package resourceapply
import (
"context"
"github.com/google/go-cmp/cmp"
"github.com/openshift/cluster-version-operator/lib/resourcemerge"
rbacv1 "k8s.io/api/rbac/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
rbacclientv1 "k8s.io/client-go/kubernetes/typed/rbac/v1"
"k8s.io/klog/v2"
"k8s.io/utils/ptr"
)
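// ApplyClusterRoleBindingv1 makes the ClusterRoleBinding named required.Name
// match required.
//
// If the binding does not exist, it is created from required. If it exists and
// IsCreateOnly(required) is true, the live object is left untouched, even when
// it differs from required, and (nil, false, nil) is returned. Otherwise
// required is merged into the live object by
// resourcemerge.EnsureClusterRoleBinding and the result is written back only
// when that merge reports a change.
//
// The returned bool is true whenever a create or update was attempted,
// including when that API call failed; callers must check the error first.
//
// reconciling only affects logging: when true, the pending change is logged at
// verbosity 2 before the update is sent.
func ApplyClusterRoleBindingv1(ctx context.Context, client rbacclientv1.ClusterRoleBindingsGetter, required *rbacv1.ClusterRoleBinding, reconciling bool) (*rbacv1.ClusterRoleBinding, bool, error) {
	existing, err := client.ClusterRoleBindings().Get(ctx, required.Name, metav1.GetOptions{})
	if apierrors.IsNotFound(err) {
		klog.V(2).Infof("ClusterRoleBinding %s not found, creating", required.Name)
		actual, err := client.ClusterRoleBindings().Create(ctx, required, metav1.CreateOptions{})
		return actual, true, err
	}
	if err != nil {
		return nil, false, err
	}

	// Create-only manifests are not reconciled once the object exists, so
	// drift in a create-only binding is not corrected by this function.
	if IsCreateOnly(required) {
		return nil, false, nil
	}

	// Keep a pre-merge copy for the log. existing is the object sent to Update,
	// so the merge below is expected to change it in place; diffing it after
	// the merge would no longer show what the live binding looked like.
	var before *rbacv1.ClusterRoleBinding
	if reconciling {
		before = existing.DeepCopy()
	}

	modified := ptr.To(false)
	resourcemerge.EnsureClusterRoleBinding(modified, existing, *required)
	if !*modified {
		return existing, false, nil
	}

	if reconciling {
		// Log live-before against live-after so the record shows which fields
		// of the binding this update rewrites.
		klog.V(2).Infof("Updating ClusterRoleBinding %s due to diff: %v", required.Name, cmp.Diff(before, existing))
	}

	actual, err := client.ClusterRoleBindings().Update(ctx, existing, metav1.UpdateOptions{})
	return actual, true, err
}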
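// ApplyClusterRolev1 makes the ClusterRole named required.Name match required.
//
// If the role does not exist, it is created from required. If it exists and
// IsCreateOnly(required) is true, the live object is left untouched, even when
// it differs from required, and (nil, false, nil) is returned. Otherwise
// required is merged into the live object by resourcemerge.EnsureClusterRole
// and the result is written back only when that merge reports a change.
//
// The returned bool is true whenever a create or update was attempted,
// including when that API call failed; callers must check the error first.
//
// reconciling only affects logging: when true, the pending change is logged at
// verbosity 2 before the update is sent.
func ApplyClusterRolev1(ctx context.Context, client rbacclientv1.ClusterRolesGetter, required *rbacv1.ClusterRole, reconciling bool) (*rbacv1.ClusterRole, bool, error) {
	existing, err := client.ClusterRoles().Get(ctx, required.Name, metav1.GetOptions{})
	if apierrors.IsNotFound(err) {
		klog.V(2).Infof("ClusterRole %s not found, creating", required.Name)
		actual, err := client.ClusterRoles().Create(ctx, required, metav1.CreateOptions{})
		return actual, true, err
	}
	if err != nil {
		return nil, false, err
	}

	// Create-only manifests are not reconciled once the object exists, so
	// drift in a create-only role is not corrected by this function.
	if IsCreateOnly(required) {
		return nil, false, nil
	}

	// Keep a pre-merge copy for the log. existing is the object sent to Update,
	// so the merge below is expected to change it in place; diffing it after
	// the merge would no longer show what the live role looked like.
	var before *rbacv1.ClusterRole
	if reconciling {
		before = existing.DeepCopy()
	}

	modified := ptr.To(false)
	resourcemerge.EnsureClusterRole(modified, existing, *required)
	if !*modified {
		return existing, false, nil
	}

	if reconciling {
		// Log live-before against live-after so the record shows which fields
		// of the role this update rewrites.
		klog.V(2).Infof("Updating ClusterRole %s due to diff: %v", required.Name, cmp.Diff(before, existing))
	}

	actual, err := client.ClusterRoles().Update(ctx, existing, metav1.UpdateOptions{})
	return actual, true, err
}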
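// ApplyRoleBindingv1 makes the RoleBinding required.Namespace/required.Name
// match required.
//
// If the binding does not exist, it is created from required. If it exists and
// IsCreateOnly(required) is true, the live object is left untouched, even when
// it differs from required, and (nil, false, nil) is returned. Otherwise
// required is merged into the live object by resourcemerge.EnsureRoleBinding
// and the result is written back only when that merge reports a change.
//
// The returned bool is true whenever a create or update was attempted,
// including when that API call failed; callers must check the error first.
//
// reconciling only affects logging: when true, the pending change is logged at
// verbosity 2 before the update is sent.
func ApplyRoleBindingv1(ctx context.Context, client rbacclientv1.RoleBindingsGetter, required *rbacv1.RoleBinding, reconciling bool) (*rbacv1.RoleBinding, bool, error) {
	existing, err := client.RoleBindings(required.Namespace).Get(ctx, required.Name, metav1.GetOptions{})
	if apierrors.IsNotFound(err) {
		klog.V(2).Infof("RoleBinding %s/%s not found, creating", required.Namespace, required.Name)
		actual, err := client.RoleBindings(required.Namespace).Create(ctx, required, metav1.CreateOptions{})
		return actual, true, err
	}
	if err != nil {
		return nil, false, err
	}

	// Create-only manifests are not reconciled once the object exists, so
	// drift in a create-only binding is not corrected by this function.
	if IsCreateOnly(required) {
		return nil, false, nil
	}

	// Keep a pre-merge copy for the log. existing is the object sent to Update,
	// so the merge below is expected to change it in place; diffing it after
	// the merge would no longer show what the live binding looked like.
	var before *rbacv1.RoleBinding
	if reconciling {
		before = existing.DeepCopy()
	}

	modified := ptr.To(false)
	resourcemerge.EnsureRoleBinding(modified, existing, *required)
	if !*modified {
		return existing, false, nil
	}

	if reconciling {
		// Log live-before against live-after so the record shows which fields
		// of the binding this update rewrites.
		klog.V(2).Infof("Updating RoleBinding %s/%s due to diff: %v", required.Namespace, required.Name, cmp.Diff(before, existing))
	}

	actual, err := client.RoleBindings(required.Namespace).Update(ctx, existing, metav1.UpdateOptions{})
	return actual, true, err
}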
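// ApplyRolev1 makes the Role required.Namespace/required.Name match required.
//
// If the role does not exist, it is created from required. If it exists and
// IsCreateOnly(required) is true, the live object is left untouched, even when
// it differs from required, and (nil, false, nil) is returned. Otherwise
// required is merged into the live object by resourcemerge.EnsureRole and the
// result is written back only when that merge reports a change.
//
// The returned bool is true whenever a create or update was attempted,
// including when that API call failed; callers must check the error first.
//
// reconciling only affects logging: when true, the pending change is logged at
// verbosity 2 before the update is sent.
func ApplyRolev1(ctx context.Context, client rbacclientv1.RolesGetter, required *rbacv1.Role, reconciling bool) (*rbacv1.Role, bool, error) {
	existing, err := client.Roles(required.Namespace).Get(ctx, required.Name, metav1.GetOptions{})
	if apierrors.IsNotFound(err) {
		klog.V(2).Infof("Role %s/%s not found, creating", required.Namespace, required.Name)
		actual, err := client.Roles(required.Namespace).Create(ctx, required, metav1.CreateOptions{})
		return actual, true, err
	}
	if err != nil {
		return nil, false, err
	}

	// Create-only manifests are not reconciled once the object exists, so
	// drift in a create-only role is not corrected by this function.
	if IsCreateOnly(required) {
		return nil, false, nil
	}

	// Keep a pre-merge copy for the log. existing is the object sent to Update,
	// so the merge below is expected to change it in place; diffing it after
	// the merge would no longer show what the live role looked like.
	var before *rbacv1.Role
	if reconciling {
		before = existing.DeepCopy()
	}

	modified := ptr.To(false)
	resourcemerge.EnsureRole(modified, existing, *required)
	if !*modified {
		return existing, false, nil
	}

	if reconciling {
		// Log live-before against live-after so the record shows which fields
		// of the role this update rewrites.
		klog.V(2).Infof("Updating Role %s/%s due to diff: %v", required.Namespace, required.Name, cmp.Diff(before, existing))
	}

	actual, err := client.Roles(required.Namespace).Update(ctx, existing, metav1.UpdateOptions{})
	return actual, true, err
}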