Drop all arbitrary SSO claim properties and annotations (#393)

* drop all arbitrary SSO claim properties and annotations

* reintroduce the annotations file with specific annotations for the User resource

* removed originalsub

* review comments

* added openapi-gen=true to PropagatedClaims

* fixed annotation value

* use new fields for printcolumns

api/v1alpha1/masteruserrecord_types.go

@@ -41,11 +41,6 @@ const (
 	// MasterUserRecordOwnerLabelKey indicates the label value that contains the owner reference for this resource,
 	// which will be the UserSignup instance with the corresponding resource name
 	MasterUserRecordOwnerLabelKey = OwnerLabelKey
-
-	// #### ANNOTATIONS ####
-	// MasterUserRecordEmailAnnotationKey is used to store the user's email in an annotation
-	// (Note: key is the same as for the UserSignup annotation)
-	MasterUserRecordEmailAnnotationKey = UserSignupUserEmailAnnotationKey
 )
 
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
@@ -56,10 +51,6 @@ type MasterUserRecordSpec struct {
 	// Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
 	// Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html
 
-	// UserID is the user ID from RHD Identity Provider token (“sub” claim)
-	// +optional
-	UserID string `json:"userID,omitempty"`
-
 	// If set to true then the corresponding user should not be able to login (but the underlying UserAccounts still exists)
 	// "false" is assumed by default
 	// +optional
@@ -70,11 +61,6 @@ type MasterUserRecordSpec struct {
 	// +listMapKey=targetCluster
 	UserAccounts []UserAccountEmbedded `json:"userAccounts,omitempty"`
 
-	// OriginalSub is an optional property temporarily introduced for the purpose of migrating the users to
-	// a new IdP provider client, and contains the user's "original-sub" claim
-	// +optional
-	OriginalSub string `json:"originalSub,omitempty"`
-
 	// TierName is an optional property introduced to retain the name of the tier
 	// for which the Dev Sandbox user is provisioned, so we can still deal with deactivation
 	// once the NSTemplateSet field has been removed from `[]spec.UserAccounts`

api/v1alpha1/useraccount_types.go

@@ -17,10 +17,20 @@ const (
 	UserAccountTerminatingReason            = terminatingReason
 	UserAccountUpdatingReason               = updatingReason
 
-	// #### ANNOTATIONS ####
-	// UserEmailAnnotationKey is used to store the user's email in an annotation of UserAccount and User CRs
-	// (Note: key is the same as for the MasterUserRecord email annotation)
-	UserEmailAnnotationKey = MasterUserRecordEmailAnnotationKey
+	// AnnotationKeyPrefix is the prefix used for annotation key values
+	AnnotationKeyPrefix = LabelKeyPrefix
+
+	// UserIDUserAnnotationKey is used to set an annotation value in the User resource on the member cluster, that
+	// contains the user's User ID as set in the user's JWT token.
+	UserIDUserAnnotationKey = AnnotationKeyPrefix + "sso-user-id"
+
+	// AccountIDUserAnnotationKey is used to set an annotation value in the User resource on the member cluster, that
+	// contains the user's Account ID as set in the user's JWT token.
+	AccountIDUserAnnotationKey = AnnotationKeyPrefix + "sso-account-id"
+
+	// EmailUserAnnotationKey is used to set an annotation value in the User resource on the member cluster, that
+	// contains the user's Email as set in the user's JWT token.
+	EmailUserAnnotationKey = AnnotationKeyPrefix + "user-email"
 )
 
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
@@ -31,21 +41,11 @@ type UserAccountSpec struct {
 	// Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
 	// Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html
 
-	// UserID is the user ID from RHD Identity Provider token (“sub” claim)
-	// Is to be used to create Identity and UserIdentityMapping resources
-	// +optional
-	UserID string `json:"userID,omitempty"`
-
 	// If set to true then the corresponding user should not be able to login
 	// "false" is assumed by default
 	// +optional
 	Disabled bool `json:"disabled,omitempty"`
 
