feat(teamrolebindings): teamrbac supports single users #927
Conversation
github-actions
bot
added
feature
core-apis
helm-charts
documentation
gciezkowski-acc
changed the title
gciezkowski-acc
force-pushed
the
feat/920_teamrbac_supports_single_users
branch
from
00cc0ac to
d24741b
Compare
gciezkowski-acc
requested review from
IvoGoman,
uwe-mayer and
abhijith-darshan
| @@ -17,13 +17,18 @@ type TeamRoleBindingSpec struct { | |||
| TeamRoleRef string `json:"teamRoleRef,omitempty"` | |||
| // TeamRef references a Greenhouse Team by name | |||
| TeamRef string `json:"teamRef,omitempty"` | |||
| // Usernames define list of users with team role | |||
There was a problem hiding this comment.
| // Usernames define list of users with team role | |
| // Usernames defines list of users to add to the (Cluster-)RoleBindings |
| for _, nampespaceName := range teamRoleBinding.Spec.Namespaces { | ||
| namespace := new(corev1.Namespace) | ||
| err := r.Client.Get(ctx, types.NamespacedName{Name: nampespaceName}, namespace) | ||
| if err == nil { | ||
| continue | ||
| } | ||
| if apierrors.IsNotFound(err) { | ||
| err := r.Client.Create(ctx, &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: nampespaceName}}) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| } else { | ||
| return err | ||
| } | ||
| } | ||
|
|
||
| return nil |
There was a problem hiding this comment.
This creates the namespaces on the Greenhouse cluster. The namespaces should be created on the remote cluster.
It should return a not found error here, when trying to create a RoleBinding in a Namespace that does not exist. It should be fine to create the namespace if there is a NotFound error and then return the original error.
This way the controller will try again and now the namespace exists. This way there is no need for an additional retry logic.
| By("checking that the Namespace is created") | ||
| namespace := &corev1.Namespace{} | ||
| Eventually(func(g Gomega) { | ||
| err := test.K8sClient.Get(test.Ctx, types.NamespacedName{Name: "non-existing-namespace"}, namespace) |
There was a problem hiding this comment.
The used client is for the greenhouse cluster, this test should verify that the namespace was created on the remote cluster.
| } | ||
| } | ||
|
|
||
| func joinUsernamesWithDefault(usernames []string, mappedIDPGroup string) []rbacv1.Subject { |
There was a problem hiding this comment.
| func joinUsernamesWithDefault(usernames []string, mappedIDPGroup string) []rbacv1.Subject { | |
| // generateSubjects returns a list of subjects with mappedIDPGroup as a rbacv1.GroupKind, and any usernames as rbacv1.UserKind | |
| func generateSubjects(usernames []string, mappedIDPGroup string) []rbacv1.Subject { |
gciezkowski-acc
force-pushed
the
feat/920_teamrbac_supports_single_users
branch
from
c0b8307 to
5018f56
Compare
gciezkowski-acc
force-pushed
the
feat/920_teamrbac_supports_single_users
branch
3 times, most recently
from
34ddcfb to
80657c3
Compare
|
|
||
| err = createNamespaces(ctx, trb, cl) |
There was a problem hiding this comment.
The reconcileClusterRoleBinding is called only when there are no namespaces set on the ClusterRoleBindings. The ClusterRoleBindings that are created by this method are cluster scoped resources. It will never be the case that the namespace of the TeamRoleBinding will be filled.
There was a problem hiding this comment.
This logic will also not work, as the namespace needs to be created before the rolebinding can be created.
It would require something like
if err != nil{
if apierrors.IsNotFound(err){
// create the namespace for the RoleBinding that is currently reconciled
}
return err
}
gciezkowski-acc
force-pushed
the
feat/920_teamrbac_supports_single_users
branch
2 times, most recently
from
1d9011b to
16e5449
Compare
| err = createNamespaces(ctx, trb, remoteRestClient) | ||
| if err != nil { | ||
| trb.SetPropagationStatus(cluster.GetName(), metav1.ConditionFalse, greenhousev1alpha1.CreateNamespacesFailed, "Failed to create namespaces: "+err.Error()) | ||
| continue | ||
| } |
There was a problem hiding this comment.
This will try to create the namespaces on every reconciliation of the TeamRoleBinding. This will result in at least one get request per namespace.
Please move the creation of the individual namespaces into this part of the creation of the rolebinding on the remote cluster
greenhouse/pkg/controllers/teamrbac/teamrolebinding_controller.go
Lines 568 to 570 in 2827d24
The create of a RoleBinding will fail with an NotFound error if the namespace does not exists.
That error can be caught as previously suggested with apierrors.IsNotFound(..).
In case it is such an error the namespace can be created. It should still return an error so that the TeamRoleBinding is reconciled once more. In the second reconciliation the create should succeed since the namespace was created.
something like
if err != nil{
if apierrors.IsNotFound(err){
// create the namespace for the RoleBinding that is currently reconciled
}
return err
}
gciezkowski-acc
force-pushed
the
feat/920_teamrbac_supports_single_users
branch
from
16e5449 to
5a25362
Compare
Description
What type of PR is this? (check all applicable)
Related Tickets & Documents
Added tests?
Added to documentation?
Checklist