Allow the name registry to get, list and watch leases
In order to check whether a name has already been reserved by the object being updated (i.e. the lease for the old name does not exist, but a lease for the new name owned by the updated object does), the name registry has to be allowed to get leases. However, when the name registry uses a cached client, once a lease has been fetched the client's cache starts listing and watching leases. Therefore, the client's user (i.e. the controllers user) has to be permitted to list and watch leases as well. This requirement was not covered by our integration tests, as webhooks used to run with the admin client configured by envtest. In order to close this gap, webhooks now run as a user that is bound to the controllers role. Co-authored-by: Danail Branekov <[email protected]> Co-authored-by: Giuseppe Capizzi <[email protected]> Co-authored-by: Georgi Sabev <[email protected]> Co-authored-by: Danail Branekov <[email protected]>
1 parent
c979016
commit 07fd745
Showing
10 changed files
with
141 additions
and
27 deletions.
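--- /dev/null
+++ b/(unknown)
@@ -0,0 +1,73 @@
+package helpers
+
+import (
+"context"
+"os"
+"path/filepath"
+"runtime"
+
+. "github.com/onsi/gomega" //lint:ignore ST1001 this is a test file
+
+. "github.com/onsi/ginkgo/v2" //lint:ignore ST1001 this is a test file
+rbacv1 "k8s.io/api/rbac/v1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/client-go/kubernetes/scheme"
+"k8s.io/client-go/rest"
+"sigs.k8s.io/controller-runtime/pkg/client"
+"sigs.k8s.io/controller-runtime/pkg/envtest"
+)
+
+func SetupControllersUser(testEnv *envtest.Environment) *rest.Config {
+controllersUser, err := testEnv.ControlPlane.AddUser(envtest.User{Name: "envtest-controller"}, testEnv.Config)
+Expect(err).NotTo(HaveOccurred())
+
+adminClient, err := client.New(testEnv.Config, client.Options{Scheme: scheme.Scheme})
+Expect(err).NotTo(HaveOccurred())
+
+bindUserToControllersRole(adminClient, "envtest-controller")
+
+return controllersUser.Config()
+}
+
+func bindUserToControllersRole(k8sClient client.Client, userName string) {
+GinkgoHelper()
+
+controllersRole := ensureControllersClusterRole(k8sClient)
+
+Expect(k8sClient.Create(context.Background(), &rbacv1.ClusterRoleBinding{
+ObjectMeta: metav1.ObjectMeta{
+Name: "envtest-controller",
+},
+Subjects: []rbacv1.Subject{{
+Kind: "User",
+Name: userName,
+}},
+RoleRef: rbacv1.RoleRef{
+Kind: "ClusterRole",
+Name: controllersRole.Name,
+},
+})).To(Succeed())
+}
+
+func ensureControllersClusterRole(k8sClient client.Client) *rbacv1.ClusterRole {
+clusterRoleDefinition, err := os.ReadFile(controllersRoleYamlPath())
+Expect(err).NotTo(HaveOccurred())
+
+roleObject, _, err := scheme.Codecs.UniversalDeserializer().Decode(clusterRoleDefinition, nil, new(rbacv1.ClusterRole))
+Expect(err).NotTo(HaveOccurred())
+
+clusterRole, ok := roleObject.(*rbacv1.ClusterRole)
+Expect(ok).To(BeTrue())
+
+Expect(client.IgnoreAlreadyExists(k8sClient.Create(context.Background(), clusterRole))).To(Succeed())
+
+return clusterRole
+}
+
+func controllersRoleYamlPath() string {
+_, thisFilePath, _, ok := runtime.Caller(0)
+Expect(ok).To(BeTrue())
+thisFileDir := filepath.Dir(thisFilePath)
+
+return filepath.Join(thisFileDir, "..", "..", "helm", "korifi", "controllers", "role.yaml")
+}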
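Review bot: `bindUserToControllersRole` hard-codes the ClusterRoleBinding name to `"envtest-controller"` and creates it without the `client.IgnoreAlreadyExists` tolerance that `ensureControllersClusterRole` applies to the role, so a second `SetupControllersUser` against the same envtest fails on the binding, and a caller passing a different `userName` gets a binding whose name no longer matches its subject; `Name: userName,` in the ObjectMeta and wrapping the create in `client.IgnoreAlreadyExists(...)` would make the two helpers consistent. On the role side, `IgnoreAlreadyExists` means a ClusterRole that already exists under that name silently wins over the chart's `role.yaml`, so the least-privilege check this commit is meant to close the gap on could pass against a stale rule set; in a fresh envtest that is presumably rare, but an `Update` (or an equality assertion) when the role already exists would keep the test bound to the current `role.yaml`. Only `bindUserToControllersRole` calls `GinkgoHelper()`, so `Expect` failures in the other two helpers will be reported at the helper's own line rather than the caller's; adding the same call to `ensureControllersClusterRole` and `controllersRoleYamlPath` is a cheap consistency fix.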