adds build & deployer controller

openshift · Feb 14, 2024 · 05138d9 · 05138d9
1 parent 1e97268
commit 05138d9
Show file tree

Hide file tree

Showing 8 changed files with 91 additions and 27 deletions.
diff --git a/pkg/authorization/defaultrolebindings/defaultrolebindings.go b/pkg/authorization/defaultrolebindings/defaultrolebindings.go
@@ -22,10 +22,11 @@ import (
 	"k8s.io/klog/v2"
 )
 
-var defaultRoleBindingNames = GetBootstrapServiceAccountProjectRoleBindingNames()
+var RoleBindingNames = GetBootstrapServiceAccountProjectRoleBindingNames(builderEnabled, deployerEnabled)
+var builderEnabled, deployerEnabled bool
 
-// DefaultRoleBindingController is a controller to combine cluster roles
-type DefaultRoleBindingController struct {
+// RoleBindingController is a controller to combine cluster roles
+type RoleBindingController struct {
 	roleBindingClient rbacclient.RoleBindingsGetter
 
 	roleBindingLister rbaclisters.RoleBindingLister
@@ -37,27 +38,34 @@ type DefaultRoleBindingController struct {
 	queue       workqueue.RateLimitingInterface
 }
 
-// NewDefaultRoleBinding creates a new controller
-func NewDefaultRoleBindingsController(roleBindingInformer rbacinformers.RoleBindingInformer, namespaceInformer coreinformers.NamespaceInformer, roleBindingClient rbacclient.RoleBindingsGetter) *DefaultRoleBindingController {
-	c := &DefaultRoleBindingController{
+// NewRoleBinding creates a new controller
+func NewRoleBindingsController(roleBindingInformer rbacinformers.RoleBindingInformer, namespaceInformer coreinformers.NamespaceInformer, roleBindingClient rbacclient.RoleBindingsGetter, controller string) *RoleBindingController {
+	c := &RoleBindingController{
 		roleBindingClient: roleBindingClient,
 
 		roleBindingLister: roleBindingInformer.Lister(),
 		roleBindingSynced: roleBindingInformer.Informer().HasSynced,
 		namespaceLister:   namespaceInformer.Lister(),
 		namespaceSynced:   namespaceInformer.Informer().HasSynced,
 
-		queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "DefaultRoleBindingsController"),
+		queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), controller),
 	}
 	c.syncHandler = c.syncNamespace
 
+	if controller == "BuilderRoleBindingsController" {
+		builderEnabled = true
+	}
+	if controller == "DeployerRoleBindingsController" {
+		deployerEnabled = true
+	}
+
 	roleBindingInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
 		FilterFunc: func(obj interface{}) bool {
 			metadata, err := meta.Accessor(obj)
 			if err != nil {
 				return false
 			}
-			return defaultRoleBindingNames.Has(metadata.GetName())
+			return RoleBindingNames.Has(metadata.GetName())
 		},
 		Handler: cache.ResourceEventHandlerFuncs{
 			DeleteFunc: func(uncast interface{}) {
@@ -94,7 +102,7 @@ func NewDefaultRoleBindingsController(roleBindingInformer rbacinformers.RoleBind
 	return c
 }
 
-func (c *DefaultRoleBindingController) syncNamespace(namespaceName string) error {
+func (c *RoleBindingController) syncNamespace(namespaceName string) error {
 	namespace, err := c.namespaceLister.Get(namespaceName)
 	if errors.IsNotFound(err) {
 		return nil
@@ -112,7 +120,8 @@ func (c *DefaultRoleBindingController) syncNamespace(namespaceName string) error
 	}
 
 	errs := []error{}
-	desiredRoleBindings := GetBootstrapServiceAccountProjectRoleBindings(namespaceName)
+	fmt.Printf("check1 >>>>> builderEnabled: %v >>>> deployerEnabled: %v \n", builderEnabled, deployerEnabled)
+	desiredRoleBindings := GetBootstrapServiceAccountProjectRoleBindings(namespaceName, builderEnabled, deployerEnabled)
 	for i := range desiredRoleBindings {
 		desiredRoleBinding := desiredRoleBindings[i]
 		found := false
@@ -142,7 +151,7 @@ func (c *DefaultRoleBindingController) syncNamespace(namespaceName string) error
 }
 
 // Run starts the controller and blocks until stopCh is closed.
-func (c *DefaultRoleBindingController) Run(workers int, stopCh <-chan struct{}) {
+func (c *RoleBindingController) Run(workers int, stopCh <-chan struct{}) {
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
 
