WIP

On-behalf-of: @SAP [email protected]

Author: xrstf

hack/run-e2e-tests.sh

@@ -85,7 +85,7 @@ export IMG="ghcr.io/kcp-dev/kcp-operator:e2e"
 make --no-print-directory docker-build kind-load deploy
 
 if command -v protokol &> /dev/null; then
-  protokol --namespace 'e2e-*' --output "$DATA_DIR/kind-logs" 2>/dev/null &
+  protokol --namespace 'e2e-*' --namespace kcp-operator-system --output "$DATA_DIR/kind-logs" 2>/dev/null &
   PROTOKOL_PID=$!
 else
   echo "Install https://codeberg.org/xrstf/protokol to automatically"

internal/resources/kubeconfig/certificate.go

@@ -19,6 +19,7 @@ package kubeconfig
 import (
 	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	certmanagermetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 
 	"github.com/kcp-dev/kcp-operator/internal/reconciling"
 	"github.com/kcp-dev/kcp-operator/internal/resources"
@@ -27,6 +28,9 @@ import (
 )
 
 func ClientCertificateReconciler(kubeConfig *operatorv1alpha1.Kubeconfig, issuerName string) reconciling.NamedCertificateReconcilerFactory {
+	orgs := sets.New(kubeConfig.Spec.Groups...)
+	orgs.Insert(KubeconfigGroup(kubeConfig))
+
 	return func() (string, reconciling.CertificateReconciler) {
 		return kubeConfig.GetCertificateName(), func(cert *certmanagerv1.Certificate) (*certmanagerv1.Certificate, error) {
 			cert.SetLabels(kubeConfig.Labels)
@@ -50,7 +54,7 @@ func ClientCertificateReconciler(kubeConfig *operatorv1alpha1.Kubeconfig, issuer
 
 				CommonName: kubeConfig.Spec.Username,
 				Subject: &certmanagerv1.X509Subject{
-					Organizations: kubeConfig.Spec.Groups,
+					Organizations: sets.List(orgs),
 				},
 
 				IssuerRef: certmanagermetav1.ObjectReference{

test/e2e/frontproxies/frontproxies_test.go

@@ -33,6 +33,7 @@ import (
 
 	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
 	"github.com/kcp-dev/kcp-operator/test/utils"
+	"github.com/kcp-dev/logicalcluster/v3"
 )
 
 func TestCreateFrontProxy(t *testing.T) {
@@ -81,7 +82,7 @@ func TestCreateFrontProxy(t *testing.T) {
 
 	// verify that we can use frontproxy kubeconfig to access rootshard workspaces
 	t.Log("Connecting to FrontProxy...")
-	kcpClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, fpConfig.Name)
+	kcpClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, fpConfig.Name, logicalcluster.None)
 	// proof of life: list something every logicalcluster in kcp has
 	t.Log("Should be able to list Secrets.")
 	secrets := &corev1.SecretList{}

