Description
GitRepoRestriction resources can be used to set defaults for GitRepos and to restrict their values.
Default values for GitRepo resources, configured through a GitRepoRestriction resource, are not applied, although the restrictions themselves remain functional.
- defaultServiceAccount
- defaultClientSecretName
Additional QA
Problem
Default values for GitRepo resources, configured through a GitRepoRestriction resource, are not applied, although the restrictions themselves remain functional.
See https://fleet.rancher.io/namespaces#restricting-gitrepos and https://fleet.rancher.io/ref-crds#gitreporestriction for all options.
This affects these fields:
- defaultServiceAccount
- defaultClientSecretName
As described in https://fleet.rancher.io/multi-user#restricting-access-to-downstream-clusters, one can create a GitRepoRestriction resource to limit the fields of GitRepo resources.
Solution
Fix the code so that the GitRepo is mutated once again.
Testing
Automated Testing
The PR adds unit tests.
QA Testing Considerations
When a GitRepoRestriction resource is created in the same namespace as a GitRepo, it should overwrite the GitRepo's values with the defaults. This was broken in 0.11.0.
When a disallowed value is used, the GitRepo should not be processed at all; this worked before and was not broken.
Please test with a different service account on the downstream cluster, e.g.:
```yaml
kind: GitRepoRestriction
apiVersion: fleet.cattle.io/v1alpha1
metadata:
  name: restriction
  namespace: project1
defaultServiceAccount: limited-service-account
```
That service account must be created manually on the downstream cluster. If it does not have enough access to create a resource from the bundle, the deployment will fail.
```yaml
kind: GitRepoRestriction
apiVersion: fleet.cattle.io/v1alpha1
metadata:
  name: restriction
  namespace: project1
defaultClientSecretName: basic-auth-secret
```
This will default the clientSecretName of the GitRepo spec (see https://fleet.rancher.io/ref-crds#gitrepospec), which is used to clone the git repository.
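To make the expected behaviour from the QA section checkable outside a cluster, here is an added Go example (not Fleet's own code) of the mutate-then-validate step: empty GitRepo fields receive the restriction's defaults, and a disallowed serviceAccount causes the GitRepo to be rejected. The struct types, the `AllowedServiceAccounts` allow-list and the order "apply defaults, then validate" are assumptions made for this example, not Fleet's actual types or logic.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the Fleet CRDs (not Fleet's own Go types).
type GitRepoRestriction struct {
	DefaultServiceAccount   string   // applied when spec.serviceAccount is empty
	DefaultClientSecretName string   // applied when spec.clientSecretName is empty
	AllowedServiceAccounts  []string // empty list = serviceAccount unrestricted (assumed)
}
type GitRepoSpec struct {
	ServiceAccount   string
	ClientSecretName string
}
var ErrDisallowed = errors.New("value not permitted by GitRepoRestriction")

// ApplyRestriction is the mutate-then-validate step: empty fields receive the
// restriction's defaults (the part broken in 0.11.0), then serviceAccount is
// checked against the allow-list; a disallowed value means the GitRepo is not processed.
func ApplyRestriction(r *GitRepoRestriction, spec GitRepoSpec) (GitRepoSpec, error) {
	if r == nil { // no GitRepoRestriction in the namespace: leave the GitRepo untouched
		return spec, nil
	}
	if spec.ServiceAccount == "" {
		spec.ServiceAccount = r.DefaultServiceAccount
	}
	if spec.ClientSecretName == "" {
		spec.ClientSecretName = r.DefaultClientSecretName
	}
	if err := checkAllowed("serviceAccount", spec.ServiceAccount, r.AllowedServiceAccounts); err != nil {
		return GitRepoSpec{}, err
	}
	return spec, nil
}

// checkAllowed rejects a non-empty value that is missing from a non-empty allow-list.
func checkAllowed(field, value string, allowed []string) error {
	if value == "" || len(allowed) == 0 {
		return nil
	}
	for _, a := range allowed {
		if a == value {
			return nil
		}
	}
	return fmt.Errorf("%w: %s=%q", ErrDisallowed, field, value)
}
```

The constructed inputs in the test mirror the two QA manifests above: a restriction defaulting `limited-service-account` and `basic-auth-secret`, and a GitRepo that names a service account outside the allow-list.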