From e5659882dfa0b5b3b75b20ee74d117a0285f9d37 Mon Sep 17 00:00:00 2001
From: rasel
Date: Thu, 7 Mar 2024 12:20:32 +0600
Subject: [PATCH] Add cluster name and uid as cluster controller identifier
Signed-off-by: rasel
---
 .../clusterbinding_reconcile.go | 80 -------------------
 .../clusterbinding_reconcile.go | 1 +
 pkg/konnector/konnector_reconcile.go | 14 +---
 3 files changed, 2 insertions(+), 93 deletions(-)
diff --git a/contrib/example-backend/controllers/clusterbinding/clusterbinding_reconcile.go b/contrib/example-backend/controllers/clusterbinding/clusterbinding_reconcile.go
index b87057c7..d8281c48 100644
--- a/contrib/example-backend/controllers/clusterbinding/clusterbinding_reconcile.go
+++ b/contrib/example-backend/controllers/clusterbinding/clusterbinding_reconcile.go
@@ -30,7 +30,6 @@ import (
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 utilerrors "k8s.io/apimachinery/pkg/util/errors"
- "k8s.io/klog/v2"
 "k8s.io/utils/ptr"
 conditionsapi "kmodules.xyz/client-go/api/v1"
 "kmodules.xyz/client-go/conditions"
@@ -60,9 +59,6 @@ type reconciler struct {
 func (r *reconciler) reconcile(ctx context.Context, clusterBinding *v1alpha1.ClusterBinding) error {
 var errs []error
- //if err := r.ensureKubeSystemNSAccess(ctx, clusterBinding); err != nil {
- // errs = append(errs, err)
- //}
 r.ensureClusterBindingConditions(clusterBinding)
 if err := r.ensureRBACRoleBinding(ctx, clusterBinding); err != nil {
 errs = append(errs, err)
@@ -117,82 +113,6 @@ func (r *reconciler) ensureClusterBindingConditions(clusterBinding *v1alpha1.Clu } } -func (r *reconciler) ensureKubeSystemNSAccess(ctx context.Context, clusterBinding *v1alpha1.ClusterBinding) error { - roleName := "kube-binder-namespace" - clusterRole, err := r.getClusterRole(roleName) - if err != nil && !errors.IsNotFound(err) { - return fmt.Errorf("failed to get ClusterRole %s: %w", roleName, err) - } - ns, err := r.getNamespace(clusterBinding.Namespace) - if err != nil { - return fmt.Errorf("failed to get Namespace %s: %w", clusterBinding.Namespace, err) - } - - expectedRole := &rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{ - Name: roleName, - }, - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{""}, - Resources: []string{"namespaces"}, - Verbs: []string{"get"}, - ResourceNames: []string{"kube-system"}, - }, - }, - } - if clusterRole == nil { - _, err = r.createClusterRole(ctx, expectedRole) - if err != nil { - return err - } - klog.Infof(fmt.Sprintf("clusterrole %s created", roleName)) - } - - rbName := roleName + "-" + clusterBinding.Namespace - - expectedRB := &rbacv1.ClusterRoleBinding{ - ObjectMeta: metav1.ObjectMeta{ - Name: rbName, - OwnerReferences: []metav1.OwnerReference{ - { - APIVersion: "v1", - Kind: "Namespace", - Name: clusterBinding.Namespace, - Controller: ptr.To(true), - UID: ns.UID, - }, - }, - }, - Subjects: []rbacv1.Subject{ - { - Kind: "ServiceAccount", - Namespace: clusterBinding.Namespace, - Name: kuberesources.ServiceAccountName, - }, - }, - RoleRef: rbacv1.RoleRef{ - Kind: "ClusterRole", - Name: roleName, - APIGroup: "rbac.authorization.k8s.io", - }, - } - - rb, err := r.getClusterRoleBinding(rbName) - if err != nil && !errors.IsNotFound(err) { - return err - } - if rb == nil { - _, err = r.createClusterRoleBinding(ctx, expectedRB) - if err != nil { - return err - } - klog.Infof(fmt.Sprintf("clusterrolebinding %s created", rbName)) - - } - return nil -} - func (r *reconciler) ensureRBACClusterRole(ctx 
context.Context, clusterBinding *v1alpha1.ClusterBinding) error {
 name := "kube-binder-" + clusterBinding.Namespace
 role, err := r.getClusterRole(name)
diff --git a/pkg/konnector/controllers/cluster/clusterbinding/clusterbinding_reconcile.go b/pkg/konnector/controllers/cluster/clusterbinding/clusterbinding_reconcile.go
index 8ed014a6..7bb520be 100644
--- a/pkg/konnector/controllers/cluster/clusterbinding/clusterbinding_reconcile.go
+++ b/pkg/konnector/controllers/cluster/clusterbinding/clusterbinding_reconcile.go
@@ -94,6 +94,7 @@ func (r *reconciler) ensureRightScopedServiceBinding(ctx context.Context, bindin
 sb.Spec.Providers[i].ClusterUID = binding.Status.Provider.ClusterUID
 sb.Spec.Providers[i].ClusterName = binding.Status.Provider.ClusterName
 if err = r.updateServiceBinding(ctx, &sb); err != nil {
+ klog.Errorf(err.Error())
 return err
 }
 break
diff --git a/pkg/konnector/konnector_reconcile.go b/pkg/konnector/konnector_reconcile.go
index f0198a6f..7cca8240 100644
--- a/pkg/konnector/konnector_reconcile.go
+++ b/pkg/konnector/konnector_reconcile.go
@@ -69,7 +69,7 @@ func (r *reconciler) reconcile(ctx context.Context, binding *kubebindv1alpha1.AP
 } else if errors.IsNotFound(err) {
 logger.V(2).Info("secret not found", "secret", p.Kubeconfig.Namespace+"/"+p.Kubeconfig.Name)
 } else {
- kubeconfigs = append(kubeconfigs, string(secret.Data[p.Kubeconfig.Key]))
+ kubeconfigs = append(kubeconfigs, string(secret.Data[p.Kubeconfig.Key])+p.ClusterName+p.ClusterUID)
 idf := providerIdentifier{
 kubeconfig: string(secret.Data[p.Kubeconfig.Key]),
 secretRefName: p.Kubeconfig.Name,
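Review bot: The added `klog.Errorf(err.Error())` in ensureRightScopedServiceBinding uses the error text as the format string, so any `%` in the message (for example from a quoted API error) is interpreted as a verb and garbled, and `go vet`'s printf check flags the non-constant format. It also logs a failure that the next line returns to the caller, so the same error is reported at two layers. If a log line is wanted here, `klog.Error(err)` or `klog.ErrorS(err, "updating ServiceBinding")` is the safe form; otherwise drop it and let the caller report the error once. The enclosing function starts and ends outside the hunk.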
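Review bot: The new `kubeconfigs` entry joins the raw kubeconfig, `p.ClusterName` and `p.ClusterUID` with no delimiter, so distinct (name, uid) pairs can produce the same key (`"ab"+"c"` and `"a"+"bc"` are equal), and if that slice is ever parsed as a kubeconfig rather than only compared — its consumer is not visible in the hunk — the appended suffix makes it invalid. A separator that cannot occur in the parts keeps the identity unambiguous, e.g. `string(secret.Data[p.Kubeconfig.Key])+"\x00"+p.ClusterName+"\x00"+p.ClusterUID`, and a comment on the line stating that `kubeconfigs` holds identity keys rather than usable kubeconfigs would spare the next reader the same question. Note that `providerIdentifier` on the following lines still records the bare kubeconfig, so the two identities no longer agree. The enclosing reconcile starts and ends outside the hunk.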
@@ -141,18 +141,6 @@ func (r *reconciler) reconcile(ctx context.Context, binding *kubebindv1alpha1.AP
 }
 provider.ConsumerSecretRefKey = identifier.secretRefNamespace + "/" + identifier.secretRefName
- // set cluster uid
- //kubeclient, err := kubernetesclient.NewForConfig(provider.Config)
- //if err != nil {
- // return err
- //}
- //ns, err := kubeclient.CoreV1().Namespaces().Get(ctx, namespaceKubeSystem, metav1.GetOptions{})
- //if err != nil {
- // klog.Error(err.Error())
- // return err
- //}
- //provider.ClusterID = string(ns.GetUID())
- provider.ClusterID = identifier.clusterUID
 providerInfos = append(providerInfos, &provider)