

Fix RootSyncSet permissions (#3510)
mortent authored Aug 29, 2022
1 parent 3bdd180 commit 3a9dd36
Showing 4 changed files with 104 additions and 8 deletions.
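--- a/porch/controllers/rootsyncset/config/samples/README.md
+++ b/porch/controllers/rootsyncset/config/samples/README.md
@@ -0,0 +1,40 @@
+# Simple example
+
+This example adds a RootSync with name `simple` to two GKE clusters
+created with Config Connector.
+
+## Setup
+Create clusters with Config Connector using the following two manifests:
+```
+apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerCluster
+metadata:
+name: gke-one
+namespace: config-control
+spec:
+location: us-central1
+initialNodeCount: 1
+workloadIdentityConfig:
+workloadPool: ${PROJECT-ID}.svc.id.goog
+```
+
+```
+apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerCluster
+metadata:
+name: gke-two
+namespace: config-control
+spec:
+location: us-central1
+initialNodeCount: 1
+workloadIdentityConfig:
+workloadPool: ${PROJECT-ID}.svc.id.goog
+```
+
+Install Config Management through the Google Cloud console to make sure
+Config Sync is available in the cluster.
+
+Apply the `simple.yaml` manifest:
+```
+k apply -f simple.yaml
+```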
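--- a/porch/controllers/rootsyncset/config/samples/simple.yaml
+++ b/porch/controllers/rootsyncset/config/samples/simple.yaml
@@ -0,0 +1,37 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: config.porch.kpt.dev/v1alpha1
+kind: RootSyncSet
+metadata:
+name: simple
+namespace: default
+spec:
+clusterRefs:
+- apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerCluster
+name: gke-one
+namespace: config-control
+- apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerCluster
+name: gke-two
+namespace: config-control
+template:
+spec:
+sourceFormat: unstructured
+git:
+repo: https://github.com/mortent/csmr-examples.git
+branch: main
+dir: "multirepo/root"
+auth: none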
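Review bot: The sample's RootSync template points the target clusters' root sync at a personal GitHub repository (`repo: https://github.com/mortent/csmr-examples.git`) with `auth: none` and a moving `branch: main`, so anyone who applies it as-is hands cluster configuration on both clusters over to whatever is pushed to that branch. That is probably acceptable for a sample, but the file should say so: add a comment above `git:` such as `# Sample only: point this at a repository you control and pin a revision before using it outside a throwaway project.`, and consider pinning a `revision:` if the RootSync git spec supports one (not visible here).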
Expand Up @@ -43,7 +43,6 @@ import (
var (
rootSyncNamespace = "config-management-system"
rootSyncApiVersion = "configsync.gke.io/v1beta1"
rootSyncName = "root-sync"
rootSyncKind = "RootSync"
)

Expand All @@ -58,6 +57,11 @@ type RootSyncSetReconciler struct {
//+kubebuilder:rbac:groups=config.porch.kpt.dev,resources=rootsyncsets,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=config.porch.kpt.dev,resources=rootsyncsets/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=config.porch.kpt.dev,resources=rootsyncsets/finalizers,verbs=update
//+kubebuilder:rbac:groups=configcontroller.cnrm.cloud.google.com,resources=configcontrollerinstances,verbs=get;list
//+kubebuilder:rbac:groups=container.cnrm.cloud.google.com,resources=containerclusters,verbs=get;list;watch
//+kubebuilder:rbac:groups=core.cnrm.cloud.google.com,resources=configconnectorcontexts,verbs=get;list;watch
//+kubebuilder:rbac:groups=hub.gke.io,resources=memberships,verbs=get;list;watch
//+kubebuilder:rbac:groups=,resources=serviceaccounts/token,verbs=create

// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
Expand Down Expand Up @@ -121,11 +125,11 @@ func (r *RootSyncSetReconciler) Reconcile(ctx context.Context, req ctrl.Request)
patchErrs = append(patchErrs, fmt.Errorf("failed to encode root sync to JSON: %w", err))
continue
}
rs, err := client.Resource(rootSyncRes).Namespace(rootSyncNamespace).Patch(ctx, rootSyncName, types.ApplyPatchType, data, metav1.PatchOptions{FieldManager: req.Name})
rs, err := client.Resource(rootSyncRes).Namespace(rootSyncNamespace).Patch(ctx, req.Name, types.ApplyPatchType, data, metav1.PatchOptions{FieldManager: req.Name})
if err != nil {
patchErrs = append(patchErrs, fmt.Errorf("failed to patch RootSync %s in cluster %s: %w", rootSyncNamespace+"/"+rootSyncName, clusterRefName, err))
patchErrs = append(patchErrs, fmt.Errorf("failed to patch RootSync %s in cluster %s: %w", rootSyncNamespace+"/"+req.Name, clusterRefName, err))
} else {
klog.Infof("Create/Update resource %s as %v", rootSyncName, rs)
klog.Infof("Create/Update resource %s as %v", req.Name, rs)
}
}
if len(patchErrs) != 0 {
Expand All @@ -147,7 +151,7 @@ func BuildObjectsToApply(rootsyncset *v1alpha1.RootSyncSet) (schema.GroupVersion
newRootSync, err := runtime.DefaultUnstructuredConverter.ToUnstructured(rootsyncset.Spec.Template)
newRootSync["apiVersion"] = rootSyncApiVersion
newRootSync["kind"] = rootSyncKind
newRootSync["metadata"] = map[string]string{"name": rootSyncName,
newRootSync["metadata"] = map[string]string{"name": rootsyncset.Name,
"namespace": rootSyncNamespace}
fmt.Printf("rootsync looks like %v", newRootSync)
if err != nil {
Expand Down Expand Up @@ -176,14 +180,14 @@ func (r *RootSyncSetReconciler) deleteExternalResources(ctx context.Context, roo
deleteErrs = append(deleteErrs, fmt.Errorf("failed to get client when delete resource: %w", err))
continue
}
klog.Infof("deleting external resource %s ...", rootSyncName)
klog.Infof("deleting external resource %s ...", rootsyncset.Name)
gv, err := schema.ParseGroupVersion(rootSyncApiVersion)
if err != nil {
deleteErrs = append(deleteErrs, fmt.Errorf("failed to parse group version when deleting external resrouces: %w", err))
continue
}
rootSyncRes := schema.GroupVersionResource{Group: gv.Group, Version: gv.Version, Resource: "rootsyncs"}
err = myClient.Resource(rootSyncRes).Namespace("config-management-system").Delete(ctx, rootSyncName, metav1.DeleteOptions{})
err = myClient.Resource(rootSyncRes).Namespace("config-management-system").Delete(ctx, rootsyncset.Name, metav1.DeleteOptions{})
if err != nil && !apierrors.IsNotFound(err) {
deleteErrs = append(deleteErrs, fmt.Errorf("failed to delete external resource : %w", err))
}
Expand All @@ -194,7 +198,7 @@ func (r *RootSyncSetReconciler) deleteExternalResources(ctx context.Context, roo
}
return deleteErrs[0]
}
klog.Infof("external resource %s delete Done!", rootSyncName)
klog.Infof("external resource %s delete Done!", rootsyncset.Name)
return nil
}

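Review bot: The RootSync name on the new side — `Patch(ctx, req.Name, ...)` in Reconcile, `"name": rootsyncset.Name` in BuildObjectsToApply, and `Delete(ctx, rootsyncset.Name, ...)` in deleteExternalResources — is the RootSyncSet's name only, but RootSyncSet is namespaced (the sample lives in `default`), so two RootSyncSets with the same name in different namespaces both manage `config-management-system/<name>` in the target cluster, and because both apply with `FieldManager: req.Name` the second one silently takes ownership of the first one's `git.repo` rather than hitting a server-side-apply conflict, and deleting either one removes the other's RootSync. In effect anyone who can create a RootSyncSet in any namespace can re-point a RootSync that another namespace's RootSyncSet owns. Derive the remote name and the manager from the namespaced name at all three sites, e.g. `name := req.Namespace + "-" + req.Name` with `FieldManager: req.NamespacedName.String()` (and the same from `rootsyncset.Namespace`/`rootsyncset.Name` in the two helpers), so at minimum a cross-namespace overwrite surfaces as a conflict instead of a silent hijack. Separately, the kubebuilder marker for `configcontrollerinstances` grants `get;list` while the rule added to 9-controllers.yaml grants `get, list, watch`, so the generated RBAC and the hand-written manifest have already drifted. Reconcile, BuildObjectsToApply and deleteExternalResources all begin and end outside the hunks shown.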
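--- a/porch/deployments/porch/9-controllers.yaml
+++ b/porch/deployments/porch/9-controllers.yaml
@@ -92,6 +92,21 @@ rules:
 - apiGroups: ["config.porch.kpt.dev"]
 resources: ["workloadidentitybindings/finalizers"]
 verbs: ["update"]
+- apiGroups: ["configcontroller.cnrm.cloud.google.com"]
+resources: ["configcontrollerinstances"]
+verbs: ["get", "list", "watch"]
+- apiGroups: ["container.cnrm.cloud.google.com"]
+resources: ["containerclusters"]
+verbs: ["get", "list", "watch"]
+- apiGroups: ["core.cnrm.cloud.google.com"]
+resources: ["configconnectorcontexts"]
+verbs: ["get", "list", "watch"]
+- apiGroups: ["hub.gke.io"]
+resources: ["memberships"]
+verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+resources: ["serviceaccounts/token"]
+verbs: ["create"]
 
 ---
 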
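Review bot: The new `serviceaccounts/token` rule with `verbs: ["create"]` carries no `resourceNames`, so if this `rules:` list belongs to a ClusterRole (the object's kind is above the hunk) the controller can request a TokenRequest token for any service account in any namespace, which is equivalent to impersonating every identity in the cluster, including any bound to cluster-admin. That is the single permission an attacker who compromises the controller pod would most want, and it goes well beyond the read-only `get/list/watch` rules added alongside it. Scope it to the service account(s) the controller actually uses for workload identity, e.g. `resourceNames: ["<workload-identity-sa>"]` in a namespaced Role plus RoleBinding in that namespace, and add a comment above the rule stating why it is needed (`# TokenRequest for the workload-identity service account used to reach member clusters`). The same unscoped grant is mirrored in the controller's kubebuilder RBAC marker, so both places need the restriction.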