-	// OriginalSub is an optional property temporarily introduced for the purpose of migrating the users to
-	// a new IdP provider client, and contains the user's "original-sub" claim
-	// +optional
-	OriginalSub string `json:"originalSub,omitempty"`
-
 	// PropagatedClaims contains a selection of claim values from the SSO Identity Provider which are intended to
 	// be "propagated" down the resource dependency chain
 	// +optional

api/v1alpha1/usersignup_types.go

@@ -19,8 +19,6 @@ const (
 
 	// UserSignupLastTargetClusterAnnotationKey is used for tracking the cluster for returning users
 	UserSignupLastTargetClusterAnnotationKey = LabelKeyPrefix + "last-target-cluster"
-	// UserSignupUserEmailAnnotationKey is used for the usersignup email annotations key
-	UserSignupUserEmailAnnotationKey = LabelKeyPrefix + "user-email"
 	// UserSignupVerificationCodeAnnotationKey is used for the usersignup verification code annotation key
 	UserSignupVerificationCodeAnnotationKey = LabelKeyPrefix + "verification-code"
 	// UserSignupVerificationTimestampAnnotationKey is used for the usersignup verification timestamp annotation key
@@ -170,36 +168,11 @@ type UserSignupSpec struct {
 	// +optional
 	TargetCluster string `json:"targetCluster,omitempty"`
 
-	// The user's user ID, obtained from the identity provider from the 'sub' (subject) claim
-	// +optional
-	Userid string `json:"userid,omitempty"`
-
-	// The user's username, obtained from the identity provider.
-	// +optional
-	Username string `json:"username,omitempty"`
-
-	// The user's first name, obtained from the identity provider.
-	// +optional
-	GivenName string `json:"givenName,omitempty"`
-
-	// The user's last name, obtained from the identity provider.
-	// +optional
-	FamilyName string `json:"familyName,omitempty"`
-
-	// The user's company name, obtained from the identity provider.
-	// +optional
-	Company string `json:"company,omitempty"`
-
 	// States contains a number of values that reflect the desired state of the UserSignup.
 	// +optional
 	// +listType=atomic
 	States []UserSignupState `json:"states,omitempty"`
 
-	// OriginalSub is an optional property temporarily introduced for the purpose of migrating the users to
-	// a new IdP provider client, and contains the user's "original-sub" claim
-	// +optional
-	OriginalSub string `json:"originalSub,omitempty"`
-
 	// IdentityClaims contains as-is claim values extracted from the user's access token
 	// +optional
 	IdentityClaims IdentityClaimsEmbedded `json:"identityClaims,omitempty"`
@@ -228,6 +201,7 @@ type IdentityClaimsEmbedded struct {
 	Company string `json:"company,omitempty"`
 }
 
+// +k8s:openapi-gen=true
 type PropagatedClaims struct {
 	// Sub contains the value of the 'sub' claim
 	Sub string `json:"sub"`
@@ -283,10 +257,10 @@ type UserSignupStatus struct {
 // +k8s:openapi-gen=true
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:scope=Namespaced
-// +kubebuilder:printcolumn:name="Username",type="string",JSONPath=`.spec.username`
-// +kubebuilder:printcolumn:name="First Name",type="string",JSONPath=`.spec.givenName`,priority=1
-// +kubebuilder:printcolumn:name="Last Name",type="string",JSONPath=`.spec.familyName`,priority=1
-// +kubebuilder:printcolumn:name="Company",type="string",JSONPath=`.spec.company`,priority=1
+// +kubebuilder:printcolumn:name="Username",type="string",JSONPath=`.spec.identityClaims.preferredUsername`
+// +kubebuilder:printcolumn:name="First Name",type="string",JSONPath=`.spec.identityClaims.givenName`,priority=1
+// +kubebuilder:printcolumn:name="Last Name",type="string",JSONPath=`.spec.identityClaims.familyName`,priority=1
+// +kubebuilder:printcolumn:name="Company",type="string",JSONPath=`.spec.identityClaims.company`,priority=1
 // +kubebuilder:printcolumn:name="TargetCluster",type="string",JSONPath=`.spec.targetCluster`,priority=1
 // +kubebuilder:printcolumn:name="Complete",type="string",JSONPath=`.status.conditions[?(@.type=="Complete")].status`
 // +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=`.status.conditions[?(@.type=="Complete")].reason`