Skip to content

Commit 8f6c902

Browse files
Jayendra Parsaijgwest
Jayendra Parsai
authored and
jgwest
committed
fix: delete existing RBAC resources while switching scope of Rollouts
Signed-off-by: Jayendra Parsai <[email protected]>
1 parent fc2d5cc commit 8f6c902

File tree

2 files changed

+137
-1
lines changed

2 files changed

+137
-1
lines changed

controllers/resources.go

Lines changed: 31 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,14 @@ func (r *RolloutManagerReconciler) reconcileRolloutsRole(ctx context.Context, cr
5252

5353
expectedPolicyRules := GetPolicyRules()
5454

55+
// Delete existing ClusterRole
56+
liveClusterRole := &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName}}
57+
if err := fetchObject(ctx, r.Client, "", liveClusterRole.Name, liveClusterRole); err == nil {
58+
if err := r.Client.Delete(ctx, liveClusterRole); err != nil {
59+
return nil, fmt.Errorf("failed to delete existing ClusterRole %s: %w", liveClusterRole.Name, err)
60+
}
61+
}
62+
5563
role := &rbacv1.Role{
5664
ObjectMeta: metav1.ObjectMeta{
5765
Name: DefaultArgoRolloutsResourceName,
@@ -89,6 +97,13 @@ func (r *RolloutManagerReconciler) reconcileRolloutsClusterRole(ctx context.Cont
8997

9098
expectedPolicyRules := GetPolicyRules()
9199

100+
// Delete existing Role
101+
liveRole := &rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName, Namespace: cr.Namespace}}
102+
if err := fetchObject(ctx, r.Client, cr.Namespace, liveRole.Name, liveRole); err == nil {
103+
if err := r.Client.Delete(ctx, liveRole); err != nil {
104+
return nil, fmt.Errorf("failed to delete existing Role %s for Namespace %s: %w", liveRole.Name, liveRole.Namespace, err)
105+
}
106+
}
92107
clusterRole := &rbacv1.ClusterRole{
93108
ObjectMeta: metav1.ObjectMeta{
94109
Name: DefaultArgoRolloutsResourceName,
@@ -100,7 +115,6 @@ func (r *RolloutManagerReconciler) reconcileRolloutsClusterRole(ctx context.Cont
100115
if !apierrors.IsNotFound(err) {
101116
return nil, fmt.Errorf("failed to Reconcile the ClusterRole for the ServiceAccount associated with %s: %w", clusterRole.Name, err)
102117
}
103-
104118
log.Info(fmt.Sprintf("Creating ClusterRole %s", clusterRole.Name))
105119
clusterRole.Rules = expectedPolicyRules
106120
return clusterRole, r.Client.Create(ctx, clusterRole)
@@ -119,6 +133,14 @@ func (r *RolloutManagerReconciler) reconcileRolloutsClusterRole(ctx context.Cont
119133
// Reconcile Rollouts RoleBinding.
120134
func (r *RolloutManagerReconciler) reconcileRolloutsRoleBinding(ctx context.Context, cr rolloutsmanagerv1alpha1.RolloutManager, role *rbacv1.Role, sa *corev1.ServiceAccount) error {
121135

136+
// Delete existing ClusterRoleBinding
137+
liveClusterRoleBinding := &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName}}
138+
if err := fetchObject(ctx, r.Client, "", liveClusterRoleBinding.Name, liveClusterRoleBinding); err == nil {
139+
if err := r.Client.Delete(ctx, liveClusterRoleBinding); err != nil {
140+
return fmt.Errorf("failed to delete existing ClusterRoleBinding %s: %w", liveClusterRoleBinding.Name, err)
141+
}
142+
}
143+
122144
if role == nil {
123145
return fmt.Errorf("received Role is nil while reconciling RoleBinding")
124146
}
@@ -180,6 +202,14 @@ func (r *RolloutManagerReconciler) reconcileRolloutsRoleBinding(ctx context.Cont
180202
// Reconcile Rollouts ClusterRoleBinding.
181203
func (r *RolloutManagerReconciler) reconcileRolloutsClusterRoleBinding(ctx context.Context, clusterRole *rbacv1.ClusterRole, sa *corev1.ServiceAccount, cr rolloutsmanagerv1alpha1.RolloutManager) error {
182204

205+
// Delete existing RoleBinding
206+
liveRoleBinding := &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName, Namespace: cr.Namespace}}
207+
if err := fetchObject(ctx, r.Client, cr.Namespace, liveRoleBinding.Name, liveRoleBinding); err == nil {
208+
if err := r.Client.Delete(ctx, liveRoleBinding); err != nil {
209+
return fmt.Errorf("failed to delete existing RoleBinding %s for Namespace %s: %w", liveRoleBinding.Name, liveRoleBinding.Namespace, err)
210+
}
211+
}
212+
183213
if clusterRole == nil {
184214
return fmt.Errorf("received ClusterRole is nil while reconciling ClusterRoleBinding")
185215
}

controllers/resources_test.go

Lines changed: 106 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -418,6 +418,112 @@ var _ = Describe("Resource creation and cleanup tests", func() {
418418
})
419419
})
420420

