Merge pull request #205 from joelddiaz/unify-constants

unify constants
openshift · Jun 26, 2020 · 20df268 · 20df268
2 parents d58ad49 + 1b384cc
commit 20df268
Show file tree

Hide file tree

Showing 33 changed files with 262 additions and 286 deletions.
diff --git a/pkg/apis/cloudcredential/v1/credentialsrequest_types.go b/pkg/apis/cloudcredential/v1/credentialsrequest_types.go
@@ -138,3 +138,14 @@ const (
 	// CredentialsRequests where the cloud/infra matches.
 	Ignored CredentialsRequestConditionType = "Ignored"
 )
+
+var (
+	// FailureConditionTypes is a list of all conditions where the overall controller status would not
+	// be healthy.
+	FailureConditionTypes = []CredentialsRequestConditionType{
+		InsufficientCloudCredentials,
+		MissingTargetNamespace,
+		CredentialsProvisionFailure,
+		CredentialsDeprovisionFailure,
+	}
+)
diff --git a/pkg/aws/actuator/actuator.go b/pkg/aws/actuator/actuator.go
@@ -27,10 +27,9 @@ import (
 	minterv1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1"
 	ccaws "github.com/openshift/cloud-credential-operator/pkg/aws"
 	minteraws "github.com/openshift/cloud-credential-operator/pkg/aws"
+	"github.com/openshift/cloud-credential-operator/pkg/operator/constants"
 	actuatoriface "github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/actuator"
-	"github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/constants"
 	awsannotator "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/aws"
-	annotatorconst "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/constants"
 	"github.com/openshift/cloud-credential-operator/pkg/operator/utils"
 	awsutils "github.com/openshift/cloud-credential-operator/pkg/operator/utils/aws"
 
@@ -284,20 +283,20 @@ func (a *AWSActuator) sync(ctx context.Context, cr *minterv1.CredentialsRequest)
 		return err
 	}
 
-	if cloudCredsSecret.Annotations[annotatorconst.AnnotationKey] == annotatorconst.InsufficientAnnotation {
+	if cloudCredsSecret.Annotations[constants.AnnotationKey] == constants.InsufficientAnnotation {
 		msg := "cloud credentials insufficient to satisfy credentials request"
 		logger.Error(msg)
 		return &actuatoriface.ActuatorError{
 			ErrReason: minterv1.InsufficientCloudCredentials,
 			Message:   msg,
 		}
-	} else if cloudCredsSecret.Annotations[annotatorconst.AnnotationKey] == annotatorconst.PassthroughAnnotation {
+	} else if cloudCredsSecret.Annotations[constants.AnnotationKey] == constants.PassthroughAnnotation {
 		logger.Debugf("provisioning with passthrough")
 		err := a.syncPassthrough(ctx, cr, cloudCredsSecret, logger)
 		if err != nil {
 			return err
 		}
-	} else if cloudCredsSecret.Annotations[annotatorconst.AnnotationKey] == annotatorconst.MintAnnotation {
+	} else if cloudCredsSecret.Annotations[constants.AnnotationKey] == constants.MintAnnotation {
 		logger.Debugf("provisioning with cred minting")
 		err := a.syncMint(ctx, cr, logger)
 		if err != nil {
@@ -309,7 +308,7 @@ func (a *AWSActuator) sync(ctx context.Context, cr *minterv1.CredentialsRequest)
 			}
 		}
 	} else {
-		logger.Infof("unknown or missing %s annotation on admin credentials Secret, skipping reconcile", annotatorconst.AnnotationKey)
+		logger.Infof("unknown or missing %s annotation on admin credentials Secret, skipping reconcile", constants.AnnotationKey)
 	}
 
 	return nil
@@ -397,7 +396,7 @@ func (a *AWSActuator) syncMint(ctx context.Context, cr *minterv1.CredentialsRequ
 			case iam.ErrCodeNoSuchEntityException:
 				logger.WithField("userName", awsStatus.User).Debug("user does not exist, creating")
 				if rootAWSClient == nil {
-					return fmt.Errorf("no root AWS client available, cred secret may not exist: %s/%s", constants.KubeSystemNS, annotatorconst.AWSCloudCredSecretName)
+					return fmt.Errorf("no root AWS client available, cred secret may not exist: %s/%s", constants.CloudCredSecretNamespace, constants.AWSCloudCredSecretName)
 				}
 
