fix clusterrolebinding update (#353)

controllers/datadogagent/agent_rbac.go

@@ -65,7 +65,7 @@ func (r *Reconciler) manageAgentRBACs(logger logr.Logger, dda *datadoghqv1alpha1
 		return reconcile.Result{}, err
 	}
 
-	return r.udpateIfNeededAgentClusterRoleBinding(logger, dda, rbacResourcesName, rbacResourcesName, serviceAccountName, agentVersion, clusterRoleBinding)
+	return r.updateIfNeededClusterRoleBinding(logger, dda, rbacResourcesName, rbacResourcesName, serviceAccountName, agentVersion, clusterRoleBinding)
 }
 
 // cleanupAgentRbacResources deletes ClusterRole, ClusterRoleBindings, and ServiceAccount of the Agent

controllers/datadogagent/clusteragent.go

@@ -820,7 +820,7 @@ func (r *Reconciler) manageClusterAgentRBACs(logger logr.Logger, dda *datadoghqv
 		}
 		return reconcile.Result{}, err
 	}
-	if result, err := r.udpateIfNeededClusterAgentClusterRoleBinding(logger, dda, rbacResourcesName, serviceAccountName, clusterAgentVersion, clusterRoleBinding); err != nil {
+	if result, err := r.updateIfNeededClusterRoleBinding(logger, dda, rbacResourcesName, rbacResourcesName, serviceAccountName, clusterAgentVersion, clusterRoleBinding); err != nil {
 		return result, err
 	}
 
@@ -993,30 +993,6 @@ func (r *Reconciler) updateIfNeededClusterAgentRole(logger logr.Logger, dda *dat
 	return reconcile.Result{}, nil
 }
 
-func (r *Reconciler) udpateIfNeededClusterAgentClusterRoleBinding(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, name, serviceAccountName, agentVersion string, clusterRoleBinding *rbacv1.ClusterRoleBinding) (reconcile.Result, error) {
-	info := roleBindingInfo{
-		name:               name,
-		roleName:           name,
-		serviceAccountName: serviceAccountName,
-	}
-	newClusterRoleBinding := buildClusterRoleBinding(dda, info, agentVersion)
-	if !apiequality.Semantic.DeepEqual(newClusterRoleBinding.Subjects, clusterRoleBinding.Subjects) || !apiequality.Semantic.DeepEqual(newClusterRoleBinding.RoleRef, clusterRoleBinding.RoleRef) {
-		updatedClusterRoleBinding := clusterRoleBinding.DeepCopy()
-		{
-			updatedClusterRoleBinding.Labels = newClusterRoleBinding.Labels
-			updatedClusterRoleBinding.RoleRef = newClusterRoleBinding.RoleRef
-			updatedClusterRoleBinding.Subjects = newClusterRoleBinding.Subjects
-		}
-		logger.V(1).Info("updateClusterAgentClusterRoleBinding", "clusterRoleBinding.name", updatedClusterRoleBinding.Name, "serviceAccount", serviceAccountName)
-		if err := r.client.Update(context.TODO(), updatedClusterRoleBinding); err != nil {
-			return reconcile.Result{}, err
-		}
-		event := buildEventInfo(updatedClusterRoleBinding.Name, updatedClusterRoleBinding.Namespace, clusterRoleKind, datadog.UpdateEvent)
-		r.recordEvent(dda, event)
-	}
-	return reconcile.Result{}, nil
-}
-
 func (r *Reconciler) updateIfNeededAgentClusterRole(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, name, agentVersion string, clusterRole *rbacv1.ClusterRole) (reconcile.Result, error) {
 	newClusterRole := buildAgentClusterRole(dda, name, agentVersion)
 	if !apiequality.Semantic.DeepEqual(newClusterRole.Rules, clusterRole.Rules) {
@@ -1043,30 +1019,6 @@ func (r *Reconciler) updateIfNeededClusterCheckRunnerClusterRole(logger logr.Log
 	return reconcile.Result{}, nil
 }
 