@@ -160,12 +169,12 @@ func (c *DefaultRoleBindingController) Run(workers int, stopCh <-chan struct{})
 	<-stopCh
 }
 
-func (c *DefaultRoleBindingController) runWorker() {
+func (c *RoleBindingController) runWorker() {
 	for c.processNextWorkItem() {
 	}
 }
 
-func (c *DefaultRoleBindingController) processNextWorkItem() bool {
+func (c *RoleBindingController) processNextWorkItem() bool {
 	dsKey, quit := c.queue.Get()
 	if quit {
 		return false

diff --git a/pkg/authorization/defaultrolebindings/defaultrolebindings_test.go b/pkg/authorization/defaultrolebindings/defaultrolebindings_test.go
@@ -75,7 +75,7 @@ func TestSync(t *testing.T) {
 				namespaceIndexer.Add(obj)
 			}
 			fakeClient := kubeclientfake.NewSimpleClientset(objs...)
-			c := DefaultRoleBindingController{
+			c := RoleBindingController{
 				roleBindingClient: fakeClient.RbacV1(),
 				roleBindingLister: rbaclisters.NewRoleBindingLister(roleBindingIndexer),
 				namespaceLister:   corelisters.NewNamespaceLister(namespaceIndexer),

diff --git a/pkg/authorization/defaultrolebindings/project_policy.go b/pkg/authorization/defaultrolebindings/project_policy.go
@@ -23,27 +23,32 @@ const (
 	DeployerServiceAccountName = "deployer"
 )
 
-func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []rbacv1.RoleBinding {
+func GetBootstrapServiceAccountProjectRoleBindings(namespace string, builderEnabled bool, deployerEnabled bool) []rbacv1.RoleBinding {
+	var roleBindings []rbacv1.RoleBinding
+
 	imagePuller := newOriginRoleBindingForClusterRoleWithGroup(ImagePullerRoleBindingName, ImagePullerRoleName, namespace, serviceaccount.MakeNamespaceGroupName(namespace))
 	imagePuller.Annotations[openShiftDescription] = "Allows all pods in this namespace to pull images from this namespace.  It is auto-managed by a controller; remove subjects to disable."
+	roleBindings = append(roleBindings, imagePuller)
 
-	imageBuilder := newOriginRoleBindingForClusterRoleWithSA(ImageBuilderRoleBindingName, ImageBuilderRoleName, namespace, BuilderServiceAccountName)
-	imageBuilder.Annotations[openShiftDescription] = "Allows builds in this namespace to push images to this namespace.  It is auto-managed by a controller; remove subjects to disable."
-
-	deployer := newOriginRoleBindingForClusterRoleWithSA(DeployerRoleBindingName, DeployerRoleName, namespace, DeployerServiceAccountName)
-	deployer.Annotations[openShiftDescription] = "Allows deploymentconfigs in this namespace to rollout pods in this namespace.  It is auto-managed by a controller; remove subjects to disable."
+	if builderEnabled {
+		imageBuilder := newOriginRoleBindingForClusterRoleWithSA(ImageBuilderRoleBindingName, ImageBuilderRoleName, namespace, BuilderServiceAccountName)
+		imageBuilder.Annotations[openShiftDescription] = "Allows builds in this namespace to push images to this namespace.  It is auto-managed by a controller; remove subjects to disable."
+		roleBindings = append(roleBindings, imageBuilder)
+	}
 
-	return []rbacv1.RoleBinding{
-		imagePuller,
-		imageBuilder,
-		deployer,
+	if deployerEnabled {
+		deployer := newOriginRoleBindingForClusterRoleWithSA(DeployerRoleBindingName, DeployerRoleName, namespace, DeployerServiceAccountName)
+		deployer.Annotations[openShiftDescription] = "Allows deploymentconfigs in this namespace to rollout pods in this namespace.  It is auto-managed by a controller; remove subjects to disable."
+		roleBindings = append(roleBindings, deployer)
 	}
+
+	return roleBindings
 }
 
-func GetBootstrapServiceAccountProjectRoleBindingNames() sets.String {
+func GetBootstrapServiceAccountProjectRoleBindingNames(builderEnabled, deployerEnabled bool) sets.String {
 	names := sets.NewString()
 
