diff --git a/controllers/account_server.go b/controllers/account_server.go
index 68d70cc..81ea461 100644
--- a/controllers/account_server.go
+++ b/controllers/account_server.go
@@ -16,9 +16,9 @@ import (
 // NatsAccountServer takes NatsAccount and serves them to a nats server (cluster)
 type NatsAccountServer struct {
 client.Client
- Scheme *runtime.Scheme
- accountMap map[string]string
- nc *nats.Conn
+ Scheme *runtime.Scheme
+ accounts map[string]string
+ nc *nats.Conn
 }
 
 //+kubebuilder:rbac:groups=natz.zeiss.com,resources=natsaccounts,verbs=get;list;watch;create;update;patch;delete
@@ -26,9 +26,10 @@ type NatsAccountServer struct {
 // NewNatsAccountServer ...
 func NewNatsAccountServer(mgr ctrl.Manager, nc *nats.Conn) *NatsAccountServer {
 return &NatsAccountServer{
- Client: mgr.GetClient(),
- Scheme: mgr.GetScheme(),
- nc: nc,
+ Client: mgr.GetClient(),
+ Scheme: mgr.GetScheme(),
+ accounts: make(map[string]string),
+ nc: nc,
 }
 }
 
@@ -41,16 +42,19 @@ func (r *NatsAccountServer) Reconcile(ctx context.Context, req ctrl.Request) (ct
 if errors.IsNotFound(err) {
 return ctrl.Result{}, nil
 }
+
 return ctrl.Result{}, err
 }
 
+ logger.Info("reconciling account", "account", account.Name)
+
 if account.DeletionTimestamp != nil {
- delete(r.accountMap, account.Status.PublicKey)
+ delete(r.accounts, account.Status.PublicKey)
 return ctrl.Result{}, nil
 }
 
 if account.Status.JWT != "" && account.Status.PublicKey != "" {
- r.accountMap[account.Status.PublicKey] = account.Status.JWT
+ r.accounts[account.Status.PublicKey] = account.Status.JWT
 
 if r.nc != nil {
 go func() {
diff --git a/helm/charts/account-server/templates/deployment.yaml b/helm/charts/account-server/templates/deployment.yaml
index 64bbfa4..be0bd6d 100644
--- a/helm/charts/account-server/templates/deployment.yaml
+++ b/helm/charts/account-server/templates/deployment.yaml
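Review bot: The renamed `accounts map[string]string` field is a plain Go map written by Reconcile (the `delete` and the `r.accounts[...] = ...` assignment in the third hunk) with no lock around it, and plain maps are not safe for concurrent use. The reader side is not in this diff, but the struct comment says the server serves these accounts to a NATS cluster and Reconcile starts a goroutine under `if r.nc != nil`, so some reader presumably runs concurrently with the reconcile loop; if it reads this map, `go test -race` will report a data race. Adding `mu sync.RWMutex` next to the map, taking `r.mu.Lock()` around the two writes in Reconcile and `r.mu.RLock()` on the serving path would close this; the same note applies to the Reconcile hunk below.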
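Review bot: The doc comment `// NewNatsAccountServer ...` above the constructor is still a placeholder, and this hunk makes the constructor the only place the `accounts` map is initialised, which is worth stating so nobody constructs the struct literally and hits a nil-map write in Reconcile. Suggested comment: `// NewNatsAccountServer returns a NatsAccountServer backed by mgr's client and scheme with an empty account cache; nc may be nil, in which case the nc-dependent branch of Reconcile is skipped.` The nil tolerance is inferred from the `if r.nc != nil` guard in Reconcile rather than from anything in this hunk.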
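Review bot: A NatsAccount that disappears before Reconcile observes its `DeletionTimestamp` never has its JWT evicted from `r.accounts`: the `errors.IsNotFound(err)` branch returns nil without touching the cache, and `delete(r.accounts, account.Status.PublicKey)` is only reached while the object still exists. Unless a finalizer (not visible in this hunk) keeps the object around until the delete branch has run, the server keeps serving the JWT of a removed account, which is a stale-credential problem rather than just a memory one. One fix is to also record `req.NamespacedName` to public-key when the JWT is stored so the NotFound path can evict by name; another is to add a finalizer and remove it right after the `delete`. Reconcile starts before and ends after this hunk.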
@@ -34,6 +34,7 @@ spec:
 readOnly: true
 securityContext:
 allowPrivilegeEscalation: false
+ {{- toYaml .Values.controller.securityContext | nindent 10 }}
 volumes:
 - name: "credentials"
 secret:
@@ -43,5 +44,4 @@ spec:
 - key: "user.creds"
 path: "user.creds"
 mode: 420
- securityContext:
- {{- toYaml .Values.controller.securityContext | nindent 8 }}
\ No newline at end of file
+
\ No newline at end of file
diff --git a/helm/charts/account-server/templates/rbac.yaml b/helm/charts/account-server/templates/rbac.yaml
index 15b0b20..43bd955 100644
--- a/helm/charts/account-server/templates/rbac.yaml
+++ b/helm/charts/account-server/templates/rbac.yaml
@@ -1,5 +1,5 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
 name: {{ include "account-server.fullname" . }}
 rules:
@@ -13,13 +13,14 @@ rules:
 - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
 name: {{ include "account-server.fullname" . }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: Role
+ kind: ClusterRole
 name: {{ include "account-server.fullname" . }}
 subjects:
 - kind: ServiceAccount
- name: {{ include "account-server.serviceAccountName" . }}
\ No newline at end of file
+ name: {{ include "account-server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/helm/charts/account-server/values.yaml b/helm/charts/account-server/values.yaml
index 3365c9f..80308e9 100644
--- a/helm/charts/account-server/values.yaml
+++ b/helm/charts/account-server/values.yaml
@@ -177,8 +177,6 @@ controller:
 - NET_BIND_SERVICE
 drop:
 - all
- runAsUser: 0
- runAsGroup: 0
 serviceAccount:
 # -- Create a service account for the natz controller
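Review bot: `.Values.controller.securityContext` is now rendered inside the container `securityContext` directly after the hard-coded `allowPrivilegeEscalation: false`, so a chart user who sets that key in values produces a duplicate YAML key, and pod-only fields such as `fsGroup` or `supplementalGroups` that were valid at the old pod-level position will now be rejected by API validation. Either document in values.yaml that `controller.securityContext` is container-scoped, or render `allowPrivilegeEscalation` from values as well instead of hard-coding it next to the block. Separately, with `runAsUser: 0`/`runAsGroup: 0` dropped from the defaults in the values.yaml hunk, nothing in the chart asserts a non-root UID any more; if the image declares a non-root `USER`, adding `runAsNonRoot: true` to the default securityContext makes that explicit and fails fast if a future image reverts to root.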
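Review bot: Changing `kind: Role` to `kind: ClusterRole` (with the matching ClusterRoleBinding in the next hunk) grants the controller's ServiceAccount the listed verbs on natsaccounts in every namespace rather than only the release namespace; the rules list is outside this hunk, but the kubebuilder marker in the Go file requests get/list/watch/create/update/patch/delete, so this is a genuine privilege expansion that the commit message should call out. If cluster-wide watching is intended, state it in the chart README or a values comment; if single-namespace installs should stay possible, gate the Cluster* kinds behind a chart value (a constructed name such as `rbac.clusterScoped`) so users can keep the namespaced Role. The reconcile code in this diff only reads the object and updates an in-memory map, so the write verbs look broader than this controller needs — worth confirming against the actual rules block before widening their scope.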
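Review bot: The new `namespace: {{ .Release.Namespace }}` line is required for a ServiceAccount subject of a ClusterRoleBinding and is correct, but the file still ends without a trailing newline (the `\ No newline at end of file` marker survives on the new side), so the next edit to this file will show this line as changed again; end the template with a newline. The deployment.yaml hunk above has the same issue, where the new last line is a whitespace-only `+` line with no newline — that line should simply be dropped rather than left as a blank.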