

Merge pull request openshift#1662 from alvaroaleman/io2
Add rbac so route-to-ingress controller can do its leader election
openshift-merge-robot authored Aug 8, 2022
2 parents 8ef6453 + a6e107c commit c5df260
Showing 115 changed files with 2,647 additions and 2,487 deletions.
Expand Up @@ -68,3 +68,9 @@ func NamespaceAuthentication() *corev1.Namespace {
},
}
}

func NamespaceRouteControllerManager() *corev1.Namespace {
return &corev1.Namespace{
ObjectMeta: metav1.ObjectMeta{Name: "openshift-route-controller-manager"},
}
}
Expand Up @@ -29,6 +29,15 @@ func IngressToRouteControllerClusterRole() *rbacv1.ClusterRole {
}
}

func IngressToRouteControllerRole() *rbacv1.Role {
return &rbacv1.Role{
ObjectMeta: metav1.ObjectMeta{
Namespace: "openshift-route-controller-manager",
Name: "openshift-route-controllers",
},
}
}

func IngressToRouteControllerClusterRoleBinding() *rbacv1.ClusterRoleBinding {
return &rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -37,6 +46,15 @@ func IngressToRouteControllerClusterRoleBinding() *rbacv1.ClusterRoleBinding {
}
}

func IngressToRouteControllerRoleBinding() *rbacv1.RoleBinding {
return &rbacv1.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Namespace: "openshift-route-controller-manager",
Name: "openshift-route-controllers",
},
}
}

func NamespaceSecurityAllocationControllerClusterRole() *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
ObjectMeta: metav1.ObjectMeta{
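Review bot: The namespace literal "openshift-route-controller-manager" is repeated in the new Role (line with `Namespace: "openshift-route-controller-manager",` inside IngressToRouteControllerRole) and again in IngressToRouteControllerRoleBinding, while the same file set already defines it once in NamespaceRouteControllerManager. If the two drift apart the RoleBinding silently stops granting anything, so both manifests should derive it from the namespace manifest: `Namespace: NamespaceRouteControllerManager().Name,`. The same applies to the Role and RoleBinding sharing the name "openshift-route-controllers", which the RoleBinding could take from `IngressToRouteControllerRole().Name` rather than restating.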
@@ -1,6 +1,7 @@
package rbac

import (
hccomanifests "github.com/openshift/hypershift/control-plane-operator/hostedclusterconfigoperator/controllers/resources/manifests"
rbacv1 "k8s.io/api/rbac/v1"
)

Expand Down Expand Up @@ -52,7 +53,7 @@ func ReconcileCSRApproverClusterRoleBinding(r *rbacv1.ClusterRoleBinding) error
r.RoleRef = rbacv1.RoleRef{
APIGroup: rbacv1.SchemeGroupVersion.Group,
Kind: "ClusterRole",
Name: "system:openshift:controller:cluster-csr-approver-controller",
Name: hccomanifests.CSRApproverClusterRoleBinding().Name,
}
r.Subjects = []rbacv1.Subject{
{
Expand Down Expand Up @@ -125,11 +126,44 @@ func ReconcileIngressToRouteControllerClusterRole(r *rbacv1.ClusterRole) error {
return nil
}

func ReconcileReconcileIngressToRouteControllerRole(r *rbacv1.Role) error {
r.Rules = []rbacv1.PolicyRule{
{
APIGroups: []string{"coordination.k8s.io"},
Resources: []string{"leases"},
ResourceNames: []string{"openshift-route-controllers"},
Verbs: []string{"get", "update"},
},
{
APIGroups: []string{"coordination.k8s.io"},
Resources: []string{"leases"},
Verbs: []string{"create"},
},
}
return nil
}

func ReconcileIngressToRouteControllerClusterRoleBinding(r *rbacv1.ClusterRoleBinding) error {
r.RoleRef = rbacv1.RoleRef{
APIGroup: rbacv1.SchemeGroupVersion.Group,
Kind: "ClusterRole",
Name: "system:openshift:openshift-controller-manager:ingress-to-route-controller",
Name: hccomanifests.IngressToRouteControllerClusterRole().Name,
}
r.Subjects = []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: "ingress-to-route-controller",
Namespace: "openshift-infra",
},
}
return nil
}

func ReconcileIngressToRouteControllerRoleBinding(r *rbacv1.RoleBinding) error {
r.RoleRef = rbacv1.RoleRef{
APIGroup: rbacv1.SchemeGroupVersion.Group,
Kind: "Role",
Name: hccomanifests.IngressToRouteControllerRole().Name,
}
r.Subjects = []rbacv1.Subject{
{
Expand Down Expand Up @@ -183,7 +217,7 @@ func ReconcileNamespaceSecurityAllocationControllerClusterRoleBinding(r *rbacv1.
r.RoleRef = rbacv1.RoleRef{
APIGroup: rbacv1.SchemeGroupVersion.Group,
Kind: "ClusterRole",
Name: "system:openshift:controller:namespace-security-allocation-controller",
Name: hccomanifests.NamespaceSecurityAllocationControllerClusterRole().Name,
}
r.Subjects = []rbacv1.Subject{
{
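Review bot: The new function `ReconcileReconcileIngressToRouteControllerRole(r *rbacv1.Role) error` doubles the `Reconcile` prefix; its siblings in this hunk are `ReconcileIngressToRouteControllerClusterRole` and `ReconcileIngressToRouteControllerRoleBinding`, so it should be `ReconcileIngressToRouteControllerRole`, with the call site in the resources reconciler updated to match. The second PolicyRule grants `create` on leases without a ResourceNames restriction; that is unavoidable, since RBAC cannot restrict create by resource name, but it deserves a comment so a later reader does not "tighten" it into a rule that breaks leader election or assume the name scoping applies: `// RBAC cannot restrict create by resourceName; lease creation is bounded only by the Role's namespace.`. ReconcileIngressToRouteControllerRoleBinding's Subjects list continues past the end of the hunk, so the subject namespace could not be checked here.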
Expand Up @@ -554,6 +554,7 @@ func (r *reconciler) reconcileNamespaces(ctx context.Context) error {
{manifest: manifests.NamespaceEtcd},
{manifest: manifests.NamespaceIngress, reconcile: namespaces.ReconcileOpenShiftIngressNamespace},
{manifest: manifests.NamespaceAuthentication},
{manifest: manifests.NamespaceRouteControllerManager},
}

var errs []error
Expand All @@ -572,44 +573,48 @@ func (r *reconciler) reconcileNamespaces(ctx context.Context) error {
return errors.NewAggregate(errs)
}

func (r *reconciler) reconcileRBAC(ctx context.Context) error {
roles := []struct {
manifest func() *rbacv1.ClusterRole
reconcile func(*rbacv1.ClusterRole) error
}{
{manifest: manifests.CSRApproverClusterRole, reconcile: rbac.ReconcileCSRApproverClusterRole},
{manifest: manifests.IngressToRouteControllerClusterRole, reconcile: rbac.ReconcileIngressToRouteControllerClusterRole},
{manifest: manifests.NamespaceSecurityAllocationControllerClusterRole, reconcile: rbac.ReconcileNamespaceSecurityAllocationControllerClusterRole},
}
type manifestAndReconcile[o client.Object] struct {
manifest func() o
reconcile func(o) error
}

roleBindings := []struct {
manifest func() *rbacv1.ClusterRoleBinding
reconcile func(*rbacv1.ClusterRoleBinding) error
}{
{manifest: manifests.CSRApproverClusterRoleBinding, reconcile: rbac.ReconcileCSRApproverClusterRoleBinding},
{manifest: manifests.IngressToRouteControllerClusterRoleBinding, reconcile: rbac.ReconcileIngressToRouteControllerClusterRoleBinding},
{manifest: manifests.NamespaceSecurityAllocationControllerClusterRoleBinding, reconcile: rbac.ReconcileNamespaceSecurityAllocationControllerClusterRoleBinding},
{manifest: manifests.NodeBootstrapperClusterRoleBinding, reconcile: rbac.ReconcileNodeBootstrapperClusterRoleBinding},
{manifest: manifests.CSRRenewalClusterRoleBinding, reconcile: rbac.ReconcileCSRRenewalClusterRoleBinding},
{manifest: manifests.MetricsClientClusterRoleBinding, reconcile: rbac.ReconcileGenericMetricsClusterRoleBinding("system:serviceaccount:hypershift:prometheus")},
func (m manifestAndReconcile[o]) upsert(ctx context.Context, client client.Client, createOrUpdate upsert.CreateOrUpdateFN) error {
obj := m.manifest()
if _, err := createOrUpdate(ctx, client, obj, func() error {
return m.reconcile(obj)
}); err != nil {
return fmt.Errorf("failed to reconcile %T %s: %w", obj, obj.GetName(), err)
}

var errs []error
for _, m := range roles {
role := m.manifest()
if _, err := r.CreateOrUpdate(ctx, r.client, role, func() error {
return m.reconcile(role)
}); err != nil {
errs = append(errs, fmt.Errorf("failed to reconcile role %s: %w", role.Name, err))
}
return nil
}

type manifestReconciler interface {
upsert(ctx context.Context, client client.Client, createOrUpdate upsert.CreateOrUpdateFN) error
}

func (r *reconciler) reconcileRBAC(ctx context.Context) error {
rbac := []manifestReconciler{
manifestAndReconcile[*rbacv1.ClusterRole]{manifest: manifests.CSRApproverClusterRole, reconcile: rbac.ReconcileCSRApproverClusterRole},
manifestAndReconcile[*rbacv1.ClusterRole]{manifest: manifests.IngressToRouteControllerClusterRole, reconcile: rbac.ReconcileIngressToRouteControllerClusterRole},
manifestAndReconcile[*rbacv1.ClusterRole]{manifest: manifests.NamespaceSecurityAllocationControllerClusterRole, reconcile: rbac.ReconcileNamespaceSecurityAllocationControllerClusterRole},

manifestAndReconcile[*rbacv1.Role]{manifest: manifests.IngressToRouteControllerRole, reconcile: rbac.ReconcileReconcileIngressToRouteControllerRole},

manifestAndReconcile[*rbacv1.ClusterRoleBinding]{manifest: manifests.CSRApproverClusterRoleBinding, reconcile: rbac.ReconcileCSRApproverClusterRoleBinding},
manifestAndReconcile[*rbacv1.ClusterRoleBinding]{manifest: manifests.IngressToRouteControllerClusterRoleBinding, reconcile: rbac.ReconcileIngressToRouteControllerClusterRoleBinding},
manifestAndReconcile[*rbacv1.ClusterRoleBinding]{manifest: manifests.NamespaceSecurityAllocationControllerClusterRoleBinding, reconcile: rbac.ReconcileNamespaceSecurityAllocationControllerClusterRoleBinding},
manifestAndReconcile[*rbacv1.ClusterRoleBinding]{manifest: manifests.NodeBootstrapperClusterRoleBinding, reconcile: rbac.ReconcileNodeBootstrapperClusterRoleBinding},
manifestAndReconcile[*rbacv1.ClusterRoleBinding]{manifest: manifests.CSRRenewalClusterRoleBinding, reconcile: rbac.ReconcileCSRRenewalClusterRoleBinding},
manifestAndReconcile[*rbacv1.ClusterRoleBinding]{manifest: manifests.MetricsClientClusterRoleBinding, reconcile: rbac.ReconcileGenericMetricsClusterRoleBinding("system:serviceaccount:hypershift:prometheus")},

manifestAndReconcile[*rbacv1.RoleBinding]{manifest: manifests.IngressToRouteControllerRoleBinding, reconcile: rbac.ReconcileIngressToRouteControllerRoleBinding},
}

for _, m := range roleBindings {
rb := m.manifest()
if _, err := r.CreateOrUpdate(ctx, r.client, rb, func() error {
return m.reconcile(rb)
}); err != nil {
errs = append(errs, fmt.Errorf("failed to reconcile role binding %s: %w", rb.Name, err))
var errs []error
for _, m := range rbac {
if err := m.upsert(ctx, r.client, r.CreateOrUpdate); err != nil {
errs = append(errs, err)
}
}

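Review bot: In reconcileRBAC the local slice is named `rbac` while its composite literal references the imported `rbac` package (`rbac.ReconcileCSRApproverClusterRole` and the others); this compiles only because a short variable declaration's name comes into scope after the statement, and any later reference to the package in this function would silently bind to the slice. Rename the local, e.g. `objects := []manifestReconciler{` and `for _, m := range objects {`. The same shadowing pattern appears in upsert, where the parameter `client client.Client` hides the `client` package for the body; `c client.Client` avoids it. The single-letter lowercase type parameter `o` in manifestAndReconcile is also unconventional for Go, where `T` or a descriptive uppercase name is expected. reconcileRBAC's return statement lies outside the hunk.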
Expand Up @@ -9,6 +9,7 @@ import (

. "github.com/onsi/gomega"
appsv1 "k8s.io/api/apps/v1"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

Expand Down Expand Up @@ -362,3 +363,5 @@ func TestReconcileUserCertCABundle(t *testing.T) {
})
}
}

var _ manifestReconciler = manifestAndReconcile[*rbacv1.ClusterRole]{}
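Review bot: The interface-satisfaction check `var _ manifestReconciler = manifestAndReconcile[*rbacv1.ClusterRole]{}` is placed in the test file, so it is only compiled under `go test` and a plain `go build` would not catch a regression in the type. The idiomatic location is next to the manifestAndReconcile declaration in the non-test file, where it is checked on every build and also documents the intent at the type itself.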
7 changes: 3 additions & 4 deletions hack/tools/go.mod
Expand Up @@ -6,7 +6,7 @@ require (
github.com/ahmetb/gen-crd-api-reference-docs v0.3.0
github.com/prometheus/prometheus v1.8.2-0.20211019160800-8858a276c2f3
gotest.tools/gotestsum v1.7.0
honnef.co/go/tools v0.3.0-0.dev.0.20220306074811-23e1086441d2
honnef.co/go/tools v0.3.3
sigs.k8s.io/controller-tools v0.9.2
)

Expand Down Expand Up @@ -124,16 +124,15 @@ require (
golang.org/x/crypto v0.0.0-20220214200702-86341886e292 // indirect
golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e // indirect
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
golang.org/x/sys v0.0.0-20220209214540-3681064d5158 // indirect
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
golang.org/x/tools v0.1.11-0.20220513221640-090b14e8501f // indirect
google.golang.org/api v0.56.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368 // indirect
12 changes: 6 additions & 6 deletions hack/tools/go.sum
Expand Up @@ -1516,9 +1516,9 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 h1:kQgndtyPBW/JIYERgdxfwMYh3AVStj88WQTlNDi2a+o=
golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717 h1:hI3jKY4Hpf63ns040onEbB3dAkR/H/P83hw1TG8dD3Y=
golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
golang.org/x/tools v0.1.11-0.20220513221640-090b14e8501f h1:OKYpQQVE3DKSc3r3zHVzq46vq5YH7x8xpR3/k9ixmUg=
golang.org/x/tools v0.1.11-0.20220513221640-090b14e8501f/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.3.0-0.dev.0.20220306074811-23e1086441d2 h1:utiSabORbG/JeX7MlmKMdmsjwom2+v8zmdb6SoBe4UY=
honnef.co/go/tools v0.3.0-0.dev.0.20220306074811-23e1086441d2/go.mod h1:dZI0HmIvwDMW8owtLBJxTHoeX48yuF5p5pDy3y73jGU=
honnef.co/go/tools v0.3.3 h1:oDx7VAwstgpYpb3wv0oxiZlxY+foCpRAwY7Vk6XpAgA=
honnef.co/go/tools v0.3.3/go.mod h1:jzwdWgg7Jdq75wlfblQxO4neNaFFSvgc1tD5Wv8U0Yw=
k8s.io/api v0.17.5/go.mod h1:0zV5/ungglgy2Rlm3QK8fbxkXVs+BSJWpJP/+8gUVLY=
k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ=
20 changes: 6 additions & 14 deletions hack/tools/vendor/golang.org/x/tools/go/analysis/doc.go



5 changes: 5 additions & 0 deletions hack/tools/vendor/golang.org/x/tools/go/analysis/validate.go