test/e2e/kubeconfig-rbac/frontproxies_test.go

@@ -0,0 +1,163 @@
+//go:build e2e
+
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubeconfigrbac
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/go-logr/logr"
+
+	kcptenancyv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/tenancy/v1alpha1"
+	"github.com/kcp-dev/logicalcluster/v3"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	ctrlruntime "sigs.k8s.io/controller-runtime"
+	ctrlruntimeclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
+	"github.com/kcp-dev/kcp-operator/test/utils"
+)
+
+func TestProvisionFrontProxyRBAC(t *testing.T) {
+	ctrlruntime.SetLogger(logr.Discard())
+
+	client := utils.GetKubeClient(t)
+	ctx := context.Background()
+
+	rootCluster := logicalcluster.NewPath("root")
+	namespace := utils.CreateSelfDestructingNamespace(t, ctx, client, "provision-frontproxy-rbac")
+	externalHostname := fmt.Sprintf("front-proxy-front-proxy.%s.svc.cluster.local", namespace.Name)
+
+	// deploy rootshard
+	rootShard := utils.DeployRootShard(ctx, t, client, namespace.Name, externalHostname)
+
+	// deploy front-proxy
+	frontProxy := utils.DeployFrontProxy(ctx, t, client, namespace.Name, rootShard.Name, externalHostname)
+
+	// create a dummy workspace where we later want to provision RBAC in
+	t.Log("Creating dummy workspace…")
+	workspace := &kcptenancyv1alpha1.Workspace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test",
+		},
+		Spec: kcptenancyv1alpha1.WorkspaceSpec{
+			Type: kcptenancyv1alpha1.WorkspaceTypeReference{
+				Name: "universal",
+			},
+		},
+	}
+
+	dummyCluster := rootCluster.Join(workspace.Name)
+	proxyClient := utils.ConnectWithRootShardProxy(t, ctx, client, &rootShard, rootCluster)
+	if err := proxyClient.Create(ctx, workspace); err != nil {
+		t.Fatalf("Failed to create workspace: %v", err)
+	}
+
+	// wait for workspace to be ready
+	t.Log("Waiting for workspace to be ready…")
+	dummyClient := utils.ConnectWithRootShardProxy(t, ctx, client, &rootShard, dummyCluster)
+
+	err := wait.PollUntilContextTimeout(ctx, 500*time.Millisecond, 30*time.Second, false, func(ctx context.Context) (done bool, err error) {
+		return dummyClient.List(ctx, &corev1.SecretList{}) == nil, nil
+	})
+	if err != nil {
+		t.Fatalf("Failed to wait for workspace to become available: %v", err)
+	}
+
+	// create my-config kubeconfig
+	configSecretName := "kubeconfig-my-config-e2e"
+
+	// as of now, this Kubeconfig will not grant any permissions yet
+	fpConfig := operatorv1alpha1.Kubeconfig{}
+	fpConfig.Name = "my-config"
+	fpConfig.Namespace = namespace.Name
+	fpConfig.Spec = operatorv1alpha1.KubeconfigSpec{
+		Target: operatorv1alpha1.KubeconfigTarget{
+			FrontProxyRef: &corev1.LocalObjectReference{
+				Name: frontProxy.Name,
+			},
+		},
+		Username: "e2e",
+		Validity: metav1.Duration{Duration: 2 * time.Hour},
+		SecretRef: corev1.LocalObjectReference{
+			Name: configSecretName,
+		},
+	}
+
+	t.Log("Creating kubeconfig with no permissions attached…")
+	if err := client.Create(ctx, &fpConfig); err != nil {
+		t.Fatal(err)
+	}
+	utils.WaitForObject(t, ctx, client, &corev1.Secret{}, types.NamespacedName{Namespace: fpConfig.Namespace, Name: fpConfig.Spec.SecretRef.Name})
+
+	t.Log("Connecting to FrontProxy…")
+	kcpClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, fpConfig.Name, dummyCluster)
+
+	// This should not work yet.
+	t.Logf("Should not be able to list Secrets in %v.", dummyCluster)
+	if err := kcpClient.List(ctx, &corev1.SecretList{}); err == nil {
+		t.Fatal("Should not have been able to list Secrets, but was. Where have my permissions come from?")
+	}
+
+	// Now we extend the Kubeconfig with additional permissions.
+	fpConfig.Spec.Authorization = &operatorv1alpha1.KubeconfigAuthorization{
+		ClusterRoleBindings: operatorv1alpha1.KubeconfigClusterRoleBindings{
+			WorkspacePath: dummyCluster.String(),
+			ClusterRoles:  []string{"cluster-admin"},
+		},
+	}
+
+	t.Log("Updating kubeconfig with permissions attached…")
+	if err := client.Update(ctx, &fpConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("Should now be able to list Secrets in %v.", dummyCluster)
+	err = wait.PollUntilContextTimeout(ctx, 500*time.Millisecond, 30*time.Second, false, func(ctx context.Context) (done bool, err error) {
+		return kcpClient.List(ctx, &corev1.SecretList{}) == nil, nil
+	})
+	if err != nil {
+		t.Fatalf("Failed to list Secrets in dummy workspace: %v", err)
+	}
+
+	// And now we remove the permissions again.
+	t.Log("Updating kubeconfig to remove the attached permissions…")
+	if err := client.Get(ctx, ctrlruntimeclient.ObjectKeyFromObject(&fpConfig), &fpConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	fpConfig.Spec.Authorization = nil
+
+	if err := client.Update(ctx, &fpConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("Should no longer be able to list Secrets in %v.", dummyCluster)
+	err = wait.PollUntilContextTimeout(ctx, 500*time.Millisecond, 30*time.Second, false, func(ctx context.Context) (done bool, err error) {
+		return kcpClient.List(ctx, &corev1.SecretList{}) != nil, nil
+	})
+	if err != nil {
+		t.Fatalf("Failed to wait for permissions to be gone: %v", err)
+	}
+}

