Use build rbac resources from operator-rs (#342)

# Description





Co-authored-by: Malte Sander <malte.sander.it@gmail.com>

CHANGELOG.md

@@ -19,7 +19,8 @@ All notable changes to this project will be documented in this file.
   This change is breaking, because - for security reasons - we default to the `cluster-internal` `ListenerClass`.
   If you need your cluster to be accessible from outside of Kubernetes you need to set `clusterConfig.listenerClass`
   to `external-unstable` ([#340]).
-  - `operator-rs` `0.36.0` -> `0.39.1` ([#326], [#337], [#341]).
+- `operator-rs` `0.36.0` -> `0.40.2` ([#326], [#337], [#341], [#342]).
+- Use `build_rbac_resources` from operator-rs ([#342]).
 
 ### Fixed
 
@@ -38,6 +39,7 @@ All notable changes to this project will be documented in this file.
 [#339]: https://github.com/stackabletech/hdfs-operator/pull/339
 [#340]: https://github.com/stackabletech/hdfs-operator/pull/340
 [#341]: https://github.com/stackabletech/hdfs-operator/pull/341
+[#342]: https://github.com/stackabletech/hdfs-operator/pull/342
 
 
 ## [23.1.0] - 2023-01-23

rust/crd/Cargo.toml

@@ -9,7 +9,7 @@ version = "0.0.0-dev"
 publish = false
 
 [dependencies]
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.39.1" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.40.2" }
 
 semver = "1.0"
 serde = { version = "1.0", features = ["derive"] }

rust/operator-binary/Cargo.toml

@@ -10,7 +10,7 @@ build = "build.rs"
 publish = false
 
 [dependencies]
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.39.1" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.40.2" }
 stackable-hdfs-crd = { path = "../crd" }
 stackable-hdfs-operator = { path = "../operator" }
 anyhow = "1.0"
@@ -20,7 +20,7 @@ tracing = "0.1"
 
 [build-dependencies]
 built = { version =  "0.5", features = ["chrono", "git2"] }
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.39.1" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.40.2" }
 stackable-hdfs-crd = { path = "../crd" }
 
 [[bin]]

rust/operator/Cargo.toml

@@ -9,7 +9,7 @@ version = "0.0.0-dev"
 publish = false
 
 [dependencies]
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.39.1" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.40.2" }
 stackable-hdfs-crd = { path = "../crd" }
 
 futures = "0.3"

rust/operator/src/container.rs

@@ -646,7 +646,7 @@ impl ContainerConfig {
                         .iter()
                         .flatten()
                     {
-                        let pvc_name = pvc.name_unchecked();
+                        let pvc_name = pvc.name_any();
                         volume_mounts.push(VolumeMount {
                             mount_path: format!("{DATANODE_ROOT_DATA_DIR_PREFIX}{pvc_name}"),
                             name: pvc_name,

rust/operator/src/hdfs_controller.rs

@@ -5,7 +5,7 @@ use crate::{
     discovery::build_discovery_configmap,
     event::{build_invalid_replica_message, publish_event},
     product_logging::{extend_role_group_config_map, resolve_vector_aggregator_address},
-    rbac, OPERATOR_NAME,
+    OPERATOR_NAME,
 };
 
 use snafu::{OptionExt, ResultExt, Snafu};
@@ -16,7 +16,10 @@ use stackable_operator::{
     builder::{ConfigMapBuilder, ObjectMetaBuilder, PodBuilder, PodSecurityContextBuilder},
     client::Client,
     cluster_resources::{ClusterResourceApplyStrategy, ClusterResources},
-    commons::product_image_selection::ResolvedProductImage,
+    commons::{
+        product_image_selection::ResolvedProductImage,
+        rbac::{build_rbac_resources, service_account_name},
+    },
     k8s_openapi::{
         api::{
             apps::v1::{StatefulSet, StatefulSetSpec},
@@ -107,12 +110,10 @@ pub enum Error {
     #[snafu(display("Failed to patch service account"))]
     ApplyServiceAccount {
         source: stackable_operator::error::Error,
-        name: String,
     },
     #[snafu(display("Failed to patch role binding"))]
     ApplyRoleBinding {
         source: stackable_operator::error::Error,
-        name: String,
     },
     #[snafu(display("Failed to create cluster resources"))]
     CreateClusterResources {
@@ -145,6 +146,10 @@ pub enum Error {
     ApplyStatus {
         source: stackable_operator::error::Error,
     },
+    #[snafu(display("failed to build RBAC resources"))]
+    BuildRbacResources {
+        source: stackable_operator::error::Error,
+    },
 }
 