-func (r *Reconciler) udpateIfNeededAgentClusterRoleBinding(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, name, roleName, serviceAccountName, agentVersion string, clusterRoleBinding *rbacv1.ClusterRoleBinding) (reconcile.Result, error) {
-	info := roleBindingInfo{
-		name:               name,
-		roleName:           roleName,
-		serviceAccountName: serviceAccountName,
-	}
-	newClusterRoleBinding := buildClusterRoleBinding(dda, info, agentVersion)
-	if !apiequality.Semantic.DeepEqual(newClusterRoleBinding.Subjects, clusterRoleBinding.Subjects) || !apiequality.Semantic.DeepEqual(newClusterRoleBinding.RoleRef, clusterRoleBinding.RoleRef) {
-		updatedClusterRoleBinding := clusterRoleBinding.DeepCopy()
-		{
-			updatedClusterRoleBinding.Labels = newClusterRoleBinding.Labels
-			updatedClusterRoleBinding.RoleRef = newClusterRoleBinding.RoleRef
-			updatedClusterRoleBinding.Subjects = newClusterRoleBinding.Subjects
-		}
-		logger.V(1).Info("updateAgentClusterRoleBinding", "clusterRoleBinding.name", updatedClusterRoleBinding.Name, "serviceAccount", serviceAccountName)
-		if err := r.client.Update(context.TODO(), updatedClusterRoleBinding); err != nil {
-			return reconcile.Result{}, err
-		}
-		event := buildEventInfo(updatedClusterRoleBinding.Name, newClusterRoleBinding.Namespace, clusterRoleKind, datadog.UpdateEvent)
-		r.recordEvent(dda, event)
-	}
-	return reconcile.Result{}, nil
-}
-
 // cleanupClusterAgentRbacResources deletes ClusterRole, ClusterRoleBindings, and ServiceAccount of the Cluster Agent
 func (r *Reconciler) cleanupClusterAgentRbacResources(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent) (reconcile.Result, error) {
 	rbacResourcesName := getClusterAgentRbacResourcesName(dda)

controllers/datadogagent/clusterchecksrunner_rbac.go

@@ -66,7 +66,7 @@ func (r *Reconciler) manageClusterChecksRunnerRBACs(logger logr.Logger, dda *dat
 		return reconcile.Result{}, err
 	}
 
-	if result, err := r.udpateIfNeededAgentClusterRoleBinding(logger, dda, rbacResourcesName, rbacResourcesName, serviceAccountName, agentVersion, clusterRoleBinding); err != nil {
+	if result, err := r.updateIfNeededClusterRoleBinding(logger, dda, rbacResourcesName, rbacResourcesName, serviceAccountName, agentVersion, clusterRoleBinding); err != nil {
 		return result, err
 	}
 

controllers/datadogagent/common_rbac.go

@@ -11,6 +11,7 @@ import (
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -161,3 +162,26 @@ func (r *Reconciler) cleanupServiceAccount(logger logr.Logger, client client.Cli
 	r.recordEvent(dda, event)
 	return reconcile.Result{}, client.Delete(context.TODO(), serviceAccount)
 }
+
+func (r *Reconciler) updateIfNeededClusterRoleBinding(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, clusterRoleBindingName, roleName, serviceAccountName, version string, clusterRoleBinding *rbacv1.ClusterRoleBinding) (reconcile.Result, error) {
+	info := roleBindingInfo{
+		name:               clusterRoleBindingName,
+		roleName:           roleName,
+		serviceAccountName: serviceAccountName,
+	}
+	newClusterRoleBinding := buildClusterRoleBinding(dda, info, version)
+	if !apiequality.Semantic.DeepEqual(newClusterRoleBinding.Subjects, clusterRoleBinding.Subjects) || !apiequality.Semantic.DeepEqual(newClusterRoleBinding.RoleRef, clusterRoleBinding.RoleRef) {
+		logger.V(1).Info("updateIfNeededClusterRoleBinding", "clusterRoleBinding.name", clusterRoleBinding.Name, "serviceAccount", serviceAccountName, "roleName", roleName)
+		// ClusterRoleBinding can be updated, if we change the RoleRef in it, we need to delete and recreate
+		if err := r.client.Delete(context.TODO(), clusterRoleBinding); err != nil {
+			return reconcile.Result{}, err
+		}
+		if err := r.client.Create(context.TODO(), newClusterRoleBinding); err != nil {
+			return reconcile.Result{}, err
+		}
+		event := buildEventInfo(newClusterRoleBinding.Name, newClusterRoleBinding.Namespace, clusterRoleKind, datadog.UpdateEvent)
+		r.recordEvent(dda, event)
+	}
+
+	return reconcile.Result{}, nil
+}

controllers/datadogagent/kubestatemetrics.go

@@ -112,25 +112,6 @@ func (r *Reconciler) updateIfNeededKubeStateMetricsClusterRole(logger logr.Logge
 	return reconcile.Result{}, nil
 }
 