test/e2e/rootshards/proxy_test.go

@@ -45,10 +45,9 @@ func TestRootShardProxy(t *testing.T) {
 
 	client := utils.GetKubeClient(t)
 	ctx := context.Background()
-	namespaceSuffix := "rootshard-proxy"
 
-	namespace := utils.CreateSelfDestructingNamespace(t, ctx, client, namespaceSuffix)
-	externalHostname := fmt.Sprintf("front-proxy-front-proxy.e2e-%s.svc.cluster.local", namespaceSuffix)
+	namespace := utils.CreateSelfDestructingNamespace(t, ctx, client, "rootshard-proxy")
+	externalHostname := fmt.Sprintf("front-proxy-front-proxy.e2e-%s.svc.cluster.local", namespace.Name)
 
 	// deploy a root shard incl. etcd
 	rootShard := utils.DeployRootShard(ctx, t, client, namespace.Name, externalHostname)
@@ -87,7 +86,7 @@ func TestRootShardProxy(t *testing.T) {
 	utils.WaitForObject(t, ctx, client, &corev1.Secret{}, types.NamespacedName{Namespace: rsConfig.Namespace, Name: rsConfig.Spec.SecretRef.Name})
 
 	t.Log("Connecting to RootShard...")
-	rootShardClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, rsConfig.Name)
+	rootShardClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, rsConfig.Name, logicalcluster.None)
 
 	// wait until the 2nd shard has registered itself successfully at the root shard
 	shardKey := types.NamespacedName{Name: shardName}
@@ -131,9 +130,6 @@ func TestRootShardProxy(t *testing.T) {
 
 	// build a client through the proxy to the new workspace
 	proxyClient := utils.ConnectWithRootShardProxy(t, ctx, client, &rootShard, logicalcluster.NewPath("root").Join(workspace.Name))
-	if err != nil {
-		t.Fatalf("Failed to create root shard proxy client: %v", err)
-	}
 
 	// proof of life: list something every logicalcluster in kcp has
 	t.Log("Should be able to list Secrets in the new workspace.")

test/e2e/rootshards/rootshards_test.go

@@ -32,6 +32,7 @@ import (
 
 	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
 	"github.com/kcp-dev/kcp-operator/test/utils"
+	"github.com/kcp-dev/logicalcluster/v3"
 )
 
 func TestCreateRootShard(t *testing.T) {
@@ -70,7 +71,7 @@ func TestCreateRootShard(t *testing.T) {
 	utils.WaitForObject(t, ctx, client, &corev1.Secret{}, types.NamespacedName{Namespace: rsConfig.Namespace, Name: rsConfig.Spec.SecretRef.Name})
 
 	t.Log("Connecting to RootShard...")
-	kcpClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, rsConfig.Name)
+	kcpClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, rsConfig.Name, logicalcluster.None)
 
 	// proof of life: list something every logicalcluster in kcp has
 	t.Log("Should be able to list Secrets.")

test/e2e/shards/shards_test.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/go-logr/logr"
 	kcpcorev1alpha1 "github.com/kcp-dev/kcp/sdk/apis/core/v1alpha1"
+	"github.com/kcp-dev/logicalcluster/v3"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -80,7 +81,7 @@ func TestCreateShard(t *testing.T) {
 	utils.WaitForObject(t, ctx, client, &corev1.Secret{}, types.NamespacedName{Namespace: rsConfig.Namespace, Name: rsConfig.Spec.SecretRef.Name})
 
 	t.Log("Connecting to RootShard...")
-	rootShardClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, rsConfig.Name)
+	rootShardClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, rsConfig.Name, logicalcluster.None)
 
