Release 6.2.2 (#6642)

* Release 6.2.2

Signed-off-by: Sebastian Malton <[email protected]>

* fix: getAllowedResources for all namespaces using SelfSubjectRulesReview (#6614)

* fix: getAllowedResources for all namespaces using SelfSubjectRulesReview

Signed-off-by: Andreas Hippler <[email protected]>

* fix: refresh accessibility every 15 min

Signed-off-by: Andreas Hippler <[email protected]>

* chore: remove unused clusterRefreshHandler

Signed-off-by: Andreas Hippler <[email protected]>

* fix: resolve SelfSubjectRulesReview globs

Signed-off-by: Andreas Hippler <[email protected]>

Signed-off-by: Andreas Hippler <[email protected]>
Co-authored-by: Andreas Hippler <[email protected]>
Signed-off-by: Sebastian Malton <[email protected]>

* Add missing gutter between sections in cluster settings (#6631)

Signed-off-by: Janne Savolainen <[email protected]>

Signed-off-by: Janne Savolainen <[email protected]>

* Adding spacing between Metrics Settings sections (#6632)

Signed-off-by: Alex Andreev <[email protected]>

Signed-off-by: Alex Andreev <[email protected]>

* Fix crash when upgrading release (#6626)

* Fix crash when upgrading release

Signed-off-by: Sebastian Malton <[email protected]>

* Fix crash when upgrading helm releases

- Fixes not being able to upgrade helm releases as well.

Signed-off-by: Sebastian Malton <[email protected]>

* Fix tests

Signed-off-by: Sebastian Malton <[email protected]>

* Fix test failures

Signed-off-by: Sebastian Malton <[email protected]>

Signed-off-by: Sebastian Malton <[email protected]>

* Removing big padding after cluster  settings avatar (#6634)

Signed-off-by: Alex Andreev <[email protected]>

Signed-off-by: Alex Andreev <[email protected]>

* Fix KubeApi watch retry on timeout (#6640)

* fix KubeApi watch retry on timeout

Signed-off-by: Jari Kolehmainen <[email protected]>

* Fix tests

Signed-off-by: Sebastian Malton <[email protected]>

Signed-off-by: Jari Kolehmainen <[email protected]>
Signed-off-by: Sebastian Malton <[email protected]>
Co-authored-by: Sebastian Malton <[email protected]>

* Bump electron from 19.1.6 to 19.1.7 (#6637)

Bumps [electron](https://github.com/electron/electron) from 19.1.6 to 19.1.7.
- [Release notes](https://github.com/electron/electron/releases)
- [Changelog](https://github.com/electron/electron/blob/main/docs/breaking-changes.md)
- [Commits](electron/electron@v19.1.6...v19.1.7)

---
updated-dependencies:
- dependency-name: electron
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Sebastian Malton <[email protected]>
Signed-off-by: Andreas Hippler <[email protected]>
Signed-off-by: Janne Savolainen <[email protected]>
Signed-off-by: Alex Andreev <[email protected]>
Signed-off-by: Jari Kolehmainen <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Andreas Hippler <[email protected]>
Co-authored-by: Andreas Hippler <[email protected]>
Co-authored-by: Janne Savolainen <[email protected]>
Co-authored-by: Alex Andreev <[email protected]>
Co-authored-by: Jari Kolehmainen <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

extensions/metrics-cluster-feature/src/metrics-settings.tsx

@@ -190,7 +190,7 @@ export class MetricsSettings extends React.Component<MetricsSettingsProps> {
 
   render() {
     return (
-      <>
+      <section style={{ display: "flex", flexDirection: "column", rowGap: "1.5rem" }}>
         { this.props.cluster.status.phase !== "connected" && (
           <section>
             <p style={ { color: "var(--colorError)" } }>
@@ -270,7 +270,7 @@ export class MetricsSettings extends React.Component<MetricsSettingsProps> {
             )}
           </div>
         </section>
-      </>
+      </section>
     );
   }
 }

integration/__tests__/cluster-pages.tests.ts

@@ -390,12 +390,6 @@ const scenarios = [
     sidebarItemTestId: "sidebar-item-link-for-service-accounts",
   },
 