 				createOut, err := a.createUser(logger, rootAWSClient, awsStatus.User)
@@ -426,7 +425,7 @@ func (a *AWSActuator) syncMint(ctx context.Context, cr *minterv1.CredentialsRequ
 	// Check if the user has the expected tags:
 	if !userHasExpectedTags(logger, userOut, infraName, string(clusterUUID)) {
 		if rootAWSClient == nil {
-			return fmt.Errorf("no root AWS client available, cred secret may not exist: %s/%s", constants.KubeSystemNS, annotatorconst.AWSCloudCredSecretName)
+			return fmt.Errorf("no root AWS client available, cred secret may not exist: %s/%s", constants.CloudCredSecretNamespace, constants.AWSCloudCredSecretName)
 		}
 
 		err = a.tagUser(logger, rootAWSClient, awsStatus.User, infraName, string(clusterUUID))
@@ -444,7 +443,7 @@ func (a *AWSActuator) syncMint(ctx context.Context, cr *minterv1.CredentialsRequ
 	policyEqual, err := a.awsPolicyEqualsDesiredPolicy(desiredUserPolicy, awsSpec, awsStatus, userOut, readAWSClient, logger)
 	if !policyEqual {
 		if rootAWSClient == nil {
-			return fmt.Errorf("no root AWS client available, cred secret may not exist: %s/%s", constants.KubeSystemNS, annotatorconst.AWSCloudCredSecretName)
+			return fmt.Errorf("no root AWS client available, cred secret may not exist: %s/%s", constants.CloudCredSecretNamespace, constants.AWSCloudCredSecretName)
 		}
 		err = a.setUserPolicy(logger, rootAWSClient, awsStatus.User, awsStatus.Policy, desiredUserPolicy)
 		if err != nil {
@@ -485,7 +484,7 @@ func (a *AWSActuator) syncMint(ctx context.Context, cr *minterv1.CredentialsRequ
 		// we should cleanup all pre-existing access keys. This will allow deleting the
 		// secret in Kubernetes to revoke old credentials and create new.
 		if rootAWSClient == nil {
-			return fmt.Errorf("no root AWS client available, cred secret may not exist: %s/%s", constants.KubeSystemNS, annotatorconst.AWSCloudCredSecretName)
+			return fmt.Errorf("no root AWS client available, cred secret may not exist: %s/%s", constants.CloudCredSecretNamespace, constants.AWSCloudCredSecretName)
 		}
 		err := a.deleteAllAccessKeys(logger, rootAWSClient, awsStatus.User, allUserKeys)
 		if err != nil {
@@ -725,12 +724,12 @@ func (a *AWSActuator) tagUser(logger log.FieldLogger, awsClient minteraws.Client
 // buildRootAWSClient will return an AWS client using the "root" AWS creds which are expected to
 // live in kube-system/aws-creds.
 func (a *AWSActuator) buildRootAWSClient(cr *minterv1.CredentialsRequest) (minteraws.Client, error) {
-	logger := a.getLogger(cr).WithField("secret", fmt.Sprintf("%s/%s", constants.KubeSystemNS, annotatorconst.AWSCloudCredSecretName))
+	logger := a.getLogger(cr).WithField("secret", fmt.Sprintf("%s/%s", constants.CloudCredSecretNamespace, constants.AWSCloudCredSecretName))
 
 	logger.Debug("loading AWS credentials from secret")
 	// TODO: Running in a 4.0 cluster we expect this secret to exist. When we run in a Hive
 	// cluster, we need to load different secrets for each cluster.
-	accessKeyID, secretAccessKey, err := utils.LoadCredsFromSecret(a.Client, constants.KubeSystemNS, annotatorconst.AWSCloudCredSecretName)
+	accessKeyID, secretAccessKey, err := utils.LoadCredsFromSecret(a.Client, constants.CloudCredSecretNamespace, constants.AWSCloudCredSecretName)
 	if err != nil {
 		return nil, err
 	}
@@ -897,7 +896,7 @@ func (a *AWSActuator) getDesiredUserPolicy(entries []minterv1.StatementEntry, us
 
