refactor: fail early when no tier mapping configmap is found

Previously, missing tier mapping configmaps were silently defaulted to `free`,
which could mislead users and hide configuration issues. By failing fast, users
are immediately informed of the problem and can correct it, avoiding confusion
and unintended behavior.

The component now explicitly fails when the configmap is missing instead of
falling back to the `free` tier.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>

Author: bartoszmajsak

maas-api/internal/tier/mapper.go

@@ -17,14 +17,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 )
 
-var defaultTier = Tier{
-	Name:  "free",
-	Level: 0,
-	Groups: []string{
-		"system:authenticated",
-	},
-}
-
 // Mapper handles tier-to-group mapping lookups
 type Mapper struct {
 	tenantName      string
@@ -38,22 +30,19 @@ func NewMapper(clientset kubernetes.Interface, tenantName, namespace string) *Ma
 	}
 }
 
-func (m *Mapper) Namespaces(ctx context.Context) map[string]string {
+func (m *Mapper) Namespace(ctx context.Context, tier string) (string, error) {
 	tiers, err := m.loadTierConfig(ctx)
 	if err != nil {
-		if errors.IsNotFound(err) {
-			tiers = []Tier{defaultTier}
-		}
+		return "", err
 	}
 
-	namespaces := make(map[string]string, len(tiers))
-
 	for i := range tiers {
-		tier := &tiers[i]
-		namespaces[tier.Name] = m.projectedNsName(tier)
+		if tiers[i].Name == tier {
+			return m.ProjectedNsName(&tiers[i]), nil
+		}
 	}
 
-	return namespaces
+	return "", fmt.Errorf("tier %s not found", tier)
 }
 
 // GetTierForGroups returns the highest level tier for a user with multiple group memberships.
@@ -68,8 +57,7 @@ func (m *Mapper) GetTierForGroups(ctx context.Context, groups ...string) (string
 	tiers, err := m.loadTierConfig(ctx)
 	if err != nil {
 		if errors.IsNotFound(err) {
-			log.Printf("tier mapping %s not found, defaulting to 'free' tier", constant.TierMappingConfigMap)
-			return "free", nil
+			return "", fmt.Errorf("tier mapping not found, provide configuration in %s", constant.TierMappingConfigMap)
 		}
 		log.Printf("Failed to load tier configuration from ConfigMap %s: %v", constant.TierMappingConfigMap, err)
 		return "", fmt.Errorf("failed to load tier configuration: %w", err)
@@ -90,6 +78,15 @@ func (m *Mapper) GetTierForGroups(ctx context.Context, groups ...string) (string
 	return "", &GroupNotFoundError{Group: fmt.Sprintf("groups [%s]", strings.Join(groups, ", "))}
 }
 
+// ProjectedSAGroup returns the projected SA group for a tier.
+func (m *Mapper) ProjectedSAGroup(tier *Tier) string {
+	return fmt.Sprintf("system:serviceaccounts:%s", m.ProjectedNsName(tier))
+}
+
+func (m *Mapper) ProjectedNsName(tier *Tier) string {
+	return fmt.Sprintf("%s-tier-%s", m.tenantName, tier.Name)
+}
+
 func (m *Mapper) loadTierConfig(ctx context.Context) ([]Tier, error) {
 	cm, err := m.configMapClient.Get(ctx, constant.TierMappingConfigMap, metav1.GetOptions{})
 	if err != nil {
@@ -109,12 +106,8 @@ func (m *Mapper) loadTierConfig(ctx context.Context) ([]Tier, error) {
 
 	for i := range tiers {
 		tier := &tiers[i]
-		tier.Groups = append(tier.Groups, fmt.Sprintf("system:serviceaccounts:%s", m.projectedNsName(tier)))
+		tier.Groups = append(tier.Groups, m.ProjectedSAGroup(tier))
 	}
 
 	return tiers, nil
 }
-
-func (m *Mapper) projectedNsName(tier *Tier) string {
-	return fmt.Sprintf("%s-tier-%s", m.tenantName, tier.Name)
-}

maas-api/internal/tier/mapper_test.go

@@ -155,17 +155,12 @@ func TestMapper_GetTierForGroups(t *testing.T) {
 func TestMapper_GetTierForGroups_MissingConfigMap(t *testing.T) {
 	ctx := t.Context()
 
-	clientset := fake.NewSimpleClientset()
+	clientset := fake.NewClientset()
 	mapper := tier.NewMapper(clientset, testTenant, testNamespace)
 
-	// Should default to free mappedTier when ConfigMap is missing
-	mappedTier, err := mapper.GetTierForGroups(ctx, "any-group", "another-group")
-	if err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	if mappedTier != "free" {
-		t.Errorf("expected default mappedTier 'free', got %s", mappedTier)
+	_, err := mapper.GetTierForGroups(ctx, "any-group", "another-group")
+	if err == nil {
+		t.Errorf("expected error")
 	}
 }
 

maas-api/internal/token/manager.go

@@ -84,7 +84,10 @@ func (m *Manager) RevokeTokens(ctx context.Context, user *UserContext) error {
 		return fmt.Errorf("failed to determine user tier for %s: %w", user.Username, err)
 	}
 
-	namespace := m.tierMapper.Namespaces(ctx)[userTier]
+	namespace, errNS := m.tierMapper.Namespace(ctx, userTier)
+	if errNS != nil {
+		return fmt.Errorf("failed to determine namespace for user %s: %w", user.Username, errNS)
+	}
 
 	saName, errName := m.sanitizeServiceAccountName(user.Username)
 	if errName != nil {
@@ -117,9 +120,9 @@ func (m *Manager) RevokeTokens(ctx context.Context, user *UserContext) error {
 // ensureTierNamespace creates a tier-based namespace if it doesn't exist.
 // It takes a tier name, formats it as {instance}-tier-{tier}, and returns the namespace name.
 func (m *Manager) ensureTierNamespace(ctx context.Context, tier string) (string, error) {
-	namespace := m.tierMapper.Namespaces(ctx)[tier]
-	if namespace == "" {
-		return "", fmt.Errorf("no namespace mapping found for tier %q", tier)
+	namespace, errNs := m.tierMapper.Namespace(ctx, tier)
+	if errNs != nil {
+		return "", fmt.Errorf("failed to determine namespace for tier %q: %w", tier, errNs)
 	}
 
 	_, err := m.namespaceLister.Get(namespace)