refactor: fail early when no tier mapping configmap is found (#137)

bartoszmajsak · web-flow · commit 4ca3983dd963 · 2025-10-03T20:46:03.000+02:00
Previously, missing tier mapping configmaps were silently defaulted to `free`,
which could mislead users and hide configuration issues. By failing fast, cluster operators
are immediately informed of the problem and can correct it, avoiding confusion
and unintended behavior.

The component now explicitly fails when the configmap is missing instead of
falling back to the `free` tier.

Signed-off-by: Bartosz Majsak &lt;bartosz.majsak@gmail.com&gt;
diff --git a/maas-api/internal/tier/handler_test.go b/maas-api/internal/tier/handler_test.go
@@ -170,7 +170,7 @@ func TestHandler_PostTierLookup_BadRequest(t *testing.T) {
 	}
 }
 
-func TestHandler_PostTierLookup_ConfigMapMissing_ShouldDefaultEveryUserToFreeTier(t *testing.T) {
+func TestHandler_PostTierLookup_ConfigMapMissing_ShouldError(t *testing.T) {
 	mapper := createTestMapper(false) // No ConfigMap
 	router := fixtures.SetupTierTestRouter(mapper)
 
@@ -182,16 +182,7 @@ func TestHandler_PostTierLookup_ConfigMapMissing_ShouldDefaultEveryUserToFreeTie
 	req.Header.Set("Content-Type", "application/json")
 	router.ServeHTTP(w, req)
 
-	if w.Code != http.StatusOK {
-		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
-	}
-
-	var response tier.LookupResponse
-	if err := json.Unmarshal(w.Body.Bytes(), &response); err != nil {
-		t.Fatalf("failed to unmarshal response: %v", err)
-	}
-
-	if response.Tier != "free" {
-		t.Errorf("expected tier 'free', got %s", response.Tier)
+	if w.Code == http.StatusOK {
+		t.Errorf("expected status %d, got %d", http.StatusServiceUnavailable, w.Code)
 	}
 }
diff --git a/maas-api/internal/tier/mapper.go b/maas-api/internal/tier/mapper.go
@@ -17,14 +17,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 )
 
-var defaultTier = Tier{
-	Name:  "free",
-	Level: 0,
-	Groups: []string{
-		"system:authenticated",
-	},
-}
-
 // Mapper handles tier-to-group mapping lookups
 type Mapper struct {
 	tenantName      string
@@ -38,22 +30,19 @@ func NewMapper(clientset kubernetes.Interface, tenantName, namespace string) *Ma
 	}
 }
 
-func (m *Mapper) Namespaces(ctx context.Context) map[string]string {
+func (m *Mapper) Namespace(ctx context.Context, tier string) (string, error) {
 	tiers, err := m.loadTierConfig(ctx)
 	if err != nil {
-		if errors.IsNotFound(err) {
-			tiers = []Tier{defaultTier}
-		}
+		return "", err
 	}
 
-	namespaces := make(map[string]string, len(tiers))
-
 	for i := range tiers {
-		tier := &tiers[i]
-		namespaces[tier.Name] = m.projectedNsName(tier)
+		if tiers[i].Name == tier {
+			return m.ProjectedNsName(&tiers[i]), nil
+		}
 	}
 
-	return namespaces
+	return "", fmt.Errorf("tier %s not found", tier)
 }
 
 // GetTierForGroups returns the highest level tier for a user with multiple group memberships.
@@ -68,8 +57,7 @@ func (m *Mapper) GetTierForGroups(ctx context.Context, groups ...string) (string
 	tiers, err := m.loadTierConfig(ctx)
 	if err != nil {
 		if errors.IsNotFound(err) {
-			log.Printf("tier mapping %s not found, defaulting to 'free' tier", constant.TierMappingConfigMap)
-			return "free", nil
+			return "", fmt.Errorf("tier mapping not found, provide configuration in %s", constant.TierMappingConfigMap)
 		}
 		log.Printf("Failed to load tier configuration from ConfigMap %s: %v", constant.TierMappingConfigMap, err)
 		return "", fmt.Errorf("failed to load tier configuration: %w", err)
@@ -90,6 +78,15 @@ func (m *Mapper) GetTierForGroups(ctx context.Context, groups ...string) (string
 	return "", &GroupNotFoundError{Group: fmt.Sprintf("groups [%s]", strings.Join(groups, ", "))}
 }
 