 // GetCredentialsRootSecretLocation returns the namespace and name where the parent credentials secret is stored.
 func (a *AWSActuator) GetCredentialsRootSecretLocation() types.NamespacedName {
-	return types.NamespacedName{Namespace: constants.KubeSystemNS, Name: annotatorconst.AWSCloudCredSecretName}
+	return types.NamespacedName{Namespace: constants.CloudCredSecretNamespace, Name: constants.AWSCloudCredSecretName}
 }
 
 func (a *AWSActuator) getCloudCredentialsSecret(ctx context.Context, logger log.FieldLogger) (*corev1.Secret, error) {
@@ -912,7 +911,7 @@ func (a *AWSActuator) getCloudCredentialsSecret(ctx context.Context, logger log.
 	}
 
 	if !isSecretAnnotated(cloudCredSecret) {
-		logger.WithField("secret", fmt.Sprintf("%s/%s", constants.KubeSystemNS, annotatorconst.AWSCloudCredSecretName)).Error("cloud cred secret not yet annotated")
+		logger.WithField("secret", fmt.Sprintf("%s/%s", constants.CloudCredSecretNamespace, constants.AWSCloudCredSecretName)).Error("cloud cred secret not yet annotated")
 		return nil, &actuatoriface.ActuatorError{
 			ErrReason: minterv1.CredentialsProvisionFailure,
 			Message:   fmt.Sprintf("cannot proceed without cloud cred secret annotation"),
@@ -927,7 +926,7 @@ func isSecretAnnotated(secret *corev1.Secret) bool {
 		return false
 	}
 
-	if _, ok := secret.ObjectMeta.Annotations[annotatorconst.AnnotationKey]; !ok {
+	if _, ok := secret.ObjectMeta.Annotations[constants.AnnotationKey]; !ok {
 		return false
 	}
 

diff --git a/pkg/aws/actuator/actuator_test.go b/pkg/aws/actuator/actuator_test.go
@@ -36,8 +36,7 @@ import (
 	minterv1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1"
 	ccaws "github.com/openshift/cloud-credential-operator/pkg/aws"
 	mockaws "github.com/openshift/cloud-credential-operator/pkg/aws/mock"
-	"github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/constants"
-	annotatorconst "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/constants"
+	"github.com/openshift/cloud-credential-operator/pkg/operator/constants"
 )
 
 const (
@@ -288,8 +287,8 @@ func testReadOnlySecret() *corev1.Secret {
 func testRootSecret() *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      annotatorconst.AWSCloudCredSecretName,
-			Namespace: constants.KubeSystemNS,
+			Name:      constants.AWSCloudCredSecretName,
+			Namespace: constants.CloudCredSecretNamespace,
 		},
 		Data: map[string][]byte{
 			"aws_access_key_id":     []byte(testRootAccessKeyID),

diff --git a/pkg/azure/actuator.go b/pkg/azure/actuator.go
@@ -24,7 +24,6 @@ import (
 	"time"
 
 	minterv1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1"
-	"github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/constants"
 
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
@@ -33,9 +32,9 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 
+	"github.com/openshift/cloud-credential-operator/pkg/operator/constants"
 	"github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/actuator"
 	actuatoriface "github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/actuator"
-	annotatorconst "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/constants"
 	"github.com/openshift/cloud-credential-operator/pkg/operator/utils"
 	log "github.com/sirupsen/logrus"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -93,9 +92,9 @@ func (a *Actuator) IsValidMode() error {
 	}
 
 	switch mode {
-	case annotatorconst.MintAnnotation:
+	case constants.MintAnnotation:
 		return nil
-	case annotatorconst.PassthroughAnnotation:
+	case constants.PassthroughAnnotation:
 		return nil
 	}
 
@@ -165,7 +164,7 @@ func (a *Actuator) Delete(ctx context.Context, cr *minterv1.CredentialsRequest)
 		return fmt.Errorf("unable to get secret %v/%v: %v", cr.Spec.SecretRef.Namespace, cr.Spec.SecretRef.Name, err)
 	}
 
-	if cloudCredsSecret.Annotations[annotatorconst.AnnotationKey] == annotatorconst.PassthroughAnnotation {
+	if cloudCredsSecret.Annotations[constants.AnnotationKey] == constants.PassthroughAnnotation {
 		return nil
 	}
 
@@ -231,7 +230,7 @@ func (a *Actuator) sync(ctx context.Context, cr *minterv1.CredentialsRequest) er
 		return err
 	}
 
-	if cloudCredsSecret.Annotations[annotatorconst.AnnotationKey] == annotatorconst.InsufficientAnnotation {
+	if cloudCredsSecret.Annotations[constants.AnnotationKey] == constants.InsufficientAnnotation {
 		msg := "cloud credentials insufficient to satisfy credentials request"
 		logger.Error(msg)
 		return &actuatoriface.ActuatorError{
@@ -240,13 +239,13 @@ func (a *Actuator) sync(ctx context.Context, cr *minterv1.CredentialsRequest) er
 		}
 	}
 
