feat: Implement AppProject watch to retrigger reconciliation (#18)

leoluz · web-flow · commit 73f661dc069d · 2024-09-24T16:49:36.000-04:00
* feat: Implement AppProject watch to retrigger reconciliation

Signed-off-by: Leonardo Luz Almeida &lt;leonardo_almeida@intuit.com&gt;

* add integration tests

Signed-off-by: Leonardo Luz Almeida &lt;leonardo_almeida@intuit.com&gt;

* address review comments

Signed-off-by: Leonardo Luz Almeida &lt;leonardo_almeida@intuit.com&gt;

---------

Signed-off-by: Leonardo Luz Almeida &lt;leonardo_almeida@intuit.com&gt;
diff --git a/api/ephemeral-access/v1alpha1/roletemplate_types.go b/api/ephemeral-access/v1alpha1/roletemplate_types.go
@@ -57,6 +57,9 @@ type RoleTemplateStatus struct {
 	SyncHash string `json:"syncHash"`
 }
 
+// Render will return a new RoleTemplate instance with the templates replaced by
+// the given projName, appName and appNs. The RoleTemplate fields that accept
+// templated values are 'rt.Spec.Description' and 'rt.Spec.Policies'.
 func (rt *RoleTemplate) Render(projName, appName, appNs string) (*RoleTemplate, error) {
 	rendered := rt.DeepCopy()
 	descTmpl, err := template.New("description").Parse(rt.Spec.Description)
diff --git a/internal/controller/accessrequest_controller.go b/internal/controller/accessrequest_controller.go
@@ -55,6 +55,7 @@ const (
 	// managed by this controller
 	AccessRequestFinalizerName = "accessrequest.ephemeral-access.argoproj-labs.io/finalizer"
 	roleTemplateField          = ".spec.roleTemplateName"
+	projectField               = ".status.targetProject"
 )
 
 // +kubebuilder:rbac:groups=ephemeral-access.argoproj-labs.io,resources=accessrequests,verbs=get;list;watch;create;update;patch;delete
@@ -281,13 +282,18 @@ func (r *AccessRequestReconciler) handleFinalizer(ctx context.Context, ar *api.A
 // controller. Only non-concluded AccessRequests will be added to the reconciliation
 // list. An AccessRequest is defined as concluded if their status is Expired or Denied.
 func (r *AccessRequestReconciler) findObjectsForRoleTemplate(ctx context.Context, roleTemplate client.Object) []reconcile.Request {
+	logger := log.FromContext(ctx)
+	logger.Debug(fmt.Sprintf("RoleTemplate %s updated: searching for associated AccessRequests...", roleTemplate.GetName()))
 	attachedAccessRequests := &api.AccessRequestList{}
 	listOps := &client.ListOptions{
 		FieldSelector: fields.OneTermEqualSelector(roleTemplateField, roleTemplate.GetName()),
-		Namespace:     roleTemplate.GetNamespace(),
+		// This makes a requirement that the AccessRequest has to live in the
+		// same namespace as the AppProject.
+		Namespace: roleTemplate.GetNamespace(),
 	}
 	err := r.List(ctx, attachedAccessRequests, listOps)
 	if err != nil {
+		logger.Error(err, "findObjectsForRoleTemplate error: list k8s resources error")
 		return []reconcile.Request{}
 	}
 
@@ -302,16 +308,74 @@ func (r *AccessRequestReconciler) findObjectsForRoleTemplate(ctx context.Context
 			}
 		}
 	}
-	if len(requests) == 0 {
+	totalRequests := len(requests)
+	if totalRequests == 0 {
 		return nil
 	}
+	logger.Debug(fmt.Sprintf("Found %d associated AccessRequests with RoleTemplate %s. Reconciling...", totalRequests, roleTemplate.GetName()))
 	return requests
 }
 
