From 5bbf13495eace759009f61acb88527877f2e20ea Mon Sep 17 00:00:00 2001
From: Josef Karasek
Date: Wed, 27 Feb 2019 19:20:18 +0100
Subject: [PATCH] create or update rbac rules
---
 pkg/k8shandler/rbac.go | 70 +++++++++++++++++++++++++++++++++++++-----
 1 file changed, 62 insertions(+), 8 deletions(-)
diff --git a/pkg/k8shandler/rbac.go b/pkg/k8shandler/rbac.go
index bc99e867b..a1c155a60 100644
--- a/pkg/k8shandler/rbac.go
+++ b/pkg/k8shandler/rbac.go
@@ -6,7 +6,10 @@ import (
 	v1alpha1 "github.com/openshift/elasticsearch-operator/pkg/apis/elasticsearch/v1alpha1"
 	"github.com/openshift/elasticsearch-operator/pkg/utils"
 	"github.com/operator-framework/operator-sdk/pkg/sdk"
+	"github.com/sirupsen/logrus"
+	rbac "k8s.io/api/rbac/v1"
 	errors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/client-go/util/retry"
 )
 func CreateOrUpdateRBAC(dpl *v1alpha1.Elasticsearch) error {
@@ -29,8 +32,8 @@ func CreateOrUpdateRBAC(dpl *v1alpha1.Elasticsearch) error {
 	addOwnerRefToObject(elasticsearchRole, owner)
-	if err := sdk.Create(elasticsearchRole); err != nil && !errors.IsAlreadyExists(err) {
-		return fmt.Errorf("failed to create ClusterRole %s: %v", "elasticsearch-metrics", err)
+	if err := createOrUpdateClusterRole(elasticsearchRole); err != nil {
+		return err
 	}
 	subject := utils.NewSubject(
@@ -50,8 +53,8 @@ func CreateOrUpdateRBAC(dpl *v1alpha1.Elasticsearch) error {
 	addOwnerRefToObject(elasticsearchRoleBinding, owner)
-	if err := sdk.Create(elasticsearchRoleBinding); err != nil && !errors.IsAlreadyExists(err) {
-		return fmt.Errorf("failed to create ClusterRoleBinding %s: %v", "elasticsearch-metrics", err)
+	if err := createOrUpdateClusterRoleBinding(elasticsearchRoleBinding); err != nil {
+		return err
 	}
 	// proxy RBAC
@@ -77,8 +80,8 @@ func CreateOrUpdateRBAC(dpl *v1alpha1.Elasticsearch) error {
 	addOwnerRefToObject(proxyRole, owner)
-	if err := sdk.Create(proxyRole); err != nil && !errors.IsAlreadyExists(err) {
-		return fmt.Errorf("failed to create ClusterRole %s: %v", "oauth-proxy", err)
+	if err := createOrUpdateClusterRole(proxyRole); err != nil {
+		return err
 	}
 	subject = utils.NewSubject(
@@ -98,9 +101,60 @@ func CreateOrUpdateRBAC(dpl *v1alpha1.Elasticsearch) error {
 	addOwnerRefToObject(proxyRoleBinding, owner)
-	if err := sdk.Create(proxyRoleBinding); err != nil && !errors.IsAlreadyExists(err) {
-		return fmt.Errorf("failed to create ClusterRoleBinding %s: %v", "oauth-proxy", err)
+	if err := createOrUpdateClusterRoleBinding(proxyRoleBinding); err != nil {
+		return err
 	}
 	return nil
 }
+
+func createOrUpdateClusterRole(role *rbac.ClusterRole) error {
+	if err := sdk.Create(role); err != nil {
+		if !errors.IsAlreadyExists(err) {
+			return fmt.Errorf("failed to create ClusterRole %s: %v", role.Name, err)
+		}
+		existingRole := utils.NewClusterRole(
+			role.Name,
+			utils.NewPolicyRules(),
+		)
+		return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			if getErr := sdk.Get(existingRole); getErr != nil {
+				logrus.Debugf("could not get ClusterRole %v: %v", existingRole.Name, getErr)
+				return getErr
+			}
+			existingRole.Rules = role.Rules
+			if updateErr := sdk.Update(existingRole); updateErr != nil {
+				logrus.Debugf("failed to update ClusterRole %v status: %v", existingRole.Name, updateErr)
+				return updateErr
+			}
+			return nil
+		})
+	}
+	return nil
+}
+
+func createOrUpdateClusterRoleBinding(roleBinding *rbac.ClusterRoleBinding) error {
+	if err := sdk.Create(roleBinding); err != nil {
+		if !errors.IsAlreadyExists(err) {
+			return fmt.Errorf("failed to create ClusterRoleBindig %s: %v", roleBinding.Name, err)
+		}
+		existingRoleBinding := utils.NewClusterRoleBinding(
+			roleBinding.Name,
+			roleBinding.RoleRef.Name,
+			utils.NewSubjects(),
+		)
+		return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			if getErr := sdk.Get(existingRoleBinding); getErr != nil {
+				logrus.Debugf("could not get ClusterRole %v: %v", existingRoleBinding.Name, getErr)
+				return getErr
+			}
+			existingRoleBinding.Subjects = roleBinding.Subjects
+			if updateErr := sdk.Update(existingRoleBinding); updateErr != nil {
+				logrus.Debugf("failed to update ClusterRoleBinding %v status: %v",
existingRoleBinding.Name, updateErr) + return updateErr + } + return nil + }) + } + return nil +}
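Review bot: In `createOrUpdateClusterRoleBinding` the update path copies only `Subjects` onto the live object after `sdk.Get` (which presumably overwrites the `RoleRef` passed to `utils.NewClusterRoleBinding`), so a pre-existing cluster-scoped `elasticsearch-metrics` or `oauth-proxy` binding whose `roleRef` points at a different role is never noticed — the operator would keep re-applying its subjects to whatever that role grants. Since Kubernetes treats `roleRef` on a binding as immutable, the mismatch cannot be fixed by `Update`; the helper should fail loudly instead of silently reconciling, e.g. `if existingRoleBinding.RoleRef != roleBinding.RoleRef { return fmt.Errorf("ClusterRoleBinding %s has unexpected roleRef %v", existingRoleBinding.Name, existingRoleBinding.RoleRef) }` placed right after the `sdk.Get` check. Separately, both helpers return the raw `getErr`/`updateErr` from inside `RetryOnConflict` with no resource name, unlike the create branch, and the `Debugf` messages mention `status` and (for the binding) `ClusterRole`; wrap and correct them, e.g. `return fmt.Errorf("failed to update ClusterRoleBinding %s: %v", existingRoleBinding.Name, updateErr)`. The create-path message also has a typo, `ClusterRoleBindig`.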