-	if cloudCredsSecret.Annotations[annotatorconst.AnnotationKey] == annotatorconst.PassthroughAnnotation {
+	if cloudCredsSecret.Annotations[constants.AnnotationKey] == constants.PassthroughAnnotation {
 		logger.Debugf("provisioning with passthrough")
 		err := a.syncPassthrough(ctx, cr, cloudCredsSecret, logger)
 		if err != nil {
 			return err
 		}
-	} else if cloudCredsSecret.Annotations[annotatorconst.AnnotationKey] == annotatorconst.MintAnnotation {
+	} else if cloudCredsSecret.Annotations[constants.AnnotationKey] == constants.MintAnnotation {
 		logger.Debugf("provisioning with cred minting")
 		err := a.syncMint(ctx, cr, cloudCredsSecret, infraName, infraResourceGroups, logger)
 		if err != nil {
@@ -571,7 +570,7 @@ func (a *Actuator) syncCredentialSecrets(ctx context.Context, cr *minterv1.Crede
 
 // GetCredentialsRootSecretLocation returns the namespace and name where the parent credentials secret is stored.
 func (a *Actuator) GetCredentialsRootSecretLocation() types.NamespacedName {
-	return types.NamespacedName{Namespace: constants.KubeSystemNS, Name: annotatorconst.AzureCloudCredSecretName}
+	return types.NamespacedName{Namespace: constants.CloudCredSecretNamespace, Name: constants.AzureCloudCredSecretName}
 }
 
 func (a *Actuator) getRootCloudCredentialsSecret(ctx context.Context, logger log.FieldLogger) (*corev1.Secret, error) {
@@ -586,7 +585,7 @@ func (a *Actuator) getRootCloudCredentialsSecret(ctx context.Context, logger log
 	}
 
 	if !isSecretAnnotated(cloudCredSecret) {
-		logger.WithField("secret", fmt.Sprintf("%s/%s", constants.KubeSystemNS, annotatorconst.AzureCloudCredSecretName)).Error("cloud cred secret not yet annotated")
+		logger.WithField("secret", fmt.Sprintf("%s/%s", constants.CloudCredSecretNamespace, constants.AzureCloudCredSecretName)).Error("cloud cred secret not yet annotated")
 		return nil, &actuatoriface.ActuatorError{
 			ErrReason: minterv1.CredentialsProvisionFailure,
 			Message:   fmt.Sprintf("cannot proceed without cloud cred secret annotation"),
@@ -601,7 +600,7 @@ func isSecretAnnotated(secret *corev1.Secret) bool {
 		return false
 	}
 
-	if _, ok := secret.ObjectMeta.Annotations[annotatorconst.AnnotationKey]; !ok {
+	if _, ok := secret.ObjectMeta.Annotations[constants.AnnotationKey]; !ok {
 		return false
 	}
 

diff --git a/pkg/azure/actuator_test.go b/pkg/azure/actuator_test.go
@@ -31,8 +31,7 @@ import (
 	minterv1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1"
 	"github.com/openshift/cloud-credential-operator/pkg/azure"
 	azuremock "github.com/openshift/cloud-credential-operator/pkg/azure/mock"
-	"github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/constants"
-	annotatorconst "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/constants"
+	"github.com/openshift/cloud-credential-operator/pkg/operator/constants"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
@@ -61,10 +60,10 @@ const (
 var (
 	rootSecretMintAnnotation = corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      annotatorconst.AzureCloudCredSecretName,
-			Namespace: constants.KubeSystemNS,
+			Name:      constants.AzureCloudCredSecretName,
+			Namespace: constants.CloudCredSecretNamespace,
 			Annotations: map[string]string{
-				annotatorconst.AnnotationKey: annotatorconst.MintAnnotation,
+				constants.AnnotationKey: constants.MintAnnotation,
 			},
 		},
 	}

diff --git a/pkg/azure/client.go b/pkg/azure/client.go
@@ -21,13 +21,13 @@ import (
 	"fmt"
 
 	minterv1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1"
+	"github.com/openshift/cloud-credential-operator/pkg/operator/constants"
 	"github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/actuator"
-	"github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/constants"
-	annotatorconst "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/constants"
+
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-var RootSecretKey = client.ObjectKey{Name: annotatorconst.AzureCloudCredSecretName, Namespace: constants.KubeSystemNS}
+var RootSecretKey = client.ObjectKey{Name: constants.AzureCloudCredSecretName, Namespace: constants.CloudCredSecretNamespace}
 
 type clientWrapper struct {
 	client.Client
@@ -67,5 +67,5 @@ func (cw *clientWrapper) Mode(ctx context.Context) (string, error) {
 		return "", err
 	}
 