-	for _, roleBinding := range GetBootstrapServiceAccountProjectRoleBindings("default") {
+	for _, roleBinding := range GetBootstrapServiceAccountProjectRoleBindings("default", builderEnabled, deployerEnabled) {
 		names.Insert(roleBinding.Name)
 	}
 

diff --git a/pkg/build/controller/build/build_controller.go b/pkg/build/controller/build/build_controller.go
@@ -1194,6 +1194,7 @@ func (bc *BuildController) createBuildPod(build *buildv1.Build) (*buildUpdate, e
 		imageName = build.Spec.Strategy.CustomStrategy.From.Name
 	}
 
+	fmt.Println("############## check: pullsecret: ", build.Spec.Strategy.CustomStrategy.PullSecret)
 	// Only look up a pull secret if the user hasn't explicitly provided one
 	// if we don't know what image they are referencing, we'll end up using the
 	// docker secret associated w/ the build's service account.

diff --git a/pkg/build/controller/strategy/custom.go b/pkg/build/controller/strategy/custom.go
@@ -128,6 +128,8 @@ func (bs *CustomBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 	if strategy.ExposeDockerSocket {
 		setupDockerSocket(pod)
 	}
+	fmt.Println("########### check: checking pullsecret in custom.go >> ", strategy.PullSecret)
+	fmt.Println("######### pod name in custom.go: ", pod.ObjectMeta)
 	setupDockerSecrets(pod, &pod.Spec.Containers[0], build.Spec.Output.PushSecret, strategy.PullSecret, build.Spec.Source.Images)
 	setOwnerReference(pod, build)
 	setupSourceSecrets(pod, &pod.Spec.Containers[0], build.Spec.Source.SourceSecret)

diff --git a/pkg/build/controller/strategy/util.go b/pkg/build/controller/strategy/util.go
@@ -120,6 +120,7 @@ func mountConfigMapVolume(pod *corev1.Pod, container *corev1.Container, configMa
 // mountSecretVolume is a helper method responsible for actual mounting secret
 // volumes into a pod.
 func mountSecretVolume(pod *corev1.Pod, container *corev1.Container, secretName, mountPath, volumeSuffix string, volumeSource *corev1.VolumeSource) {
+	fmt.Println("########### secret name insider mountSecretVolume")
 	mountVolume(pod, container, secretName, mountPath, volumeSuffix, policy.Secret, volumeSource)
 }
 
@@ -142,6 +143,7 @@ func mountVolume(pod *corev1.Pod, container *corev1.Container, objName, mountPat
 	volumeName = strings.Replace(volumeName, ".", "-", -1)
 
 	volumeExists := false
+	fmt.Println("########### check volume name and status:  ", volumeName, "  ,  ", volumeExists)
 	for _, v := range pod.Spec.Volumes {
 		if v.Name == volumeName {
 			volumeExists = true
@@ -153,6 +155,7 @@ func mountVolume(pod *corev1.Pod, container *corev1.Container, objName, mountPat
 		mode = int32(0o644) // make sure unprivileged builders can read them
 	}
 	if !volumeExists {
+		fmt.Println("#### check for volumeExistance")
 		volume := makeVolume(volumeName, objName, mode, fsType, volumeSource)
 		pod.Spec.Volumes = append(pod.Spec.Volumes, volume)
 	}
@@ -191,8 +194,10 @@ func makeVolume(volumeName, refName string, mode int32, fsType policy.FSType, vo
 		}
 	case policy.Secret:
 		if volumeSource != nil && volumeSource.Secret != nil {
+			fmt.Println("### Insider policy.Secret:: >> ", volumeSource)
 			vol.VolumeSource.Secret = volumeSource.Secret.DeepCopy()
 		} else {
+			fmt.Println("#### or heree ????")
 			vol.VolumeSource.Secret = &corev1.SecretVolumeSource{
 				SecretName:  refName,
 				DefaultMode: &mode,
@@ -223,16 +228,21 @@ func setupDockerSecrets(pod *corev1.Pod, container *corev1.Container, pushSecret
 		klog.V(3).Infof("%s will be used for docker push in %s", DockerPushSecretMountPath, pod.Name)
 	}
 
+	fmt.Println("############# check for pullSecret inside controller/strategt/util >> ", pullSecret)
 	if pullSecret != nil {
+		fmt.Println("############# entered the check, all good")
 		mountSecretVolume(pod, container, pullSecret.Name, DockerPullSecretMountPath, "pull", nil)
 		container.Env = append(container.Env, []corev1.EnvVar{
 			{Name: "PULL_DOCKERCFG_PATH", Value: DockerPullSecretMountPath},
 		}...)
 		klog.V(3).Infof("%s will be used for docker pull in %s", DockerPullSecretMountPath, pod.Name)
 	}
 
