsNotFound(err) {
+ return &CredentialMintingStatus{
+ Status: CredentialStatusHostedControlPlaneNotFound,
+ }, nil
+ }
+ return nil, fmt.Errorf("failed to get hosted cluster: %w", err)
+ }
+
+ secretName := secretNameFromRequest(req)
+
+ // private key generation
+ privateKey, err := p.secretStore.GetPrivateKey(secretName)
+ if err != nil {
+ privateKey, err = generatePrivateKeyWithReader(rand.Reader, RSAKeyBits)
+ if err != nil {
+ return nil, fmt.Errorf("failed to generate private key: %w", err)
+ }
+ err := p.secretStore.StoreCredential(ctx, secretName, req.SessionName, req.SessionUID, privateKey, nil)
+ if err != nil {
+ return nil, fmt.Errorf("failed to store credentials secret: %w", err)
+ }
+ return &CredentialMintingStatus{
+ Status: CredentialStatusPrivateKeyCreated,
+ SecretName: secretName,
+ }, nil
+ }
+
+ // certificate minting
+ _, err = p.secretStore.GetCertificate(secretName)
+ // todo - handle different user types
+ if err != nil {
+ logger.V(2).Info("Minting certificate", "user", req.UserPrincipalName, "accessGroup", req.AccessLevelGroup)
+ certificate, err := hcpprovider.MintCertificate(
+ ctx,
+ req.SessionName,
+ req.UserPrincipalName,
+ req.AccessLevelGroup,
+ hostedCluster,
+ privateKey,
+ )
+ if err != nil {
+ return nil, fmt.Errorf("failed to mint credentials: %w", err)
+ }
+
+ if len(certificate) == 0 {
+ logger.V(4).Info("Certificate still pending")
+ return &CredentialMintingStatus{
+ Status: CredentialStatusCertificatePending,
+ SecretName: secretName,
+ }, nil
+ }
+
+ logger.V(4).Info("Certificate ready, storing in secret", "secretName", secretName)
+ if err := p.secretStore.StoreCredential(ctx, secretName, req.SessionName, req.SessionUID, privateKey, certificate); err != nil {
+ return nil, fmt.Errorf("failed to update secret with certificate: %w", err)
+ }
+ }
+
+ return &CredentialMintingStatus{
+ Status: CredentialStatusReady,
+ SecretName: secretName,
+ }, nil
+}
+
+// GetCredentialsFromSecret builds a REST config from the credentials found in the secret.
+func (p *DefaultCredentialProvider) GetCredentialsFromSecret(ctx context.Context, ref CredentialReference) (*rest.Config, string, error) {
+ logger := klog.LoggerWithValues(klog.FromContext(ctx), "secretName", ref.SecretName)
+
+ if ref.SecretName == "" {
+ return nil, "", fmt.Errorf("secret name is empty")
+ }
+
+ if ref.BackendKASURL == "" {
+ return nil, "", fmt.Errorf("backend KAS URL is empty")
+ }
+
+ privateKey, err := p.secretStore.GetPrivateKey(ref.SecretName)
+ if err != nil {
+ return nil, "", fmt.Errorf("failed to get private key: %w", err)
+ }
+
+ certificate, err := p.secretStore.GetCertificate(ref.SecretName)
+ if err != nil {
+ return nil, "", fmt.Errorf("failed to get certificate: %w", err)
+ }
+
+ // Encode private key to PEM format for REST config
+ privateKeyPEM := pem.EncodeToMemory(&pem.Block{
+ Type: "RSA PRIVATE KEY",
+ Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
+ })
+
+ config := &rest.Config{
+ Host: ref.BackendKASURL,
+ TLSClientConfig: rest.TLSClientConfig{
+ Insecure: true,
+ CertData: certificate,
+ KeyData: privateKeyPEM,
+ },
+ }
+
+ logger.V(2).Info("Retrieved credentials", "secretName", ref.SecretName)
+ return config, ref.BackendKASURL, nil
+}
+
+func generatePrivateKeyWithReader(reader io.Reader, bits int) (*rsa.PrivateKey, error) {
+ key, err := rsa.GenerateKey(reader, bits)
+ if err != nil {
+ return nil, fmt.Errorf("failed to generate private key: %w", err)
+ }
+ return key, nil
+}
diff --git a/sessiongate/pkg/controller/dataplane/controller.go b/sessiongate/pkg/controller/dataplane/controller.go
new file mode 100644
index 0000000000..4c67c35e16
--- /dev/null
+++ b/sessiongate/pkg/controller/dataplane/controller.go
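Review bot: `GetCredentialsFromSecret` builds the backend `rest.Config` with `TLSClientConfig{Insecure: true}`, so every proxied connection to the hosted cluster's API server skips server-certificate verification and the session's client certificate and key are presented to whatever endpoint answers at `BackendKASURL`. If the hosted cluster's CA bundle is obtainable where `MintCertificate` runs, store it in the secret under a third data key (e.g. a constructed `SecretKeyCACertificate = "caCertificate"`) and set `CAData` from it instead of `Insecure`; failing that, the field deserves a comment naming it as a known gap rather than being left bare. Separately, in `EnsureCredentials` any error from `GetPrivateKey` — not only a missing secret — enters the key-generation branch and force-applies the secret with a nil certificate, so a transient lister failure or an unparseable stored key would silently rotate the key and drop an already-issued certificate; gate that branch on `apierrors.IsNotFound(err)` and return other errors for retry. `SecretKeyKASURL` and `AnnotationTargetCluster` are declared but not referenced anywhere in this file.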
@@ -0,0 +1,219 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package dataplane
+
+import (
+ "context"
+ "fmt"
+ "time"
+
+ "k8s.io/apimachinery/pkg/api/errors"
+ utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+ "k8s.io/client-go/tools/cache"
+ "k8s.io/client-go/util/workqueue"
+ "k8s.io/klog/v2"
+
+ sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1"
+ "github.com/Azure/ARO-HCP/sessiongate/pkg/controller"
+ informers "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/informers/externalversions/sessiongate/v1alpha1"
+ listers "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/listers/sessiongate/v1alpha1"
+)
+
+// data plane controller implementation.
+// it runs on all replicas and registers sessions with the proxy registry, so that any replica can
+// proxy traffic for a session.
+type Controller struct {
+ logger klog.Logger
+ registry controller.SessionRegistry
+ credentialProvider controller.CredentialProvider
+ sessionsLister listers.SessionLister
+ sessionsSynced cache.InformerSynced
+ workqueue workqueue.TypedRateLimitingInterface[cache.ObjectName]
+}
+
+func NewController(
+ ctx context.Context,
+ logger klog.Logger,
+ sessionsInformer informers.SessionInformer,
+ registry controller.SessionRegistry,
+ credentialProvider controller.CredentialProvider,
+) (*Controller, error) {
+ rateLimiter := workqueue.NewTypedItemExponentialFailureRateLimiter[cache.ObjectName](
+ 100*time.Millisecond, // base delay
+ 60*time.Second, // max delay
+ )
+
+ c := &Controller{
+ logger: logger,
+ registry: registry,
+ credentialProvider: credentialProvider,
+ sessionsLister: sessionsInformer.Lister(),
+ sessionsSynced: sessionsInformer.Informer().HasSynced,
+ workqueue: workqueue.NewTypedRateLimitingQueue(rateLimiter),
+ }
+
+ logger.V(2).Info("Setting up event handlers for data plane controller")
+
+ // Session Informer for data plane
+ // Enqueues session keys to be processed by workers
+ if _, err := sessionsInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+ AddFunc: c.enqueueSession,
+ UpdateFunc: func(old, new interface{}) {
+ c.enqueueSession(new)
+ },
+ DeleteFunc: c.enqueueSession,
+ }); err != nil {
+ return nil, fmt.Errorf("failed to add event handler for sessions (data plane): %w", err)
+ }
+
+ return c, nil
+}
+
+// Run starts the data plane controller and blocks until the context is cancelled.
+// Note: Informer caches are guaranteed to be synced before this is called (synchronized in cmd/options.go).
+func (c *Controller) Run(ctx context.Context) error {
+ defer c.workqueue.ShutDown()
+
+ c.logger.V(2).Info("Starting data plane controller... waiting for informer caches to sync")
+ if ok := cache.WaitForCacheSync(ctx.Done(), c.sessionsSynced); !ok {
+ return fmt.Errorf("failed to wait for caches to sync")
+ }
+
+ // start a single worker goroutine
+ // since we're just maintaining local in-memory state, one worker is sufficient
+ go c.runWorker(ctx)
+
+ c.logger.Info("Data plane controller started successfully")
+
+ // block until context is cancelled
+ <-ctx.Done()
+ c.logger.V(2).Info("Data plane controller shutting down")
+
+ return nil
+}
+
+// runWorker processes items from the workqueue
+func (c *Controller) runWorker(ctx context.Context) {
+ for c.processNextWorkItem(ctx) {
+ }
+}
+
+// processNextWorkItem processes a single item from the workqueue
+func (c *Controller) processNextWorkItem(ctx context.Context) bool {
+ objRef, shutdown := c.workqueue.Get()
+ logger := klog.LoggerWithValues(c.logger, "session", objRef)
+
+ if shutdown {
+ return false
+ }
+ defer c.workqueue.Done(objRef)
+
+ err := c.syncHandler(ctx, logger, objRef)
+ if err == nil {
+ c.workqueue.Forget(objRef)
+ logger.V(6).Info("Successfully synced")
+ return true
+ }
+
+ utilruntime.HandleErrorWithContext(ctx, err, "Error syncing; requeuing for later retry", "objectReference", objRef)
+ c.workqueue.AddRateLimited(objRef)
+ klog.ErrorS(err, "Error syncing session, will retry")
+
+ return true
+}
+
+// enqueueSession extracts the key from the object and adds it to the workqueue
+func (c *Controller) enqueueSession(obj interface{}) {
+ // handle tombstones for Delete events
+ if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+ obj = tombstone.Obj
+ }
+
+ if objectRef, err := cache.ObjectToName(obj); err != nil {
+ utilruntime.HandleError(err)
+ return
+ } else {
+ c.workqueue.Add(objectRef)
+ }
+}
+
+// syncHandler processes a single session from the workqueue
+// it returns an error if the sync should be retried, nil otherwise
+func (c *Controller) syncHandler(ctx context.Context, logger klog.Logger, objRef cache.ObjectName) error {
+ session, err := c.sessionsLister.Sessions(objRef.Namespace).Get(objRef.Name)
+ if err != nil {
+ if errors.IsNotFound(err) {
+ c.registry.UnregisterSession(objRef.Name)
+ logger.V(2).Info("Unregistered deleted session from local registry")
+ return nil
+ }
+ return fmt.Errorf("failed to get session from lister: %w", err)
+ }
+
+ // validate session is ready for registration
+ if ready, reason := c.isReadyForRegistration(session); !ready {
+ c.registry.UnregisterSession(session.Name)
+ logger.V(2).Info("Unregistered session from local registry", "reason", reason)
+ return nil
+ }
+
+ // register the session with the local registry for proxying traffic
+ return c.registerSession(ctx, logger, session)
+}
+
+// isReadyForRegistration validates whether a session should be registered
+func (c *Controller) isReadyForRegistration(session *sessiongatev1alpha1.Session) (bool, string) {
+ if !session.DeletionTimestamp.IsZero() {
+ return false, "being deleted"
+ }
+ if !session.IsReady() {
+ return false, "not ready"
+ }
+ if session.Status.CredentialsSecretRef == "" {
+ return false, "no credentials secret reference"
+ }
+ if session.Status.BackendKASURL == "" {
+ return false, "no backend KAS URL"
+ }
+ return true, ""
+}
+
+// registerSession fetches credentials and registers the session in the local registry for proxying traffic
+func (c *Controller) registerSession(ctx context.Context, logger klog.Logger, session *sessiongatev1alpha1.Session) error {
+ credRef := controller.CredentialReference{
+ SecretName: session.Status.CredentialsSecretRef,
+ BackendKASURL: session.Status.BackendKASURL,
+ }
+
+ restConfig, _, err := c.credentialProvider.GetCredentialsFromSecret(ctx, credRef)
+ if err != nil {
+ return fmt.Errorf("failed to get credentials from secret: %w", err)
+ }
+
+ endpoint, err := c.registry.RegisterSession(controller.NewSessionOptions(
+ session.Name,
+ session.Status.BackendKASURL,
+ restConfig,
+ ))
+ if err != nil {
+ return fmt.Errorf("failed to register session: %w", err)
+ }
+
+ logger.V(2).Info("Registered session in local registry",
+ "endpoint", endpoint,
+ "backendKASURL", session.Status.BackendKASURL)
+
+ return nil
+}
diff --git a/sessiongate/pkg/controller/leaderelection.go b/sessiongate/pkg/controller/leaderelection.go
new file mode 100644
index 0000000000..3f142543bd
--- /dev/null
+++ b/sessiongate/pkg/controller/leaderelection.go
@@ -0,0 +1,31 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controller
+
+import (
+ "time"
+
+ "k8s.io/client-go/rest"
+)
+
+// LeaderElectionConfig holds configuration for leader election
+type LeaderElectionConfig struct {
+ LockName string
+ LeaseDuration time.Duration
+ RenewDeadline time.Duration
+ RetryPeriod time.Duration
+ Namespace string
+ KubeConfig *rest.Config
+}
diff --git a/sessiongate/pkg/controller/registry.go b/sessiongate/pkg/controller/registry.go
new file mode 100644
index 0000000000..a866b11da3
--- /dev/null
+++ b/sessiongate/pkg/controller/registry.go
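Review bot: `isReadyForRegistration` never consults `Status.ExpiresAt`, so unless `IsReady()` (not in this diff) already folds expiry into the Ready condition, a session whose `ExpiresAt` has passed stays registered with live backend credentials on every replica until some other event flips the condition. Add a guard such as `if session.Status.ExpiresAt != nil && session.Status.ExpiresAt.Time.Before(time.Now()) { return false, "expired" }` (assuming `ExpiresAt` is a `*metav1.Time`) and requeue the key with `AddAfter` at the expiry instant so unregistration does not depend on an update event arriving. In `processNextWorkItem` the same sync error is reported twice, by `utilruntime.HandleErrorWithContext` and then by `klog.ErrorS`; keep one, and move the `logger :=` line below the `shutdown` check so no logger is built for the zero-value `objRef` returned on shutdown.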
@@ -0,0 +1,54 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controller
+
+import (
+ "k8s.io/client-go/rest"
+)
+
+// SessionOptions contains the configuration for registering a session.
+// This is defined in the controller package to avoid circular dependencies
+// between controller and server packages.
+type SessionOptions struct {
+ SessionID string
+ ResourceID string
+ RESTConfig *rest.Config
+}
+
+// NewSessionOptions creates a new SessionOptions with the given parameters
+func NewSessionOptions(sessionID string, resourceID string, restConfig *rest.Config) SessionOptions {
+ return SessionOptions{
+ SessionID: sessionID,
+ ResourceID: resourceID,
+ RESTConfig: restConfig,
+ }
+}
+
+// SessionRegistry defines the interface for registering and unregistering sessions
+// with a session server. This abstraction allows for easier testing by enabling
+// mock implementations.
+type SessionRegistry interface {
+ // RegisterSession registers a session with the given options and returns
+ // the public endpoint URL for accessing the session.
+ RegisterSession(opts SessionOptions) (string, error)
+
+ // UnregisterSession removes a session registration by its session ID.
+ UnregisterSession(sessionID string)
+
+ // GetSessionEndpoint computes the public endpoint URL for a session ID
+ // without registering it. This is useful for updating status before
+ // registration completes.
+ GetSessionEndpoint(sessionID string) string +} diff --git a/sessiongate/pkg/generated/applyconfiguration/internal/internal.go b/sessiongate/pkg/generated/applyconfiguration/internal/internal.go new file mode 100644 index 0000000000..cd505c0afc --- /dev/null +++ b/sessiongate/pkg/generated/applyconfiguration/internal/internal.go @@ -0,0 +1,59 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package internal + +import ( + fmt "fmt" + sync "sync" + + typed "sigs.k8s.io/structured-merge-diff/v6/typed" +) + +func Parser() *typed.Parser { + parserOnce.Do(func() { + var err error + parser, err = typed.NewParser(schemaYAML) + if err != nil { + panic(fmt.Sprintf("Failed to parse schema: %v", err)) + } + }) + return parser +} + +var parserOnce sync.Once +var parser *typed.Parser +var schemaYAML = typed.YAMLObject(`types: +- name: __untyped_atomic_ + scalar: untyped + list: + elementType: + namedType: __untyped_atomic_ + elementRelationship: atomic + map: + elementType: + namedType: __untyped_atomic_ + elementRelationship: atomic +- name: __untyped_deduced_ + scalar: untyped + list: + elementType: + namedType: __untyped_atomic_ + elementRelationship: atomic + map: + elementType: + namedType: __untyped_deduced_ + elementRelationship: separable +`) 
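Review bot: `SessionRegistry` keys registration, unregistration and endpoint computation on the bare `SessionID` string, and the only caller in this diff (dataplane/controller.go) passes `session.Name` for it, so if the session informer ever watches more than one namespace, two Sessions with the same name would register over and unregister each other and proxy traffic to the wrong backend. The interface doc should state the uniqueness requirement, e.g. `// SessionID must be unique across every Session the registry can see; the data plane passes the Session name, which is only unique while Sessions are confined to one namespace.`, or `SessionOptions` should carry the namespace as part of the key. The `SessionRegistry` interface itself is complete within this hunk.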
diff --git a/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/accesslevel.go b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/accesslevel.go new file mode 100644 index 0000000000..49f2fdfaa7 --- /dev/null +++ b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/accesslevel.go @@ -0,0 +1,36 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +// AccessLevelApplyConfiguration represents a declarative configuration of the AccessLevel type for use +// with apply. +type AccessLevelApplyConfiguration struct { + Group *string `json:"group,omitempty"` +} + +// AccessLevelApplyConfiguration constructs a declarative configuration of the AccessLevel type for use with +// apply. +func AccessLevel() *AccessLevelApplyConfiguration { + return &AccessLevelApplyConfiguration{} +} + +// WithGroup sets the Group field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Group field is set to the value of the last call. +func (b *AccessLevelApplyConfiguration) WithGroup(value string) *AccessLevelApplyConfiguration { + b.Group = &value + return b +} 
diff --git a/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/hostedcontrolplane.go b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/hostedcontrolplane.go new file mode 100644 index 0000000000..90ae511a80 --- /dev/null +++ b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/hostedcontrolplane.go 
@@ -0,0 +1,45 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +// HostedControlPlaneApplyConfiguration represents a declarative configuration of the HostedControlPlane type for use +// with apply. +type HostedControlPlaneApplyConfiguration struct { + ResourceID *string `json:"resourceId,omitempty"` + Namespace *string `json:"namespace,omitempty"` +} + +// HostedControlPlaneApplyConfiguration constructs a declarative configuration of the HostedControlPlane type for use with +// apply. +func HostedControlPlane() *HostedControlPlaneApplyConfiguration { + return &HostedControlPlaneApplyConfiguration{} +} + +// WithResourceID sets the ResourceID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceID field is set to the value of the last call. +func (b *HostedControlPlaneApplyConfiguration) WithResourceID(value string) *HostedControlPlaneApplyConfiguration { + b.ResourceID = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. 
+func (b *HostedControlPlaneApplyConfiguration) WithNamespace(value string) *HostedControlPlaneApplyConfiguration { + b.Namespace = &value + return b +} diff --git a/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/managementcluster.go b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/managementcluster.go new file mode 100644 index 0000000000..ef1b859d5b --- /dev/null +++ b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/managementcluster.go 
@@ -0,0 +1,36 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +// ManagementClusterApplyConfiguration represents a declarative configuration of the ManagementCluster type for use +// with apply. +type ManagementClusterApplyConfiguration struct { + ResourceID *string `json:"resourceId,omitempty"` +} + +// ManagementClusterApplyConfiguration constructs a declarative configuration of the ManagementCluster type for use with +// apply. +func ManagementCluster() *ManagementClusterApplyConfiguration { + return &ManagementClusterApplyConfiguration{} +} + +// WithResourceID sets the ResourceID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceID field is set to the value of the last call. +func (b *ManagementClusterApplyConfiguration) WithResourceID(value string) *ManagementClusterApplyConfiguration { + b.ResourceID = &value + return b +} diff --git a/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/principal.go b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/principal.go new file mode 100644 index 0000000000..b93e69439e --- /dev/null +++ b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/principal.go 
@@ -0,0 +1,49 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" +) + +// PrincipalApplyConfiguration represents a declarative configuration of the Principal type for use +// with apply. +type PrincipalApplyConfiguration struct { + Type *sessiongatev1alpha1.PrincipalType `json:"type,omitempty"` + UserPrincipal *UserPrincipalApplyConfiguration `json:"userPrincipal,omitempty"` +} + +// PrincipalApplyConfiguration constructs a declarative configuration of the Principal type for use with +// apply. +func Principal() *PrincipalApplyConfiguration { + return &PrincipalApplyConfiguration{} +} + +// WithType sets the Type field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Type field is set to the value of the last call. +func (b *PrincipalApplyConfiguration) WithType(value sessiongatev1alpha1.PrincipalType) *PrincipalApplyConfiguration { + b.Type = &value + return b +} + +// WithUserPrincipal sets the UserPrincipal field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. 
+// If called multiple times, the UserPrincipal field is set to the value of the last call. +func (b *PrincipalApplyConfiguration) WithUserPrincipal(value *UserPrincipalApplyConfiguration) *PrincipalApplyConfiguration { + b.UserPrincipal = value + return b +} diff --git a/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/session.go b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/session.go new file mode 100644 index 0000000000..60f6132b34 --- /dev/null +++ b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/session.go 
@@ -0,0 +1,239 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// SessionApplyConfiguration represents a declarative configuration of the Session type for use +// with apply. +type SessionApplyConfiguration struct { + v1.TypeMetaApplyConfiguration `json:",inline"` + *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` + Spec *SessionSpecApplyConfiguration `json:"spec,omitempty"` + Status *SessionStatusApplyConfiguration `json:"status,omitempty"` +} + +// Session constructs a declarative configuration of the Session type for use with +// apply. +func Session(name, namespace string) *SessionApplyConfiguration { + b := &SessionApplyConfiguration{} + b.WithName(name) + b.WithNamespace(namespace) + b.WithKind("Session") + b.WithAPIVersion("sessiongate.aro-hcp.azure.com/v1alpha1") + return b +} +func (b SessionApplyConfiguration) IsApplyConfiguration() {} + +// WithKind sets the Kind field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Kind field is set to the value of the last call. 
+func (b *SessionApplyConfiguration) WithKind(value string) *SessionApplyConfiguration { + b.TypeMetaApplyConfiguration.Kind = &value + return b +} + +// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the APIVersion field is set to the value of the last call. +func (b *SessionApplyConfiguration) WithAPIVersion(value string) *SessionApplyConfiguration { + b.TypeMetaApplyConfiguration.APIVersion = &value + return b +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *SessionApplyConfiguration) WithName(value string) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Name = &value + return b +} + +// WithGenerateName sets the GenerateName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the GenerateName field is set to the value of the last call. +func (b *SessionApplyConfiguration) WithGenerateName(value string) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.GenerateName = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. 
+func (b *SessionApplyConfiguration) WithNamespace(value string) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Namespace = &value + return b +} + +// WithUID sets the UID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UID field is set to the value of the last call. +func (b *SessionApplyConfiguration) WithUID(value types.UID) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.UID = &value + return b +} + +// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceVersion field is set to the value of the last call. +func (b *SessionApplyConfiguration) WithResourceVersion(value string) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.ResourceVersion = &value + return b +} + +// WithGeneration sets the Generation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Generation field is set to the value of the last call. +func (b *SessionApplyConfiguration) WithGeneration(value int64) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.Generation = &value + return b +} + +// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CreationTimestamp field is set to the value of the last call. 
+func (b *SessionApplyConfiguration) WithCreationTimestamp(value metav1.Time) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.CreationTimestamp = &value + return b +} + +// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionTimestamp field is set to the value of the last call. +func (b *SessionApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value + return b +} + +// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. +func (b *SessionApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value + return b +} + +// WithLabels puts the entries into the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Labels field, +// overwriting an existing map entries in Labels field with the same key. 
+func (b *SessionApplyConfiguration) WithLabels(entries map[string]string) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Labels[k] = v + } + return b +} + +// WithAnnotations puts the entries into the Annotations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Annotations field, +// overwriting an existing map entries in Annotations field with the same key. +func (b *SessionApplyConfiguration) WithAnnotations(entries map[string]string) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 { + b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.ObjectMetaApplyConfiguration.Annotations[k] = v + } + return b +} + +// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OwnerReferences field. 
+func (b *SessionApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOwnerReferences") + } + b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i]) + } + return b +} + +// WithFinalizers adds the given value to the Finalizers field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Finalizers field. +func (b *SessionApplyConfiguration) WithFinalizers(values ...string) *SessionApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i]) + } + return b +} + +func (b *SessionApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { + if b.ObjectMetaApplyConfiguration == nil { + b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{} + } +} + +// WithSpec sets the Spec field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Spec field is set to the value of the last call. +func (b *SessionApplyConfiguration) WithSpec(value *SessionSpecApplyConfiguration) *SessionApplyConfiguration { + b.Spec = value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Status field is set to the value of the last call. 
+func (b *SessionApplyConfiguration) WithStatus(value *SessionStatusApplyConfiguration) *SessionApplyConfiguration { + b.Status = value + return b +} + +// GetKind retrieves the value of the Kind field in the declarative configuration. +func (b *SessionApplyConfiguration) GetKind() *string { + return b.TypeMetaApplyConfiguration.Kind +} + +// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration. +func (b *SessionApplyConfiguration) GetAPIVersion() *string { + return b.TypeMetaApplyConfiguration.APIVersion +} + +// GetName retrieves the value of the Name field in the declarative configuration. +func (b *SessionApplyConfiguration) GetName() *string { + b.ensureObjectMetaApplyConfigurationExists() + return b.ObjectMetaApplyConfiguration.Name +} + +// GetNamespace retrieves the value of the Namespace field in the declarative configuration. +func (b *SessionApplyConfiguration) GetNamespace() *string { + b.ensureObjectMetaApplyConfigurationExists() + return b.ObjectMetaApplyConfiguration.Namespace +} diff --git a/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/sessionspec.go b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/sessionspec.go new file mode 100644 index 0000000000..e7072618ef --- /dev/null +++ b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/sessionspec.go 
@@ -0,0 +1,76 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// SessionSpecApplyConfiguration represents a declarative configuration of the SessionSpec type for use +// with apply. +type SessionSpecApplyConfiguration struct { + TTL *v1.Duration `json:"ttl,omitempty"` + ManagementCluster *ManagementClusterApplyConfiguration `json:"managementCluster,omitempty"` + HostedControlPlane *HostedControlPlaneApplyConfiguration `json:"hostedControlPlane,omitempty"` + AccessLevel *AccessLevelApplyConfiguration `json:"accessLevel,omitempty"` + Owner *PrincipalApplyConfiguration `json:"owner,omitempty"` +} + +// SessionSpecApplyConfiguration constructs a declarative configuration of the SessionSpec type for use with +// apply. +func SessionSpec() *SessionSpecApplyConfiguration { + return &SessionSpecApplyConfiguration{} +} + +// WithTTL sets the TTL field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TTL field is set to the value of the last call. 
+func (b *SessionSpecApplyConfiguration) WithTTL(value v1.Duration) *SessionSpecApplyConfiguration { + b.TTL = &value + return b +} + +// WithManagementCluster sets the ManagementCluster field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ManagementCluster field is set to the value of the last call. +func (b *SessionSpecApplyConfiguration) WithManagementCluster(value *ManagementClusterApplyConfiguration) *SessionSpecApplyConfiguration { + b.ManagementCluster = value + return b +} + +// WithHostedControlPlane sets the HostedControlPlane field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the HostedControlPlane field is set to the value of the last call. +func (b *SessionSpecApplyConfiguration) WithHostedControlPlane(value *HostedControlPlaneApplyConfiguration) *SessionSpecApplyConfiguration { + b.HostedControlPlane = value + return b +} + +// WithAccessLevel sets the AccessLevel field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the AccessLevel field is set to the value of the last call. +func (b *SessionSpecApplyConfiguration) WithAccessLevel(value *AccessLevelApplyConfiguration) *SessionSpecApplyConfiguration { + b.AccessLevel = value + return b +} + +// WithOwner sets the Owner field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Owner field is set to the value of the last call. 
+func (b *SessionSpecApplyConfiguration) WithOwner(value *PrincipalApplyConfiguration) *SessionSpecApplyConfiguration { + b.Owner = value + return b +} diff --git a/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/sessionstatus.go b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/sessionstatus.go new file mode 100644 index 0000000000..dbab17ce51 --- /dev/null +++ b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/sessionstatus.go 
@@ -0,0 +1,82 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// SessionStatusApplyConfiguration represents a declarative configuration of the SessionStatus type for use +// with apply. +type SessionStatusApplyConfiguration struct { + Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"` + ExpiresAt *metav1.Time `json:"expiresAt,omitempty"` + Endpoint *string `json:"endpoint,omitempty"` + CredentialsSecretRef *string `json:"credentialsSecretRef,omitempty"` + BackendKASURL *string `json:"backendKASURL,omitempty"` +} + +// SessionStatusApplyConfiguration constructs a declarative configuration of the SessionStatus type for use with +// apply. +func SessionStatus() *SessionStatusApplyConfiguration { + return &SessionStatusApplyConfiguration{} +} + +// WithConditions adds the given value to the Conditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Conditions field. 
+func (b *SessionStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *SessionStatusApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithConditions") + } + b.Conditions = append(b.Conditions, *values[i]) + } + return b +} + +// WithExpiresAt sets the ExpiresAt field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ExpiresAt field is set to the value of the last call. +func (b *SessionStatusApplyConfiguration) WithExpiresAt(value metav1.Time) *SessionStatusApplyConfiguration { + b.ExpiresAt = &value + return b +} + +// WithEndpoint sets the Endpoint field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Endpoint field is set to the value of the last call. +func (b *SessionStatusApplyConfiguration) WithEndpoint(value string) *SessionStatusApplyConfiguration { + b.Endpoint = &value + return b +} + +// WithCredentialsSecretRef sets the CredentialsSecretRef field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CredentialsSecretRef field is set to the value of the last call. +func (b *SessionStatusApplyConfiguration) WithCredentialsSecretRef(value string) *SessionStatusApplyConfiguration { + b.CredentialsSecretRef = &value + return b +} + +// WithBackendKASURL sets the BackendKASURL field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the BackendKASURL field is set to the value of the last call. 
+func (b *SessionStatusApplyConfiguration) WithBackendKASURL(value string) *SessionStatusApplyConfiguration { + b.BackendKASURL = &value + return b +} diff --git a/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/userprincipal.go b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/userprincipal.go new file mode 100644 index 0000000000..581600d4ec --- /dev/null +++ b/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1/userprincipal.go 
@@ -0,0 +1,45 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +// UserPrincipalApplyConfiguration represents a declarative configuration of the UserPrincipal type for use +// with apply. +type UserPrincipalApplyConfiguration struct { + Name *string `json:"name,omitempty"` + Claim *string `json:"claim,omitempty"` +} + +// UserPrincipalApplyConfiguration constructs a declarative configuration of the UserPrincipal type for use with +// apply. +func UserPrincipal() *UserPrincipalApplyConfiguration { + return &UserPrincipalApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *UserPrincipalApplyConfiguration) WithName(value string) *UserPrincipalApplyConfiguration { + b.Name = &value + return b +} + +// WithClaim sets the Claim field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Claim field is set to the value of the last call. 
+func (b *UserPrincipalApplyConfiguration) WithClaim(value string) *UserPrincipalApplyConfiguration { + b.Claim = &value + return b +} diff --git a/sessiongate/pkg/generated/applyconfiguration/utils.go b/sessiongate/pkg/generated/applyconfiguration/utils.go new file mode 100644 index 0000000000..0754e9636b --- /dev/null +++ b/sessiongate/pkg/generated/applyconfiguration/utils.go 
@@ -0,0 +1,56 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package applyconfiguration + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + managedfields "k8s.io/apimachinery/pkg/util/managedfields" + + v1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" + internal "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/applyconfiguration/internal" + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1" +) + +// ForKind returns an apply configuration type for the given GroupVersionKind, or nil if no +// apply configuration type exists for the given GroupVersionKind. 
+func ForKind(kind schema.GroupVersionKind) interface{} { + switch kind { + // Group=sessiongate.aro-hcp.azure.com, Version=v1alpha1 + case v1alpha1.SchemeGroupVersion.WithKind("AccessLevel"): + return &sessiongatev1alpha1.AccessLevelApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("HostedControlPlane"): + return &sessiongatev1alpha1.HostedControlPlaneApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("ManagementCluster"): + return &sessiongatev1alpha1.ManagementClusterApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("Principal"): + return &sessiongatev1alpha1.PrincipalApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("Session"): + return &sessiongatev1alpha1.SessionApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("SessionSpec"): + return &sessiongatev1alpha1.SessionSpecApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("SessionStatus"): + return &sessiongatev1alpha1.SessionStatusApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("UserPrincipal"): + return &sessiongatev1alpha1.UserPrincipalApplyConfiguration{} + + } + return nil +} + +func NewTypeConverter(scheme *runtime.Scheme) managedfields.TypeConverter { + return managedfields.NewSchemeTypeConverter(scheme, internal.Parser()) +} diff --git a/sessiongate/pkg/generated/clientset/versioned/clientset.go b/sessiongate/pkg/generated/clientset/versioned/clientset.go new file mode 100644 index 0000000000..b34a4a9949 --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/clientset.go 
@@ -0,0 +1,118 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +package versioned + +import ( + fmt "fmt" + http "net/http" + + discovery "k8s.io/client-go/discovery" + rest "k8s.io/client-go/rest" + flowcontrol "k8s.io/client-go/util/flowcontrol" + + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1" +) + +type Interface interface { + Discovery() discovery.DiscoveryInterface + SessiongateV1alpha1() sessiongatev1alpha1.SessiongateV1alpha1Interface +} + +// Clientset contains the clients for groups. +type Clientset struct { + *discovery.DiscoveryClient + sessiongateV1alpha1 *sessiongatev1alpha1.SessiongateV1alpha1Client +} + +// SessiongateV1alpha1 retrieves the SessiongateV1alpha1Client +func (c *Clientset) SessiongateV1alpha1() sessiongatev1alpha1.SessiongateV1alpha1Interface { + return c.sessiongateV1alpha1 +} + +// Discovery retrieves the DiscoveryClient +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + if c == nil { + return nil + } + return c.DiscoveryClient +} + +// NewForConfig creates a new Clientset for the given config. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfig will generate a rate-limiter in configShallowCopy. 
+// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*Clientset, error) { + configShallowCopy := *c + + if configShallowCopy.UserAgent == "" { + configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent() + } + + // share the transport between all clients + httpClient, err := rest.HTTPClientFor(&configShallowCopy) + if err != nil { + return nil, err + } + + return NewForConfigAndClient(&configShallowCopy, httpClient) +} + +// NewForConfigAndClient creates a new Clientset for the given config and http client. +// Note the http client provided takes precedence over the configured transport values. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfigAndClient will generate a rate-limiter in configShallowCopy. +func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, error) { + configShallowCopy := *c + if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { + if configShallowCopy.Burst <= 0 { + return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") + } + configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) + } + + var cs Clientset + var err error + cs.sessiongateV1alpha1, err = sessiongatev1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } + + cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient) + if err != nil { + return nil, err + } + return &cs, nil +} + +// NewForConfigOrDie creates a new Clientset for the given config and +// panics if there is an error in the config. 
+func NewForConfigOrDie(c *rest.Config) *Clientset { + cs, err := NewForConfig(c) + if err != nil { + panic(err) + } + return cs +} + +// New creates a new Clientset for the given RESTClient. +func New(c rest.Interface) *Clientset { + var cs Clientset + cs.sessiongateV1alpha1 = sessiongatev1alpha1.New(c) + + cs.DiscoveryClient = discovery.NewDiscoveryClient(c) + return &cs +} diff --git a/sessiongate/pkg/generated/clientset/versioned/fake/clientset_generated.go b/sessiongate/pkg/generated/clientset/versioned/fake/clientset_generated.go new file mode 100644 index 0000000000..9f216bd4dd --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/fake/clientset_generated.go 
@@ -0,0 +1,129 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/discovery" + fakediscovery "k8s.io/client-go/discovery/fake" + "k8s.io/client-go/testing" + + applyconfiguration "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/applyconfiguration" + clientset "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned" + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1" + fakesessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/fake" +) + +// NewSimpleClientset returns a clientset that will respond with the provided objects. +// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, +// without applying any field management, validations and/or defaults. It shouldn't be considered a replacement +// for a real clientset and is mostly useful in simple unit tests. +// +// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves +// server side apply testing. NewClientset is only available when apply configurations are generated (e.g. +// via --with-applyconfig). 
+func NewSimpleClientset(objects ...runtime.Object) *Clientset { + o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) + for _, obj := range objects { + if err := o.Add(obj); err != nil { + panic(err) + } + } + + cs := &Clientset{tracker: o} + cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} + cs.AddReactor("*", "*", testing.ObjectReaction(o)) + cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { + var opts metav1.ListOptions + if watchActcion, ok := action.(testing.WatchActionImpl); ok { + opts = watchActcion.ListOptions + } + gvr := action.GetResource() + ns := action.GetNamespace() + watch, err := o.Watch(gvr, ns, opts) + if err != nil { + return false, nil, err + } + return true, watch, nil + }) + + return cs +} + +// Clientset implements clientset.Interface. Meant to be embedded into a +// struct to get a default implementation. This makes faking out just the method +// you want to test easier. +type Clientset struct { + testing.Fake + discovery *fakediscovery.FakeDiscovery + tracker testing.ObjectTracker +} + +func (c *Clientset) Discovery() discovery.DiscoveryInterface { + return c.discovery +} + +func (c *Clientset) Tracker() testing.ObjectTracker { + return c.tracker +} + +// NewClientset returns a clientset that will respond with the provided objects. +// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, +// without applying any validations and/or defaults. It shouldn't be considered a replacement +// for a real clientset and is mostly useful in simple unit tests. 
+func NewClientset(objects ...runtime.Object) *Clientset { + o := testing.NewFieldManagedObjectTracker( + scheme, + codecs.UniversalDecoder(), + applyconfiguration.NewTypeConverter(scheme), + ) + for _, obj := range objects { + if err := o.Add(obj); err != nil { + panic(err) + } + } + + cs := &Clientset{tracker: o} + cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} + cs.AddReactor("*", "*", testing.ObjectReaction(o)) + cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { + var opts metav1.ListOptions + if watchAction, ok := action.(testing.WatchActionImpl); ok { + opts = watchAction.ListOptions + } + gvr := action.GetResource() + ns := action.GetNamespace() + watch, err := o.Watch(gvr, ns, opts) + if err != nil { + return false, nil, err + } + return true, watch, nil + }) + + return cs +} + +var ( + _ clientset.Interface = &Clientset{} + _ testing.FakeClient = &Clientset{} +) + +// SessiongateV1alpha1 retrieves the SessiongateV1alpha1Client +func (c *Clientset) SessiongateV1alpha1() sessiongatev1alpha1.SessiongateV1alpha1Interface { + return &fakesessiongatev1alpha1.FakeSessiongateV1alpha1{Fake: &c.Fake} +} diff --git a/sessiongate/pkg/generated/clientset/versioned/fake/doc.go b/sessiongate/pkg/generated/clientset/versioned/fake/doc.go new file mode 100644 index 0000000000..600bdf0658 --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/fake/doc.go 
@@ -0,0 +1,17 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated fake clientset. +package fake diff --git a/sessiongate/pkg/generated/clientset/versioned/fake/register.go b/sessiongate/pkg/generated/clientset/versioned/fake/register.go new file mode 100644 index 0000000000..382105e439 --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/fake/register.go 
@@ -0,0 +1,54 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" +) + +var scheme = runtime.NewScheme() +var codecs = serializer.NewCodecFactory(scheme) + +var localSchemeBuilder = runtime.SchemeBuilder{ + sessiongatev1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. +var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(scheme)) +} 
diff --git a/sessiongate/pkg/generated/clientset/versioned/scheme/doc.go b/sessiongate/pkg/generated/clientset/versioned/scheme/doc.go new file mode 100644 index 0000000000..62a4da4a9e --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/scheme/doc.go @@ -0,0 +1,17 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +// This package contains the scheme of the automatically generated clientset. +package scheme diff --git a/sessiongate/pkg/generated/clientset/versioned/scheme/register.go b/sessiongate/pkg/generated/clientset/versioned/scheme/register.go new file mode 100644 index 0000000000..9a026e52da --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/scheme/register.go 
@@ -0,0 +1,54 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +package scheme + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + serializer "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" +) + +var Scheme = runtime.NewScheme() +var Codecs = serializer.NewCodecFactory(Scheme) +var ParameterCodec = runtime.NewParameterCodec(Scheme) +var localSchemeBuilder = runtime.SchemeBuilder{ + sessiongatev1alpha1.AddToScheme, +} + +// AddToScheme adds all types of this clientset into the given scheme. This allows composition +// of clientsets, like in: +// +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) +// +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// +// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types +// correctly. 
+var AddToScheme = localSchemeBuilder.AddToScheme + +func init() { + v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) + utilruntime.Must(AddToScheme(Scheme)) +} diff --git a/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/doc.go b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/doc.go new file mode 100644 index 0000000000..c040c8e2e8 --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/doc.go @@ -0,0 +1,17 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/fake/doc.go b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/fake/doc.go new file mode 100644 index 0000000000..95b6a17460 --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/fake/doc.go 
@@ -0,0 +1,17 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/fake/fake_session.go b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/fake/fake_session.go new file mode 100644 index 0000000000..5f3fc914da --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/fake/fake_session.go 
@@ -0,0 +1,49 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + gentype "k8s.io/client-go/gentype" + + v1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1" + typedsessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1" +) + +// fakeSessions implements SessionInterface +type fakeSessions struct { + *gentype.FakeClientWithListAndApply[*v1alpha1.Session, *v1alpha1.SessionList, *sessiongatev1alpha1.SessionApplyConfiguration] + Fake *FakeSessiongateV1alpha1 +} + +func newFakeSessions(fake *FakeSessiongateV1alpha1, namespace string) typedsessiongatev1alpha1.SessionInterface { + return &fakeSessions{ + gentype.NewFakeClientWithListAndApply[*v1alpha1.Session, *v1alpha1.SessionList, *sessiongatev1alpha1.SessionApplyConfiguration]( + fake.Fake, + namespace, + v1alpha1.SchemeGroupVersion.WithResource("sessions"), + v1alpha1.SchemeGroupVersion.WithKind("Session"), + func() *v1alpha1.Session { return &v1alpha1.Session{} }, + func() *v1alpha1.SessionList { return &v1alpha1.SessionList{} }, + func(dst, src *v1alpha1.SessionList) { dst.ListMeta = src.ListMeta }, + func(list *v1alpha1.SessionList) []*v1alpha1.Session { return 
gentype.ToPointerSlice(list.Items) }, + func(list *v1alpha1.SessionList, items []*v1alpha1.Session) { + list.Items = gentype.FromPointerSlice(items) + }, + ), + fake, + } +} diff --git a/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/fake/fake_sessiongate_client.go b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/fake/fake_sessiongate_client.go new file mode 100644 index 0000000000..5e31bdc1d8 --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/fake/fake_sessiongate_client.go @@ -0,0 +1,38 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" + + v1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1" +) + +type FakeSessiongateV1alpha1 struct { + *testing.Fake +} + +func (c *FakeSessiongateV1alpha1) Sessions(namespace string) v1alpha1.SessionInterface { + return newFakeSessions(c, namespace) +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeSessiongateV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} 
diff --git a/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/generated_expansion.go b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/generated_expansion.go new file mode 100644 index 0000000000..0efcbfa964 --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/generated_expansion.go @@ -0,0 +1,18 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type SessionExpansion interface{} diff --git a/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/session.go b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/session.go new file mode 100644 index 0000000000..5b4b64f620 --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/session.go 
@@ -0,0 +1,72 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + context "context" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + gentype "k8s.io/client-go/gentype" + + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" + applyconfigurationsessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/applyconfiguration/sessiongate/v1alpha1" + scheme "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned/scheme" +) + +// SessionsGetter has a method to return a SessionInterface. +// A group's client should implement this interface. +type SessionsGetter interface { + Sessions(namespace string) SessionInterface +} + +// SessionInterface has methods to work with Session resources. +type SessionInterface interface { + Create(ctx context.Context, session *sessiongatev1alpha1.Session, opts v1.CreateOptions) (*sessiongatev1alpha1.Session, error) + Update(ctx context.Context, session *sessiongatev1alpha1.Session, opts v1.UpdateOptions) (*sessiongatev1alpha1.Session, error) + // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+ UpdateStatus(ctx context.Context, session *sessiongatev1alpha1.Session, opts v1.UpdateOptions) (*sessiongatev1alpha1.Session, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*sessiongatev1alpha1.Session, error) + List(ctx context.Context, opts v1.ListOptions) (*sessiongatev1alpha1.SessionList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *sessiongatev1alpha1.Session, err error) + Apply(ctx context.Context, session *applyconfigurationsessiongatev1alpha1.SessionApplyConfiguration, opts v1.ApplyOptions) (result *sessiongatev1alpha1.Session, err error) + // Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus(). + ApplyStatus(ctx context.Context, session *applyconfigurationsessiongatev1alpha1.SessionApplyConfiguration, opts v1.ApplyOptions) (result *sessiongatev1alpha1.Session, err error) + SessionExpansion +} + +// sessions implements SessionInterface +type sessions struct { + *gentype.ClientWithListAndApply[*sessiongatev1alpha1.Session, *sessiongatev1alpha1.SessionList, *applyconfigurationsessiongatev1alpha1.SessionApplyConfiguration] +} + +// newSessions returns a Sessions +func newSessions(c *SessiongateV1alpha1Client, namespace string) *sessions { + return &sessions{ + gentype.NewClientWithListAndApply[*sessiongatev1alpha1.Session, *sessiongatev1alpha1.SessionList, *applyconfigurationsessiongatev1alpha1.SessionApplyConfiguration]( + "sessions", + c.RESTClient(), + scheme.ParameterCodec, + namespace, + func() *sessiongatev1alpha1.Session { return &sessiongatev1alpha1.Session{} }, + func() *sessiongatev1alpha1.SessionList { return &sessiongatev1alpha1.SessionList{} }, + ), + } +} 
diff --git a/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/sessiongate_client.go b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/sessiongate_client.go new file mode 100644 index 0000000000..51543d12ef --- /dev/null +++ b/sessiongate/pkg/generated/clientset/versioned/typed/sessiongate/v1alpha1/sessiongate_client.go 
@@ -0,0 +1,99 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + http "net/http" + + rest "k8s.io/client-go/rest" + + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" + scheme "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned/scheme" +) + +type SessiongateV1alpha1Interface interface { + RESTClient() rest.Interface + SessionsGetter +} + +// SessiongateV1alpha1Client is used to interact with features provided by the sessiongate.aro-hcp.azure.com group. +type SessiongateV1alpha1Client struct { + restClient rest.Interface +} + +func (c *SessiongateV1alpha1Client) Sessions(namespace string) SessionInterface { + return newSessions(c, namespace) +} + +// NewForConfig creates a new SessiongateV1alpha1Client for the given config. +// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient), +// where httpClient was generated with rest.HTTPClientFor(c). +func NewForConfig(c *rest.Config) (*SessiongateV1alpha1Client, error) { + config := *c + setConfigDefaults(&config) + httpClient, err := rest.HTTPClientFor(&config) + if err != nil { + return nil, err + } + return NewForConfigAndClient(&config, httpClient) +} + +// NewForConfigAndClient creates a new SessiongateV1alpha1Client for the given config and http client. 
+// Note the http client provided takes precedence over the configured transport values. +func NewForConfigAndClient(c *rest.Config, h *http.Client) (*SessiongateV1alpha1Client, error) { + config := *c + setConfigDefaults(&config) + client, err := rest.RESTClientForConfigAndClient(&config, h) + if err != nil { + return nil, err + } + return &SessiongateV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new SessiongateV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *SessiongateV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new SessiongateV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *SessiongateV1alpha1Client { + return &SessiongateV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) { + gv := sessiongatev1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = rest.CodecFactoryForGeneratedClient(scheme.Scheme, scheme.Codecs).WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *SessiongateV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/sessiongate/pkg/generated/informers/externalversions/factory.go b/sessiongate/pkg/generated/informers/externalversions/factory.go new file mode 100644 index 0000000000..71090ea8ca --- /dev/null +++ b/sessiongate/pkg/generated/informers/externalversions/factory.go 
@@ -0,0 +1,260 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by informer-gen. DO NOT EDIT. + +package externalversions + +import ( + reflect "reflect" + sync "sync" + time "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" + cache "k8s.io/client-go/tools/cache" + + versioned "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned" + internalinterfaces "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/informers/externalversions/internalinterfaces" + sessiongate "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/informers/externalversions/sessiongate" +) + +// SharedInformerOption defines the functional option type for SharedInformerFactory. +type SharedInformerOption func(*sharedInformerFactory) *sharedInformerFactory + +type sharedInformerFactory struct { + client versioned.Interface + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc + lock sync.Mutex + defaultResync time.Duration + customResync map[reflect.Type]time.Duration + transform cache.TransformFunc + + informers map[reflect.Type]cache.SharedIndexInformer + // startedInformers is used for tracking which informers have been started. + // This allows Start() to be called multiple times safely. + startedInformers map[reflect.Type]bool + // wg tracks how many goroutines were started. 
+ wg sync.WaitGroup + // shuttingDown is true when Shutdown has been called. It may still be running + // because it needs to wait for goroutines. + shuttingDown bool +} + +// WithCustomResyncConfig sets a custom resync period for the specified informer types. +func WithCustomResyncConfig(resyncConfig map[v1.Object]time.Duration) SharedInformerOption { + return func(factory *sharedInformerFactory) *sharedInformerFactory { + for k, v := range resyncConfig { + factory.customResync[reflect.TypeOf(k)] = v + } + return factory + } +} + +// WithTweakListOptions sets a custom filter on all listers of the configured SharedInformerFactory. +func WithTweakListOptions(tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerOption { + return func(factory *sharedInformerFactory) *sharedInformerFactory { + factory.tweakListOptions = tweakListOptions + return factory + } +} + +// WithNamespace limits the SharedInformerFactory to the specified namespace. +func WithNamespace(namespace string) SharedInformerOption { + return func(factory *sharedInformerFactory) *sharedInformerFactory { + factory.namespace = namespace + return factory + } +} + +// WithTransform sets a transform on all informers. +func WithTransform(transform cache.TransformFunc) SharedInformerOption { + return func(factory *sharedInformerFactory) *sharedInformerFactory { + factory.transform = transform + return factory + } +} + +// NewSharedInformerFactory constructs a new instance of sharedInformerFactory for all namespaces. +func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Duration) SharedInformerFactory { + return NewSharedInformerFactoryWithOptions(client, defaultResync) +} + +// NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory. +// Listers obtained via this SharedInformerFactory will be subject to the same filters +// as specified here. 
+// Deprecated: Please use NewSharedInformerFactoryWithOptions instead +func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory { + return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions)) +} + +// NewSharedInformerFactoryWithOptions constructs a new instance of a SharedInformerFactory with additional options. +func NewSharedInformerFactoryWithOptions(client versioned.Interface, defaultResync time.Duration, options ...SharedInformerOption) SharedInformerFactory { + factory := &sharedInformerFactory{ + client: client, + namespace: v1.NamespaceAll, + defaultResync: defaultResync, + informers: make(map[reflect.Type]cache.SharedIndexInformer), + startedInformers: make(map[reflect.Type]bool), + customResync: make(map[reflect.Type]time.Duration), + } + + // Apply all options + for _, opt := range options { + factory = opt(factory) + } + + return factory +} + +func (f *sharedInformerFactory) Start(stopCh <-chan struct{}) { + f.lock.Lock() + defer f.lock.Unlock() + + if f.shuttingDown { + return + } + + for informerType, informer := range f.informers { + if !f.startedInformers[informerType] { + f.wg.Add(1) + // We need a new variable in each loop iteration, + // otherwise the goroutine would use the loop variable + // and that keeps changing. + informer := informer + go func() { + defer f.wg.Done() + informer.Run(stopCh) + }() + f.startedInformers[informerType] = true + } + } +} + +func (f *sharedInformerFactory) Shutdown() { + f.lock.Lock() + f.shuttingDown = true + f.lock.Unlock() + + // Will return immediately if there is nothing to wait for. 
+ f.wg.Wait() +} + +func (f *sharedInformerFactory) WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool { + informers := func() map[reflect.Type]cache.SharedIndexInformer { + f.lock.Lock() + defer f.lock.Unlock() + + informers := map[reflect.Type]cache.SharedIndexInformer{} + for informerType, informer := range f.informers { + if f.startedInformers[informerType] { + informers[informerType] = informer + } + } + return informers + }() + + res := map[reflect.Type]bool{} + for informType, informer := range informers { + res[informType] = cache.WaitForCacheSync(stopCh, informer.HasSynced) + } + return res +} + +// InformerFor returns the SharedIndexInformer for obj using an internal +// client. +func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer { + f.lock.Lock() + defer f.lock.Unlock() + + informerType := reflect.TypeOf(obj) + informer, exists := f.informers[informerType] + if exists { + return informer + } + + resyncPeriod, exists := f.customResync[informerType] + if !exists { + resyncPeriod = f.defaultResync + } + + informer = newFunc(f.client, resyncPeriod) + informer.SetTransform(f.transform) + f.informers[informerType] = informer + + return informer +} + +// SharedInformerFactory provides shared informers for resources in all known +// API group versions. +// +// It is typically used like this: +// +// ctx, cancel := context.Background() +// defer cancel() +// factory := NewSharedInformerFactory(client, resyncPeriod) +// defer factory.WaitForStop() // Returns immediately if nothing was started. +// genericInformer := factory.ForResource(resource) +// typedInformer := factory.SomeAPIGroup().V1().SomeType() +// factory.Start(ctx.Done()) // Start processing these informers. 
+// synced := factory.WaitForCacheSync(ctx.Done()) +// for v, ok := range synced { +// if !ok { +// fmt.Fprintf(os.Stderr, "caches failed to sync: %v", v) +// return +// } +// } +// +// // Creating informers can also be created after Start, but then +// // Start must be called again: +// anotherGenericInformer := factory.ForResource(resource) +// factory.Start(ctx.Done()) +type SharedInformerFactory interface { + internalinterfaces.SharedInformerFactory + + // Start initializes all requested informers. They are handled in goroutines + // which run until the stop channel gets closed. + // Warning: Start does not block. When run in a go-routine, it will race with a later WaitForCacheSync. + Start(stopCh <-chan struct{}) + + // Shutdown marks a factory as shutting down. At that point no new + // informers can be started anymore and Start will return without + // doing anything. + // + // In addition, Shutdown blocks until all goroutines have terminated. For that + // to happen, the close channel(s) that they were started with must be closed, + // either before Shutdown gets called or while it is waiting. + // + // Shutdown may be called multiple times, even concurrently. All such calls will + // block until all goroutines have terminated. + Shutdown() + + // WaitForCacheSync blocks until all started informers' caches were synced + // or the stop channel gets closed. + WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool + + // ForResource gives generic access to a shared informer of the matching type. + ForResource(resource schema.GroupVersionResource) (GenericInformer, error) + + // InformerFor returns the SharedIndexInformer for obj using an internal + // client. + InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer + + Sessiongate() sessiongate.Interface +} + +func (f *sharedInformerFactory) Sessiongate() sessiongate.Interface { + return sessiongate.New(f, f.namespace, f.tweakListOptions) +} 
diff --git a/sessiongate/pkg/generated/informers/externalversions/generic.go b/sessiongate/pkg/generated/informers/externalversions/generic.go
new file mode 100644
index 0000000000..d0ccb14088
--- /dev/null
+++ b/sessiongate/pkg/generated/informers/externalversions/generic.go
@@ -0,0 +1,60 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by informer-gen. DO NOT EDIT. + +package externalversions + +import ( + fmt "fmt" + + schema "k8s.io/apimachinery/pkg/runtime/schema" + cache "k8s.io/client-go/tools/cache" + + v1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" +) + +// GenericInformer is type of SharedIndexInformer which will locate and delegate to other +// sharedInformers based on type +type GenericInformer interface { + Informer() cache.SharedIndexInformer + Lister() cache.GenericLister +} + +type genericInformer struct { + informer cache.SharedIndexInformer + resource schema.GroupResource +} + +// Informer returns the SharedIndexInformer. +func (f *genericInformer) Informer() cache.SharedIndexInformer { + return f.informer +} + +// Lister returns the GenericLister. 
+func (f *genericInformer) Lister() cache.GenericLister { + return cache.NewGenericLister(f.Informer().GetIndexer(), f.resource) +} + +// ForResource gives generic access to a shared informer of the matching type +// TODO extend this to unknown resources with a client pool +func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) { + switch resource { + // Group=sessiongate.aro-hcp.azure.com, Version=v1alpha1 + case v1alpha1.SchemeGroupVersion.WithResource("sessions"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Sessiongate().V1alpha1().Sessions().Informer()}, nil + + } + + return nil, fmt.Errorf("no informer found for %v", resource) +} diff --git a/sessiongate/pkg/generated/informers/externalversions/internalinterfaces/factory_interfaces.go b/sessiongate/pkg/generated/informers/externalversions/internalinterfaces/factory_interfaces.go new file mode 100644 index 0000000000..4c0e2e668d --- /dev/null +++ b/sessiongate/pkg/generated/informers/externalversions/internalinterfaces/factory_interfaces.go 
@@ -0,0 +1,38 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by informer-gen. DO NOT EDIT. + +package internalinterfaces + +import ( + time "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + cache "k8s.io/client-go/tools/cache" + + versioned "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned" +) + +// NewInformerFunc takes versioned.Interface and time.Duration to return a SharedIndexInformer. +type NewInformerFunc func(versioned.Interface, time.Duration) cache.SharedIndexInformer + +// SharedInformerFactory a small interface to allow for adding an informer without an import cycle +type SharedInformerFactory interface { + Start(stopCh <-chan struct{}) + InformerFor(obj runtime.Object, newFunc NewInformerFunc) cache.SharedIndexInformer +} + +// TweakListOptionsFunc is a function that transforms a v1.ListOptions. +type TweakListOptionsFunc func(*v1.ListOptions) diff --git a/sessiongate/pkg/generated/informers/externalversions/sessiongate/interface.go b/sessiongate/pkg/generated/informers/externalversions/sessiongate/interface.go new file mode 100644 index 0000000000..56ce22b001 --- /dev/null +++ b/sessiongate/pkg/generated/informers/externalversions/sessiongate/interface.go 
@@ -0,0 +1,43 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by informer-gen. DO NOT EDIT. + +package sessiongate + +import ( + internalinterfaces "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/informers/externalversions/internalinterfaces" + v1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/informers/externalversions/sessiongate/v1alpha1" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/sessiongate/pkg/generated/informers/externalversions/sessiongate/v1alpha1/interface.go b/sessiongate/pkg/generated/informers/externalversions/sessiongate/v1alpha1/interface.go new file mode 100644 index 0000000000..6d6a1c7f50 --- /dev/null 
+++ b/sessiongate/pkg/generated/informers/externalversions/sessiongate/v1alpha1/interface.go @@ -0,0 +1,42 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // Sessions returns a SessionInformer. + Sessions() SessionInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// Sessions returns a SessionInformer. +func (v *version) Sessions() SessionInformer { + return &sessionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/sessiongate/pkg/generated/informers/externalversions/sessiongate/v1alpha1/session.go b/sessiongate/pkg/generated/informers/externalversions/sessiongate/v1alpha1/session.go new file mode 100644 index 0000000000..32ba108f8a --- /dev/null 
+++ b/sessiongate/pkg/generated/informers/externalversions/sessiongate/v1alpha1/session.go 
@@ -0,0 +1,100 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + context "context" + time "time" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" + + apissessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" + versioned "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/clientset/versioned" + internalinterfaces "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/informers/externalversions/internalinterfaces" + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/generated/listers/sessiongate/v1alpha1" +) + +// SessionInformer provides access to a shared informer and lister for +// Sessions. +type SessionInformer interface { + Informer() cache.SharedIndexInformer + Lister() sessiongatev1alpha1.SessionLister +} + +type sessionInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewSessionInformer constructs a new informer for Session type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewSessionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredSessionInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredSessionInformer constructs a new informer for Session type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredSessionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.SessiongateV1alpha1().Sessions(namespace).List(context.Background(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.SessiongateV1alpha1().Sessions(namespace).Watch(context.Background(), options) + }, + ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.SessiongateV1alpha1().Sessions(namespace).List(ctx, options) + }, + WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.SessiongateV1alpha1().Sessions(namespace).Watch(ctx, options) + }, + }, + &apissessiongatev1alpha1.Session{}, + resyncPeriod, + indexers, + ) +} + +func (f *sessionInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredSessionInformer(client, f.namespace, 
resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *sessionInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&apissessiongatev1alpha1.Session{}, f.defaultInformer) +} + +func (f *sessionInformer) Lister() sessiongatev1alpha1.SessionLister { + return sessiongatev1alpha1.NewSessionLister(f.Informer().GetIndexer()) +} diff --git a/sessiongate/pkg/generated/listers/sessiongate/v1alpha1/expansion_generated.go b/sessiongate/pkg/generated/listers/sessiongate/v1alpha1/expansion_generated.go new file mode 100644 index 0000000000..348854d4a9 --- /dev/null +++ b/sessiongate/pkg/generated/listers/sessiongate/v1alpha1/expansion_generated.go @@ -0,0 +1,24 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// SessionListerExpansion allows custom methods to be added to +// SessionLister. +type SessionListerExpansion interface{} + +// SessionNamespaceListerExpansion allows custom methods to be added to +// SessionNamespaceLister. +type SessionNamespaceListerExpansion interface{} diff --git a/sessiongate/pkg/generated/listers/sessiongate/v1alpha1/session.go b/sessiongate/pkg/generated/listers/sessiongate/v1alpha1/session.go new file mode 100644 index 0000000000..ab75fbe047 --- /dev/null +++ b/sessiongate/pkg/generated/listers/sessiongate/v1alpha1/session.go 
@@ -0,0 +1,68 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + labels "k8s.io/apimachinery/pkg/labels" + listers "k8s.io/client-go/listers" + cache "k8s.io/client-go/tools/cache" + + sessiongatev1alpha1 "github.com/Azure/ARO-HCP/sessiongate/pkg/apis/sessiongate/v1alpha1" +) + +// SessionLister helps list Sessions. +// All objects returned here must be treated as read-only. +type SessionLister interface { + // List lists all Sessions in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*sessiongatev1alpha1.Session, err error) + // Sessions returns an object that can list and get Sessions. + Sessions(namespace string) SessionNamespaceLister + SessionListerExpansion +} + +// sessionLister implements the SessionLister interface. +type sessionLister struct { + listers.ResourceIndexer[*sessiongatev1alpha1.Session] +} + +// NewSessionLister returns a new SessionLister. +func NewSessionLister(indexer cache.Indexer) SessionLister { + return &sessionLister{listers.New[*sessiongatev1alpha1.Session](indexer, sessiongatev1alpha1.Resource("session"))} +} + +// Sessions returns an object that can list and get Sessions. 
+func (s *sessionLister) Sessions(namespace string) SessionNamespaceLister { + return sessionNamespaceLister{listers.NewNamespaced[*sessiongatev1alpha1.Session](s.ResourceIndexer, namespace)} +} + +// SessionNamespaceLister helps list and get Sessions. +// All objects returned here must be treated as read-only. +type SessionNamespaceLister interface { + // List lists all Sessions in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*sessiongatev1alpha1.Session, err error) + // Get retrieves the Session from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*sessiongatev1alpha1.Session, error) + SessionNamespaceListerExpansion +} + +// sessionNamespaceLister implements the SessionNamespaceLister +// interface. +type sessionNamespaceLister struct { + listers.ResourceIndexer[*sessiongatev1alpha1.Session] +} diff --git a/sessiongate/pkg/mc/hcpprovider.go b/sessiongate/pkg/mc/hcpprovider.go new file mode 100644 index 0000000000..33607f1fbe --- /dev/null +++ b/sessiongate/pkg/mc/hcpprovider.go 
@@ -0,0 +1,291 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mc
+
+import (
+ "context"
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/sha256"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/hex"
+ "encoding/pem"
+ "errors"
+ "fmt"
+ "io"
+ "strings"
+
+ certificatesv1 "k8s.io/api/certificates/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/client-go/kubernetes"
+ "k8s.io/klog/v2"
+
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore"
+
+ hypershiftv1beta1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+ certificatesv1alpha1apply "github.com/openshift/hypershift/client/applyconfiguration/certificates/v1alpha1"
+ hypershiftclientset "github.com/openshift/hypershift/client/clientset/clientset"
+ certificatesclientv1alpha1 "github.com/openshift/hypershift/client/clientset/clientset/typed/certificates/v1alpha1"
+)
+
+const (
+ defaultExpirationSeconds = int32(86353) // ~24 hours
+
+ // AnnotationCSRDigest is used to track the digest of the CSR inputs (private key + subject)
+ AnnotationCSRDigest = "sessiongate.aro-hcp.azure.com/csr-digest"
+
+ // AnnotationClusterReference is used to track the cluster cluster backref for a HostedControlPlane CR
+ AnnotationClusterReference = "hypershift.openshift.io/cluster"
+)
+
+type HostedClusterProvider interface {
+ GetHostedCluster(ctx context.Context, namespace string) (*hypershiftv1beta1.HostedCluster, error)
+
+ // MintCertificate mints break-glass credentials for a hosted control plane.
+ // This function is idempotent - safe to call repeatedly until certificate is returned.
+ MintCertificate(ctx context.Context, sessionName string, user string, accessGroup string, hostedCluster *hypershiftv1beta1.HostedCluster, privateKey *rsa.PrivateKey) ([]byte, error)
+}
+
+// HostedClusterProvider handles hosted cluster discovery operations.
+type hostedClusterProvider struct {
+ hypershiftClient hypershiftclientset.Interface
+ certificatesClient certificatesclientv1alpha1.CertificatesV1alpha1Interface
+ kubeClient kubernetes.Interface
+}
+
+// NewHostedClusterProvider creates a new hosted cluster provider instance.
+func NewHCPProvider(hypershiftClient hypershiftclientset.Interface, certificatesClient certificatesclientv1alpha1.CertificatesV1alpha1Interface, kubeClient kubernetes.Interface) HostedClusterProvider {
+ return &hostedClusterProvider{
+ hypershiftClient: hypershiftClient,
+ certificatesClient: certificatesClient,
+ kubeClient: kubeClient,
+ }
+}
+
+func (d *hostedClusterProvider) getHostedControlPlane(ctx context.Context, namespace string) (*hypershiftv1beta1.HostedControlPlane, error) {
+ hcpList, err := d.hypershiftClient.HypershiftV1beta1().HostedControlPlanes(namespace).List(ctx, metav1.ListOptions{})
+ if err != nil {
+ return nil, fmt.Errorf("failed to list HostedControlPlanes: %w", err)
+ }
+ if len(hcpList.Items) == 0 {
+ return nil, apierrors.NewNotFound(
+ schema.GroupResource{Group: "hypershift.openshift.io", Resource: "hostedcontrolplanes"},
+ namespace,
+ )
+ }
+ if len(hcpList.Items) > 1 {
+ return nil, fmt.Errorf("multiple HostedControlPlane found for namespace %s", namespace)
+ }
+ hcp := hcpList.Items[0]
+ return &hcp, nil
+}
+
+// GetHostedClusterForHCPNamespace finds the HostedCluster CR for a given HostedControlPlane namespace.
+func (d *hostedClusterProvider) GetHostedCluster(ctx context.Context, namespace string) (*hypershiftv1beta1.HostedCluster, error) {
+ hcp, err := d.getHostedControlPlane(ctx, namespace)
+ if err != nil {
+ if apierrors.IsNotFound(err) {
+ return nil, err
+ }
+ return nil, fmt.Errorf("failed to get HostedControlPlane: %w", err)
+ }
+ hcRef := hcp.Annotations[AnnotationClusterReference]
+ hcNamespace, hcName, err := parseClusterRef(hcRef)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse cluster reference: %w", err)
+ }
+ hc, err := d.hypershiftClient.HypershiftV1beta1().HostedClusters(hcNamespace).Get(ctx, hcName, metav1.GetOptions{})
+ if err != nil {
+ if apierrors.IsNotFound(err) {
+ return nil, err
+ }
+ return nil, fmt.Errorf("failed to get HostedCluster: %w", err)
+ }
+ return hc, nil
+}
+
+func parseClusterRef(clusterRef string) (string, string, error) {
+ parts := strings.Split(clusterRef, "/")
+ if len(parts) != 2 {
+ return "", "", fmt.Errorf("invalid cluster reference: %s", clusterRef)
+ }
+ return parts[0], parts[1], nil
+}
+
+func (d *hostedClusterProvider) MintCertificate(ctx context.Context, sessionName string, user string, accessGroup string, hostedCluster *hypershiftv1beta1.HostedCluster, privateKey *rsa.PrivateKey) ([]byte, error) {
+ logger := klog.LoggerWithValues(klog.FromContext(ctx), "sessionName", sessionName)
+
+ csrApprovalNamespace := fmt.Sprintf("%s-%s", hostedCluster.Namespace, hostedCluster.Name)
+
+ csr, err := d.kubeClient.CertificatesV1().CertificateSigningRequests().Get(ctx, sessionName, metav1.GetOptions{})
+ if err != nil && apierrors.IsNotFound(err) {
+ csr = nil
+ } else if err != nil {
+ return nil, fmt.Errorf("failed to check for existing CSR: %w", err)
+ }
+
+ subject := buildSubject(user, accessGroup)
+
+ digest := calculateCSRDigest(privateKey, subject)
+ if csr != nil {
+ if existingDigest, ok := csr.Annotations[AnnotationCSRDigest]; ok && existingDigest != digest {
+ logger.V(2).Info("Deleting outdated 
CertificateSigningRequest", "sessionName", sessionName, "csrApprovalNamespace", csrApprovalNamespace, "existingDigest", existingDigest, "digest", digest) + if err := d.deleteCSR(ctx, csrApprovalNamespace, sessionName); err != nil { + return nil, fmt.Errorf("failed to delete outdated CSR: %w", err) + } + csr = nil + } + } + + // create CertificateSigningRequest resource + if csr == nil { + logger.V(2).Info("Creating CertificateSigningRequest", "csrName", sessionName) + csrPEM, err := generateCertificateSigningRequestPEM(rand.Reader, privateKey, subject) + if err != nil { + return nil, fmt.Errorf("failed to generate certificate signing request PEM: %w", err) + } + csrResource := d.buildCertificateSigningRequest(csrApprovalNamespace, sessionName, csrPEM, digest) + _, err = d.kubeClient.CertificatesV1().CertificateSigningRequests().Create(ctx, csrResource, metav1.CreateOptions{}) + if err != nil { + return nil, fmt.Errorf("failed to create certificatesigningrequest.certificates.k8s.io: %w", err) + } + } + + // create Hypershift CertificateSigningRequestApproval resource + if err := d.ensureApproval(ctx, csrApprovalNamespace, sessionName); err != nil { + return nil, fmt.Errorf("failed to create certificatesigningrequestapprovals.certificates.hypershift.openshift.io: %w", err) + } + + if csr != nil && len(csr.Status.Certificate) > 0 { + return csr.Status.Certificate, nil + } + return nil, nil +} + +func (d *hostedClusterProvider) buildCertificateSigningRequest(csrApprovalNamespace, name string, csrPEM []byte, digest string) *certificatesv1.CertificateSigningRequest { + return &certificatesv1.CertificateSigningRequest{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Labels: map[string]string{ + "api.openshift.com/type": "break-glass-credential", + }, + Annotations: map[string]string{ + AnnotationCSRDigest: digest, + }, + }, + Spec: certificatesv1.CertificateSigningRequestSpec{ + Request: csrPEM, + SignerName: fmt.Sprintf("hypershift.openshift.io/%s.sre-break-glass", 
csrApprovalNamespace), + ExpirationSeconds: func() *int32 { v := defaultExpirationSeconds; return &v }(), + Usages: []certificatesv1.KeyUsage{ + certificatesv1.UsageClientAuth, + certificatesv1.UsageDigitalSignature, + }, + }, + } +} + +func buildSubject(user string, organization string) pkix.Name { + return pkix.Name{ + CommonName: fmt.Sprintf("system:sre-break-glass:%s", user), + Organization: []string{organization}, + } +} + +func (d *hostedClusterProvider) ensureApproval(ctx context.Context, namespace, name string) error { + approvalApplyConfig := certificatesv1alpha1apply.CertificateSigningRequestApproval(name, namespace). + WithLabels(map[string]string{ + "api.openshift.com/type": "break-glass-credential", + }) + + _, err := d.certificatesClient.CertificateSigningRequestApprovals(namespace).Apply( + ctx, + approvalApplyConfig, + metav1.ApplyOptions{ + FieldManager: "sessiongate-controller", + Force: true, + }, + ) + return err +} + +func (d *hostedClusterProvider) deleteCSR(ctx context.Context, namespace string, name string) error { + csrErr := d.kubeClient.CertificatesV1().CertificateSigningRequests().Delete(ctx, name, metav1.DeleteOptions{}) + approvalErr := d.certificatesClient.CertificateSigningRequestApprovals(namespace).Delete(ctx, name, metav1.DeleteOptions{}) + + var errs []error + if csrErr != nil && !apierrors.IsNotFound(csrErr) { + errs = append(errs, fmt.Errorf("failed to delete CSR: %w", csrErr)) + } + if approvalErr != nil && !apierrors.IsNotFound(approvalErr) { + errs = append(errs, fmt.Errorf("failed to delete approval: %w", approvalErr)) + } + + return errors.Join(errs...) 
+} + +func calculateCSRDigest(privateKey *rsa.PrivateKey, subject pkix.Name) string { + h := sha256.New() + h.Write(x509.MarshalPKCS1PrivateKey(privateKey)) + h.Write([]byte(subject.String())) + return hex.EncodeToString(h.Sum(nil)) +} + +func generateCertificateSigningRequestPEM(rngSource io.Reader, privateKey *rsa.PrivateKey, subject pkix.Name) ([]byte, error) { + template := x509.CertificateRequest{ + Subject: subject, + SignatureAlgorithm: x509.SHA256WithRSA, + } + + csrDER, err := x509.CreateCertificateRequest(rngSource, &template, privateKey) + if err != nil { + return nil, fmt.Errorf("failed to create certificate request: %w", err) + } + + // Encode to PEM + csrPEM := pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE REQUEST", + Bytes: csrDER, + }) + + return csrPEM, nil +} + +type HCPProviderBuilder func(ctx context.Context, resourceId string) (HostedClusterProvider, error) + +func NewAKSHCPProviderBuilder(azureCredentials azcore.TokenCredential) HCPProviderBuilder { + return func(ctx context.Context, resourceId string) (HostedClusterProvider, error) { + kubeConfig, err := GetAKSRESTConfig(ctx, resourceId, azureCredentials) + if err != nil { + return nil, fmt.Errorf("failed to get AKS REST config: %w", err) + } + kubeClient, err := kubernetes.NewForConfig(kubeConfig) + if err != nil { + return nil, fmt.Errorf("failed to create kubernetes client: %w", err) + } + hypershiftClientset, err := hypershiftclientset.NewForConfig(kubeConfig) + if err != nil { + return nil, fmt.Errorf("failed to create hypershift clientset: %w", err) + } + certificatesClientset, err := certificatesclientv1alpha1.NewForConfig(kubeConfig) + if err != nil { + return nil, fmt.Errorf("failed to create certificates clientset: %w", err) + } + return NewHCPProvider(hypershiftClientset, certificatesClientset, kubeClient), nil + } +} diff --git a/sessiongate/pkg/mc/kubeconfig.go b/sessiongate/pkg/mc/kubeconfig.go new file mode 100644 index 0000000000..98aabd12f2 --- /dev/null 
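Review bot: calculateCSRDigest feeds the full RSA private key (`x509.MarshalPKCS1PrivateKey(privateKey)`) into the SHA-256 digest that buildCertificateSigningRequest then publishes as the `sessiongate.aro-hcp.azure.com/csr-digest` annotation on a cluster-scoped CertificateSigningRequest. The digest is not invertible, but hashing private-key bytes into an externally visible value is an unnecessary exposure when the public half identifies the key pair equally well; `h.Write(x509.MarshalPKCS1PublicKey(&privateKey.PublicKey))` gives the same idempotency and keeps private material out of the derivation. A short doc comment on calculateCSRDigest stating that only the public key and the subject participate would make that intent explicit. Separately, the replacement check in MintCertificate fires only when the annotation is present and differs, so an existing CSR of the same name that carries no annotation is reused regardless of its subject; `!ok || existingDigest != digest` would treat a missing annotation as stale, if that is the intended behaviour.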
+++ b/sessiongate/pkg/mc/kubeconfig.go 
@@ -0,0 +1,124 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package mc + +import ( + "context" + "fmt" + "net/http" + + "k8s.io/client-go/rest" + "k8s.io/client-go/tools/clientcmd" + clientcmdapi "k8s.io/client-go/tools/clientcmd/api" + + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + azcorearm "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice" +) + +const ( + // Azure AKS OAuth2 server ID for RBAC + aksOAuthServerID = "6dae42f8-4368-4678-94ff-3960e28e3630" +) + +// GetAKSRESTConfig creates a REST config for an AKS cluster with dynamic Azure token authentication +func GetAKSRESTConfig(ctx context.Context, resourceID string, credential azcore.TokenCredential) (*rest.Config, error) { + // Parse the resource ID using the Azure Go SDK + parsedResourceID, err := azcorearm.ParseResourceID(resourceID) + if err != nil { + return nil, fmt.Errorf("failed to parse resource ID: %w", err) + } + subscriptionID := parsedResourceID.SubscriptionID + resourceGroup := parsedResourceID.ResourceGroupName + clusterName := parsedResourceID.Name + + // Create AKS client + client, err := armcontainerservice.NewManagedClustersClient(subscriptionID, credential, nil) + if err != nil { + return nil, fmt.Errorf("failed to create AKS client: %w", err) + } + + // Get the cluster user 
credentials to extract server URL and CA cert + resp, err := client.ListClusterUserCredentials(ctx, resourceGroup, clusterName, nil) + if err != nil { + return nil, fmt.Errorf("failed to get cluster user credentials: %w", err) + } + if len(resp.Kubeconfigs) == 0 { + return nil, fmt.Errorf("no kubeconfig found") + } + + // Parse the kubeconfig to extract server URL and CA data + config, err := clientcmd.Load(resp.Kubeconfigs[0].Value) + if err != nil { + return nil, fmt.Errorf("failed to load kubeconfig: %w", err) + } + + // Get the first cluster info + var clusterInfo *clientcmdapi.Cluster + for _, cluster := range config.Clusters { + clusterInfo = cluster + break + } + if clusterInfo == nil { + return nil, fmt.Errorf("no cluster found in kubeconfig") + } + + // Build REST config with dynamic Azure token authentication + restConfig := &rest.Config{ + Host: clusterInfo.Server, + TLSClientConfig: rest.TLSClientConfig{ + CAData: clusterInfo.CertificateAuthorityData, + ServerName: clusterInfo.TLSServerName, + Insecure: clusterInfo.InsecureSkipTLSVerify, + }, + } + + // Wrap transport to inject Azure tokens dynamically + restConfig.Wrap(func(rt http.RoundTripper) http.RoundTripper { + return &azureTokenRoundTripper{ + credential: credential, + base: rt, + } + }) + + return restConfig, nil +} + +// azureTokenRoundTripper injects Azure bearer tokens into Kubernetes API requests +type azureTokenRoundTripper struct { + credential azcore.TokenCredential + base http.RoundTripper +} + +// RoundTrip implements http.RoundTripper by fetching an Azure token and adding it to the request +func (rt *azureTokenRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { + // Get Azure token for AKS + token, err := rt.credential.GetToken(req.Context(), policy.TokenRequestOptions{ + Scopes: []string{aksOAuthServerID + "/.default"}, + }) + if err != nil { + return nil, fmt.Errorf("failed to get Azure token: %w", err) + } + + // Clone the request to avoid modifying the original + 
reqClone := req.Clone(req.Context()) + + // Add the bearer token + reqClone.Header.Set("Authorization", "Bearer "+token.Token) + + // Execute the request with the base transport + return rt.base.RoundTrip(reqClone) +} diff --git a/sessiongate/pkg/server/connection.go b/sessiongate/pkg/server/connection.go new file mode 100644 index 0000000000..e3a9cde1f1 --- /dev/null +++ b/sessiongate/pkg/server/connection.go 
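Review bot: GetAKSRESTConfig copies `clusterInfo.InsecureSkipTLSVerify` straight into `rest.TLSClientConfig.Insecure`, so a kubeconfig returned with that flag set would silently disable server verification on a connection that azureTokenRoundTripper decorates with an Azure bearer token on every request. Unless there is a deliberate reason to honour the flag, reject it: `if clusterInfo.InsecureSkipTLSVerify { return nil, fmt.Errorf("kubeconfig for cluster %s disables TLS verification", clusterName) }`, and consider failing likewise when `CertificateAuthorityData` is empty. The "first cluster" loop ranges over the `config.Clusters` map, so with more than one entry the pick is nondeterministic; resolving through `config.Contexts[config.CurrentContext].Cluster` would be deterministic. RoundTrip calls `GetToken` on every request, which is fine only if the credential caches tokens internally — azidentity credentials generally do, but that assumption belongs in the comment above the call.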
@@ -0,0 +1,72 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package server
+
+import (
+ "errors"
+ "net"
+ "sync"
+)
+
+type ConnTracker struct {
+ mu sync.Mutex
+ conns map[net.Conn]struct{}
+}
+
+func NewConnTracker() *ConnTracker {
+ return &ConnTracker{
+ conns: make(map[net.Conn]struct{}),
+ }
+}
+
+func (t *ConnTracker) wrap(c net.Conn) net.Conn {
+ t.mu.Lock()
+ t.conns[c] = struct{}{}
+ t.mu.Unlock()
+ return &trackedConn{Conn: c, tracker: t}
+}
+
+func (t *ConnTracker) remove(c net.Conn) {
+ t.mu.Lock()
+ delete(t.conns, c)
+ t.mu.Unlock()
+}
+
+func (t *ConnTracker) CloseAll() error {
+ t.mu.Lock()
+ defer t.mu.Unlock()
+ var errs []error
+ for c := range t.conns {
+ if err := c.Close(); err != nil {
+ errs = append(errs, err)
+ }
+ }
+ return errors.Join(errs...)
+}
+
+type trackedConn struct {
+ net.Conn
+ tracker *ConnTracker
+ once sync.Once
+}
+
+func (c *trackedConn) Close() error {
+ var err error
+ c.once.Do(func() {
+ err = c.Conn.Close()
+ c.tracker.remove(c.Conn)
+ })
+ return err
+}
diff --git a/sessiongate/pkg/server/middleware/metrics.go b/sessiongate/pkg/server/middleware/metrics.go
new file mode 100644
index 0000000000..5d79a4f2d4
--- /dev/null
+++ b/sessiongate/pkg/server/middleware/metrics.go
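Review bot: CloseAll closes every tracked connection but leaves the map populated and the tracker open, so a connection that wrap records after CloseAll has run (a dial racing with session teardown) is never closed by anyone, and a second CloseAll re-closes already-closed conns and reports their errors. Recording a closed flag in CloseAll, refusing new connections in wrap once it is set, and clearing the map after the loop makes teardown final; wrap then returns `(net.Conn, error)`, which the tracking dialer in proxy.go can return directly. A type comment stating that ConnTracker exists so a session teardown can force-close live backend connections would also help, since nothing in the file says why connections are tracked.

```go
// ConnTracker records live backend connections so a session teardown can
// close them all; after CloseAll it refuses new connections.
type ConnTracker struct {
	mu     sync.Mutex
	conns  map[net.Conn]struct{}
	closed bool
}

func (t *ConnTracker) wrap(c net.Conn) (net.Conn, error) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.closed {
		_ = c.Close()
		return nil, errors.New("connection tracker closed")
	}
	t.conns[c] = struct{}{}
	return &trackedConn{Conn: c, tracker: t}, nil
}

func (t *ConnTracker) CloseAll() error {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.closed = true
	var errs []error
	for c := range t.conns {
		if err := c.Close(); err != nil {
			errs = append(errs, err)
		}
	}
	clear(t.conns)
	return errors.Join(errs...)
}
// … unchanged: NewConnTracker, remove, trackedConn …
```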
@@ -0,0 +1,78 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package middleware + +import ( + "bufio" + "fmt" + "net" + "net/http" + "strconv" + "time" + + "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_golang/prometheus/promauto" +) + +type logResponseWriter struct { + http.ResponseWriter + statusCode int +} + +// WriteHeader captures the status code sent to the client. +func (lrw *logResponseWriter) WriteHeader(code int) { + lrw.statusCode = code + lrw.ResponseWriter.WriteHeader(code) +} + +// Hijack implements http.Hijacker to support WebSocket upgrades. 
+func (lrw *logResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+ hijacker, ok := lrw.ResponseWriter.(http.Hijacker)
+ if !ok {
+ return nil, nil, fmt.Errorf("response writer does not support hijacking")
+ }
+ return hijacker.Hijack()
+}
+
+func WithMetrics(requestCounterName, requestDurationName string, registry prometheus.Registerer, next http.HandlerFunc) http.HandlerFunc {
+ requestCounter := promauto.With(registry).NewCounterVec(
+ prometheus.CounterOpts{
+ Name: requestCounterName,
+ Help: "Counter for HTTP requests by method, status, route",
+ },
+ []string{"method", "status", "route"},
+ )
+ requestDuration := promauto.With(registry).NewHistogramVec(
+ prometheus.HistogramOpts{
+ Name: requestDurationName,
+ Help: "Histogram of latencies for HTTP requests by method, status, route",
+ NativeHistogramBucketFactor: 1.1,
+ NativeHistogramMaxBucketNumber: 100,
+ NativeHistogramMinResetDuration: 1 * time.Hour,
+ },
+ []string{"method", "status", "route"},
+ )
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ startTime := time.Now()
+
+ lrw := &logResponseWriter{ResponseWriter: w, statusCode: 200}
+
+ next(lrw, r)
+
+ duration := time.Since(startTime).Seconds()
+ requestCounter.WithLabelValues(r.Method, strconv.Itoa(lrw.statusCode), r.Pattern).Inc()
+ requestDuration.WithLabelValues(r.Method, strconv.Itoa(lrw.statusCode), r.Pattern).Observe(duration)
+ })
+}
diff --git a/sessiongate/pkg/server/proxy.go b/sessiongate/pkg/server/proxy.go
new file mode 100644
index 0000000000..696c725408
--- /dev/null
+++ b/sessiongate/pkg/server/proxy.go
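Review bot: logResponseWriter forwards Hijack but exposes neither `Flush` nor `Unwrap`, so a downstream handler that flushes through `http.ResponseController` (or type-asserts `http.Flusher`) sees a writer that cannot flush, and streamed responses such as API-server watches stay buffered until the handler returns. Adding `func (lrw *logResponseWriter) Unwrap() http.ResponseWriter { return lrw.ResponseWriter }` lets ResponseController reach both Flush and Hijack on the underlying writer and makes the hand-written Hijack largely redundant. Whether the wrapped handler actually flushes is not visible in this hunk, so confirm against the proxy that WithMetrics wraps. A doc comment on WithMetrics noting that it registers two collectors through promauto and must therefore be called once per metric name would also stop a second caller from hitting a duplicate-registration panic.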
@@ -0,0 +1,129 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package server + +import ( + "context" + "fmt" + "net" + "net/http" + "net/url" + "strings" + + "k8s.io/apimachinery/pkg/util/proxy" + "k8s.io/client-go/rest" + "k8s.io/klog/v2" +) + +// kasProxySession wraps a KAS proxy handler with lifecycle management +type kasProxySession struct { + handler http.Handler + cleanup func() +} + +// ServeHTTP implements http.Handler +func (s *kasProxySession) ServeHTTP(w http.ResponseWriter, r *http.Request) { + s.handler.ServeHTTP(w, r) +} + +// Close performs cleanup +func (s *kasProxySession) Close() { + s.cleanup() +} + +func newKASProxyHandler( + ctx context.Context, + restCfg *rest.Config, + sessionID string, + stripPathPrefix string, +) (*kasProxySession, error) { + klog.V(4).InfoS("Creating KAS proxy handler", "sessionID", sessionID, "host", restCfg.Host, "stripPathPrefix", stripPathPrefix) + + backendBase, err := url.Parse(restCfg.Host) + if err != nil { + return nil, err + } + + tracker := NewConnTracker() + + // Set up connection tracking on the dialer + originalDial := restCfg.Dial + if originalDial == nil { + dialer := &net.Dialer{} + originalDial = dialer.DialContext + } + restCfg.Dial = func(ctx context.Context, network, addr string) (net.Conn, error) { + conn, err := originalDial(ctx, network, addr) + if err != nil { + return nil, err + } + return tracker.wrap(conn), nil + } + + transport, err := 
rest.TransportFor(restCfg) + if err != nil { + return nil, err + } + + // Create a cancellable context for this session + sessionCtx, cancel := context.WithCancel(ctx) + + handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + logger := klog.FromContext(r.Context()).WithValues("sessionID", sessionID, "host", restCfg.Host) + // Use the session context so requests can be cancelled when session is unregistered + r = r.Clone(klog.NewContext(sessionCtx, logger)) + logger.V(6).Info("Proxying request", "method", r.Method, "path", r.URL.Path) + + if !strings.HasPrefix(r.URL.Path, stripPathPrefix) { + http.NotFound(w, r) + return + } + + restPath := strings.TrimPrefix(r.URL.Path, stripPathPrefix) + + backendURL := *backendBase + backendURL.Path = backendURL.Path + restPath + backendURL.RawQuery = r.URL.RawQuery + + klog.V(6).Info("Backend URL constructed", "backendURL", backendURL.String()) + + proxyHandler := proxy.NewUpgradeAwareHandler(&backendURL, transport, true, false, &sessionErrorResponder{sessionID: sessionID}) + proxyHandler.ServeHTTP(w, r) + }) + + return &kasProxySession{ + handler: handler, + cleanup: func() { + cancel() + // Kill all active connections immediately when the session expires. + // This ensures long-running connections (watches, websockets) are + // terminated promptly rather than waiting for idle timeouts. + err := tracker.CloseAll() + if err != nil { + klog.Error(err, "Failed to close connections", "sessionID", sessionID) + } + klog.V(2).InfoS("Session closed", "sessionID", sessionID) + }, + }, nil +} + +// sessionErrorResponder implements proxy.ErrorResponder with session-specific context +type sessionErrorResponder struct { + sessionID string +} + +func (r *sessionErrorResponder) Error(w http.ResponseWriter, req *http.Request, err error) { + http.Error(w, fmt.Sprintf("Proxy request failed for session %s: %v", r.sessionID, err), http.StatusBadGateway) +} 
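Review bot: newKASProxyHandler overwrites `restCfg.Dial` on the `*rest.Config` the caller passed in, so the tracking dialer — bound to this one session's ConnTracker — leaks into any other client later built from the same config; take a private copy first, `cfg := rest.CopyConfig(restCfg)`, and install the dialer and call `rest.TransportFor` on that copy. sessionErrorResponder.Error writes the raw backend error into the 502 body, which can echo internal hostnames and dial failures to the session's caller; log it with the sessionID and return a fixed message such as `http.Error(w, "proxy request failed", http.StatusBadGateway)`. The backend path is assembled from the decoded `r.URL.Path`, so any percent-encoded segment the client sent is re-encoded by the proxy rather than forwarded as received; if that matters for object names, carry `r.URL.RawPath` through as well.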
diff --git a/sessiongate/pkg/server/server.go b/sessiongate/pkg/server/server.go new file mode 100644 index 0000000000..564c0223bf --- /dev/null +++ b/sessiongate/pkg/server/server.go 
@@ -0,0 +1,215 @@ +// Copyright 2025 Microsoft Corporation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package server + +import ( + "context" + "fmt" + "net" + "net/http" + "sync" + "time" + + "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_golang/prometheus/promauto" + "github.com/prometheus/client_golang/prometheus/promhttp" + + "k8s.io/klog/v2" + + "github.com/Azure/ARO-HCP/sessiongate/pkg/controller" + "github.com/Azure/ARO-HCP/sessiongate/pkg/server/middleware" +) + +const ( + sessionGatePathPrefix = "/sessiongate" +) + +type sessionRegistration struct { + session *kasProxySession +} + +// Server manages a shared HTTP server with dynamic session path handlers +type Server struct { + bindAddress string + ingressBaseURL string + server *http.Server + mux *http.ServeMux + sessions map[string]*sessionRegistration + mu sync.RWMutex + reg prometheus.Registerer +} + +// NewServer creates a new shared webserver instance +// bindAddress is the local bind address (e.g., "localhost:8080" or ":8080") +// ingressBaseURL is the externally-accessible base URL for session URLs (e.g., "https://sessiongate.example.com") +func NewServer(bindAddress, ingressBaseURL string, reg prometheus.Registerer) *Server { + mux := http.NewServeMux() + s := &Server{ + bindAddress: bindAddress, + ingressBaseURL: ingressBaseURL, + mux: mux, + sessions: make(map[string]*sessionRegistration), + reg: reg, + server: &http.Server{ + Addr: bindAddress, + 
Handler: mux, + ReadTimeout: 10 * time.Second, + WriteTimeout: 10 * time.Second, + IdleTimeout: 60 * time.Second, + }, + } + + promauto.With(reg).NewGaugeFunc( + prometheus.GaugeOpts{ + Name: "sessiongate_active_sessions", + Help: "Number of currently active sessions", + }, + func() float64 { + s.mu.RLock() + defer s.mu.RUnlock() + return float64(len(s.sessions)) + }, + ) + + return s +} + +func (s *Server) BindAddress() string { + return s.bindAddress +} + +// Run starts the HTTP server and blocks until the context is cancelled or an error occurs. +// It fails fast if the port is unavailable, then serves requests until shutdown. +func (s *Server) Run(ctx context.Context) error { + // Bind the port immediately - fails fast if port unavailable + listener, err := net.Listen("tcp", s.bindAddress) + if err != nil { + return fmt.Errorf("failed to bind to %s: %w", s.bindAddress, err) + } + defer listener.Close() + + // Register handlers using Go 1.22+ path patterns with logging middleware + s.mux.Handle( + fmt.Sprintf("%s/{path...}", buildSessionKASPath("{sessionID}")), + middleware.WithMetrics( + "sessiongate_kas_proxy_requests_total", + "sessiongate_kas_proxy_requests_duration_seconds", + s.reg, + http.HandlerFunc(s.kasProxyHandler), + ), + ) + s.mux.Handle("/healthz", http.HandlerFunc(s.healthzHandler)) + s.mux.Handle("/readyz", http.HandlerFunc(s.readyzHandler)) + s.mux.Handle("/metrics", promhttp.Handler()) + + // Start server in goroutine + serverErr := make(chan error, 1) + go func() { + if err := s.server.Serve(listener); err != nil && err != http.ErrServerClosed { + serverErr <- err + } + }() + + // Block until context cancels or server errors + select { + case <-ctx.Done(): + klog.Info("Context cancelled - performing graceful webserver shutdown") + shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + if err := s.server.Shutdown(shutdownCtx); err != nil { + return fmt.Errorf("failed to shutdown server: %w", err) + } 
+ return nil + case err := <-serverErr: + klog.Error(err, "Server encountered an error") + return err + } +} + +// RegisterSession registers session information and REST configuration. +// If the session already exists, this is a no-op (returns existing endpoint). +// Note: Sessions are immutable - we don't support updating REST config for existing sessions. +// To update credentials, the session must be unregistered and re-registered. +func (s *Server) RegisterSession(opts controller.SessionOptions) (string, error) { + s.mu.Lock() + defer s.mu.Unlock() + + _, exists := s.sessions[opts.SessionID] + if !exists { + klog.V(2).Info("Registering new session", "sessionID", opts.SessionID, "resourceID", opts.ResourceID) + session, err := newKASProxyHandler(context.Background(), opts.RESTConfig, opts.SessionID, buildSessionKASPath(opts.SessionID)) + if err != nil { + klog.Error(err, "Failed to create KAS proxy handler", "sessionID", opts.SessionID) + return "", fmt.Errorf("failed to create KAS proxy handler: %w", err) + } + s.sessions[opts.SessionID] = &sessionRegistration{ + session: session, + } + } else { + klog.V(4).Info("Session already registered, returning existing endpoint", "sessionID", opts.SessionID) + } + + endpoint := s.GetSessionEndpoint(opts.SessionID) + return endpoint, nil +} + +// GetSessionEndpoint computes the public endpoint URL for a given session ID. +func (s *Server) GetSessionEndpoint(sessionID string) string { + return fmt.Sprintf("%s%s", s.ingressBaseURL, buildSessionKASPath(sessionID)) +} + +// UnregisterSession removes session data and forcibly stops all backend interactions. +// This is a hard stop - all in-flight requests will be cancelled, WebSocket/SPDY upgrades +// will fail, and idle connections will be closed. 
+func (s *Server) UnregisterSession(sessionID string) { + s.mu.Lock() + defer s.mu.Unlock() + + if reg, exists := s.sessions[sessionID]; exists { + klog.V(2).InfoS("Unregister session", "sessionID", sessionID) + reg.session.Close() + + delete(s.sessions, sessionID) + } +} + +// kasProxyHandler handles /session/{sessionID}/kas/* requests +func (s *Server) kasProxyHandler(w http.ResponseWriter, r *http.Request) { + sessionID := r.PathValue("sessionID") + + s.mu.RLock() + info, exists := s.sessions[sessionID] + s.mu.RUnlock() + + if !exists { + http.Error(w, "Session not found", http.StatusNotFound) + return + } + info.session.ServeHTTP(w, r) +} + +// healthzHandler returns 200 OK if the server is running +func (s *Server) healthzHandler(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) +} + +// readyzHandler returns 200 OK if the server is ready to accept requests +func (s *Server) readyzHandler(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) +} + +func buildSessionKASPath(sessionID string) string { + return fmt.Sprintf("%s/%s/kas", sessionGatePathPrefix, sessionID) +} diff --git a/sessiongate/pkg/signals/signal.go b/sessiongate/pkg/signals/signal.go new file mode 100644 index 0000000000..16d9084d69 --- /dev/null +++ b/sessiongate/pkg/signals/signal.go 
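Review bot: NewServer sets `WriteTimeout: 10 * time.Second` on the http.Server that fronts the KAS proxy, and that deadline covers the whole response, so a non-upgraded streaming response such as a watch through `/sessiongate/{sessionID}/kas/...` is cut off after ten seconds regardless of session lifetime (hijacked WebSocket/SPDY connections are unaffected). Unless short requests are all this proxy is meant to serve, replace the two timeouts with `ReadHeaderTimeout: 10 * time.Second,` and leave per-session termination to the session context and ConnTracker that UnregisterSession already triggers. The comment on kasProxyHandler names the route as `/session/{sessionID}/kas/*`, while buildSessionKASPath produces `/sessiongate/{sessionID}/kas`; it should read `// kasProxyHandler handles /sessiongate/{sessionID}/kas/{path...} requests`. kasProxyHandler itself performs no caller authentication — possession of the session ID is sufficient — which is presumably enforced upstream by the VirtualService's mise policy header, so state that assumption in the handler's comment and confirm the mesh policy is mandatory for this prefix.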
@@ -0,0 +1,52 @@ +/* + MIT License + + Copyright (c) Microsoft Corporation. + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE +*/ + +package signals + +import ( + "context" + "os" + "os/signal" +) + +var onlyOneSignalHandler = make(chan struct{}) + +// SetupSignalHandler registered for SIGTERM and SIGINT. A context is returned +// which is cancelled on one of these signals. If a second signal is caught, +// the program is terminated with exit code 1. +func SetupSignalHandler(ctx context.Context) context.Context { + close(onlyOneSignalHandler) // panics when called twice + + c := make(chan os.Signal, 2) + ctx, cancel := context.WithCancel(ctx) + signal.Notify(c, shutdownSignals...) + go func() { + <-c + cancel() + <-c + os.Exit(1) // second signal. Exit directly. + }() + + return ctx +} diff --git a/sessiongate/pkg/signals/signal_posix.go b/sessiongate/pkg/signals/signal_posix.go new file mode 100644 index 0000000000..a2556d5d3b --- /dev/null 
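Review bot: the goroutine in SetupSignalHandler blocks on `<-c` and never observes cancellation of the parent context, so when the caller's ctx ends without a signal the goroutine and its Notify registration outlive their purpose; `select { case <-c: cancel() case <-ctx.Done(): cancel(); return }` before the second receive keeps the two-signal semantics while letting it exit. The doc comment reads "SetupSignalHandler registered for SIGTERM and SIGINT"; `// SetupSignalHandler registers for SIGTERM and SIGINT and returns a context that is cancelled on the first one; a second signal exits the process with status 1.` is clearer. The `onlyOneSignalHandler` guard panics on a second call by design, which is worth stating in that comment as the caller-visible contract.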
+++ b/sessiongate/pkg/signals/signal_posix.go @@ -0,0 +1,32 @@ +/* + MIT License + + Copyright (c) Microsoft Corporation. + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE +*/ + +package signals + +import ( + "os" + "syscall" +) + +var shutdownSignals = []os.Signal{os.Interrupt, syscall.SIGTERM} diff --git a/sessiongate/pkg/signals/signal_windows.go b/sessiongate/pkg/signals/signal_windows.go new file mode 100644 index 0000000000..8afa8d241c --- /dev/null +++ b/sessiongate/pkg/signals/signal_windows.go 
@@ -0,0 +1,31 @@
+/*
+ MIT License
+
+ Copyright (c) Microsoft Corporation.
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE
+*/
+
+package signals
+
+import (
+ "os"
+)
+
+var shutdownSignals = []os.Signal{os.Interrupt}
diff --git a/sessiongate/testdata/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_sessiongate.yaml b/sessiongate/testdata/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_sessiongate.yaml
new file mode 100644
index 0000000000..ee98b7c0ff
--- /dev/null
+++ b/sessiongate/testdata/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_sessiongate.yaml
@@ -0,0 +1,500 @@ +--- +# Source: sessiongate/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: sessiongate + annotations: + azure.workload.identity/client-id: '__sessiongateMsiClientId__' + azure.workload.identity/tenant-id: '__tenantId__' + name: sessiongate + namespace: sessiongate +--- +# Source: sessiongate/templates/sessiongate.aro-hcp.azure.com_sessions.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: sessions.sessiongate.aro-hcp.azure.com +spec: + group: sessiongate.aro-hcp.azure.com + names: + kind: Session + listKind: SessionList + plural: sessions + singular: session + scope: Namespaced + versions: + - name: v1alpha1 + additionalPrinterColumns: + - name: Endpoint + type: string + jsonPath: .status.endpoint + - name: Expires + type: string + format: date-time + jsonPath: .status.expiresAt + schema: + openAPIV3Schema: + description: Session is the Schema for the sessions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of Session + properties: + accessLevel: + description: accessLevel defines the access permissions for the session + properties: + group: + description: group is the name of the access group + type: string + required: + - group + type: object + hostedControlPlane: + description: hostedControlPlane specifies the hosted control plane + properties: + resourceId: + description: resourceId is the Azure resource ID of the hosted control plane + type: string + pattern: '^/subscriptions/[a-fA-F0-9-]+/resourceGroups/[^/]+/providers/Microsoft\.RedHatOpenshift/hcpOpenShiftClusters/[^/]+$' + namespace: + description: namespace of the HostedControlPlane CR + type: string + required: + - resourceId + - namespace + type: object + managementCluster: + description: managementCluster specifies the AKS management cluster + properties: + resourceId: + description: resourceId is the Azure resource ID of the management cluster + type: string + pattern: '^/subscriptions/[a-fA-F0-9-]+/resourceGroups/[^/]+/providers/Microsoft\.ContainerService/managedClusters/[^/]+$' + required: + - resourceId + type: object + ttl: + description: ttl is the time-to-live duration for the session + type: string + owner: + description: owner identifies the principal (user or service account) that owns this session + properties: + type: + description: type specifies the authentication method + enum: + - User + type: string + userPrincipal: + description: userPrincipal identifies the user principal + properties: + claim: + default: upn + description: |- + claim specifies which JWT claim to use for authentication (e.g., "upn", "email", "sub", "preferred_username"). + Must be a top-level claim name. Nested claims are not currently supported. 
+ Note: While dots are valid in JWT claim names and Istio treats them literally (not as path separators), + we restrict the pattern to alphanumeric, underscore, hyphen, and slash for safety and simplicity. + To access nested claims in the future, Istio requires bracket notation like [parent][child]. + type: string + pattern: ^[a-zA-Z0-9_/-]+$ + minLength: 1 + maxLength: 256 + name: + description: name is the user principal name (e.g., UPN for Azure AD like user@domain.com) + type: string + required: + - claim + - name + type: object + required: + - type + type: object + x-kubernetes-validations: + - rule: "self.type == 'User' ? has(self.userPrincipal) : true" + message: "userPrincipal must be set when type is User" + required: + - accessLevel + - hostedControlPlane + - managementCluster + - owner + - ttl + type: object + x-kubernetes-validations: + - rule: "self == oldSelf" + message: "spec is immutable" + status: + description: status defines the observed state of Session + properties: + conditions: + description: |- + conditions represent the current state of the Session resource. + Each condition has a unique type and reflects the status of a specific aspect of the resource. + + Standard condition types include: + - "Available": the resource is fully functional + - "Progressing": the resource is being created or updated + - "Degraded": the resource failed to reach or maintain its desired state + - "Credentials": credentials are being provisioned or ready + + The status of each condition is one of True, False, or Unknown. + items: + description: Condition contains details for one aspect of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + endpoint: + description: endpoint is the URL endpoint for accessing the session + type: string + expiresAt: + description: expiresAt is the timestamp when the session will expire + format: date-time + type: string + credentialsSecretRef: + description: credentialsSecretRef references the Secret containing the session credentials (private key and certificate) + type: string + backendKASURL: + description: backendKASURL is the Kubernetes API server URL for the backend cluster + type: string + type: object + required: + - spec + type: object + x-kubernetes-validations: + - rule: "self.metadata.name.size() <= 63" + message: "session name must be 63 characters or less" + - rule: "self.metadata.name.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')" + message: "session name must be a valid DNS label (lowercase alphanumeric with hyphens)" + served: true + storage: true + subresources: + status: {} +--- +# Source: sessiongate/templates/controller_role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: sessiongate + name: sessiongate-controller + namespace: sessiongate +rules: +- apiGroups: + - sessiongate.aro-hcp.azure.com + resources: + - sessions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sessiongate.aro-hcp.azure.com + resources: + - sessions/finalizers + verbs: + - update +- apiGroups: + - sessiongate.aro-hcp.azure.com + resources: + - sessions/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update +- apiGroups: + - "" + resources: + - secrets + 
verbs: + - create + - delete + - get + - list + - update + - watch + - patch +- apiGroups: + - security.istio.io + resources: + - authorizationpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: sessiongate/templates/leader_election_role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: sessiongate + name: sessiongate-controller-leader-election + namespace: sessiongate +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: sessiongate/templates/controller_role_binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: sessiongate + name: sessiongate-controller-binding + namespace: sessiongate +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sessiongate-controller +subjects: +- kind: ServiceAccount + name: sessiongate + namespace: sessiongate +--- +# Source: sessiongate/templates/leader_election_role_binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: sessiongate + name: sessiongate-controller-leader-election-binding + namespace: sessiongate +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sessiongate-controller-leader-election +subjects: +- kind: ServiceAccount + name: sessiongate + namespace: sessiongate +--- +# Source: sessiongate/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: sessiongate + namespace: 'sessiongate' + labels: + app.kubernetes.io/name: sessiongate +spec: + selector: + app.kubernetes.io/name: sessiongate + ports: + - port: 8080 + targetPort: 8080 + protocol: TCP +--- +# Source: sessiongate/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + 
name: sessiongate + namespace: sessiongate + labels: + app.kubernetes.io/name: sessiongate +spec: + selector: + matchLabels: + app.kubernetes.io/name: sessiongate + replicas: 2 + template: + metadata: + labels: + app.kubernetes.io/name: sessiongate + azure.workload.identity/use: "true" + spec: + securityContext: + runAsNonRoot: true + containers: + - command: + - "/sessiongate" + args: + - controller + - "--server-address=:8080" + - "--ingress-base-url=https://admin.westus3.hcpsvc.osadev.cloud" + - "-v=6" + - "--leader-election-lease-duration=15s" + - "--leader-election-renew-deadline=10s" + - "--leader-election-retry-period=2s" + image: arohcpsvcdev.azurecr.io/arohcpsessiongate@sha256:1234567890 + name: sessiongate-controller + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - containerPort: 8080 + protocol: TCP + name: sessions + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + livenessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + volumeMounts: [] + volumes: [] + serviceAccountName: sessiongate + terminationGracePeriodSeconds: 10 + nodeSelector: +--- +# Source: sessiongate/templates/acrpullbinding.yaml +apiVersion: acrpull.microsoft.com/v1beta2 +kind: AcrPullBinding +metadata: + name: pull-binding + namespace: "sessiongate" +spec: + acr: + environment: PublicCloud + server: 'arohcpsvcdev.azurecr.io' + scope: 'repository:arohcpsessiongate:pull' + auth: + workloadIdentity: + serviceAccountRef: 'sessiongate' + clientID: '__imagePullerMsiClientId__' + tenantID: '__tenantId__' + serviceAccountName: 'sessiongate' +--- +# Source: 
sessiongate/templates/requestauthentication.yaml +apiVersion: security.istio.io/v1beta1 +kind: RequestAuthentication +metadata: + name: sessiongate-request-auth + namespace: 'sessiongate' +spec: + selector: + matchLabels: + app.kubernetes.io/name: sessiongate + jwtRules: + - issuer: "https://sts.windows.net/64dc69e4-d083-49fc-9569-ebece1dd1408/" + jwksUri: "https://sts.windows.net/64dc69e4-d083-49fc-9569-ebece1dd1408/discovery/v2.0/keys" + audiences: + - "6dae42f8-4368-4678-94ff-3960e28e3630" + diff --git a/sessiongate/values.yaml b/sessiongate/values.yaml new file mode 100644 index 0000000000..b2aa93e3ee --- /dev/null +++ b/sessiongate/values.yaml @@ -0,0 +1,31 @@ +namespace: "{{ .sessiongate.k8s.namespace }}" +image: + registry: "{{ .acr.svc.name }}.{{ .acrDNSSuffix }}" + repository: "{{ .sessiongate.image.repository }}" + digest: "{{ .sessiongate.image.digest }}" +replicas: "{{ .sessiongate.k8s.replicas }}" +logLevel: "2" +leaderElection: + leaseDuration: "15s" + renewDeadline: "10s" + retryPeriod: "2s" +nodeSelector: {} +tolerations: [] +affinity: {} +serviceAccount: + name: "{{ .sessiongate.k8s.serviceAccountName }}" + workloadIdentityClientId: "__sessiongateMsiClientId__" + workloadIdentityTenantId: "__tenantId__" +# Pull binding configuration for ACR Pull Operator +pullBinding: + registry: "{{ .acr.svc.name }}.{{ .acrDNSSuffix }}" + scope: "repository:{{ .sessiongate.image.repository }}:pull" + workloadIdentityClientId: "__imagePullerMsiClientId__" + workloadIdentityTenantId: "__tenantId__" +virtualService: + host: "admin.{{ .dns.regionalSubdomain }}.{{ .dns.svcParentZoneName }}" +service: + port: 8080 +auth: + authority: "https://{{ .mise.sessiongate.authorityFQDN }}/{{ .tenantId }}" # iss + audience: "{{ .mise.sessiongate.audience }}" # aud diff --git a/test-integration/go.mod b/test-integration/go.mod index 87164d6733..73dc3227c2 100644 --- a/test-integration/go.mod +++ b/test-integration/go.mod 
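Review bot: The trailing `# iss` and `# aud` comments on the new `auth` block in values.yaml are too terse for a file operators edit; spell out what each value feeds, e.g. `authority: "..." # token issuer (JWT iss) trusted by the sessiongate RequestAuthentication` and `audience: "..." # expected JWT aud claim`. It would also help to note in the same block that a RequestAuthentication by itself only rejects requests carrying an invalid token, while requests with no token are still admitted unless an AuthorizationPolicy requires a request principal, so readers know where that enforcement lives; the controller Role in the fixture hunk is granted `authorizationpolicies`, which suggests the policy is created at runtime, but that should be confirmed and referenced rather than inferred.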
@@ -17,7 +17,7 @@ require ( github.com/stretchr/testify v1.11.1 go.uber.org/mock v0.6.0 k8s.io/apimachinery v0.34.3 - k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d + k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 ) require ( @@ -70,7 +70,7 @@ require ( go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect go.opentelemetry.io/otel/trace v1.38.0 // indirect go.opentelemetry.io/proto/otlp v1.7.1 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect golang.org/x/sync v0.19.0 // indirect golang.org/x/time v0.14.0 // indirect diff --git a/test-integration/go.sum b/test-integration/go.sum index 64c44e66da..c4003b804d 100644 --- a/test-integration/go.sum +++ b/test-integration/go.sum @@ -24,6 +24,8 @@ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI= github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk= github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -143,10 +145,10 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/neilotoole/slogt v1.1.0 h1:c7qE92sq+V0yvCuaxph+RQ2jOKL61c4hqS1Bv9W7FZE= github.com/neilotoole/slogt v1.1.0/go.mod h1:RCrGXkPc/hYybNulqQrMHRtvlQ7F6NktNVLuLwk6V+w= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/openshift-online/ocm-api-model/clientapi v0.0.435 h1:5t/65lUYiXoD87LTpexUnMo/fHgEYvTPmOcQtHBfScY= github.com/openshift-online/ocm-api-model/clientapi v0.0.435/go.mod h1:fZwy5HY2URG9nrExvQeXrDU/08TGqZ16f8oymVEN5lo= github.com/openshift-online/ocm-api-model/model v0.0.435 h1:z9japbtB75gd/8oKvWRHmcbn0RyGeCFlYpisF1J+5mo= 
@@ -249,14 +251,13 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y= go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU= -go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= -go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -269,6 +270,8 @@ golang.org/x/exp v0.0.0-20250911091902-df9299821621/go.mod h1:TwQYMMnGpvZyc+JpB/ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= +golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -350,8 +353,8 @@ k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= diff --git a/test/go.mod b/test/go.mod index 98392be1f4..a7645a53a7 100644 --- a/test/go.mod +++ b/test/go.mod 
@@ -8,7 +8,7 @@ require ( github.com/Azure/ARO-HCP/tooling/templatize v0.0.0-20251212175206-b7a20d67a1b7 github.com/Azure/ARO-Tools v0.0.0-20251219030559-37f654161c5a github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2 - github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.6.0 + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.7.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions v1.3.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0 @@ -16,8 +16,8 @@ require ( github.com/dusted-go/logging v1.3.0 github.com/go-echarts/go-echarts/v2 v2.6.7 github.com/google/uuid v1.6.0 - github.com/onsi/ginkgo/v2 v2.23.4 - github.com/onsi/gomega v1.37.0 + github.com/onsi/ginkgo/v2 v2.27.2 + github.com/onsi/gomega v1.38.2 github.com/openshift-eng/openshift-tests-extension v0.0.0-20251217181008-4f0b29a50e82 github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.10.2 
@@ -28,19 +28,19 @@ require ( k8s.io/client-go v0.34.1 k8s.io/klog/v2 v2.130.1 k8s.io/kube-aggregator v0.34.0 - k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d + k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 sigs.k8s.io/prow v0.0.0-20251030184004-0e4d5be4200d sigs.k8s.io/yaml v1.6.0 ) require ( cel.dev/expr v0.24.0 // indirect - cloud.google.com/go v0.116.0 // indirect + cloud.google.com/go v0.118.0 // indirect cloud.google.com/go/auth v0.15.0 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect cloud.google.com/go/compute/metadata v0.7.0 // indirect - cloud.google.com/go/iam v1.2.2 // indirect - cloud.google.com/go/monitoring v1.21.2 // indirect + cloud.google.com/go/iam v1.3.1 // indirect + cloud.google.com/go/monitoring v1.22.1 // indirect cloud.google.com/go/storage v1.49.0 // indirect contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect @@ -65,9 +65,9 @@ require ( github.com/Masterminds/squirrel v1.5.4 // indirect github.com/ProtonMail/go-crypto v1.3.0 // indirect github.com/andygrunwald/go-jira v1.17.0 // indirect - github.com/antlr4-go/antlr/v4 v4.13.0 // indirect + github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go v1.55.5 // indirect + github.com/aws/aws-sdk-go v1.55.7 // indirect github.com/aws/aws-sdk-go-v2 v1.38.1 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.0 // indirect github.com/aws/aws-sdk-go-v2/config v1.31.3 // indirect 
@@ -94,9 +94,9 @@ require ( github.com/bwmarrin/snowflake v0.0.0 // indirect github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect - github.com/chai2010/gettext-go v1.0.2 // indirect + github.com/chai2010/gettext-go v1.0.3 // indirect github.com/cjwagner/httpcache v0.0.0-20230907212505-d4841bbad466 // indirect - github.com/clarketm/json v1.13.4 // indirect + github.com/clarketm/json v1.17.1 // indirect github.com/cloudflare/circl v1.6.1 // indirect github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect github.com/cyphar/filepath-securejoin v0.5.0 // indirect @@ -142,7 +142,7 @@ require ( github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 // indirect github.com/google/s2a-go v0.1.9 // indirect github.com/google/wire v0.6.0 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.5 // indirect github.com/googleapis/gax-go/v2 v2.14.1 // indirect github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect github.com/gosuri/uitable v0.0.4 // indirect @@ -200,7 +200,7 @@ require ( github.com/prometheus/client_model v0.6.2 // indirect github.com/prometheus/common v0.66.1 // indirect github.com/prometheus/procfs v0.17.0 // indirect - github.com/prometheus/statsd_exporter v0.22.7 // indirect + github.com/prometheus/statsd_exporter v0.24.0 // indirect github.com/rivo/uniseg v0.4.7 // indirect github.com/rubenv/sql-migrate v1.8.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect @@ -240,7 +240,7 @@ require ( go.opentelemetry.io/proto/otlp v1.7.1 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect go4.org v0.0.0-20201209231011-d4a079459e60 // indirect gocloud.dev v0.40.0 // indirect 
@@ -251,13 +251,13 @@ require ( golang.org/x/tools v0.39.0 // indirect golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect - google.golang.org/api v0.223.0 // indirect - google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect + google.golang.org/api v0.224.0 // indirect + google.golang.org/genproto v0.0.0-20250115164207-1a7da9e5054f // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect google.golang.org/grpc v1.76.0 // indirect google.golang.org/protobuf v1.36.10 // indirect - gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect + gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/fsnotify.v1 v1.4.7 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect @@ -268,7 +268,7 @@ require ( k8s.io/apiserver v0.34.1 // indirect k8s.io/cli-runtime v0.34.1 // indirect k8s.io/component-base v0.34.1 // indirect - k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect + k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect k8s.io/kubectl v0.34.1 // indirect knative.dev/pkg v0.0.0-20240416145024-0f34a8815650 // indirect oras.land/oras-go/v2 v2.6.0 // indirect diff --git a/test/go.sum b/test/go.sum index b44385affe..8a9bc5fb09 100644 --- a/test/go.sum +++ b/test/go.sum 
@@ -19,8 +19,8 @@ cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHOb cloud.google.com/go v0.66.0/go.mod h1:dgqGAjKCDxyhGTtC9dAREQGUJpkceNm1yt590Qno0Ko= cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= cloud.google.com/go v0.73.0/go.mod h1:BkDh9dFvGjCitVw03TNjKbBxXNKULXXIq6orU6HrJ4Q= -cloud.google.com/go v0.116.0 h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE= -cloud.google.com/go v0.116.0/go.mod h1:cEPSRWPzZEswwdr9BxE6ChEn01dWlTaF05LiC2Xs70U= +cloud.google.com/go v0.118.0 h1:tvZe1mgqRxpiVa3XlIGMiPcEUbP1gNXELgD4y/IXmeQ= +cloud.google.com/go v0.118.0/go.mod h1:zIt2pkedt/mo+DQjcT4/L3NDxzHPR29j5HcclNH+9PM= cloud.google.com/go/auth v0.15.0 h1:Ly0u4aA5vG/fsSsxu98qCQBemXtAtJf+95z9HK+cxps= cloud.google.com/go/auth v0.15.0/go.mod h1:WJDGqZ1o9E9wKIL+IwStfyn/+s59zl4Bi+1KQNVXLZ8= cloud.google.com/go/auth/oauth2adapt v0.2.7 h1:/Lc7xODdqcEw8IrZ9SvwnlLX6j9FHQM74z6cBk9Rw6M= 
@@ -35,14 +35,14 @@ cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeO cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/iam v1.2.2 h1:ozUSofHUGf/F4tCNy/mu9tHLTaxZFLOUiKzjcgWHGIA= -cloud.google.com/go/iam v1.2.2/go.mod h1:0Ys8ccaZHdI1dEUilwzqng/6ps2YB6vRsjIe00/+6JY= -cloud.google.com/go/logging v1.12.0 h1:ex1igYcGFd4S/RZWOCU51StlIEuey5bjqwH9ZYjHibk= -cloud.google.com/go/logging v1.12.0/go.mod h1:wwYBt5HlYP1InnrtYI0wtwttpVU1rifnMT7RejksUAM= -cloud.google.com/go/longrunning v0.6.2 h1:xjDfh1pQcWPEvnfjZmwjKQEcHnpz6lHjfy7Fo0MK+hc= -cloud.google.com/go/longrunning v0.6.2/go.mod h1:k/vIs83RN4bE3YCswdXC5PFfWVILjm3hpEUlSko4PiI= -cloud.google.com/go/monitoring v1.21.2 h1:FChwVtClH19E7pJ+e0xUhJPGksctZNVOk2UhMmblmdU= -cloud.google.com/go/monitoring v1.21.2/go.mod h1:hS3pXvaG8KgWTSz+dAdyzPrGUYmi2Q+WFX8g2hqVEZU= +cloud.google.com/go/iam v1.3.1 h1:KFf8SaT71yYq+sQtRISn90Gyhyf4X8RGgeAVC8XGf3E= +cloud.google.com/go/iam v1.3.1/go.mod h1:3wMtuyT4NcbnYNPLMBzYRFiEfjKfJlLVLrisE7bwm34= +cloud.google.com/go/logging v1.13.0 h1:7j0HgAp0B94o1YRDqiqm26w4q1rDMH7XNRU34lJXHYc= +cloud.google.com/go/logging v1.13.0/go.mod h1:36CoKh6KA/M0PbhPKMq6/qety2DCAErbhXT62TuXALA= +cloud.google.com/go/longrunning v0.6.4 h1:3tyw9rO3E2XVXzSApn1gyEEnH2K9SynNQjMlBi3uHLg= +cloud.google.com/go/longrunning v0.6.4/go.mod h1:ttZpLCe6e7EXvn9OxpBRx7kZEB0efv8yBO6YnVMfhJs= +cloud.google.com/go/monitoring v1.22.1 h1:KQbnAC4IAH+5x3iWuPZT5iN9VXqKMzzOgqcYB6fqPDE= +cloud.google.com/go/monitoring v1.22.1/go.mod h1:AuZZXAoN0WWWfsSvET1Cpc4/1D8LXq8KRDU87fMS6XY= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= 
cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= @@ -56,8 +56,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 cloud.google.com/go/storage v1.12.0/go.mod h1:fFLk2dp2oAhDz8QFKwqrjdJvxSp/W2g7nillojlL5Ho= cloud.google.com/go/storage v1.49.0 h1:zenOPBOWHCnojRd9aJZAyQXBYqkJkdQS42dxL55CIMw= cloud.google.com/go/storage v1.49.0/go.mod h1:k1eHhhpLvrPjVGfo0mOUPEJ4Y2+a/Hv5PiwehZI9qGU= -cloud.google.com/go/trace v1.11.2 h1:4ZmaBdL8Ng/ajrgKqY5jfvzqMXbrDcBsUGXOT9aqTtI= -cloud.google.com/go/trace v1.11.2/go.mod h1:bn7OwXd4pd5rFuAnTrzBuoZ4ax2XQeG3qNgYmfCy0Io= +cloud.google.com/go/trace v1.11.3 h1:c+I4YFjxRQjvAhRmSsmjpASUKq88chOX854ied0K/pE= +cloud.google.com/go/trace v1.11.3/go.mod h1:pt7zCYiDSQjC9Y2oqCsh9jF4GStB/hmjrYLsxRR27q8= contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d h1:LblfooH1lKOpp1hIhukktmSAxFkqMPFk9KR6iZ0MJNI= contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d/go.mod h1:IshRmMJBhDfFj5Y67nVhMYTTIze91RUeT73ipWKs/GY= contrib.go.opencensus.io/exporter/prometheus v0.4.2 h1:sqfsYl5GIY/L570iT+l93ehxaWJs2/OwXtiWwew3oAg= 
@@ -84,8 +84,8 @@ github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDo github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2 h1:qiir/pptnHqp6hV8QwV+IExYIf6cPsXBfUDUXQ27t2Y= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2/go.mod h1:jVRrRDLCOuif95HDYC23ADTMlvahB7tMdl519m9Iyjc= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.6.0 h1:ui3YNbxfW7J3tTFIZMH6LIGRjCngp+J+nIFlnizfNTE= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.6.0/go.mod h1:gZmgV+qBqygoznvqo2J9oKZAFziqhLZ2xE/WVUmzkHA= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.7.0 h1:LkHbJbgF3YyvC53aqYGR+wWQDn2Rdp9AQdGndf9QvY4= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.7.0/go.mod h1:QyiQdW4f4/BIfB8ZutZ2s+28RAgfa/pT+zS++ZHyM1I= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice v1.0.0 h1:figxyQZXzZQIcP3njhC68bYUiTw45J8/SsHaLW8Ax0M= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice v1.0.0/go.mod h1:TmlMW4W5OvXOmOyKNnor8nlMMiO1ctIyzmHme/VHsrA= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do= 
@@ -156,14 +156,14 @@ github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8V github.com/andygrunwald/go-jira v1.17.0 h1:bbu5H676l6MaNcV6A7VDIAjIOQVgzNGEhNAwNI/Cjgo= github.com/andygrunwald/go-jira v1.17.0/go.mod h1:tiZsPUu9824bwcI2BUXatE4hJbs9rUOif0nv1lkq1hQ= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= -github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= -github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= +github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= +github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU= -github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE= +github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= github.com/aws/aws-sdk-go-v2 v1.38.1 h1:j7sc33amE74Rz0M/PoCpsZQ6OunLqys/m5antM0J+Z8= github.com/aws/aws-sdk-go-v2 v1.38.1/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.0 h1:6GMWV6CNpA/6fbFHnoAjrv4+LGfyTqZz2LtCHnspgDg= 
@@ -225,8 +225,8 @@ github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= -github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= +github.com/chai2010/gettext-go v1.0.3 h1:9liNh8t+u26xl5ddmWLmsOsdNLwkdRTg5AG+JnTiM80= +github.com/chai2010/gettext-go v1.0.3/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs= github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs= github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww= 
@@ -238,8 +238,8 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= github.com/cjwagner/httpcache v0.0.0-20230907212505-d4841bbad466 h1:eUjwn08FDjbj8vBM31026tjBraJCu+qpDvo/q0EAvQk= github.com/cjwagner/httpcache v0.0.0-20230907212505-d4841bbad466/go.mod h1:f7xZ2fRr8CqTp834KCxLW2pOXC/raqwhTbEvtxu/lRo= -github.com/clarketm/json v1.13.4 h1:0JketcMdLC16WGnRGJiNmTXuQznDEQaiknxSPRBxg+k= -github.com/clarketm/json v1.13.4/go.mod h1:ynr2LRfb0fQU34l07csRNBTcivjySLLiY1YzQqKVfdo= +github.com/clarketm/json v1.17.1 h1:U1IxjqJkJ7bRK4L6dyphmoO840P6bdhPdbbLySourqI= +github.com/clarketm/json v1.17.1/go.mod h1:ynr2LRfb0fQU34l07csRNBTcivjySLLiY1YzQqKVfdo= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cloudevents/sdk-go/v2 v2.15.2 h1:54+I5xQEnI73RBhWHxbI1XJcqOFOVJN85vb41+8mHUc= github.com/cloudevents/sdk-go/v2 v2.15.2/go.mod h1:lL7kSWAE/V8VI4Wh0jbL2v/jvqsm6tjmaQBSvxcv4uE= 
@@ -503,8 +503,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/wire v0.6.0 h1:HBkoIh4BdSxoyo9PveV8giw7ZsaBOvzWKfcg/6MrVwI= github.com/google/wire v0.6.0/go.mod h1:F4QhpQ9EDIdJ1Mbop/NZBRB+5yrR6qg3BnctaoUk6NA= -github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw= -github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA= +github.com/googleapis/enterprise-certificate-proxy v0.3.5 h1:VgzTY2jogw3xt39CusEnFJWm7rlsq5yL5q9XdLOuP5g= +github.com/googleapis/enterprise-certificate-proxy v0.3.5/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.14.1 h1:hb0FFeiPaQskmvakKu5EbCbpntQn48jyHuvrkurSS/Q= 
@@ -669,8 +669,8 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= 
@@ -730,8 +730,9 @@ github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1 github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0= github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw= -github.com/prometheus/statsd_exporter v0.22.7 h1:7Pji/i2GuhK6Lu7DHrtTkFmNBCudCPT1pX2CziuyQR0= github.com/prometheus/statsd_exporter v0.22.7/go.mod h1:N/TevpjkIh9ccs6nuzY3jQn9dFqnUakOjnEuMPJJJnI= +github.com/prometheus/statsd_exporter v0.24.0 h1:aZmN6CzS2H1Non1JKZdjkQlAkDtGoQBYIESk2SlU1OI= +github.com/prometheus/statsd_exporter v0.24.0/go.mod h1:+dQiRTqn9DnPmN5mI5Xond+k8nuRKzdgh1omxh9OgFY= github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho= github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5/go.mod h1:fyalQWdtzDBECAQFBJuQe5bzQ02jGd5Qcbgb97Flm7U= github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb27yVE+gIAfeqp8LUCc= @@ -898,8 +899,8 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= -go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= go4.org v0.0.0-20201209231011-d4a079459e60 h1:iqAGo78tVOJXELHQFRjR6TMwItrvXH4hrGJ32I/NFF8= 
@@ -1216,8 +1217,8 @@ google.golang.org/api v0.31.0/go.mod h1:CL+9IBCa2WWU6gRuBWaKqGWLFFwbEUXkfeMkHLQW google.golang.org/api v0.32.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.223.0 h1:JUTaWEriXmEy5AhvdMgksGGPEFsYfUKaPEYXd4c3Wvc= -google.golang.org/api v0.223.0/go.mod h1:C+RS7Z+dDwds2b+zoAk5hN/eSfsiCn0UDrYof/M4d2M= +google.golang.org/api v0.224.0 h1:Ir4UPtDsNiwIOHdExr3fAj4xZ42QjK7uQte3lORLJwU= +google.golang.org/api v0.224.0/go.mod h1:3V39my2xAGkodXy0vEqcEtkqgw2GtrFL5WuBZlCTCOQ= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1264,8 +1265,8 @@ google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201203001206-6486ece9c497/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201209185603-f92720507ed4/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk= -google.golang.org/genproto v0.0.0-20241118233622-e639e219e697/go.mod h1:JJrvXBWRZaFMxBufik1a4RpFw4HhgVtBBWQeQgUj2cc= +google.golang.org/genproto v0.0.0-20250115164207-1a7da9e5054f h1:387Y+JbxF52bmesc8kq1NyYIp33dnxCw6eiA7JMsTmw= +google.golang.org/genproto v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:0joYwWwLQh18AOj8zMYeZLjzuqcYTU3/nC5JdCvC3JI= google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY= google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE= google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE= 
@@ -1311,8 +1312,8 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= -gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo= +gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 
@@ -1371,12 +1372,12 @@ k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-aggregator v0.34.0 h1:XE4u+HOYkj0g44sblhTtPv+QyIIK7sJxrIlia0731kE= k8s.io/kube-aggregator v0.34.0/go.mod h1:GIUqdChXVC448Vp2Wgxf0m6fir7Xt3A2TAZcs2JNG1Y= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= -k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= -k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= k8s.io/kubectl v0.34.1 h1:1qP1oqT5Xc93K+H8J7ecpBjaz511gan89KO9Vbsh/OI= k8s.io/kubectl v0.34.1/go.mod h1:JRYlhJpGPyk3dEmJ+BuBiOB9/dAvnrALJEiY/C5qa6A= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= knative.dev/pkg v0.0.0-20240416145024-0f34a8815650 h1:m2ahFUO0L2VrgGDYdyOUFdE6xBd3pLXAJozLJwqLRQM= knative.dev/pkg v0.0.0-20240416145024-0f34a8815650/go.mod h1:soFw5ss08G4PU3JiFDKqiZRd2U7xoqcfNpJP1coIXkY= oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= diff --git a/tooling/hcpctl/go.mod b/tooling/hcpctl/go.mod index de46c92641..0f5f4e840d 100644 --- a/tooling/hcpctl/go.mod +++ b/tooling/hcpctl/go.mod 
@@ -13,7 +13,7 @@ require ( github.com/go-logr/logr v1.4.3 github.com/google/go-cmp v0.7.0 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 - github.com/openshift/hypershift/api v0.0.0-20240604072534-cd2d5291e2b7 + github.com/openshift/hypershift/api v0.0.0-20251113182218-95835694eb99 github.com/spf13/cobra v1.10.2 github.com/stretchr/testify v1.11.1 golang.org/x/sync v0.19.0 @@ -42,7 +42,7 @@ require ( github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/blang/semver/v4 v4.0.0 // indirect - github.com/chai2010/gettext-go v1.0.2 // indirect + github.com/chai2010/gettext-go v1.0.3 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.12.2 // indirect github.com/evanphx/json-patch/v5 v5.9.11 // indirect @@ -77,12 +77,9 @@ require ( github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect - github.com/onsi/ginkgo/v2 v2.23.4 // indirect - github.com/onsi/gomega v1.37.0 // indirect github.com/openshift/api v0.0.0-20250609083529-2b129d95495e // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect - github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.23.2 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect 
@@ -93,7 +90,7 @@ require ( github.com/stretchr/objx v0.5.2 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xlab/treeprint v1.2.0 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/crypto v0.46.0 // indirect golang.org/x/net v0.47.0 // indirect @@ -103,13 +100,13 @@ require ( golang.org/x/text v0.32.0 // indirect golang.org/x/time v0.14.0 // indirect google.golang.org/protobuf v1.36.10 // indirect - gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect + gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect k8s.io/component-base v0.34.1 // indirect k8s.io/component-helpers v0.34.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect - k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect + k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect + k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect sigs.k8s.io/kustomize/api v0.20.1 // indirect sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect diff --git a/tooling/hcpctl/go.sum b/tooling/hcpctl/go.sum index 96ccac8cb0..45c23b3903 100644 --- a/tooling/hcpctl/go.sum +++ b/tooling/hcpctl/go.sum 
@@ -40,6 +40,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2 github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -48,8 +50,8 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= -github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= +github.com/chai2010/gettext-go v1.0.3 h1:9liNh8t+u26xl5ddmWLmsOsdNLwkdRTg5AG+JnTiM80= +github.com/chai2010/gettext-go v1.0.3/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= 
@@ -151,20 +153,18 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/openshift/api v0.0.0-20250609083529-2b129d95495e h1:QjdoupNBBgSMDypMWsbhb+/yfyv27b3mqT9eVj8g0h4= github.com/openshift/api v0.0.0-20250609083529-2b129d95495e/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw= -github.com/openshift/hypershift/api v0.0.0-20240604072534-cd2d5291e2b7 h1:RxPiVgFstgDDK/W4djXU6/w8zfX6pFVXIe6+z6m61nk= -github.com/openshift/hypershift/api v0.0.0-20240604072534-cd2d5291e2b7/go.mod h1:IDXXroBJeH+nIHkA17S3Yq2QDQg02tMnCWOXoyZVOLY= +github.com/openshift/hypershift/api v0.0.0-20251113182218-95835694eb99 h1:SBw+YbcPyy+1gkvyl74bycv+CZIKy8Xwyuy3pqXCLvo= +github.com/openshift/hypershift/api v0.0.0-20251113182218-95835694eb99/go.mod h1:JiaoBwTsYtBVKKPgHcajChZCu20KdM97W2xc0MeBCBA= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv 
v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -214,16 +214,14 @@ github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= -go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 
@@ -238,6 +236,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= +golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -311,8 +311,8 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/dnaeon/go-vcr.v4 v4.0.2 h1:7T5VYf2ifyK01ETHbJPl5A6XTpUljD4Trw3GEDcdedk= gopkg.in/dnaeon/go-vcr.v4 v4.0.2/go.mod h1:65yxh9goQVrudqofKtHA4JNFWd6XZRkWfKN4YpMx7KI= -gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= -gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo= +gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -336,12 +336,12 @@ k8s.io/component-helpers v0.34.1 h1:gWhH3CCdwAx5P3oJqZKb4Lg5FYZTWVbdWtOI8n9U4XY= k8s.io/component-helpers v0.34.1/go.mod h1:4VgnUH7UA/shuBur+OWoQC0xfb69sy/93ss0ybZqm3c= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= -k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= +k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= k8s.io/kubectl v0.34.1 h1:1qP1oqT5Xc93K+H8J7ecpBjaz511gan89KO9Vbsh/OI= k8s.io/kubectl v0.34.1/go.mod h1:JRYlhJpGPyk3dEmJ+BuBiOB9/dAvnrALJEiY/C5qa6A= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0= -k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= +k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y= sigs.k8s.io/controller-runtime v0.22.3/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= diff --git a/tooling/helmtest/go.mod b/tooling/helmtest/go.mod index f89fec592e..e9c6b3c49b 100644 --- a/tooling/helmtest/go.mod +++ b/tooling/helmtest/go.mod 
@@ -26,7 +26,7 @@ require ( github.com/ProtonMail/go-crypto v1.3.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/blang/semver/v4 v4.0.0 // indirect - github.com/chai2010/gettext-go v1.0.2 // indirect + github.com/chai2010/gettext-go v1.0.3 // indirect github.com/cloudflare/circl v1.6.1 // indirect github.com/coreos/go-systemd/v22 v22.6.0 // indirect github.com/cyphar/filepath-securejoin v0.5.0 // indirect @@ -82,11 +82,12 @@ require ( github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect + github.com/onsi/ginkgo/v2 v2.27.2 // indirect + github.com/onsi/gomega v1.38.2 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.1 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect - github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.23.2 // indirect github.com/redis/go-redis/v9 v9.8.0 // indirect @@ -113,7 +114,7 @@ require ( go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.37.0 // indirect go.opentelemetry.io/otel/sdk/log v0.14.0 // indirect go.opentelemetry.io/proto/otlp v1.7.1 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/crypto v0.46.0 // indirect golang.org/x/net v0.47.0 // indirect 
@@ -125,7 +126,7 @@ require ( golang.org/x/time v0.14.0 // indirect google.golang.org/grpc v1.76.0 // indirect google.golang.org/protobuf v1.36.10 // indirect - gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect + gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/api v0.34.1 // indirect @@ -136,9 +137,9 @@ require ( k8s.io/client-go v0.34.1 // indirect k8s.io/component-base v0.34.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect + k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect k8s.io/kubectl v0.34.1 // indirect - k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect + k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect oras.land/oras-go/v2 v2.6.0 // indirect sigs.k8s.io/controller-runtime v0.22.3 // indirect sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect diff --git a/tooling/helmtest/go.sum b/tooling/helmtest/go.sum index 88c76be8ab..148f241575 100644 --- a/tooling/helmtest/go.sum +++ b/tooling/helmtest/go.sum 
@@ -50,8 +50,8 @@ github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1x github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= -github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= +github.com/chai2010/gettext-go v1.0.3 h1:9liNh8t+u26xl5ddmWLmsOsdNLwkdRTg5AG+JnTiM80= +github.com/chai2010/gettext-go v1.0.3/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0= github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= github.com/coreos/go-systemd/v22 v22.6.0 h1:aGVa/v8B7hpb0TKl0MWoAavPDmHvobFe5R5zn0bCJWo= 
@@ -223,10 +223,10 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= 
@@ -235,8 +235,6 @@ github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+v
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -346,16 +344,14 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr
 go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
 go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -418,8 +414,8 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -448,12 +444,12 @@ k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A=
 k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
 k8s.io/kubectl v0.34.1 h1:1qP1oqT5Xc93K+H8J7ecpBjaz511gan89KO9Vbsh/OI=
 k8s.io/kubectl v0.34.1/go.mod h1:JRYlhJpGPyk3dEmJ+BuBiOB9/dAvnrALJEiY/C5qa6A=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc=
 oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o=
 sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y=
diff --git a/tooling/olm-bundle-repkg/go.mod b/tooling/olm-bundle-repkg/go.mod
index 8aab3d43cc..8cfae6e1be 100644
--- a/tooling/olm-bundle-repkg/go.mod
+++ b/tooling/olm-bundle-repkg/go.mod
@@ -49,8 +49,8 @@ require (
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
- github.com/onsi/ginkgo/v2 v2.23.4 // indirect
- github.com/onsi/gomega v1.37.0 // indirect
+ github.com/onsi/ginkgo/v2 v2.27.2 // indirect
+ github.com/onsi/gomega v1.38.2 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.1 // indirect
 github.com/pkg/errors v0.9.1 // indirect
@@ -63,7 +63,7 @@ require (
 github.com/spf13/pflag v1.0.10 // indirect
 github.com/vbatts/tar-split v0.12.2 // indirect
 github.com/x448/float16 v0.8.4 // indirect
- go.yaml.in/yaml/v2 v2.4.2 // indirect
+ go.yaml.in/yaml/v2 v2.4.3 // indirect
 go.yaml.in/yaml/v3 v3.0.4 // indirect
 golang.org/x/net v0.47.0 // indirect
 golang.org/x/oauth2 v0.30.0 // indirect
@@ -72,13 +72,14 @@ require (
 golang.org/x/term v0.38.0 // indirect
 golang.org/x/time v0.14.0 // indirect
 google.golang.org/protobuf v1.36.10 // indirect
+ gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 gotest.tools/v3 v3.5.2 // indirect
 k8s.io/client-go v0.34.1 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
- k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
- k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect
+ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+ k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 sigs.k8s.io/randfill v1.0.0 // indirect
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
diff --git a/tooling/olm-bundle-repkg/go.sum b/tooling/olm-bundle-repkg/go.sum
index ed74f86203..688f9c591e 100644
--- a/tooling/olm-bundle-repkg/go.sum
+++ b/tooling/olm-bundle-repkg/go.sum
@@ -88,10 +88,10 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
-github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
-github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns=
+github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -136,16 +136,14 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -153,6 +151,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -195,8 +195,8 @@ google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -216,10 +216,10 @@ k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=
 k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 pkg.package-operator.run/cardboard/kubeutils v0.0.3 h1:Zjnrwv1zCC/lrC12HUIahCsT3Z8RodsPkMnZqlapi3Q=
 pkg.package-operator.run/cardboard/kubeutils v0.0.3/go.mod h1:OuVwlFUlvI51Hnlac6T8iFX2Hr0GLRnLne1EOvHnS90=
 sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y=
diff --git a/tooling/pipeline-documentation/go.mod b/tooling/pipeline-documentation/go.mod
index 84db9e718a..317c3fec5c 100644
--- a/tooling/pipeline-documentation/go.mod
+++ b/tooling/pipeline-documentation/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/kr/pretty v0.3.1 // indirect
 github.com/spf13/pflag v1.0.10 // indirect
- go.yaml.in/yaml/v2 v2.4.2 // indirect
+ go.yaml.in/yaml/v2 v2.4.3 // indirect
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 k8s.io/apimachinery v0.34.3 // indirect
 )
diff --git a/tooling/pipeline-documentation/go.sum b/tooling/pipeline-documentation/go.sum
index 716e13eabc..3e1671fd53 100644
--- a/tooling/pipeline-documentation/go.sum
+++ b/tooling/pipeline-documentation/go.sum
@@ -27,8 +27,8 @@ github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiT
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/tooling/prometheus-rules/go.mod b/tooling/prometheus-rules/go.mod
index 7e3e5a3337..ad12d413fb 100644
--- a/tooling/prometheus-rules/go.mod
+++ b/tooling/prometheus-rules/go.mod
@@ -9,7 +9,7 @@ require (
 github.com/sirupsen/logrus v1.9.3
 github.com/stretchr/testify v1.11.1
 k8s.io/apimachinery v0.34.3
- k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
+ k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 sigs.k8s.io/yaml v1.6.0
 )
@@ -30,7 +30,7 @@ require (
 github.com/rogpeppe/go-internal v1.14.1 // indirect
 github.com/spf13/pflag v1.0.10 // indirect
 github.com/x448/float16 v0.8.4 // indirect
- go.yaml.in/yaml/v2 v2.4.2 // indirect
+ go.yaml.in/yaml/v2 v2.4.3 // indirect
 golang.org/x/crypto v0.46.0 // indirect
 golang.org/x/net v0.47.0 // indirect
 golang.org/x/sys v0.39.0 // indirect
diff --git a/tooling/prometheus-rules/go.sum b/tooling/prometheus-rules/go.sum
index 116baaf0d9..005aaa95de 100644
--- a/tooling/prometheus-rules/go.sum
+++ b/tooling/prometheus-rules/go.sum
@@ -71,8 +71,8 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -125,8 +125,8 @@ k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE=
 k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
diff --git a/tooling/secret-sync/go.mod b/tooling/secret-sync/go.mod
index b1c22e7b20..6154a24180 100644
--- a/tooling/secret-sync/go.mod
+++ b/tooling/secret-sync/go.mod
@@ -23,7 +23,7 @@ require (
 github.com/kylelemons/godebug v1.1.0 // indirect
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 github.com/spf13/pflag v1.0.10 // indirect
- go.yaml.in/yaml/v2 v2.4.2 // indirect
+ go.yaml.in/yaml/v2 v2.4.3 // indirect
 golang.org/x/crypto v0.46.0 // indirect
 golang.org/x/net v0.47.0 // indirect
 golang.org/x/sync v0.19.0 // indirect
diff --git a/tooling/secret-sync/go.sum b/tooling/secret-sync/go.sum
index fc17f112e3..0713dce303 100644
--- a/tooling/secret-sync/go.sum
+++ b/tooling/secret-sync/go.sum
@@ -55,8 +55,8 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
diff --git a/tooling/templatize/go.mod b/tooling/templatize/go.mod
index baa5f6da9c..2f59b81a1a 100644
--- a/tooling/templatize/go.mod
+++ b/tooling/templatize/go.mod
@@ -27,7 +27,7 @@ require (
 golang.org/x/sync v0.19.0
 k8s.io/apimachinery v0.34.3
 k8s.io/client-go v0.34.1
- k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
+ k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 sigs.k8s.io/yaml v1.6.0
 )
@@ -49,7 +49,7 @@ require (
 github.com/ProtonMail/go-crypto v1.3.0 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/blang/semver/v4 v4.0.0 // indirect
- github.com/chai2010/gettext-go v1.0.2 // indirect
+ github.com/chai2010/gettext-go v1.0.3 // indirect
 github.com/cloudflare/circl v1.6.1 // indirect
 github.com/coreos/go-systemd/v22 v22.6.0 // indirect
 github.com/cyphar/filepath-securejoin v0.5.0 // indirect
@@ -111,11 +111,12 @@ require (
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+ github.com/onsi/ginkgo/v2 v2.27.2 // indirect
+ github.com/onsi/gomega v1.38.2 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.1 // indirect
 github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
- github.com/pkg/errors v0.9.1 // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/prometheus/client_golang v1.23.2 // indirect
 github.com/redis/go-redis/v9 v9.8.0 // indirect
@@ -151,7 +152,7 @@ require (
 go.opentelemetry.io/proto/otlp v1.7.1 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
- go.yaml.in/yaml/v2 v2.4.2 // indirect
+ go.yaml.in/yaml/v2 v2.4.3 // indirect
 go.yaml.in/yaml/v3 v3.0.4 // indirect
 golang.org/x/crypto v0.46.0 // indirect
 golang.org/x/image v0.25.0 // indirect
@@ -163,7 +164,7 @@ require (
 golang.org/x/time v0.14.0 // indirect
 google.golang.org/grpc v1.76.0 // indirect
 google.golang.org/protobuf v1.36.10 // indirect
- gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+ gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 helm.sh/helm/v4 v4.0.0-beta.2 // indirect
@@ -173,7 +174,7 @@ require (
 k8s.io/cli-runtime v0.34.1 // indirect
 k8s.io/component-base v0.34.1 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
- k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 k8s.io/kubectl v0.34.1 // indirect
 oras.land/oras-go/v2 v2.6.0 // indirect
 sigs.k8s.io/controller-runtime v0.22.3 // indirect
diff --git a/tooling/templatize/go.sum b/tooling/templatize/go.sum
index 2693548f69..fc59800441 100644
--- a/tooling/templatize/go.sum
+++ b/tooling/templatize/go.sum
@@ -78,8 +78,8 @@ github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1x
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
-github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
+github.com/chai2010/gettext-go v1.0.3 h1:9liNh8t+u26xl5ddmWLmsOsdNLwkdRTg5AG+JnTiM80=
+github.com/chai2010/gettext-go v1.0.3/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
 github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
 github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/coreos/go-systemd/v22 v22.6.0 h1:aGVa/v8B7hpb0TKl0MWoAavPDmHvobFe5R5zn0bCJWo=
@@ -285,10 +285,10 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
-github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
-github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns=
+github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -297,8 +297,6 @@ github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+v
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -424,16 +422,14 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr
 go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
 go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -499,8 +495,8 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -527,12 +523,12 @@ k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A=
 k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
 k8s.io/kubectl v0.34.1 h1:1qP1oqT5Xc93K+H8J7ecpBjaz511gan89KO9Vbsh/OI=
 k8s.io/kubectl v0.34.1/go.mod h1:JRYlhJpGPyk3dEmJ+BuBiOB9/dAvnrALJEiY/C5qa6A=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc=
 oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o=
 sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y=
diff --git a/tooling/yamlwrap/go.mod b/tooling/yamlwrap/go.mod
index a3544dcfc2..8bb0bc29d9 100644
--- a/tooling/yamlwrap/go.mod
+++ b/tooling/yamlwrap/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/kr/pretty v0.3.1 // indirect
 github.com/spf13/pflag v1.0.10 // indirect
- go.yaml.in/yaml/v2 v2.4.2 // indirect
+ go.yaml.in/yaml/v2 v2.4.3 // indirect
 golang.org/x/sync v0.19.0 // indirect
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 sigs.k8s.io/yaml v1.6.0 // indirect
diff --git a/tooling/yamlwrap/go.sum b/tooling/yamlwrap/go.sum
index e7e8fe72f1..afa5a0cc4d 100644
--- a/tooling/yamlwrap/go.sum
+++ b/tooling/yamlwrap/go.sum
@@ -33,8 +33,8 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
diff --git a/topology.yaml b/topology.yaml
index a281a62568..f8cbb1ad8a 100644
--- a/topology.yaml
+++ b/topology.yaml
@@ -38,6 +38,9 @@ services:
 - serviceGroup: Microsoft.Azure.ARO.HCP.AdminAPI
 pipelinePath: admin/pipeline.yaml
 purpose: Deploy the Admin API.
+ - serviceGroup: Microsoft.Azure.ARO.HCP.SessionGate
+ pipelinePath: sessiongate/pipeline.yaml
+ purpose: Deploy the Session Gate.
 pipelinePath: dev-infrastructure/svc-pipeline.yaml
 purpose: Deploy the service cluster and supporting infrastructure.
 - serviceGroup: Microsoft.Azure.ARO.HCP.Management.Infra