resources: reconcile openshift elems by smbshare

When deploying over OpenShift cluster, samba-operator should deploy the SeviceAccount, Role and RoleBinding which link the SmbShare pod to samba-SCC within the namespace of the SmbShare itself (unlike previous code, which deploy them once with the namespace of the operator). In addition, starting of OpenShift 4.12 certain annotations needs to be associated with the namespace on which the SmbShare pod runs in order to elevate its privileges. The patch is a refactoring to the existing code. The creation of the relevant objects is done from within the reconcile loop of the SmbShare itself. It assumes that the user already deployed a well known SCC with the name 'samba' on the cluster. Signed-off-by: Shachar Sharon <[email protected]>
phlogistonjohn · Mar 23, 2023 · 70df8a1 · 70df8a1
1 parent 5903b74
commit 70df8a1
Show file tree

Hide file tree

Showing 6 changed files with 198 additions and 222 deletions.
diff --git a/controllers/smbcommonconfig_controller.go b/controllers/smbcommonconfig_controller.go
@@ -24,15 +24,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	sambaoperatorv1alpha1 "github.com/samba-in-kubernetes/samba-operator/api/v1alpha1"
-	"github.com/samba-in-kubernetes/samba-operator/internal/conf"
-	"github.com/samba-in-kubernetes/samba-operator/internal/resources"
 )
 
 // SmbCommonConfigReconciler reconciles a SmbCommonConfig object
 type SmbCommonConfigReconciler struct {
 	client.Client
-	Log         logr.Logger
-	ClusterType string
+	Log logr.Logger
 }
 
 //revive:disable kubebuilder directives
@@ -43,43 +40,18 @@ type SmbCommonConfigReconciler struct {
 // +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=pods;endpoints;services;namespaces,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;delete
-// +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=get;list;use
-// +kubebuilder:rbac:groups=security.openshift.io,resourceNames=samba,resources=securitycontextconstraints,verbs=get;list;create;update
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update
 // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors;prometheusrules,verbs=get;list;watch;create;update
 
 //revive:enable
 
 // Reconcile SmbCommonConfig resources.
 func (r *SmbCommonConfigReconciler) Reconcile(
-	ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	_ context.Context, req ctrl.Request) (ctrl.Result, error) {
 	// ---
 	log := r.Log.WithValues("smbcommonconfig", req.NamespacedName)
-
-	// Process OpenShift logic in one of two states:
-	// 1) Unknown cluster type due to first-time reconcile
-	// 2) Known to be running over OpenShift by in-memory cached state from
-	//    previous reconcile loop.
-	if r.ClusterType != "" && r.ClusterType != conf.ClusterTypeOpenShift {
-		return ctrl.Result{}, nil
-	}
-
-	mgr := resources.NewOpenShiftManager(r.Client, log, conf.Get())
-	res := mgr.Process(ctx, req.NamespacedName)
-	err := res.Err()
-	if res.Requeue() {
-		return ctrl.Result{Requeue: true}, err
-	}
-
-	// Cache in-memory cluster-type to avoid extra network round-trips in next
-	// reconcile phase.
-	if r.ClusterType == "" {
-		r.Log.Info("Saving discovered cluster type",
-			"ClusterType", mgr.ClusterType)
-		r.ClusterType = mgr.ClusterType
-	}
-
-	return ctrl.Result{}, err
+	log.Info("Reconcile SmbCommonConfig")
+	return ctrl.Result{}, nil
 }
 
 // SetupWithManager sets up resource management.

diff --git a/controllers/smbshare_controller.go b/controllers/smbshare_controller.go
@@ -52,6 +52,9 @@ type SmbShareReconciler struct {
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;delete
+// +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=get;list;use
+// +kubebuilder:rbac:groups=security.openshift.io,resourceNames=samba,resources=securitycontextconstraints,verbs=get;list;create;update
+// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors;prometheusrules,verbs=get;list;watch;create;update
 
 //revive:enable
 

diff --git a/internal/resources/deployments.go b/internal/resources/deployments.go
@@ -42,6 +42,9 @@ func buildDeployment(cfg *conf.OperatorConfig,
 			Name:      planner.InstanceName(),
 			Namespace: ns,
 			Labels:    labels,
+			Annotations: map[string]string{
+				"openshift.io/scc": sambaSccName,
+			},
 		},
 		Spec: appsv1.DeploymentSpec{
 			Replicas: &size,
@@ -91,6 +94,7 @@ func annotationsForSmbPod(cfg *conf.OperatorConfig) map[string]string {
 	annotations := map[string]string{
 		"kubectl.kubernetes.io/default-logs-container": name,
 		"kubectl.kubernetes.io/default-container":      name,
+		"openshift.io/scc":                             sambaSccName,
 	}
 	if withMetricsExporter(cfg) {
 		for k, v := range annotationsForSmbMetricsPod() {