-  {
-    expectedSelector: "h5.title",
-    parentSidebarItemTestId: "sidebar-item-link-for-user-management",
-    sidebarItemTestId: "sidebar-item-link-for-roles",
-  },
-
   {
     expectedSelector: "h5.title",
     parentSidebarItemTestId: "sidebar-item-link-for-user-management",
@@ -405,7 +399,7 @@ const scenarios = [
   {
     expectedSelector: "h5.title",
     parentSidebarItemTestId: "sidebar-item-link-for-user-management",
-    sidebarItemTestId: "sidebar-item-link-for-role-bindings",
+    sidebarItemTestId: "sidebar-item-link-for-roles",
   },
 
   {
@@ -417,7 +411,7 @@ const scenarios = [
   {
     expectedSelector: "h5.title",
     parentSidebarItemTestId: "sidebar-item-link-for-user-management",
-    sidebarItemTestId: "sidebar-item-link-for-pod-security-policies",
+    sidebarItemTestId: "sidebar-item-link-for-role-bindings",
   },
 
   {

package.json

@@ -3,7 +3,7 @@
   "productName": "OpenLens",
   "description": "OpenLens - Open Source IDE for Kubernetes",
   "homepage": "https://github.com/lensapp/lens",
-  "version": "6.2.1",
+  "version": "6.2.2",
   "main": "static/build/main.js",
   "copyright": "© 2022 OpenLens Authors",
   "license": "MIT",
@@ -375,7 +375,7 @@
     "css-loader": "^6.7.1",
     "deepdash": "^5.3.9",
     "dompurify": "^2.4.1",
-    "electron": "^19.1.6",
+    "electron": "^19.1.7",
     "electron-builder": "^23.6.0",
     "electron-notarize": "^0.3.0",
     "esbuild": "^0.15.14",

src/common/cluster-types.ts

@@ -195,13 +195,6 @@ export enum ClusterMetricsResourceType {
  */
 export const initialNodeShellImage = "docker.io/alpine:3.13";
 
-/**
- * The arguments for requesting to refresh a cluster's metadata
- */
-export interface ClusterRefreshOptions {
-  refreshMetadata?: boolean;
-}
-
 /**
  * The data representing a cluster's state, for passing between main and renderer
  */

src/common/cluster/authorization-namespace-review.injectable.ts

@@ -0,0 +1,87 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+
+import type { KubeConfig } from "@kubernetes/client-node";
+import { AuthorizationV1Api } from "@kubernetes/client-node";
+import { getInjectable } from "@ogre-tools/injectable";
+import type { Logger } from "../logger";
+import loggerInjectable from "../logger.injectable";
+import type { KubeApiResource } from "../rbac";
+
+/**
+ * Requests the permissions for actions on the kube cluster
+ * @param namespace The namespace of the resources
+ * @param availableResources List of available resources in the cluster to resolve glob values fir api groups
+ * @returns list of allowed resources names
+ */
+export type RequestNamespaceResources = (namespace: string, availableResources: KubeApiResource[]) => Promise<string[]>; 
+
+/**
+ * @param proxyConfig This config's `currentContext` field must be set, and will be used as the target cluster
+ */
+export type AuthorizationNamespaceReview = (proxyConfig: KubeConfig) => RequestNamespaceResources; 
+
+interface Dependencies { 
+  logger: Logger;
+}
+
+const authorizationNamespaceReview = ({ logger }: Dependencies): AuthorizationNamespaceReview => {
+  return (proxyConfig) => {
+
+    const api = proxyConfig.makeApiClient(AuthorizationV1Api);
+
+    return async (namespace, availableResources) => {
+      try {
+        const { body } = await api.createSelfSubjectRulesReview({
+          apiVersion: "authorization.k8s.io/v1",
+          kind: "SelfSubjectRulesReview",
+          spec: { namespace },
+        });
+
+        const resources = new Set<string>();
+
+        body.status?.resourceRules.forEach(resourceRule => {
+          if (!resourceRule.verbs.some(verb => ["*", "list"].includes(verb)) || !resourceRule.resources) {
+            return;
+          }
+
+          const apiGroups = resourceRule.apiGroups;
+
+          if (resourceRule.resources.length === 1 && resourceRule.resources[0] === "*" && apiGroups) {
+            if (apiGroups[0] === "*") {
+              availableResources.forEach(resource => resources.add(resource.apiName));
+            } else {
+              availableResources.forEach((apiResource)=> {
+                if (apiGroups.includes(apiResource.group || "")) {
+                  resources.add(apiResource.apiName);
+                }
+              });
+            }
+          } else {
+            resourceRule.resources.forEach(resource => resources.add(resource));
+          }
+
+        });
+
+        return [...resources];
+      } catch (error) {
+        logger.error(`[AUTHORIZATION-NAMESPACE-REVIEW]: failed to create subject rules review: ${error}`, { namespace });
+
+        return [];
+      }
+    };
+  };
+};
+
+const authorizationNamespaceReviewInjectable = getInjectable({
+  id: "authorization-namespace-review",
+  instantiate: (di) => {
+    const logger = di.inject(loggerInjectable);
+
+    return authorizationNamespaceReview({ logger });
+  },
+});
+
+export default authorizationNamespaceReviewInjectable;