+// ProjectedSAGroup returns the projected SA group for a tier.
+func (m *Mapper) ProjectedSAGroup(tier *Tier) string {
+	return fmt.Sprintf("system:serviceaccounts:%s", m.ProjectedNsName(tier))
+}
+
+func (m *Mapper) ProjectedNsName(tier *Tier) string {
+	return fmt.Sprintf("%s-tier-%s", m.tenantName, tier.Name)
+}
+
 func (m *Mapper) loadTierConfig(ctx context.Context) ([]Tier, error) {
 	cm, err := m.configMapClient.Get(ctx, constant.TierMappingConfigMap, metav1.GetOptions{})
 	if err != nil {
@@ -109,12 +106,8 @@ func (m *Mapper) loadTierConfig(ctx context.Context) ([]Tier, error) {
 
 	for i := range tiers {
 		tier := &tiers[i]
-		tier.Groups = append(tier.Groups, fmt.Sprintf("system:serviceaccounts:%s", m.projectedNsName(tier)))
+		tier.Groups = append(tier.Groups, m.ProjectedSAGroup(tier))
 	}
 
 	return tiers, nil
 }
-
-func (m *Mapper) projectedNsName(tier *Tier) string {
-	return fmt.Sprintf("%s-tier-%s", m.tenantName, tier.Name)
-}
diff --git a/maas-api/internal/tier/mapper_test.go b/maas-api/internal/tier/mapper_test.go
@@ -155,17 +155,12 @@ func TestMapper_GetTierForGroups(t *testing.T) {
 func TestMapper_GetTierForGroups_MissingConfigMap(t *testing.T) {
 	ctx := t.Context()
 
-	clientset := fake.NewSimpleClientset()
+	clientset := fake.NewClientset()
 	mapper := tier.NewMapper(clientset, testTenant, testNamespace)
 
-	// Should default to free mappedTier when ConfigMap is missing
-	mappedTier, err := mapper.GetTierForGroups(ctx, "any-group", "another-group")
-	if err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	if mappedTier != "free" {
-		t.Errorf("expected default mappedTier 'free', got %s", mappedTier)
+	_, err := mapper.GetTierForGroups(ctx, "any-group", "another-group")
+	if err == nil {
+		t.Errorf("expected error")
 	}
 }
 
diff --git a/maas-api/internal/token/manager.go b/maas-api/internal/token/manager.go
@@ -84,7 +84,10 @@ func (m *Manager) RevokeTokens(ctx context.Context, user *UserContext) error {
 		return fmt.Errorf("failed to determine user tier for %s: %w", user.Username, err)
 	}
 
-	namespace := m.tierMapper.Namespaces(ctx)[userTier]
+	namespace, errNS := m.tierMapper.Namespace(ctx, userTier)
+	if errNS != nil {
+		return fmt.Errorf("failed to determine namespace for user %s: %w", user.Username, errNS)
+	}
 
 	saName, errName := m.sanitizeServiceAccountName(user.Username)
 	if errName != nil {
@@ -117,9 +120,9 @@ func (m *Manager) RevokeTokens(ctx context.Context, user *UserContext) error {
 // ensureTierNamespace creates a tier-based namespace if it doesn't exist.
 // It takes a tier name, formats it as {instance}-tier-{tier}, and returns the namespace name.
 func (m *Manager) ensureTierNamespace(ctx context.Context, tier string) (string, error) {
-	namespace := m.tierMapper.Namespaces(ctx)[tier]
-	if namespace == "" {
-		return "", fmt.Errorf("no namespace mapping found for tier %q", tier)
+	namespace, errNs := m.tierMapper.Namespace(ctx, tier)
+	if errNs != nil {
+		return "", fmt.Errorf("failed to determine namespace for tier %q: %w", tier, errNs)
 	}
 
 	_, err := m.namespaceLister.Get(namespace)

Original file line number	Diff line number	Diff line change
`@@ -170,7 +170,7 @@ func TestHandler_PostTierLookup_BadRequest(t *testing.T) {`
`170`	`170`	`}`
`171`	`171`	`}`
`172`	`172`
`173`		`-func TestHandler_PostTierLookup_ConfigMapMissing_ShouldDefaultEveryUserToFreeTier(t *testing.T) {`
	`173`	`+func TestHandler_PostTierLookup_ConfigMapMissing_ShouldError(t *testing.T) {`
`174`	`174`	`mapper := createTestMapper(false) // No ConfigMap`
`175`	`175`	`router := fixtures.SetupTierTestRouter(mapper)`
`176`	`176`
`@@ -182,16 +182,7 @@ func TestHandler_PostTierLookup_ConfigMapMissing_ShouldDefaultEveryUserToFreeTie`
`182`	`182`	`req.Header.Set("Content-Type", "application/json")`
`183`	`183`	`router.ServeHTTP(w, req)`
`184`	`184`
`185`		`- if w.Code != http.StatusOK {`
`186`		`- t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)`
`187`		`- }`
`188`		`-`
`189`		`- var response tier.LookupResponse`
`190`		`- if err := json.Unmarshal(w.Body.Bytes(), &response); err != nil {`
`191`		`- t.Fatalf("failed to unmarshal response: %v", err)`
`192`		`- }`
`193`		`-`
`194`		`- if response.Tier != "free" {`
`195`		`- t.Errorf("expected tier 'free', got %s", response.Tier)`
	`185`	`+ if w.Code == http.StatusOK {`
	`186`	`+ t.Errorf("expected status %d, got %d", http.StatusServiceUnavailable, w.Code)`
`196`	`187`	`}`
`197`	`188`	`}`