wip
Signed-off-by: Massimiliano Giovagnoli <[email protected]>
maxgio92 committed Jan 29, 2024
1 parent d1c255d commit 7c717e7
Showing 8 changed files with 34 additions and 10 deletions.
7 changes: 7 additions & 0 deletions .golangci.yml
Expand Up @@ -7,9 +7,16 @@ linters-settings:
list-mode: lax
allow:
- $gostd
- k8s.io/api
- k8s.io/apimachinery
- k8s.io/client-go
- github.com/projectcapsule
- github.com/go-logr/logr
- github.com/pkg/errors
- github.com/spf13/cobra
- sigs.k8s.io/controller-runtime
funlen:
lines: 110
gci:
sections:
- standard # Captures all standard packages if they do not match another section.
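Review bot: With `list-mode: lax` kept just above the extended `allow` list, the new entries do not restrict anything: in depguard's lax mode every import is permitted unless it matches a `deny` entry, so a dependency outside this list would still pass lint and the allow list gives no supply-chain guarantee. If the intent is an enforced import allow-list, change the mode to `list-mode: strict` and keep these entries; if lax is deliberate, a comment such as `# lax: unlisted packages are NOT blocked, this list is documentation only` would stop the next reader from assuming otherwise. Note too that entries are prefix-matched as far as I can tell, so `github.com/projectcapsule` admits every module under that organisation, not only `capsule`. The `linters-settings` block continues outside the hunk.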
10 changes: 9 additions & 1 deletion cmd/manager/manager.go
Expand Up @@ -6,6 +6,8 @@ package manager
import (
"flag"
"fmt"
"os"

"github.com/go-logr/logr"
"github.com/pkg/errors"

capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
Expand All @@ -14,7 +16,7 @@ import (
"k8s.io/apimachinery/pkg/runtime"
clientgoscheme "k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/rest"
"os"

ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/healthz"
Expand Down Expand Up @@ -59,6 +61,7 @@ func New() *cobra.Command {

// Add Zap options.
var fs flag.FlagSet

opts.Zo.BindFlags(&fs)
cmd.Flags().AddGoFlagSet(&fs)

Expand All @@ -70,6 +73,7 @@ func (o *Options) Run(_ *cobra.Command, _ []string) error {
if err := clientgoscheme.AddToScheme(scheme); err != nil {
return errors.Wrap(err, "unable to add client-go types to the manager's scheme")
}

if err := capsulev1beta2.AddToScheme(scheme); err != nil {
return errors.Wrap(err, "unable to add Capsule types to the manager's scheme")
}
Expand All @@ -90,6 +94,7 @@ func (o *Options) Run(_ *cobra.Command, _ []string) error {
})
if err != nil {
o.SetupLog.Error(err, "unable to create manager")

return errors.Wrap(err, "unable to create manager")
}

Expand All @@ -105,6 +110,7 @@ func (o *Options) Run(_ *cobra.Command, _ []string) error {

if err = indexer.AddToManager(ctx, o.SetupLog, mgr); err != nil {
o.SetupLog.Error(err, "unable to setup indexers")

return errors.Wrap(err, "unable to setup indexers")
}

Expand All @@ -115,11 +121,13 @@ func (o *Options) Run(_ *cobra.Command, _ []string) error {
serviceaccount.WithProxyURL(o.ProxyURL),
).SetupWithManager(ctx, mgr); err != nil {
o.SetupLog.Error(err, "unable to create manager", "controller", "ServiceAccount")

return errors.Wrap(err, "unable to setup the service account controller")
}

if err = mgr.Start(ctx); err != nil {
o.SetupLog.Error(err, "problem running manager")

return errors.Wrap(err, "unable to start the manager")
}

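Review bot: Moving `"os"` into the stdlib group is correct, but the import block still does not match the gci layout this repo enforces because the blank line left between `"github.com/pkg/errors"` and `capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"` splits the third-party group in two; gci wants one stdlib group, one group for every other module, and a final group for the `github.com/projectcapsule/capsule-addon-fluxcd` prefix. Delete that blank line, and if this file imports its own module's packages lower in the block (the rest of the import list is outside the hunk) give them their own trailing group. Separately, every failure path in `Run` both logs via `o.SetupLog.Error(...)` and returns the wrapped error, which `main` prints again, so each startup failure is reported twice; handle it at one layer, e.g. drop the log call and keep `return errors.Wrap(err, "unable to create manager")`. `Run` begins and ends outside the hunk.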
1 change: 1 addition & 0 deletions cmd/root.go
Expand Up @@ -20,5 +20,6 @@ func New() *cobra.Command {

func Execute() error {
cmd := New()

return cmd.Execute()
}
1 change: 1 addition & 0 deletions main.go
Expand Up @@ -12,6 +12,7 @@ import (

func main() {
if err := cmd.Execute(); err != nil {
//nolint:forbidigo
fmt.Println(err)
os.Exit(1)
}
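Review bot: `fmt.Println(err)` writes the fatal error to stdout, so a failed start is mixed into whatever a caller captures as program output, and the added `//nolint:forbidigo` only silences the linter's objection to that call rather than addressing it. Write the error to stderr, `fmt.Fprintln(os.Stderr, err)`, which pairs with the `os.Exit(1)` on the next line; `os` is already imported, and `Fprintln` is not in forbidigo's default pattern, so the nolint directive can most likely go. If a suppression is still needed, give it a reason, `//nolint:forbidigo // top-level error reporting before exit`. `main`'s signature is above the hunk.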
1 change: 1 addition & 0 deletions pkg/controller/serviceaccount/globaltenantresources.go
Expand Up @@ -5,6 +5,7 @@ package serviceaccount

import (
"context"

capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
1 change: 1 addition & 0 deletions pkg/controller/serviceaccount/rolebindings.go
Expand Up @@ -6,6 +6,7 @@ package serviceaccount
import (
"context"
"fmt"

rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
16 changes: 10 additions & 6 deletions pkg/controller/serviceaccount/serviceaccount.go
Expand Up @@ -24,6 +24,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/reconcile"
)

//nolint:revive
type ServiceAccountReconciler struct {
proxyURL string
proxyCA string
Expand Down Expand Up @@ -86,6 +87,7 @@ func (r *ServiceAccountReconciler) Reconcile(ctx context.Context, request ctrl.R

return reconcile.Result{}, nil
}

r.Log.Error(err, "Error reading the object")

return ctrl.Result{}, err
Expand All @@ -105,16 +107,15 @@ func (r *ServiceAccountReconciler) Reconcile(ctx context.Context, request ctrl.R
if err != nil {
return reconcile.Result{}, errors.Wrap(err, "error getting token of the service account")
}

if tokenSecret.Data == nil {
r.Log.Info("ServiceAccount token data is missing. Requeueing.")

return reconcile.Result{Requeue: true}, nil
}

// Build the kubeConfig for the ServiceAccount Tenant Owner.
config, err := r.buildKubeconfig(r.proxyURL, string(tokenSecret.Data[corev1.ServiceAccountTokenKey]))
if err != nil {
return reconcile.Result{}, errors.Wrap(err, "error building the tenant owner config")
}
config := r.buildKubeconfig(r.proxyURL, string(tokenSecret.Data[corev1.ServiceAccountTokenKey]))

configRaw, err := clientcmd.Write(*config)
if err != nil {
Expand Down Expand Up @@ -146,9 +147,11 @@ func (r *ServiceAccountReconciler) Reconcile(ctx context.Context, request ctrl.R
// Get the Tenant owned by the ServiceAccount.
ownerName := fmt.Sprintf("system:serviceaccount:%s:%s", sa.GetNamespace(), sa.GetName())
tenantList, err := r.listTenantsOwned(ctx, string(capsulev1beta2.ServiceAccountOwner), ownerName)

if err != nil {
return reconcile.Result{}, errors.Wrap(err, "error listing Tenants for owner")
}

if tenantList.Items == nil {
return reconcile.Result{}, errors.New("Tenant list for owner is empty")
}
Expand Down Expand Up @@ -179,6 +182,7 @@ func (r *ServiceAccountReconciler) forOption(ctx context.Context) builder.ForOpt
predicate.NewPredicateFuncs(func(object client.Object) bool {
ownerName := fmt.Sprintf("system:serviceaccount:%s:%s", object.GetNamespace(), object.GetName())
tntList, err := r.listTenantsOwned(ctx, string(capsulev1beta2.ServiceAccountOwner), ownerName)

return err == nil && tntList.Items != nil && len(tntList.Items) != 0
}),
),
Expand All @@ -199,7 +203,7 @@ func (r *ServiceAccountReconciler) listTenantsOwned(ctx context.Context, ownerKi

// buildKubeconfig returns a client-go/clientcmd/api.Config with a token and server URL specified as arguments.
// The server set is be the proxy configured at ServiceAccountReconciler-level.
func (r *ServiceAccountReconciler) buildKubeconfig(server, token string) (*clientcmdapi.Config, error) {
func (r *ServiceAccountReconciler) buildKubeconfig(server, token string) *clientcmdapi.Config {
// Build the client API Config.
config := clientcmdapi.NewConfig()
config.APIVersion = clientcmdlatest.Version
Expand Down Expand Up @@ -231,5 +235,5 @@ func (r *ServiceAccountReconciler) buildKubeconfig(server, token string) (*clien
config.Contexts = contexts
config.CurrentContext = KubeconfigContextName

return config, nil
return config
}
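Review bot: In `Reconcile` the guard `if tokenSecret.Data == nil` is not sufficient before `r.buildKubeconfig(r.proxyURL, string(tokenSecret.Data[corev1.ServiceAccountTokenKey]))`: a Secret whose `data` map exists but does not yet carry the `token` key (service-account-token Secrets are populated asynchronously by the token controller) yields an empty string, and since `buildKubeconfig` no longer returns an error, a kubeconfig with an empty bearer token is serialized by `clientcmd.Write` and persisted as the tenant owner's credentials. Read the key explicitly and requeue when it is absent or empty, as sketched below. Two smaller points on the same path: `tenantList.Items == nil` should be `len(tenantList.Items) == 0` (an empty non-nil slice currently passes, and `forOption` already checks the length), and the blank line inserted between the `listTenantsOwned` assignment and its `if err != nil` is what gofumpt rejects. `Reconcile` begins and ends outside the hunk.
```go
	// … unchanged: token Secret lookup and the Data == nil guard …
	token, ok := tokenSecret.Data[corev1.ServiceAccountTokenKey]
	if !ok || len(token) == 0 {
		r.Log.Info("ServiceAccount token is not populated yet. Requeueing.")

		return reconcile.Result{Requeue: true}, nil
	}

	// Build the kubeConfig for the ServiceAccount Tenant Owner.
	config := r.buildKubeconfig(r.proxyURL, string(token))
	// … unchanged: clientcmd.Write and Secret persistence …
```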
7 changes: 4 additions & 3 deletions pkg/controller/serviceaccount/tokens.go
Expand Up @@ -38,6 +38,7 @@ func (r *ServiceAccountReconciler) ensureSATokenSecret(ctx context.Context, name

return nil
}

return err
}

Expand All @@ -48,7 +49,6 @@ func (r *ServiceAccountReconciler) ensureSATokenSecret(ctx context.Context, name
// are specified as arguments.
func (r *ServiceAccountReconciler) getSATokenSecret(ctx context.Context, saName, saNamespace string) (*corev1.Secret, error) {
saTokenList := new(corev1.SecretList)
// TODO: filter by Service Account-type and Namespace. Need index by Secret type.
if err := r.Client.List(ctx, saTokenList); err != nil {
return nil, ErrServiceAccountTokenNotFound
}
Expand All @@ -58,15 +58,16 @@ func (r *ServiceAccountReconciler) getSATokenSecret(ctx context.Context, saName,
}

var tokenSecret *corev1.Secret

for _, v := range saTokenList.Items {
v := v
switch v.Type {
case corev1.SecretTypeServiceAccountToken:
if v.Type == corev1.SecretTypeServiceAccountToken {
if v.Namespace == saNamespace && v.Annotations[corev1.ServiceAccountNameKey] == saName {
return &v, nil
}
}
}

if tokenSecret == nil {
return nil, ErrServiceAccountTokenNotFound
}
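Review bot: Removing the TODO in `getSATokenSecret` does not remove the problem it described: `r.Client.List(ctx, saTokenList)` still lists every Secret in every namespace and filters by type, namespace and annotation in Go afterwards, so the controller needs cluster-wide `list`/`watch` on secrets and, if the manager's cached client is in use, keeps all of them in memory for a lookup that only ever targets one namespace. Scope the call with a ListOption, `if err := r.Client.List(ctx, saTokenList, client.InNamespace(saNamespace)); err != nil {`, and consider a field index on Secret type if the namespace alone is still too broad; the file's import list is outside the hunk, so `client` may need adding. The same line also drops the List error and returns `ErrServiceAccountTokenNotFound`, which hides RBAC or API failures from the caller as "not found" — wrap the error rather than replacing it. Finally, `tokenSecret` is never assigned, so the `if tokenSecret == nil` after the loop is always true and the variable can go; the function's tail is outside the hunk.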