421+
Context("Verify correct RBAC permissions are assigned while switching between namespace and cluster scoped Rollouts", func() {
422+
var (
423+
ctx context.Context
424+
a v1alpha1.RolloutManager
425+
r *RolloutManagerReconciler
426+
)
427+
428+
BeforeEach(func() {
429+
ctx = context.Background()
430+
a = *makeTestRolloutManager()
431+
r = makeTestReconciler(&a)
432+
err := createNamespace(r, a.Namespace)
433+
Expect(err).ToNot(HaveOccurred())
434+
})
435+
436+
It("Should delete existing Role when ClusterRole is reconciled", func() {
437+
By("Reconcile Role.")
438+
role, err := r.reconcileRolloutsRole(ctx, a)
439+
Expect(err).ToNot(HaveOccurred())
440+
441+
By("Verify Role is created")
442+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(role), role)).To(Succeed())
443+
444+
By("Reconcile ClusterRole")
445+
clusterRole, err := r.reconcileRolloutsClusterRole(ctx, a)
446+
Expect(err).ToNot(HaveOccurred())
447+
448+
By("Verify ClusterRole is created")
449+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).To(Succeed())
450+
451+
By("Verify existing Role is deleted")
452+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(role), role)).To(HaveOccurred())
453+
})
454+
455+
It("Should delete existing ClusterRole when Role is reconciled", func() {
456+
457+
By("Reconcile ClusterRole")
458+
clusterRole, err := r.reconcileRolloutsClusterRole(ctx, a)
459+
Expect(err).ToNot(HaveOccurred())
460+
461+
By("Verify ClusterRole is created")
462+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).To(Succeed())
463+
464+
By("Reconcile Role.")
465+
role, err := r.reconcileRolloutsRole(ctx, a)
466+
Expect(err).ToNot(HaveOccurred())
467+
468+
By("Verify Role is created")
469+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(role), role)).To(Succeed())
470+
471+
By("Verify existing ClusterRole is deleted")
472+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).To(HaveOccurred())
473+
})
474+
475+
It("Should delete existing RoleBinding when ClusterRoleBinding is reconciled", func() {
476+
477+
By("Reconcile RoleBinding")
478+
sa, err := r.reconcileRolloutsServiceAccount(ctx, a)
479+
Expect(err).ToNot(HaveOccurred())
480+
role, err := r.reconcileRolloutsRole(ctx, a)
481+
Expect(err).ToNot(HaveOccurred())
482+
Expect(r.reconcileRolloutsRoleBinding(ctx, a, role, sa)).To(Succeed())
483+
484+
By("Verify RoleBinding is created")
485+
roleBinding := &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName, Namespace: a.Namespace}}
486+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(roleBinding), roleBinding)).To(Succeed())
487+
488+
By("Reconcile ClusterRoleBinding")
489+
clusterRole, err := r.reconcileRolloutsClusterRole(ctx, a)
490+
Expect(err).ToNot(HaveOccurred())
491+
Expect(r.reconcileRolloutsClusterRoleBinding(ctx, clusterRole, sa, a)).To(Succeed())
492+
493+
By("Verify ClusterRoleBinding is created")
494+
clusterRoleBinding := &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName}}
495+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRoleBinding), clusterRoleBinding)).To(Succeed())
496+
497+
By("Verify RoleBinding is deleted")
498+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(roleBinding), roleBinding)).To(HaveOccurred())
499+
})
500+
501+
It("Should delete existing ClusterRoleBinding when RoleBinding is reconciled", func() {
502+
503+
By("Reconcile ClusterRoleBinding")
504+
sa, err := r.reconcileRolloutsServiceAccount(ctx, a)
505+
Expect(err).ToNot(HaveOccurred())
506+
clusterRole, err := r.reconcileRolloutsClusterRole(ctx, a)
507+
Expect(err).ToNot(HaveOccurred())
508+
Expect(r.reconcileRolloutsClusterRoleBinding(ctx, clusterRole, sa, a)).To(Succeed())
509+
510+
By("Verify ClusterRoleBinding is created")
511+
clusterRoleBinding := &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName}}
512+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRoleBinding), clusterRoleBinding)).To(Succeed())
513+
514+
By("Reconcile RoleBinding")
515+
role, err := r.reconcileRolloutsRole(ctx, a)
516+
Expect(err).ToNot(HaveOccurred())
517+
Expect(r.reconcileRolloutsRoleBinding(ctx, a, role, sa)).To(Succeed())
518+
519+
By("Verify RoleBinding is created")
520+
roleBinding := &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName, Namespace: a.Namespace}}
521+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(roleBinding), roleBinding)).To(Succeed())
522+
523+
By("Verify ClusterRoleBinding is deleted")
524+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).To(HaveOccurred())
525+
})
526+
})
421527
})
422528

423529
func serviceMonitor() *monitoringv1.ServiceMonitor {

0 commit comments

Comments
 (0)