 impl ReconcilerError for Error {
@@ -218,26 +223,22 @@ pub async fn reconcile_hdfs(hdfs: Arc<HdfsCluster>, ctx: Arc<Ctx>) -> HdfsOperat
             name: discovery_cm.metadata.name.clone().unwrap_or_default(),
         })?;
 
-    // The service account and rolebinding will be created per cluster and
-    // deleted if the cluster is removed.
-    // Therefore no cluster / orphaned resources have to be handled here.
-    let (rbac_sa, rbac_rolebinding) = rbac::build_rbac_resources(hdfs.as_ref(), "hdfs-clusterrole")
-        .with_context(|_| ObjectMissingMetadataForOwnerRefSnafu {
-            obj_ref: ObjectRef::from_obj(&*hdfs),
-        })?;
+    // The service account and rolebinding will be created per cluster
+    let (rbac_sa, rbac_rolebinding) = build_rbac_resources(
+        hdfs.as_ref(),
+        APP_NAME,
+        cluster_resources.get_required_labels(),
+    )
+    .context(BuildRbacResourcesSnafu)?;
 
-    client
-        .apply_patch(FIELD_MANAGER_SCOPE, &rbac_sa, &rbac_sa)
+    cluster_resources
+        .add(client, rbac_sa)
         .await
-        .with_context(|_| ApplyServiceAccountSnafu {
-            name: rbac_sa.name_any(),
-        })?;
-    client
-        .apply_patch(FIELD_MANAGER_SCOPE, &rbac_rolebinding, &rbac_rolebinding)
+        .context(ApplyServiceAccountSnafu)?;
+    cluster_resources
+        .add(client, rbac_rolebinding)
         .await
-        .with_context(|_| ApplyRoleBindingSnafu {
-            name: rbac_rolebinding.name_any(),
-        })?;
+        .context(ApplyRoleBindingSnafu)?;
 
     let dfs_replication = hdfs.spec.cluster_config.dfs_replication;
     let mut ss_cond_builder = StatefulSetConditionBuilder::default();
@@ -288,7 +289,6 @@ pub async fn reconcile_hdfs(hdfs: Arc<HdfsCluster>, ctx: Arc<Ctx>) -> HdfsOperat
                 &resolved_product_image,
                 env_overrides,
                 merged_config.as_ref(),
-                &rbac_sa.name_any(),
                 &namenode_podrefs,
             )?;
 
@@ -505,7 +505,6 @@ fn rolegroup_statefulset(
     resolved_product_image: &ResolvedProductImage,
     env_overrides: Option<&BTreeMap<String, String>>,
     merged_config: &(dyn MergedConfig + Send + 'static),
-    rbac_sa: &str,
     namenode_podrefs: &[HdfsPodRef],
 ) -> HdfsOperatorResult<StatefulSet> {
     tracing::info!("Setting up StatefulSet for {:?}", rolegroup_ref);
@@ -519,7 +518,7 @@ fn rolegroup_statefulset(
     })
     .image_pull_secrets_from_product_image(resolved_product_image)
     .affinity(merged_config.affinity())
-    .service_account_name(rbac_sa)
+    .service_account_name(service_account_name(APP_NAME))
     .security_context(
         PodSecurityContextBuilder::new()
             .run_as_user(1000)

rust/operator/src/lib.rs

@@ -5,7 +5,6 @@ mod event;
 mod hdfs_controller;
 mod pod_svc_controller;
 mod product_logging;
-mod rbac;
 
 use std::sync::Arc;