-func (r *Reconciler) updateIfNeededKubeStateMetricsClusterRoleBinding(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, clusterRoleBindingName, roleName, serviceAccountName, version string, clusterRoleBinding *rbacv1.ClusterRoleBinding) (reconcile.Result, error) {
-	info := roleBindingInfo{
-		name:               clusterRoleBindingName,
-		roleName:           roleName,
-		serviceAccountName: serviceAccountName,
-	}
-	newClusterRoleBinding := buildClusterRoleBinding(dda, info, version)
-	if !apiequality.Semantic.DeepEqual(newClusterRoleBinding.Subjects, clusterRoleBinding.Subjects) || !apiequality.Semantic.DeepEqual(newClusterRoleBinding.RoleRef, clusterRoleBinding.RoleRef) {
-		logger.V(1).Info("updateKubeStateMetricsClusterRoleBinding", "clusterRoleBinding.name", clusterRoleBinding.Name)
-		if err := r.client.Update(context.TODO(), newClusterRoleBinding); err != nil {
-			return reconcile.Result{}, err
-		}
-		event := buildEventInfo(newClusterRoleBinding.Name, newClusterRoleBinding.Namespace, clusterRoleKind, datadog.UpdateEvent)
-		r.recordEvent(dda, event)
-	}
-
-	return reconcile.Result{}, nil
-}
-
 func (r *Reconciler) createOrUpdateKubeStateMetricsCoreRBAC(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, serviceAccountName, componentVersion, nameSuffix string) (reconcile.Result, error) {
 	kubeStateMetricsRBACName := kubeStateMetricsRBACPrefix + nameSuffix
 	kubeStateMetricsClusterRole := &rbacv1.ClusterRole{}
@@ -157,7 +138,7 @@ func (r *Reconciler) createOrUpdateKubeStateMetricsCoreRBAC(logger logr.Logger,
 		return reconcile.Result{}, err
 	}
 
-	return r.updateIfNeededKubeStateMetricsClusterRoleBinding(logger, dda, kubeStateMetricsRBACName, kubeStateMetricsRBACName, serviceAccountName, componentVersion, kubeStateMetricsClusterRoleBinding)
+	return r.updateIfNeededClusterRoleBinding(logger, dda, kubeStateMetricsRBACName, kubeStateMetricsRBACName, serviceAccountName, componentVersion, kubeStateMetricsClusterRoleBinding)
 }
 
 func (r *Reconciler) cleanupKubeStateMetricsCoreRBAC(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, nameSuffix string) (reconcile.Result, error) {

controllers/datadogagent/orchestrator.go

@@ -89,25 +89,6 @@ func (r *Reconciler) updateIfNeededOrchestratorExplorerClusterRole(logger logr.L
 	return reconcile.Result{}, nil
 }
 
-func (r *Reconciler) updateIfNeededOrchestratorExplorerClusterRoleBinding(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, clusterRoleBindingName, roleName, serviceAccountName, version string, clusterRoleBinding *rbacv1.ClusterRoleBinding) (reconcile.Result, error) {
-	info := roleBindingInfo{
-		name:               clusterRoleBindingName,
-		roleName:           roleName,
-		serviceAccountName: serviceAccountName,
-	}
-	newClusterRoleBinding := buildClusterRoleBinding(dda, info, version)
-	if !apiequality.Semantic.DeepEqual(newClusterRoleBinding.Subjects, clusterRoleBinding.Subjects) || !apiequality.Semantic.DeepEqual(newClusterRoleBinding.RoleRef, clusterRoleBinding.RoleRef) {
-		logger.V(1).Info("updateOrchestratorClusterRoleBinding", "clusterRoleBinding.name", clusterRoleBinding.Name)
-		if err := r.client.Update(context.TODO(), newClusterRoleBinding); err != nil {
-			return reconcile.Result{}, err
-		}
-		event := buildEventInfo(newClusterRoleBinding.Name, newClusterRoleBinding.Namespace, clusterRoleKind, datadog.UpdateEvent)
-		r.recordEvent(dda, event)
-	}
-
-	return reconcile.Result{}, nil
-}
-
 func (r *Reconciler) createOrUpdateOrchestratorCoreRBAC(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, serviceAccountName, componentVersion, nameSuffix string) (reconcile.Result, error) {
 	orchestratorRBACName := orchestratorExplorerRBACPrefix + nameSuffix
 	orchestratorClusterRole := &rbacv1.ClusterRole{}
@@ -134,7 +115,7 @@ func (r *Reconciler) createOrUpdateOrchestratorCoreRBAC(logger logr.Logger, dda
 		return reconcile.Result{}, err
 	}
 
-	return r.updateIfNeededOrchestratorExplorerClusterRoleBinding(logger, dda, orchestratorRBACName, orchestratorRBACName, serviceAccountName, componentVersion, orchestratorClusterRoleBinding)
+	return r.updateIfNeededClusterRoleBinding(logger, dda, orchestratorRBACName, orchestratorRBACName, serviceAccountName, componentVersion, orchestratorClusterRoleBinding)
 }
 
 func (r *Reconciler) cleanupOrchestratorCoreRBAC(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent, nameSuffix string) (reconcile.Result, error) {