 	// wait until the 2nd shard has registered itself successfully at the root shard
 	shardKey := types.NamespacedName{Name: shardName}
@@ -115,7 +116,7 @@ func TestCreateShard(t *testing.T) {
 	utils.WaitForObject(t, ctx, client, &corev1.Secret{}, types.NamespacedName{Namespace: shardConfig.Namespace, Name: shardConfig.Spec.SecretRef.Name})
 
 	t.Log("Connecting to Shard...")
-	kcpClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, shardConfig.Name)
+	kcpClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, shardConfig.Name, logicalcluster.None)
 
 	// proof of life: list something every logicalcluster in kcp has
 	t.Log("Should be able to list Secrets.")

test/utils/utils.go

@@ -22,6 +22,7 @@ import (
 	"net"
 	"net/url"
 	"os/exec"
+	"regexp"
 	"strconv"
 	"strings"
 	"testing"
@@ -110,12 +111,12 @@ func CreateSelfDestructingNamespace(t *testing.T, ctx context.Context, client ct
 		t.Fatal(err)
 	}
 
-	t.Cleanup(func() {
-		t.Logf("Deleting namespace %s...", name)
-		if err := client.Delete(ctx, &ns); err != nil {
-			t.Fatal(err)
-		}
-	})
+	// t.Cleanup(func() {
+	// 	t.Logf("Deleting namespace %s...", name)
+	// 	if err := client.Delete(ctx, &ns); err != nil {
+	// 		t.Fatal(err)
+	// 	}
+	// })
 
 	return &ns
 }
@@ -169,6 +170,7 @@ func ConnectWithKubeconfig(
 	client ctrlruntimeclient.Client,
 	namespace string,
 	kubeconfigName string,
+	cluster logicalcluster.Path,
 ) ctrlruntimeclient.Client {
 	t.Helper()
 
@@ -219,6 +221,11 @@ func ConnectWithKubeconfig(
 	parsed.Host = net.JoinHostPort("localhost", fmt.Sprintf("%d", localPort))
 	clientConfig.Host = parsed.String()
 
+	// switch to another workspace is desired
+	if !cluster.Empty() {
+		clientConfig.Host = changeClusterInURL(clientConfig.Host, cluster)
+	}
+
 	// create a client through the tunnel
 	kcpClient, err := ctrlruntimeclient.New(clientConfig, ctrlruntimeclient.Options{Scheme: NewScheme(t)})
 	if err != nil {
@@ -259,7 +266,7 @@ func ConnectWithRootShardProxy(
 	proxyUrl := fmt.Sprintf("https://%s", net.JoinHostPort("localhost", fmt.Sprintf("%d", localPort)))
 
 	if !cluster.Empty() {
-		proxyUrl = fmt.Sprintf("%s/clusters/%s", proxyUrl, cluster.String())
+		proxyUrl = changeClusterInURL(proxyUrl, cluster)
 	}
 
 	cfg := &rest.Config{
@@ -279,3 +286,19 @@ func ConnectWithRootShardProxy(
 
 	return kcpClient
 }
+
+var clusterRegexp = regexp.MustCompile(`/clusters/([^/]+)`)
+
+func changeClusterInURL(u string, newCluster logicalcluster.Path) string {
+	newPath := fmt.Sprintf("/clusters/%s", newCluster)
+
+	matches := clusterRegexp.FindAllString(u, 1)
+	if len(matches) == 0 {
+		return u + newPath
+	}
+
+	// make sure that if a URL is "/clusters/root/apis/example.com/v1/namespaces/bla/clusters/mycluster",
+	// we only replace the first match, especially important if the URL was "/clusters/X/apis/example.com/v1/clusters/X"
+	// (i.e. accessing the cluster resource X in the kcp cluster also called X)
+	return strings.Replace(u, matches[0], newPath, 1)
+}