-// SetupWithManager sets up the controller with the Manager.
-func (r *AccessRequestReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	// create an AccessRequest index by role template name to allow
-	// fetching all objects referencing a given RoleTemplate
+// findObjectsForProject will retrieve all AccessRequest resources referencing
+// the given project and build a list of reconcile requests to be sent to the
+// controller. Only non-concluded AccessRequests will be added to the reconciliation
+// list. An AccessRequest is defined as concluded if their status is Expired or Denied.
+func (r *AccessRequestReconciler) findObjectsForProject(ctx context.Context, project client.Object) []reconcile.Request {
+	logger := log.FromContext(ctx)
+	logger.Debug(fmt.Sprintf("Project %s updated: searching for associated AccessRequests...", project.GetName()))
+	associatedAccessRequests := &api.AccessRequestList{}
+	listOps := &client.ListOptions{
+		FieldSelector: fields.OneTermEqualSelector(projectField, project.GetName()),
+		// This makes a requirement that the AccessRequest has to live in the
+		// same namespace as the AppProject.
+		Namespace: project.GetNamespace(),
+	}
+	err := r.List(ctx, associatedAccessRequests, listOps)
+	if err != nil {
+		logger.Error(err, "findObjectsForProject error: list k8s resources error")
+		return []reconcile.Request{}
+	}
+
+	requests := make([]reconcile.Request, len(associatedAccessRequests.Items))
+	for i, item := range associatedAccessRequests.Items {
+		if !isConcluded(&item) {
+			requests[i] = reconcile.Request{
+				NamespacedName: types.NamespacedName{
+					Name:      item.GetName(),
+					Namespace: item.GetNamespace(),
+				},
+			}
+		}
+	}
+	totalRequests := len(requests)
+	if totalRequests == 0 {
+		return nil
+	}
+	logger.Debug(fmt.Sprintf("Found %d associated AccessRequests with project %s. Reconciling...", totalRequests, project.GetName()))
+	return requests
+}
+
+// createProjectIndex will create an AccessRequest index by project to allow
+// fetching all objects referencing a given AppProject.
+func createProjectIndex(mgr ctrl.Manager) error {
+	err := mgr.GetFieldIndexer().
+		IndexField(context.Background(), &api.AccessRequest{}, projectField,
+			func(rawObj client.Object) []string {
+				ar := rawObj.(*api.AccessRequest)
+				if ar.Status.TargetProject == "" {
+					return nil
+				}
+				return []string{ar.Status.TargetProject}
+			})
+	if err != nil {
+		return fmt.Errorf("error creating project field index: %w", err)
+	}
+	return nil
+}
+
+// createRoleTemplateIndex create an AccessRequest index by role template name
+// to allow fetching all objects referencing a given RoleTemplate.
+func createRoleTemplateIndex(mgr ctrl.Manager) error {
 	err := mgr.GetFieldIndexer().
 		IndexField(context.Background(), &api.AccessRequest{}, roleTemplateField, func(rawObj client.Object) []string {
 			ar := rawObj.(*api.AccessRequest)
@@ -321,12 +385,28 @@ func (r *AccessRequestReconciler) SetupWithManager(mgr ctrl.Manager) error {
 			return []string{ar.Spec.RoleTemplateName}
 		})
 	if err != nil {
-		return fmt.Errorf("error creating index field for roleTemplateName: %w", err)
+		return fmt.Errorf("error creating roleTemplateName field index: %w", err)
+	}
+	return nil
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *AccessRequestReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	err := createProjectIndex(mgr)
+	if err != nil {
+		return fmt.Errorf("create index error: %w", err)
+	}
+	err = createRoleTemplateIndex(mgr)
+	if err != nil {
+		return fmt.Errorf("create index error: %w", err)
 	}
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&api.AccessRequest{}).
 		Watches(&api.RoleTemplate{},
 			handler.EnqueueRequestsFromMapFunc(r.findObjectsForRoleTemplate),
 			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{})).
+		Watches(&argocd.AppProject{},
+			handler.EnqueueRequestsFromMapFunc(r.findObjectsForProject),
+			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{})).
 		Complete(r)
 }
diff --git a/internal/controller/accessrequest_controller_test.go b/internal/controller/accessrequest_controller_test.go

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,9 @@ type RoleTemplateStatus struct {`
`57`	`57`	SyncHash string `json:"syncHash"`
`58`	`58`	`}`
`59`	`59`
	`60`	`+// Render will return a new RoleTemplate instance with the templates replaced by`
	`61`	`+// the given projName, appName and appNs. The RoleTemplate fields that accept`
	`62`	`+// templated values are 'rt.Spec.Description' and 'rt.Spec.Policies'.`
`60`	`63`	`func (rt RoleTemplate) Render(projName, appName, appNs string) (RoleTemplate, error) {`
`61`	`64`	`rendered := rt.DeepCopy()`
`62`	`65`	`descTmpl, err := template.New("description").Parse(rt.Spec.Description)`