Merge pull request #318 from sabre1041/exclude-invalid-names

Support for excluding invalid group names

Author: raffaelespazzoli

Makefile

@@ -79,6 +79,17 @@ BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 # example.com/memcached-operator-bundle:$VERSION and example.com/memcached-operator-catalog:$VERSION.
 IMAGE_TAG_BASE ?= quay.io/redhat-cop/$(OPERATOR_NAME)
 
+# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
+BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+
+# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
+# You can enable this value if you would like to use SHA Based Digests
+# To enable set flag to true
+USE_IMAGE_DIGESTS ?= false
+ifeq ($(USE_IMAGE_DIGESTS), true)
+	BUNDLE_GEN_FLAGS += --use-image-digests
+endif
+
 # BUNDLE_IMG defines the image:tag used for the bundle.
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
 BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)

api/v1alpha1/groupsync_types.go

@@ -46,6 +46,11 @@ type GroupSyncSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Schedule",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
 	// +kubebuilder:validation:Optional
 	Schedule string `json:"schedule,omitempty"`
+
+	// ExcludeInvalidGroupNames excludes Groups with names that are not RFC 1035 compliant.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Exclude Invalid Group Names",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
+	// +kubebuilder:validation:Optional
+	ExcludeInvalidGroupNames bool `json:"excludeInvalidGroupNames,omitempty"`
 }
 
 // GroupSyncStatus defines the observed state of GroupSync

config/crd/bases/redhatcop.redhat.io_groupsyncs.yaml

@@ -31,6 +31,9 @@ spec:
             spec:
               description: GroupSyncSpec defines the desired state of GroupSync
               properties:
+                excludeInvalidGroupNames:
+                  description: ExcludeInvalidGroupNames excludes Groups with names that are not RFC 1035 compliant.
+                  type: boolean
                 providers:
                   description: List of Providers that can be mounted by containers belonging to the pod.
                   items:

config/manifests/bases/group-sync-operator.clusterserviceversion.yaml

@@ -33,6 +33,12 @@ spec:
       kind: GroupSync
       name: groupsyncs.redhatcop.redhat.io
       specDescriptors:
+      - description: ExcludeInvalidGroupNames excludes Groups with names that are
+          not RFC 1035 compliant.
+        displayName: Exclude Invalid Group Names
+        path: excludeInvalidGroupNames
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: List of Providers that can be mounted by containers belonging
           to the pod.
         displayName: Providers
@@ -721,7 +727,7 @@ spec:
         displayName: Last Sync Success Time
         path: lastSyncSuccessTime
       version: v1alpha1
-  description: |-
+  description: |
     Synchronizes groups from external providers into OpenShift
 
     ## Overview
@@ -881,7 +887,7 @@ spec:
 
     ```shell
     oc create secret generic gitlab-group-sync --from-literal=token=<token> --from-literal=tokenType=personal
-    ``` 
+    ```
 
     The following keys are required for username and password:
 

controllers/groupsync_controller.go

@@ -19,6 +19,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -32,6 +33,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	apimachineryvalidation "k8s.io/apimachinery/pkg/util/validation"
 	kubeclock "k8s.io/utils/clock"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -125,6 +127,15 @@ func (r *GroupSyncReconciler) Reconcile(context context.Context, req ctrl.Reques
 
 		for i, group := range groups {
 
+			// Verify valid Group Names
+			if instance.Spec.ExcludeInvalidGroupNames {
+				msgs := apimachineryvalidation.IsDNS1035Label(group.Name)
+				if len(msgs) > 0 {
+					r.Log.Info(fmt.Sprintf("Group '%s' contains invalid name: %s", group.Name, strings.Join(msgs, ",")))
+					continue
+				}
+			}
+
 			ocpGroup := &userv1.Group{}
 			err := r.GetClient().Get(context, types.NamespacedName{Name: group.Name, Namespace: ""}, ocpGroup)