Merge pull request #692 from lmm/lmm-pick-v1.5
release-v1.5 - Cherry-pick status and RBAC changes #668 and #691
tmjd committed Jul 13, 2020
2 parents 4b1232f + bfd1364 commit d7c768f
Showing 3 changed files with 167 additions and 35 deletions.
136 changes: 109 additions & 27 deletions deploy/role.yaml
Expand Up @@ -18,12 +18,20 @@ rules:
- secrets
- serviceaccounts
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
# Need to update node labels when migrating nodes.
- 'get'
- 'patch'
- 'list'
# We need this for Typha autoscaling
- 'watch'
Expand All @@ -35,21 +43,27 @@ rules:
- rolebindings
- roles
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
- bind
- escalate
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- statefulsets
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- apps
resourceNames:
Expand All @@ -63,13 +77,24 @@ rules:
resources:
- '*'
verbs:
- '*'
- create
- get
- list
- update
- patch
- delete
- watch
- apiGroups:
- scheduling.k8s.io
resources:
- priorityclasses
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- monitoring.coreos.com
resources:
Expand All @@ -78,77 +103,134 @@ rules:
- get
- create
- apiGroups:
- policy
- policy
resources:
- poddisruptionbudgets
- poddisruptionbudgets
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
# When running in OpenShift, we need to update networking config.
- apiGroups:
- config.openshift.io
resources:
- networks/status
verbs:
- 'update'
- '*'
- get
- list
- update
- apiGroups:
- config.openshift.io
resources:
- networks
- infrastructures
verbs:
- 'get'
- '*'
- get
- list
- patch
- watch
# On OpenShift, we need to modify SCCs.
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
verbs:
- '*'
# Permissions below this point are required for TSEE only.
- create
- get
- list
- update
- delete
- watch
# For host network access.
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- hostnetwork
verbs:
- use
# Permissions below this point are required for TSEE only.
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- "batch"
resources:
- jobs
- cronjobs
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- projectcalico.org
resources:
- globalreporttypes
- licensekeys
- globalalerttemplates
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- elasticsearch.k8s.elastic.co
resources:
- elasticsearches
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- kibana.k8s.elastic.co
resources:
- kibanas
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- '*'
- create
- get
- list
- update
- delete
- watch
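Review bot: The `bind` and `escalate` verbs that appear on the rolebindings/roles rule exempt the operator's service account from the RBAC escalation check, so the account can create or bind roles carrying permissions it does not hold itself, and the narrowed verb lists elsewhere in this file are no longer an upper bound on what it can reach. If the operator only manages a known set of roles, consider moving `bind`/`escalate` into a separate rule restricted with `resourceNames:`, and document the need with a comment such as `# bind/escalate: the operator creates RBAC objects for the components it installs.` The rule with `resources: - '*'` still carries a resource wildcard; its `apiGroups` entry is above the visible hunk, so it should be confirmed that it is limited to the operator's own API group. The securitycontextconstraints rule likewise grants create/update/delete on every SCC without `resourceNames`.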
22 changes: 22 additions & 0 deletions pkg/controller/installation/core_controller.go
Expand Up @@ -19,6 +19,7 @@ import (
"fmt"
"net"
"os"
"reflect"
"strings"
"time"

Expand Down Expand Up @@ -387,6 +388,16 @@ func (r *ReconcileInstallation) Reconcile(request reconcile.Request) (reconcile.

ctx := context.Background()

// Get the installation object if it exists so that we can save the original
// status before we merge/fill that object with other values.
instance := &operator.Installation{}
if err := r.client.Get(ctx, utils.DefaultInstanceKey, instance); err != nil && apierrors.IsNotFound(err) {
reqLogger.Info("Installation config not found")
r.status.OnCRNotFound()
return reconcile.Result{}, nil
}
status := instance.Status

// Query for the installation object.
instance, err := GetInstallation(ctx, r.client, r.autoDetectedProvider)
if err != nil {
Expand Down Expand Up @@ -417,6 +428,17 @@ func (r *ReconcileInstallation) Reconcile(request reconcile.Request) (reconcile.
return reconcile.Result{}, err
}

// A status is needed at this point for operator scorecard tests.
// status.variant is written later but for some tests the reconciliation
// does not get to that point.
if reflect.DeepEqual(status, operator.InstallationStatus{}) {
instance.Status = operator.InstallationStatus{}
if err = r.client.Status().Update(ctx, instance); err != nil {
r.SetDegraded("Failed to write default status", err, reqLogger)
return reconcile.Result{}, err
}
}

// The operator supports running in a "Calico only" mode so that it doesn't need to run TSEE specific controllers.
// If we are switching from this mode to one that enables TSEE, we need to restart the operator to enable the other controllers.
if !r.requiresTSEE && instance.Spec.Variant == operator.TigeraSecureEnterprise {
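Review bot: The new `r.client.Get` guard returns only when the error is NotFound; any other failure (a timeout, or a Forbidden response, which is plausible given that this commit also narrows the operator's RBAC) is dropped and `status` stays at its zero value. In the second hunk `reflect.DeepEqual(status, operator.InstallationStatus{})` is then true, and `r.client.Status().Update` writes an empty status over whatever the object returned by `GetInstallation` actually carried. Handle the remaining error before reading `instance.Status`, e.g. `} else if err != nil { r.SetDegraded("Error querying installation", err, reqLogger); return reconcile.Result{}, err }`. Reconcile begins and ends outside the visible hunks, so later writes to the status could not be checked.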
44 changes: 36 additions & 8 deletions test/mainline_test.go
Expand Up @@ -17,6 +17,7 @@ package test
import (
"context"
"fmt"
"reflect"
"strings"
"time"

Expand All @@ -40,7 +41,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client/config"
"sigs.k8s.io/controller-runtime/pkg/manager"

"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
)

var _ = Describe("Mainline component function tests", func() {
Expand Down Expand Up @@ -72,13 +73,13 @@ var _ = Describe("Mainline component function tests", func() {

// Clean up Calico data that might be left behind.
Eventually(func() error {
patchF := func(n *corev1.Node) {
for k, _ := range n.ObjectMeta.Annotations {
if strings.Contains(k, "projectcalico") {
delete(n.ObjectMeta.Annotations, k)
}
}
}
patchF := func(n *corev1.Node) {
for k, _ := range n.ObjectMeta.Annotations {
if strings.Contains(k, "projectcalico") {
delete(n.ObjectMeta.Annotations, k)
}
}
}

cs := kubernetes.NewForConfigOrDie(mgr.GetConfig())
nodes, err := cs.CoreV1().Nodes().List(metav1.ListOptions{})
Expand Down Expand Up @@ -171,6 +172,33 @@ var _ = Describe("Mainline component function tests", func() {
}
return assertAvailable(ts)
}, 60*time.Second).Should(BeNil())

By("Checking that the installation status is set correctly")
Eventually(func() error {
err := GetResource(c, instance)
if err != nil {
return err
}
if instance.Status.Variant != operator.Calico {
return fmt.Errorf("installation status not Calico yet")
}
return nil
}, 60*time.Second).Should(BeNil())

By("Checking that the installation status does not change")
Consistently(func() error {
err := GetResource(c, instance)
if err != nil {
return err
}
if reflect.DeepEqual(instance.Status, operator.InstallationStatus{}) {
return fmt.Errorf("installation status is empty")
}
if instance.Status.Variant != operator.Calico {
return fmt.Errorf("installation status was %v, expected: %v", instance.Status, operator.Calico)
}
return nil
}, 30*time.Second, 50*time.Millisecond).Should(BeNil())
})
})

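Review bot: In the `Consistently` block the failure message formats the whole `instance.Status` struct against `operator.Calico`, so a mismatch prints a struct next to a variant name; `return fmt.Errorf("installation status variant was %v, expected: %v", instance.Status.Variant, operator.Calico)` reports what was actually compared. The same block polls every 50ms for 30s, which is roughly 600 reads against the API server for a single assertion; a longer interval would probably catch the same regression. Both closures reuse the shared `instance`, so a failed `GetResource` may leave it partially updated for the next poll.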
