adds build & deployer controller
apoorvajagtap committed Feb 14, 2024
1 parent 1e97268 commit 05138d9
Showing 8 changed files with 91 additions and 27 deletions.
35 changes: 22 additions & 13 deletions pkg/authorization/defaultrolebindings/defaultrolebindings.go
Expand Up @@ -22,10 +22,11 @@ import (
"k8s.io/klog/v2"
)

var defaultRoleBindingNames = GetBootstrapServiceAccountProjectRoleBindingNames()
var RoleBindingNames = GetBootstrapServiceAccountProjectRoleBindingNames(builderEnabled, deployerEnabled)
var builderEnabled, deployerEnabled bool

// DefaultRoleBindingController is a controller to combine cluster roles
type DefaultRoleBindingController struct {
// RoleBindingController is a controller to combine cluster roles
type RoleBindingController struct {
roleBindingClient rbacclient.RoleBindingsGetter

roleBindingLister rbaclisters.RoleBindingLister
Expand All @@ -37,27 +38,34 @@ type DefaultRoleBindingController struct {
queue workqueue.RateLimitingInterface
}

// NewDefaultRoleBinding creates a new controller
func NewDefaultRoleBindingsController(roleBindingInformer rbacinformers.RoleBindingInformer, namespaceInformer coreinformers.NamespaceInformer, roleBindingClient rbacclient.RoleBindingsGetter) *DefaultRoleBindingController {
c := &DefaultRoleBindingController{
// NewRoleBinding creates a new controller
func NewRoleBindingsController(roleBindingInformer rbacinformers.RoleBindingInformer, namespaceInformer coreinformers.NamespaceInformer, roleBindingClient rbacclient.RoleBindingsGetter, controller string) *RoleBindingController {
c := &RoleBindingController{
roleBindingClient: roleBindingClient,

roleBindingLister: roleBindingInformer.Lister(),
roleBindingSynced: roleBindingInformer.Informer().HasSynced,
namespaceLister: namespaceInformer.Lister(),
namespaceSynced: namespaceInformer.Informer().HasSynced,

queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "DefaultRoleBindingsController"),
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), controller),
}
c.syncHandler = c.syncNamespace

if controller == "BuilderRoleBindingsController" {
builderEnabled = true
}
if controller == "DeployerRoleBindingsController" {
deployerEnabled = true
}

roleBindingInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
FilterFunc: func(obj interface{}) bool {
metadata, err := meta.Accessor(obj)
if err != nil {
return false
}
return defaultRoleBindingNames.Has(metadata.GetName())
return RoleBindingNames.Has(metadata.GetName())
},
Handler: cache.ResourceEventHandlerFuncs{
DeleteFunc: func(uncast interface{}) {
Expand Down Expand Up @@ -94,7 +102,7 @@ func NewDefaultRoleBindingsController(roleBindingInformer rbacinformers.RoleBind
return c
}

func (c *DefaultRoleBindingController) syncNamespace(namespaceName string) error {
func (c *RoleBindingController) syncNamespace(namespaceName string) error {
namespace, err := c.namespaceLister.Get(namespaceName)
if errors.IsNotFound(err) {
return nil
Expand All @@ -112,7 +120,8 @@ func (c *DefaultRoleBindingController) syncNamespace(namespaceName string) error
}

errs := []error{}
desiredRoleBindings := GetBootstrapServiceAccountProjectRoleBindings(namespaceName)
fmt.Printf("check1 >>>>> builderEnabled: %v >>>> deployerEnabled: %v \n", builderEnabled, deployerEnabled)
desiredRoleBindings := GetBootstrapServiceAccountProjectRoleBindings(namespaceName, builderEnabled, deployerEnabled)
for i := range desiredRoleBindings {
desiredRoleBinding := desiredRoleBindings[i]
found := false
Expand Down Expand Up @@ -142,7 +151,7 @@ func (c *DefaultRoleBindingController) syncNamespace(namespaceName string) error
}

// Run starts the controller and blocks until stopCh is closed.
func (c *DefaultRoleBindingController) Run(workers int, stopCh <-chan struct{}) {
func (c *RoleBindingController) Run(workers int, stopCh <-chan struct{}) {
defer utilruntime.HandleCrash()
defer c.queue.ShutDown()

Expand All @@ -160,12 +169,12 @@ func (c *DefaultRoleBindingController) Run(workers int, stopCh <-chan struct{})
<-stopCh
}

func (c *DefaultRoleBindingController) runWorker() {
func (c *RoleBindingController) runWorker() {
for c.processNextWorkItem() {
}
}

func (c *DefaultRoleBindingController) processNextWorkItem() bool {
func (c *RoleBindingController) processNextWorkItem() bool {
dsKey, quit := c.queue.Get()
if quit {
return false
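Review bot: `RoleBindingNames` is evaluated at package init, when `builderEnabled` and `deployerEnabled` still hold their zero values, so the set contains only the image-puller name and the informer's `FilterFunc` never sees builder or deployer RoleBinding events — deleting one of those bindings no longer re-queues its namespace, which defeats the drift repair this controller exists for. The two flags are also process-wide: `config.go` registers all three controllers in the same binary, so the assignments made in `NewRoleBindingsController` leak into every instance (the default controller's `syncNamespace` starts creating builder/deployer bindings once the other constructors have run) and the unsynchronized writes race with the workers' reads. Make the flags and the name set per-instance fields computed once in the constructor as sketched below (importing `k8s.io/apimachinery/pkg/util/sets` if this file does not already), have `syncNamespace` call `GetBootstrapServiceAccountProjectRoleBindings(namespaceName, c.builderEnabled, c.deployerEnabled)`, and set the new fields in the struct literal the test builds. The `fmt.Printf("check1 >>>>> …")` in `syncNamespace` is a leftover debug print and should be dropped. Both `NewRoleBindingsController` and `syncNamespace` continue outside the hunks shown.
```go
type RoleBindingController struct {
	roleBindingClient rbacclient.RoleBindingsGetter
	// … unchanged: listers, HasSynced funcs, syncHandler, queue …

	// Which optional bootstrap bindings this instance manages; derived from the
	// controller name once, so instances sharing a process cannot affect each other.
	builderEnabled, deployerEnabled bool
	roleBindingNames                sets.String
}

func NewRoleBindingsController(roleBindingInformer rbacinformers.RoleBindingInformer, namespaceInformer coreinformers.NamespaceInformer, roleBindingClient rbacclient.RoleBindingsGetter, controller string) *RoleBindingController {
	c := &RoleBindingController{
		// … unchanged: client, listers, queue …
		builderEnabled:  controller == "BuilderRoleBindingsController",
		deployerEnabled: controller == "DeployerRoleBindingsController",
	}
	c.roleBindingNames = GetBootstrapServiceAccountProjectRoleBindingNames(c.builderEnabled, c.deployerEnabled)
	c.syncHandler = c.syncNamespace
	// … unchanged: event handlers; FilterFunc returns c.roleBindingNames.Has(metadata.GetName()) …
	return c
}
```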
Expand Up @@ -75,7 +75,7 @@ func TestSync(t *testing.T) {
namespaceIndexer.Add(obj)
}
fakeClient := kubeclientfake.NewSimpleClientset(objs...)
c := DefaultRoleBindingController{
c := RoleBindingController{
roleBindingClient: fakeClient.RbacV1(),
roleBindingLister: rbaclisters.NewRoleBindingLister(roleBindingIndexer),
namespaceLister: corelisters.NewNamespaceLister(namespaceIndexer),
29 changes: 17 additions & 12 deletions pkg/authorization/defaultrolebindings/project_policy.go
Expand Up @@ -23,27 +23,32 @@ const (
DeployerServiceAccountName = "deployer"
)

func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []rbacv1.RoleBinding {
func GetBootstrapServiceAccountProjectRoleBindings(namespace string, builderEnabled bool, deployerEnabled bool) []rbacv1.RoleBinding {
var roleBindings []rbacv1.RoleBinding

imagePuller := newOriginRoleBindingForClusterRoleWithGroup(ImagePullerRoleBindingName, ImagePullerRoleName, namespace, serviceaccount.MakeNamespaceGroupName(namespace))
imagePuller.Annotations[openShiftDescription] = "Allows all pods in this namespace to pull images from this namespace. It is auto-managed by a controller; remove subjects to disable."
roleBindings = append(roleBindings, imagePuller)

imageBuilder := newOriginRoleBindingForClusterRoleWithSA(ImageBuilderRoleBindingName, ImageBuilderRoleName, namespace, BuilderServiceAccountName)
imageBuilder.Annotations[openShiftDescription] = "Allows builds in this namespace to push images to this namespace. It is auto-managed by a controller; remove subjects to disable."

deployer := newOriginRoleBindingForClusterRoleWithSA(DeployerRoleBindingName, DeployerRoleName, namespace, DeployerServiceAccountName)
deployer.Annotations[openShiftDescription] = "Allows deploymentconfigs in this namespace to rollout pods in this namespace. It is auto-managed by a controller; remove subjects to disable."
if builderEnabled {
imageBuilder := newOriginRoleBindingForClusterRoleWithSA(ImageBuilderRoleBindingName, ImageBuilderRoleName, namespace, BuilderServiceAccountName)
imageBuilder.Annotations[openShiftDescription] = "Allows builds in this namespace to push images to this namespace. It is auto-managed by a controller; remove subjects to disable."
roleBindings = append(roleBindings, imageBuilder)
}

return []rbacv1.RoleBinding{
imagePuller,
imageBuilder,
deployer,
if deployerEnabled {
deployer := newOriginRoleBindingForClusterRoleWithSA(DeployerRoleBindingName, DeployerRoleName, namespace, DeployerServiceAccountName)
deployer.Annotations[openShiftDescription] = "Allows deploymentconfigs in this namespace to rollout pods in this namespace. It is auto-managed by a controller; remove subjects to disable."
roleBindings = append(roleBindings, deployer)
}

return roleBindings
}

func GetBootstrapServiceAccountProjectRoleBindingNames() sets.String {
func GetBootstrapServiceAccountProjectRoleBindingNames(builderEnabled, deployerEnabled bool) sets.String {
names := sets.NewString()

for _, roleBinding := range GetBootstrapServiceAccountProjectRoleBindings("default") {
for _, roleBinding := range GetBootstrapServiceAccountProjectRoleBindings("default", builderEnabled, deployerEnabled) {
names.Insert(roleBinding.Name)
}

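Review bot: `GetBootstrapServiceAccountProjectRoleBindings` and `GetBootstrapServiceAccountProjectRoleBindingNames` are exported but still carry no doc comment, and the new flags change their contract in a way every caller must know; add `// GetBootstrapServiceAccountProjectRoleBindings returns the bootstrap RoleBindings that must exist in namespace: the image-puller binding always, the builder and deployer bindings only when the corresponding flag is true.` and an equivalent comment on the names function. Collapse the parameter list to `namespace string, builderEnabled, deployerEnabled bool`, matching the style already used by the names function. Note that with both flags false the caller only ever creates the image-puller binding and nothing removes a builder or deployer binding created while a flag was on; if that is intended, say so in the comment so the next reader does not take it for a gap.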
1 change: 1 addition & 0 deletions pkg/build/controller/build/build_controller.go
Expand Up @@ -1194,6 +1194,7 @@ func (bc *BuildController) createBuildPod(build *buildv1.Build) (*buildUpdate, e
imageName = build.Spec.Strategy.CustomStrategy.From.Name
}

fmt.Println("############## check: pullsecret: ", build.Spec.Strategy.CustomStrategy.PullSecret)
// Only look up a pull secret if the user hasn't explicitly provided one
// if we don't know what image they are referencing, we'll end up using the
// docker secret associated w/ the build's service account.
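Review bot: The new `fmt.Println` dereferences `build.Spec.Strategy.CustomStrategy` unconditionally, outside the guard that closes just above it around the `CustomStrategy.From.Name` read; `CustomStrategy` is a pointer that is nil for every non-custom build, so this line would panic `createBuildPod` for Source and Docker builds. Drop it. The same unconditional stdout debug prints appear in `strategy/custom.go` (which also dumps `pod.ObjectMeta`) and throughout `strategy/util.go` (`mountSecretVolume`, `mountVolume`, `makeVolume`, `setupDockerSecrets`); they bypass klog's verbosity gating and write secret reference names and volume sources to stdout on every build, so they should all be removed or at most become `klog.V(4).Infof` calls. `createBuildPod` continues outside the hunk.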
2 changes: 2 additions & 0 deletions pkg/build/controller/strategy/custom.go
Expand Up @@ -128,6 +128,8 @@ func (bs *CustomBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
if strategy.ExposeDockerSocket {
setupDockerSocket(pod)
}
fmt.Println("########### check: checking pullsecret in custom.go >> ", strategy.PullSecret)
fmt.Println("######### pod name in custom.go: ", pod.ObjectMeta)
setupDockerSecrets(pod, &pod.Spec.Containers[0], build.Spec.Output.PushSecret, strategy.PullSecret, build.Spec.Source.Images)
setOwnerReference(pod, build)
setupSourceSecrets(pod, &pod.Spec.Containers[0], build.Spec.Source.SourceSecret)
10 changes: 10 additions & 0 deletions pkg/build/controller/strategy/util.go
Expand Up @@ -120,6 +120,7 @@ func mountConfigMapVolume(pod *corev1.Pod, container *corev1.Container, configMa
// mountSecretVolume is a helper method responsible for actual mounting secret
// volumes into a pod.
func mountSecretVolume(pod *corev1.Pod, container *corev1.Container, secretName, mountPath, volumeSuffix string, volumeSource *corev1.VolumeSource) {
fmt.Println("########### secret name insider mountSecretVolume")
mountVolume(pod, container, secretName, mountPath, volumeSuffix, policy.Secret, volumeSource)
}

Expand All @@ -142,6 +143,7 @@ func mountVolume(pod *corev1.Pod, container *corev1.Container, objName, mountPat
volumeName = strings.Replace(volumeName, ".", "-", -1)

volumeExists := false
fmt.Println("########### check volume name and status: ", volumeName, " , ", volumeExists)
for _, v := range pod.Spec.Volumes {
if v.Name == volumeName {
volumeExists = true
Expand All @@ -153,6 +155,7 @@ func mountVolume(pod *corev1.Pod, container *corev1.Container, objName, mountPat
mode = int32(0o644) // make sure unprivileged builders can read them
}
if !volumeExists {
fmt.Println("#### check for volumeExistance")
volume := makeVolume(volumeName, objName, mode, fsType, volumeSource)
pod.Spec.Volumes = append(pod.Spec.Volumes, volume)
}
Expand Down Expand Up @@ -191,8 +194,10 @@ func makeVolume(volumeName, refName string, mode int32, fsType policy.FSType, vo
}
case policy.Secret:
if volumeSource != nil && volumeSource.Secret != nil {
fmt.Println("### Insider policy.Secret:: >> ", volumeSource)
vol.VolumeSource.Secret = volumeSource.Secret.DeepCopy()
} else {
fmt.Println("#### or heree ????")
vol.VolumeSource.Secret = &corev1.SecretVolumeSource{
SecretName: refName,
DefaultMode: &mode,
Expand Down Expand Up @@ -223,16 +228,21 @@ func setupDockerSecrets(pod *corev1.Pod, container *corev1.Container, pushSecret
klog.V(3).Infof("%s will be used for docker push in %s", DockerPushSecretMountPath, pod.Name)
}

fmt.Println("############# check for pullSecret inside controller/strategt/util >> ", pullSecret)
if pullSecret != nil {
fmt.Println("############# entered the check, all good")
mountSecretVolume(pod, container, pullSecret.Name, DockerPullSecretMountPath, "pull", nil)
container.Env = append(container.Env, []corev1.EnvVar{
{Name: "PULL_DOCKERCFG_PATH", Value: DockerPullSecretMountPath},
}...)
klog.V(3).Infof("%s will be used for docker pull in %s", DockerPullSecretMountPath, pod.Name)
}

fmt.Println("########## imagesourcess :: ", imageSources)

for i, imageSource := range imageSources {
if imageSource.PullSecret == nil {
fmt.Println("######## Should enter here!!")
continue
}
mountPath := filepath.Join(SourceImagePullSecretMountPath, strconv.Itoa(i))
35 changes: 34 additions & 1 deletion pkg/cmd/controller/authorization.go
Expand Up @@ -8,10 +8,43 @@ func RunDefaultRoleBindingController(ctx *ControllerContext) (bool, error) {
return true, err
}

go defaultrolebindings.NewDefaultRoleBindingsController(
go defaultrolebindings.NewRoleBindingsController(
ctx.KubernetesInformers.Rbac().V1().RoleBindings(),
ctx.KubernetesInformers.Core().V1().Namespaces(),
kubeClient.RbacV1(),
"DefaultRoleBindingsController",
).Run(5, ctx.Stop)

return true, nil
}

func RunBuilderRoleBindingController(ctx *ControllerContext) (bool, error) {
kubeClient, err := ctx.ClientBuilder.Client(infraBuilderRoleBindingsControllerServiceAccountName)
if err != nil {
return true, err
}

go defaultrolebindings.NewRoleBindingsController(
ctx.KubernetesInformers.Rbac().V1().RoleBindings(),
ctx.KubernetesInformers.Core().V1().Namespaces(),
kubeClient.RbacV1(),
"BuilderRoleBindingsController",
).Run(5, ctx.Stop)

return true, nil
}

func RunDeployerRoleBindingController(ctx *ControllerContext) (bool, error) {
kubeClient, err := ctx.ClientBuilder.Client(infraDeployerRoleBindingsControllerServiceAccountName)
if err != nil {
return true, err
}

go defaultrolebindings.NewRoleBindingsController(
ctx.KubernetesInformers.Rbac().V1().RoleBindings(),
ctx.KubernetesInformers.Core().V1().Namespaces(),
kubeClient.RbacV1(),
"DeployerRoleBindingsController",
).Run(5, ctx.Stop)

return true, nil
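Review bot: `RunBuilderRoleBindingController` and `RunDeployerRoleBindingController` are byte-for-byte copies of `RunDefaultRoleBindingController` differing only in the service-account constant and the controller name string; a private helper taking those two values keeps the three in step (worker count, informers, client) and leaves one place to change. Running each controller under its own service account is the right least-privilege shape, so keep that split in the helper's parameters rather than sharing a client. `RunDefaultRoleBindingController` starts outside the hunk; the sketch below shows the helper and one caller.
```go
// runRoleBindingController starts one RoleBindingController under the given
// service account; controllerName selects which bootstrap bindings it manages.
func runRoleBindingController(ctx *ControllerContext, saName, controllerName string) (bool, error) {
	kubeClient, err := ctx.ClientBuilder.Client(saName)
	if err != nil {
		return true, err
	}

	go defaultrolebindings.NewRoleBindingsController(
		ctx.KubernetesInformers.Rbac().V1().RoleBindings(),
		ctx.KubernetesInformers.Core().V1().Namespaces(),
		kubeClient.RbacV1(),
		controllerName,
	).Run(5, ctx.Stop)

	return true, nil
}

func RunBuilderRoleBindingController(ctx *ControllerContext) (bool, error) {
	return runRoleBindingController(ctx, infraBuilderRoleBindingsControllerServiceAccountName, "BuilderRoleBindingsController")
}

// … unchanged shape: RunDefaultRoleBindingController and RunDeployerRoleBindingController delegate the same way …
```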
4 changes: 4 additions & 0 deletions pkg/cmd/controller/config.go
Expand Up @@ -13,10 +13,12 @@ var ControllerInitializers = map[openshiftcontrolplanev1.OpenShiftControllerName
openshiftcontrolplanev1.OpenshiftOriginNamespaceController: RunOriginNamespaceController,

openshiftcontrolplanev1.OpenShiftBuilderServiceAccountController: RunBuilderServiceAccountController,
openshiftcontrolplanev1.OpenShiftBuilderRoleBindingsController: RunBuilderRoleBindingController,
openshiftcontrolplanev1.OpenshiftBuildController: RunBuildController,
openshiftcontrolplanev1.OpenshiftBuildConfigChangeController: RunBuildConfigChangeController,

openshiftcontrolplanev1.OpenShiftDeployerServiceAccountController: RunDeployerServiceAccountController,
openshiftcontrolplanev1.OpenShiftDeployerRoleBindingsController: RunDeployerRoleBindingController,
openshiftcontrolplanev1.OpenshiftDeployerController: RunDeployerController,
openshiftcontrolplanev1.OpenshiftDeploymentConfigController: RunDeploymentConfigController,

Expand All @@ -35,9 +37,11 @@ const (
infraServiceAccountControllerServiceAccountName = "serviceaccount-controller"
iInfraServiceAccountPullSecretsControllerServiceAccountName = "serviceaccount-pull-secrets-controller"
infraBuildControllerServiceAccountName = "build-controller"
infraBuilderRoleBindingsControllerServiceAccountName = "builder-rolebindings-controller"
infraBuildConfigChangeControllerServiceAccountName = "build-config-change-controller"
infraDeploymentConfigControllerServiceAccountName = "deploymentconfig-controller"
infraDeployerControllerServiceAccountName = "deployer-controller"
infraDeployerRoleBindingsControllerServiceAccountName = "deployer-rolebindings-controller"
infraImageTriggerControllerServiceAccountName = "image-trigger-controller"
infraImageImportControllerServiceAccountName = "image-import-controller"
infraUnidlingControllerServiceAccountName = "unidling-controller"
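Review bot: The two new service accounts, `builder-rolebindings-controller` and `deployer-rolebindings-controller`, will only be able to reconcile RoleBindings if cluster-scoped RBAC granting them create/update on rolebindings exists somewhere this commit does not touch; the account used by `RunDefaultRoleBindingController` presumably has such a grant, and the new ones need the equivalent or both controllers will start and then fail every write with a forbidden error. If those manifests live in another repository, name it in the commit message. Separately, the strings `"BuilderRoleBindingsController"` and `"DeployerRoleBindingsController"` compared inside `NewRoleBindingsController` are spelled independently of the `OpenShiftBuilderRoleBindingsController` / `OpenShiftDeployerRoleBindingsController` keys registered here; passing the registered name through, or exporting the two constants from the `defaultrolebindings` package and using them in both places, would stop the spellings drifting apart silently.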