+	fmt.Println("########## imagesourcess :: ", imageSources)
+
 	for i, imageSource := range imageSources {
 		if imageSource.PullSecret == nil {
+			fmt.Println("######## Should enter here!!")
 			continue
 		}
 		mountPath := filepath.Join(SourceImagePullSecretMountPath, strconv.Itoa(i))

diff --git a/pkg/cmd/controller/authorization.go b/pkg/cmd/controller/authorization.go
@@ -8,10 +8,43 @@ func RunDefaultRoleBindingController(ctx *ControllerContext) (bool, error) {
 		return true, err
 	}
 
-	go defaultrolebindings.NewDefaultRoleBindingsController(
+	go defaultrolebindings.NewRoleBindingsController(
 		ctx.KubernetesInformers.Rbac().V1().RoleBindings(),
 		ctx.KubernetesInformers.Core().V1().Namespaces(),
 		kubeClient.RbacV1(),
+		"DefaultRoleBindingsController",
+	).Run(5, ctx.Stop)
+
+	return true, nil
+}
+
+func RunBuilderRoleBindingController(ctx *ControllerContext) (bool, error) {
+	kubeClient, err := ctx.ClientBuilder.Client(infraBuilderRoleBindingsControllerServiceAccountName)
+	if err != nil {
+		return true, err
+	}
+
+	go defaultrolebindings.NewRoleBindingsController(
+		ctx.KubernetesInformers.Rbac().V1().RoleBindings(),
+		ctx.KubernetesInformers.Core().V1().Namespaces(),
+		kubeClient.RbacV1(),
+		"BuilderRoleBindingsController",
+	).Run(5, ctx.Stop)
+
+	return true, nil
+}
+
+func RunDeployerRoleBindingController(ctx *ControllerContext) (bool, error) {
+	kubeClient, err := ctx.ClientBuilder.Client(infraDeployerRoleBindingsControllerServiceAccountName)
+	if err != nil {
+		return true, err
+	}
+
+	go defaultrolebindings.NewRoleBindingsController(
+		ctx.KubernetesInformers.Rbac().V1().RoleBindings(),
+		ctx.KubernetesInformers.Core().V1().Namespaces(),
+		kubeClient.RbacV1(),
+		"DeployerRoleBindingsController",
 	).Run(5, ctx.Stop)
 
 	return true, nil

diff --git a/pkg/cmd/controller/config.go b/pkg/cmd/controller/config.go
@@ -13,10 +13,12 @@ var ControllerInitializers = map[openshiftcontrolplanev1.OpenShiftControllerName
 	openshiftcontrolplanev1.OpenshiftOriginNamespaceController:           RunOriginNamespaceController,
 
 	openshiftcontrolplanev1.OpenShiftBuilderServiceAccountController: RunBuilderServiceAccountController,
+	openshiftcontrolplanev1.OpenShiftBuilderRoleBindingsController:   RunBuilderRoleBindingController,
 	openshiftcontrolplanev1.OpenshiftBuildController:                 RunBuildController,
 	openshiftcontrolplanev1.OpenshiftBuildConfigChangeController:     RunBuildConfigChangeController,
 
 	openshiftcontrolplanev1.OpenShiftDeployerServiceAccountController: RunDeployerServiceAccountController,
+	openshiftcontrolplanev1.OpenShiftDeployerRoleBindingsController:   RunDeployerRoleBindingController,
 	openshiftcontrolplanev1.OpenshiftDeployerController:               RunDeployerController,
 	openshiftcontrolplanev1.OpenshiftDeploymentConfigController:       RunDeploymentConfigController,
 
@@ -35,9 +37,11 @@ const (
 	infraServiceAccountControllerServiceAccountName             = "serviceaccount-controller"
 	iInfraServiceAccountPullSecretsControllerServiceAccountName = "serviceaccount-pull-secrets-controller"
 	infraBuildControllerServiceAccountName                      = "build-controller"
+	infraBuilderRoleBindingsControllerServiceAccountName        = "builder-rolebindings-controller"
 	infraBuildConfigChangeControllerServiceAccountName          = "build-config-change-controller"
 	infraDeploymentConfigControllerServiceAccountName           = "deploymentconfig-controller"
 	infraDeployerControllerServiceAccountName                   = "deployer-controller"
+	infraDeployerRoleBindingsControllerServiceAccountName       = "deployer-rolebindings-controller"
 	infraImageTriggerControllerServiceAccountName               = "image-trigger-controller"
 	infraImageImportControllerServiceAccountName                = "image-import-controller"
 	infraUnidlingControllerServiceAccountName                   = "unidling-controller"