backport of commit 7d08e79
philrenaud authored Feb 25, 2025
1 parent db5022b commit d5cde51
Showing 440 changed files with 4,008 additions and 19,629 deletions.
3 changes: 0 additions & 3 deletions .changelog/18530.txt

This file was deleted.

3 changes: 0 additions & 3 deletions .changelog/24415.txt

This file was deleted.

3 changes: 0 additions & 3 deletions .changelog/24601.txt

This file was deleted.

3 changes: 0 additions & 3 deletions .changelog/24724.txt

This file was deleted.

11 changes: 0 additions & 11 deletions .changelog/24785.txt

This file was deleted.

3 changes: 0 additions & 3 deletions .changelog/24909.txt

This file was deleted.

3 changes: 0 additions & 3 deletions .changelog/24997.txt

This file was deleted.

3 changes: 0 additions & 3 deletions .changelog/25109.txt

This file was deleted.

3 changes: 0 additions & 3 deletions .changelog/25173.txt

This file was deleted.

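--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -40,3 +40,13 @@ updates:
 labels:
 - "theme/dependencies"
 - "theme/website"
+- package-ecosystem: github-actions
+open-pull-requests-limit: 5
+directory: /
+labels:
+- "theme/dependencies"
+- "theme/ci"
+schedule:
+interval: "weekly"
+day: "sunday"
+time: "09:00"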
35 changes: 0 additions & 35 deletions .github/pull_request_template.md

This file was deleted.

2 changes: 1 addition & 1 deletion .github/workflows/checks.yaml
Expand Up @@ -43,7 +43,7 @@ jobs:
run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
cache: ${{ contains(runner.name, 'Github Actions') }}
cache: true
go-version-file: .go-version
cache-dependency-path: '**/go.sum'
- name: Run make check
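Review bot: Unconditional `cache: true` on the setup-go step means the Go module and build cache is saved and restored on every runner type, directly after the step that rewrites github.com URLs to embed `ELEVATED_GITHUB_TOKEN`, so module sources fetched with that token can end up in a cache keyed on `**/go.sum`. The page has lost its +/- markers, so this assumes `cache: true` is the added line and the `contains(runner.name, 'Github Actions')` expression is the removed one. If caching everywhere is intended, say so on the step, for example `# cache on all runner types; modules fetched with the elevated token are stored in this cache`. Which workflows and branches can restore that cache is not visible here and is worth confirming before merge.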
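--- a/.gitignore
+++ b/.gitignore
@@ -137,10 +137,3 @@ tools/missing/missing
 
 # allow security scanner file
 !scan.hcl
-
-# generated variables for upgrade tests
-enos.vars.hcl
-enos/modules/*/*.tfvars
-
-# local license files
-*.hclic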
161 changes: 3 additions & 158 deletions CHANGELOG.md

Large diffs are not rendered by default.

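--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -2,20 +2,3 @@
 
 /.release/ @hashicorp/github-nomad-core @hashicorp/nomad-eng
 /.github/workflows/build.yml @hashicorp/github-nomad-core @hashicorp/nomad-eng
-
-# codeowner default
-* @hashicorp/github-nomad-core @hashicorp/nomad-eng
-
-
-# engineering and web presence get notified of, and can approve changes to web tooling, but not content.
-
-/website/ @hashicorp/web-presence @hashicorp/github-nomad-core @hashicorp/nomad-eng
-/website/data/
-/website/public/
-/website/content/
-
-# education and engineering get notified of, and can approve changes to web content.
-
-/website/data/ @hashicorp/nomad-docs @hashicorp/github-nomad-core @hashicorp/nomad-eng
-/website/public/ @hashicorp/nomad-docs @hashicorp/github-nomad-core @hashicorp/nomad-eng
-/website/content/ @hashicorp/nomad-docs @hashicorp/github-nomad-core @hashicorp/nomad-eng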
2 changes: 1 addition & 1 deletion GNUmakefile
Expand Up @@ -23,7 +23,7 @@ ifndef BIN
BIN := $(GOPATH)/bin
endif

GO_TAGS := hashicorpmetrics $(GO_TAGS)
GO_TAGS := $(GO_TAGS)

ifeq ($(CI),true)
GO_TAGS := codegen_generated $(GO_TAGS)
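--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@@ -79,12 +79,10 @@ func TestACLManagement(t *testing.T) {
 // Check default namespace rights
 must.True(t, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
 must.True(t, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
-must.True(t, acl.AllowNamespaceOperation("default", NamespaceCapabilityHostVolumeCreate))
 must.True(t, acl.AllowNamespace("default"))
 
 // Check non-specified namespace
 must.True(t, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
-must.True(t, acl.AllowNamespaceOperation("foo", NamespaceCapabilityHostVolumeCreate))
 must.True(t, acl.AllowNamespace("foo"))
 
 // Check node pool rights.
@@ -157,11 +155,9 @@ func TestACLMerge(t *testing.T) {
 // Check default namespace rights
 must.True(t, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
 must.False(t, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
-must.False(t, acl.AllowNamespaceOperation("default", NamespaceCapabilityHostVolumeRegister))
 
 // Check non-specified namespace
 must.False(t, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
-must.False(t, acl.AllowNamespaceOperation("foo", NamespaceCapabilityHostVolumeCreate))
 
 // Check rights in the node pool specified in policies.
 must.True(t, acl.AllowNodePoolOperation("my-pool", NodePoolCapabilityRead))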
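--- a/acl/policy.go
+++ b/acl/policy.go
@@ -47,11 +47,6 @@ const (
 NamespaceCapabilityCSIReadVolume = "csi-read-volume"
 NamespaceCapabilityCSIListVolume = "csi-list-volume"
 NamespaceCapabilityCSIMountVolume = "csi-mount-volume"
-NamespaceCapabilityHostVolumeCreate = "host-volume-create"
-NamespaceCapabilityHostVolumeRegister = "host-volume-register"
-NamespaceCapabilityHostVolumeRead = "host-volume-read"
-NamespaceCapabilityHostVolumeWrite = "host-volume-write"
-NamespaceCapabilityHostVolumeDelete = "host-volume-delete"
 NamespaceCapabilityListScalingPolicies = "list-scaling-policies"
 NamespaceCapabilityReadScalingPolicy = "read-scaling-policy"
 NamespaceCapabilityReadJobScaling = "read-job-scaling"
@@ -212,7 +207,7 @@ func isNamespaceCapabilityValid(cap string) bool {
 NamespaceCapabilityReadFS, NamespaceCapabilityAllocLifecycle,
 NamespaceCapabilityAllocExec, NamespaceCapabilityAllocNodeExec,
 NamespaceCapabilityCSIReadVolume, NamespaceCapabilityCSIWriteVolume, NamespaceCapabilityCSIListVolume, NamespaceCapabilityCSIMountVolume, NamespaceCapabilityCSIRegisterPlugin,
-NamespaceCapabilityListScalingPolicies, NamespaceCapabilityReadScalingPolicy, NamespaceCapabilityReadJobScaling, NamespaceCapabilityScaleJob, NamespaceCapabilityHostVolumeCreate, NamespaceCapabilityHostVolumeRegister, NamespaceCapabilityHostVolumeWrite, NamespaceCapabilityHostVolumeRead:
+NamespaceCapabilityListScalingPolicies, NamespaceCapabilityReadScalingPolicy, NamespaceCapabilityReadJobScaling, NamespaceCapabilityScaleJob:
 return true
 // Separate the enterprise-only capabilities
 case NamespaceCapabilitySentinelOverride, NamespaceCapabilitySubmitRecommendation:
@@ -246,7 +241,6 @@ func expandNamespacePolicy(policy string) []string {
 NamespaceCapabilityReadJobScaling,
 NamespaceCapabilityListScalingPolicies,
 NamespaceCapabilityReadScalingPolicy,
-NamespaceCapabilityHostVolumeRead,
 }
 
 write := make([]string, len(read))
@@ -263,7 +257,6 @@ func expandNamespacePolicy(policy string) []string {
 NamespaceCapabilityCSIMountVolume,
 NamespaceCapabilityCSIWriteVolume,
 NamespaceCapabilitySubmitRecommendation,
-NamespaceCapabilityHostVolumeCreate,
 }...)
 
 switch policy {
@@ -285,32 +278,6 @@ func expandNamespacePolicy(policy string) []string {
 }
 }
 
-// expandNamespaceCapabilities adds extra capabilities implied by fine-grained
-// capabilities.
-func expandNamespaceCapabilities(ns *NamespacePolicy) {
-extraCaps := []string{}
-for _, cap := range ns.Capabilities {
-switch cap {
-case NamespaceCapabilityHostVolumeWrite:
-extraCaps = append(extraCaps,
-NamespaceCapabilityHostVolumeRegister,
-NamespaceCapabilityHostVolumeCreate,
-NamespaceCapabilityHostVolumeDelete,
-NamespaceCapabilityHostVolumeRead)
-case NamespaceCapabilityHostVolumeRegister:
-extraCaps = append(extraCaps,
-NamespaceCapabilityHostVolumeCreate,
-NamespaceCapabilityHostVolumeRead)
-case NamespaceCapabilityHostVolumeCreate:
-extraCaps = append(extraCaps, NamespaceCapabilityHostVolumeRead)
-}
-}
-
-// These may end up being duplicated, but they'll get deduplicated in NewACL
-// when inserted into the radix tree.
-ns.Capabilities = append(ns.Capabilities, extraCaps...)
-}
-
 func isNodePoolCapabilityValid(cap string) bool {
 switch cap {
 case NodePoolCapabilityDelete, NodePoolCapabilityRead, NodePoolCapabilityWrite,
@@ -421,9 +388,6 @@ func Parse(rules string) (*Policy, error) {
 ns.Capabilities = append(ns.Capabilities, extraCap...)
 }
 
-// Expand implicit capabilities
-expandNamespaceCapabilities(ns)
-
 if ns.Variables != nil {
 if len(ns.Variables.Paths) == 0 {
 return nil, fmt.Errorf("Invalid variable policy: no variable paths in namespace %s", ns.Name)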
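Review bot: In the `isNamespaceCapabilityValid` hunk the `host-volume-*` names drop out of the accepted `case` list, so an ACL policy that already carries one of them will presumably stop validating on this branch. The code that rejects invalid capabilities is outside the visible hunks, so confirm how `Parse` reports it. Nothing in the commit pins that behaviour, because acl/acl_test.go only loses assertions. A comment above the switch such as `// host-volume-* capabilities are not recognised on this branch; policies that use them are rejected`, together with a negative test on `isNamespaceCapabilityValid("host-volume-create")`, would make the rejection deliberate rather than incidental. The function body starts and ends outside the hunk.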