Validate LastUsedAt for Token and ClusterAuthToken (#520)
pmatseykanets authored Oct 9, 2024
1 parent be481b7 commit 7faaa62
Showing 9 changed files with 578 additions and 51 deletions.
90 changes: 62 additions & 28 deletions docs.md
@@ -1,6 +1,6 @@
# catalog.cattle.io/v1
# catalog.cattle.io/v1

## ClusterRepo
## ClusterRepo

### Validation Checks

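Review bot: the only change in this hunk is a trailing space dropped from each `#` and `##` heading line (the before and after lines look identical once the whitespace is invisible), which is the output side of the format-string fix in pkg/codegen/docs.go; nothing to change here, but since docs.md is generated output, the committed file should come from re-running the generator rather than from hand edits, so the two cannot diverge.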
Expand All @@ -16,9 +16,27 @@ Users cannot update a ClusterRepo which violates the following constraints:

- Fields GitRepo and URL are mutually exclusive and so both cannot be filled at once.

# core/v1
# cluster.cattle.io/v3

## Namespace
## ClusterAuthToken

### Validation Checks

#### Invalid Fields - Create

When a ClusterAuthToken is created, the following checks take place:

- If set, `lastUsedAt` must be a valid date time according to RFC3339 (e.g. `2023-11-29T00:00:00Z`).

#### Invalid Fields - Update

When a ClusterAuthToken is updated, the following checks take place:

- If set, `lastUsedAt` must be a valid date time according to RFC3339 (e.g. `2023-11-29T00:00:00Z`).

# core/v1

## Namespace

### Validation Checks

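Review bot: the Create and Update bullets for ClusterAuthToken are identical and both hinge on "If set"; the doc should state whether an empty-string `lastUsedAt` counts as set (and is therefore rejected as not RFC3339) or as unset, because that is the case a caller is most likely to hit. The new `# cluster.cattle.io/v3` group is placed between catalog.cattle.io/v1 and core/v1, so the generated file keeps its alphabetical group order.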
Expand All @@ -42,7 +60,7 @@ The following labels are considered relevant for PSA enforcement:
- pod-security.kubernetes.io/warn
- pod-security.kubernetes.io/warn-version

## Secret
## Secret

### Validation Checks

Expand All @@ -63,9 +81,9 @@ If `field.cattle.io/no-creator-rbac` annotation is set, `field.cattle.io/creator
Checks if there are any RoleBindings owned by this secret which provide access to a role granting access to this secret.
If yes, the webhook redacts the role, so that it only grants a deletion permission.

# management.cattle.io/v3
# management.cattle.io/v3

## Cluster
## Cluster

### Validation Checks

Expand All @@ -77,7 +95,7 @@ When a cluster is updated `field.cattle.io/creator-principal-name` and `field.ca

If `field.cattle.io/no-creator-rbac` annotation is set, `field.cattle.io/creatorId` cannot be set.

## ClusterProxyConfig
## ClusterProxyConfig

### Validation Checks

Expand All @@ -86,7 +104,7 @@ If `field.cattle.io/no-creator-rbac` annotation is set, `field.cattle.io/creator
When creating a clusterproxyconfig, we check to make sure that one does not already exist for the given cluster.
Only 1 clusterproxyconfig per downstream cluster is ever permitted.

## ClusterRoleTemplateBinding
## ClusterRoleTemplateBinding

### Validation Checks

Expand Down Expand Up @@ -126,7 +144,7 @@ Users can update the following fields if they have not been set, but after they

In addition, as in the create validation, both a user subject and a group subject cannot be specified.

## Feature
## Feature

### Validation Checks

Expand All @@ -135,7 +153,7 @@ In addition, as in the create validation, both a user subject and a group subjec
The desired value must not change on new spec unless it's equal to the `lockedValue` or `lockedValue` is nil.
Due to the security impact of the `external-rules` feature flag, only users with admin permissions (`*` verbs on `*` resources in `*` APIGroups in all namespaces) can enable or disable this feature flag.

## FleetWorkspace
## FleetWorkspace

### Validation Checks

Expand All @@ -150,7 +168,7 @@ When a `FleetWorkspace` is created, it will create the following resources:
2. `ClusterRole`. It will create the cluster role that has * permission only to the current workspace.
3. Two `RoleBindings` to bind the current user to fleet-admin roles and `FleetWorkspace` roles.

## GlobalRole
## GlobalRole

### Validation Checks

Expand Down Expand Up @@ -181,7 +199,7 @@ The `globalroles.builtin` field is immutable, and new builtIn GlobalRoles cannot
If `globalroles.builtin` is true then all fields are immutable except `metadata` and `newUserDefault`.
If `globalroles.builtin` is true then the GlobalRole can not be deleted.

## GlobalRoleBinding
## GlobalRoleBinding

### Validation Checks

Expand Down Expand Up @@ -214,7 +232,7 @@ All RoleTemplates which are referred to in the `inheritedClusterRoles` field mus

When a GlobalRoleBinding is created an owner reference is created on the binding referring to the backing GlobalRole defined by `globalRoleName`.

## NodeDriver
## NodeDriver

### Validation Checks

Expand All @@ -224,7 +242,7 @@ Note: checks only run if a node driver is being disabled or deleted

This admission webhook prevents the disabling or deletion of a NodeDriver if there are any Nodes that are under management by said driver. If there are _any_ nodes that use the driver the request will be denied.

## Project
## Project

### Validation Checks

Expand Down Expand Up @@ -261,7 +279,7 @@ If `field.cattle.io/no-creator-rbac` annotation is set, `field.cattle.io/creator

Adds the authz.management.cattle.io/creator-role-bindings annotation.

## ProjectRoleTemplateBinding
## ProjectRoleTemplateBinding

### Validation Checks

Expand Down Expand Up @@ -308,7 +326,7 @@ changed:

In addition, as in the create validation, both a user subject and a group subject cannot be specified.

## RoleTemplate
## RoleTemplate

### Validation Checks

Expand Down Expand Up @@ -347,7 +365,7 @@ If `roletemplates.builtin` is true then all fields are immutable except:

RoleTemplate can not be deleted if they are referenced by other RoleTemplates via `roletemplates.roleTemplateNames` or by GlobalRoles via `globalRoles.inheritedClusterRoles`

## Setting
## Setting

### Validation Checks

Expand All @@ -369,7 +387,23 @@ When settings are updated, the following additional checks take place:
have a status condition `AgentTlsStrictCheck` set to `True`, unless the new setting has an overriding
annotation `cattle.io/force=true`.

## UserAttribute
## Token

### Validation Checks

#### Invalid Fields - Create

When a Token is created, the following checks take place:

- If set, `lastUsedAt` must be a valid date time according to RFC3339 (e.g. `2023-11-29T00:00:00Z`).

#### Invalid Fields - Update

When a Token is updated, the following checks take place:

- If set, `lastUsedAt` must be a valid date time according to RFC3339 (e.g. `2023-11-29T00:00:00Z`).

## UserAttribute

### Validation Checks

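Review bot: the Token section repeats the ClusterAuthToken wording verbatim, which is fine, but the Update bullet gives no hint whether clearing a previously set `lastUsedAt` is allowed; if the update check is exactly the create check applied to the new object, say so in one sentence so the two sections do not drift apart over time. Placement between Setting and UserAttribute keeps the resource list alphabetical.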
Expand All @@ -389,9 +423,9 @@ When a UserAttribute is updated, the following checks take place:
- If set, `disableAfter` must be zero or a positive duration (e.g. `240h`).
- If set, `deleteAfter` must be zero or a positive duration (e.g. `240h`).

# provisioning.cattle.io/v1
# provisioning.cattle.io/v1

## Cluster
## Cluster

### Validation Checks

Expand Down Expand Up @@ -447,43 +481,43 @@ perform no mutations. If the value is not present or not `"true"`, compare the v
for each `machinePool`, to its' previous value. If the values are not identical, revert the value for the
`dynamicSchemaSpec` for the specific `machinePool`, but do not reject the request.

# rbac.authorization.k8s.io/v1
# rbac.authorization.k8s.io/v1

## ClusterRole
## ClusterRole

### Validation Checks

#### Invalid Fields - Update
Users cannot update or remove the following label after it has been added:
- authz.management.cattle.io/gr-owner

## ClusterRoleBinding
## ClusterRoleBinding

### Validation Checks

#### Invalid Fields - Update
Users cannot update or remove the following label after it has been added:
- authz.management.cattle.io/grb-owner

## Role
## Role

### Validation Checks

#### Invalid Fields - Update
Users cannot update or remove the following label after it has been added:
- authz.management.cattle.io/gr-owner

## RoleBinding
## RoleBinding

### Validation Checks

#### Invalid Fields - Update
Users cannot update or remove the following label after it has been added:
- authz.management.cattle.io/grb-owner

# rke-machine-config.cattle.io/v1
# rke-machine-config.cattle.io/v1

## MachineConfig
## MachineConfig

### Validation Checks

9 changes: 7 additions & 2 deletions pkg/codegen/docs.go
Expand Up @@ -39,16 +39,18 @@ func generateDocs(resourcesBaseDir, outputFilePath string) (err error) {
if err != nil {
return err
}

docFiles, err := getDocFiles(resourcesBaseDir)
if err != nil {
return fmt.Errorf("unable to create documentation: %w", err)
}

currentGroup := ""
for _, docFile := range docFiles {
newGroup := docFile.group
if newGroup != currentGroup {
// our group has changed, output a new group header
groupFormatString := "# %s/%s \n"
groupFormatString := "# %s/%s\n"
if currentGroup != "" {
groupFormatString = "\n" + groupFormatString
}
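Review bot: `groupFormatString` loses the space before `\n` (`"# %s/%s \n"` becomes `"# %s/%s\n"`), which is what produces the whitespace-only heading changes throughout docs.md; consider adding a CI step that runs generateDocs and fails when its output differs from the committed docs.md, so the generated file cannot drift from the generator again.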
Expand All @@ -59,10 +61,11 @@ func generateDocs(resourcesBaseDir, outputFilePath string) (err error) {
currentGroup = newGroup
}

_, err = fmt.Fprintf(outputFile, "\n## %s \n\n", docFile.resource)
_, err = fmt.Fprintf(outputFile, "\n## %s\n\n", docFile.resource)
if err != nil {
return fmt.Errorf("unable to write resource header for %s: %w", docFile.resource, err)
}

scanner := bufio.NewScanner(bytes.NewReader(docFile.content))
for scanner.Scan() {
line := scanner.Bytes()
Expand All @@ -81,6 +84,7 @@ func generateDocs(resourcesBaseDir, outputFilePath string) (err error) {
return fmt.Errorf("got an error scanning content for %s/%s.%s: %w", docFile.group, docFile.version, docFile.resource, err)
}
}

return nil
}

Expand All @@ -91,6 +95,7 @@ func getDocFiles(baseDir string) ([]docFile, error) {
if err != nil {
return nil, fmt.Errorf("unable to list entries in directory %s: %w", baseDir, err)
}

var docFiles []docFile
for _, entry := range entries {
entryPath := filepath.Join(baseDir, entry.Name())
@@ -0,0 +1,13 @@
## Validation Checks

### Invalid Fields - Create

When a ClusterAuthToken is created, the following checks take place:

- If set, `lastUsedAt` must be a valid date time according to RFC3339 (e.g. `2023-11-29T00:00:00Z`).

### Invalid Fields - Update

When a ClusterAuthToken is updated, the following checks take place:

- If set, `lastUsedAt` must be a valid date time according to RFC3339 (e.g. `2023-11-29T00:00:00Z`).
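Review bot: headings in this per-resource doc file are `##`/`###`, while the same text appears in docs.md as `###`/`####`, so the generator is demoting each heading by one level; that is consistent with how the other resources render, but it is worth keeping every resource doc file at the same base level so the generated output stays uniform.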