src/common/cluster/authorization-review.injectable.ts

@@ -5,42 +5,55 @@
 
 import type { KubeConfig, V1ResourceAttributes } from "@kubernetes/client-node";
 import { AuthorizationV1Api } from "@kubernetes/client-node";
-import logger from "../logger";
 import { getInjectable } from "@ogre-tools/injectable";
+import type { Logger } from "../logger";
+import loggerInjectable from "../logger.injectable";
 
+/**
+ * Requests the permissions for actions on the kube cluster
+ * @param resourceAttributes The descriptor of the action that is desired to be known if it is allowed
+ * @returns `true` if the actions described are allowed
+ */
 export type CanI = (resourceAttributes: V1ResourceAttributes) => Promise<boolean>;
 
 /**
  * @param proxyConfig This config's `currentContext` field must be set, and will be used as the target cluster
-   */
-export function authorizationReview(proxyConfig: KubeConfig): CanI {
-  const api = proxyConfig.makeApiClient(AuthorizationV1Api);
-
-  /**
-   * Requests the permissions for actions on the kube cluster
-   * @param resourceAttributes The descriptor of the action that is desired to be known if it is allowed
-   * @returns `true` if the actions described are allowed
-   */
-  return async (resourceAttributes: V1ResourceAttributes): Promise<boolean> => {
-    try {
-      const { body } = await api.createSelfSubjectAccessReview({
-        apiVersion: "authorization.k8s.io/v1",
-        kind: "SelfSubjectAccessReview",
-        spec: { resourceAttributes },
-      });
-
-      return body.status?.allowed ?? false;
-    } catch (error) {
-      logger.error(`[AUTHORIZATION-REVIEW]: failed to create access review: ${error}`, { resourceAttributes });
-
-      return false;
-    }
-  };
+ */
+export type AuthorizationReview = (proxyConfig: KubeConfig) => CanI; 
+
+interface Dependencies { 
+  logger: Logger;
 }
 
+const authorizationReview = ({ logger }: Dependencies): AuthorizationReview => {
+  return (proxyConfig) => {
+    const api = proxyConfig.makeApiClient(AuthorizationV1Api);
+
+    return async (resourceAttributes: V1ResourceAttributes): Promise<boolean> => {
+      try {
+        const { body } = await api.createSelfSubjectAccessReview({
+          apiVersion: "authorization.k8s.io/v1",
+          kind: "SelfSubjectAccessReview",
+          spec: { resourceAttributes },
+        });
+
+        return body.status?.allowed ?? false;
+      } catch (error) {
+        logger.error(`[AUTHORIZATION-REVIEW]: failed to create access review: ${error}`, { resourceAttributes });
+
+        return false;
+      }
+    };
+  };
+};
+
 const authorizationReviewInjectable = getInjectable({
   id: "authorization-review",
-  instantiate: () => authorizationReview,
+  instantiate: (di) => {
+    const logger = di.inject(loggerInjectable);
+
+    return authorizationReview({ logger });
+  },
 });
 
 export default authorizationReviewInjectable;