-	return rs.Annotations[annotatorconst.AnnotationKey], nil
+	return rs.Annotations[constants.AnnotationKey], nil
 }
diff --git a/pkg/azure/passthrough.go b/pkg/azure/passthrough.go
@@ -22,10 +22,9 @@ import (
 	"reflect"
 
 	minterv1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1"
+	"github.com/openshift/cloud-credential-operator/pkg/operator/constants"
 	"github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/actuator"
 	actuatoriface "github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/actuator"
-	"github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/constants"
-	annotatorconst "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/constants"
 
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -79,7 +78,7 @@ func (a *passthrough) Update(ctx context.Context, cr *minterv1.CredentialsReques
 
 // GetCredentialsRootSecretLocation returns the namespace and name where the parent credentials secret is stored.
 func (a *passthrough) GetCredentialsRootSecretLocation() types.NamespacedName {
-	return types.NamespacedName{Namespace: constants.KubeSystemNS, Name: annotatorconst.AzureCloudCredSecretName}
+	return types.NamespacedName{Namespace: constants.CloudCredSecretNamespace, Name: constants.AzureCloudCredSecretName}
 }
 
 func copySecret(cr *minterv1.CredentialsRequest, src *secret, dest *secret) {

diff --git a/pkg/azure/passthrough_test.go b/pkg/azure/passthrough_test.go
@@ -23,8 +23,7 @@ import (
 	openshiftapiv1 "github.com/openshift/api/config/v1"
 	minterv1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1"
 	"github.com/openshift/cloud-credential-operator/pkg/azure"
-	"github.com/openshift/cloud-credential-operator/pkg/operator/credentialsrequest/constants"
-	annotatorconst "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/constants"
+	"github.com/openshift/cloud-credential-operator/pkg/operator/constants"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -77,10 +76,10 @@ var (
 
 	validRootSecret = corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      annotatorconst.AzureCloudCredSecretName,
-			Namespace: constants.KubeSystemNS,
+			Name:      constants.AzureCloudCredSecretName,
+			Namespace: constants.CloudCredSecretNamespace,
 			Annotations: map[string]string{
-				annotatorconst.AnnotationKey: annotatorconst.PassthroughAnnotation,
+				constants.AnnotationKey: constants.PassthroughAnnotation,
 			},
 		},
 		Data: map[string][]byte{
@@ -96,18 +95,18 @@ var (
 
 	rootSecretBadAnnotation = corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      annotatorconst.AzureCloudCredSecretName,
-			Namespace: constants.KubeSystemNS,
+			Name:      constants.AzureCloudCredSecretName,
+			Namespace: constants.CloudCredSecretNamespace,
 			Annotations: map[string]string{
-				annotatorconst.AnnotationKey: "blah",
+				constants.AnnotationKey: "blah",
 			},
 		},
 	}
 
 	rootSecretNoAnnotation = corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        annotatorconst.AzureCloudCredSecretName,
-			Namespace:   constants.KubeSystemNS,
+			Name:        constants.AzureCloudCredSecretName,
+			Namespace:   constants.CloudCredSecretNamespace,
 			Annotations: map[string]string{},
 		},
 	}

diff --git a/pkg/azure/secret.go b/pkg/azure/secret.go
@@ -17,7 +17,7 @@ limitations under the License.
 package azure
 
 import (
-	annotatorconst "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/constants"
+	"github.com/openshift/cloud-credential-operator/pkg/operator/constants"
 	corev1 "k8s.io/api/core/v1"
 )
 
@@ -30,7 +30,7 @@ func (s *secret) HasAnnotation() bool {
 		return false
 	}
 
-	if _, ok := s.ObjectMeta.Annotations[annotatorconst.AnnotationKey]; !ok {
+	if _, ok := s.ObjectMeta.Annotations[constants.AnnotationKey]; !ok {
 		return false
 	}