Documentation
¶
Index ¶
- func SetupWorkspaceWebhookWithManager(mgr ctrl.Manager, operatorSA string) error
- type WorkspaceCustomDefaulter
- type WorkspaceCustomValidator
- func (v *WorkspaceCustomValidator) ValidateCreate(ctx context.Context, ws *tenantv1alpha1.Workspace) (admission.Warnings, error)
- func (v *WorkspaceCustomValidator) ValidateDelete(ctx context.Context, ws *tenantv1alpha1.Workspace) (admission.Warnings, error)
- func (v *WorkspaceCustomValidator) ValidateUpdate(ctx context.Context, oldWorkspace, newWorkspace *tenantv1alpha1.Workspace) (admission.Warnings, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func SetupWorkspaceWebhookWithManager ¶
SetupWorkspaceWebhookWithManager registers the webhook for Workspace in the manager. operatorSA is the full service account identity of the controller-manager (e.g. "system:serviceaccount:otterscale-system:tenant-operator-controller-manager") used to exempt the operator's own reconciliation updates from workspace-level authorization.
Types ¶
type WorkspaceCustomDefaulter ¶
type WorkspaceCustomDefaulter struct{}
WorkspaceCustomDefaulter is responsible for setting default values on the Workspace resource during CREATE and UPDATE operations. It synchronizes member subjects as labels to enable external API label selectors (e.g., "find all workspaces a user belongs to").
NOTE: The +kubebuilder:object:generate=false marker prevents controller-gen from generating DeepCopy methods, as it is used only for temporary operations and does not need to be deeply copied.
func (*WorkspaceCustomDefaulter) Default ¶
func (d *WorkspaceCustomDefaulter) Default(ctx context.Context, ws *tenantv1alpha1.Workspace) error
Default implements admission.Defaulter[*tenantv1alpha1.Workspace] so a webhook will be registered for the Kind Workspace. It ensures that labels with the prefix "user.otterscale.io/" mirror the current member subjects, removing stale entries and preserving all other labels.
type WorkspaceCustomValidator ¶
type WorkspaceCustomValidator struct {
// OperatorSA is the full service account identity of the controller-manager.
// It is injected at startup so the operator works regardless of the namespace it is deployed in.
OperatorSA string
// Reader is used to look up ClusterRoleBindings and existing Workspaces.
Reader client.Reader
}
WorkspaceCustomValidator enforces workspace-level authorization on all mutating operations. Create requests require the caller to list themselves as an admin member. Update and delete requests require workspace-admin (or cluster-level privileged) identity.
The authorization logic itself is kept in internal/workspace/ for testability; this validator is intentionally thin.
func (*WorkspaceCustomValidator) ValidateCreate ¶
func (v *WorkspaceCustomValidator) ValidateCreate(ctx context.Context, ws *tenantv1alpha1.Workspace) (admission.Warnings, error)
ValidateCreate ensures the requesting user is listed as an admin member of the new Workspace. Privileged callers (system:masters, operator SA, cluster-admin) bypass the check.
func (*WorkspaceCustomValidator) ValidateDelete ¶
func (v *WorkspaceCustomValidator) ValidateDelete(ctx context.Context, ws *tenantv1alpha1.Workspace) (admission.Warnings, error)
ValidateDelete ensures only workspace admins (or privileged identities) can delete a Workspace.
func (*WorkspaceCustomValidator) ValidateUpdate ¶
func (v *WorkspaceCustomValidator) ValidateUpdate(ctx context.Context, oldWorkspace, newWorkspace *tenantv1alpha1.Workspace) (admission.Warnings, error)
ValidateUpdate ensures only workspace admins (or privileged identities) can modify an existing Workspace. The check uses oldObj so that a user cannot grant themselves admin and approve in the same request.