Skip to content

Commit acd04d8

Browse files
Jayendra Parsaijgwest
authored andcommitted
fix: delete existing RBAC resources while switching scope of Rollouts
Signed-off-by: Jayendra Parsai <[email protected]>
1 parent aea86d7 commit acd04d8

File tree

2 files changed

+139
-3
lines changed

2 files changed

+139
-3
lines changed

controllers/resources.go

Lines changed: 33 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -64,8 +64,16 @@ func (r *RolloutManagerReconciler) reconcileRolloutsServiceAccount(ctx context.C
6464

6565
// Reconciles Rollouts Role.
6666
func (r *RolloutManagerReconciler) reconcileRolloutsRole(ctx context.Context, cr rolloutsmanagerv1alpha1.RolloutManager) (*rbacv1.Role, error) {
67-
expectedPolicyRules := GetPolicyRules()
6867

68+
// Delete existing ClusterRole
69+
liveClusterRole := &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName}}
70+
if err := fetchObject(ctx, r.Client, "", liveClusterRole.Name, liveClusterRole); err == nil {
71+
if err := r.Client.Delete(ctx, liveClusterRole); err != nil {
72+
return nil, fmt.Errorf("failed to delete existing ClusterRole %s: %w", liveClusterRole.Name, err)
73+
}
74+
}
75+
76+
expectedPolicyRules := GetPolicyRules()
6977
expectedRole := &rbacv1.Role{
7078
ObjectMeta: metav1.ObjectMeta{
7179
Name: DefaultArgoRolloutsResourceName,
@@ -121,8 +129,15 @@ func (r *RolloutManagerReconciler) reconcileRolloutsRole(ctx context.Context, cr
121129

122130
// Reconciles Rollouts ClusterRole.
123131
func (r *RolloutManagerReconciler) reconcileRolloutsClusterRole(ctx context.Context, cr rolloutsmanagerv1alpha1.RolloutManager) (*rbacv1.ClusterRole, error) {
124-
expectedPolicyRules := GetPolicyRules()
125132

133+
// Delete existing Role
134+
liveRole := &rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName, Namespace: cr.Namespace}}
135+
if err := fetchObject(ctx, r.Client, cr.Namespace, liveRole.Name, liveRole); err == nil {
136+
if err := r.Client.Delete(ctx, liveRole); err != nil {
137+
return nil, fmt.Errorf("failed to delete existing Role %s for Namespace %s: %w", liveRole.Name, liveRole.Namespace, err)
138+
}
139+
}
140+
expectedPolicyRules := GetPolicyRules()
126141
expectedClusterRole := &rbacv1.ClusterRole{
127142
ObjectMeta: metav1.ObjectMeta{
128143
Name: DefaultArgoRolloutsResourceName,
@@ -134,7 +149,6 @@ func (r *RolloutManagerReconciler) reconcileRolloutsClusterRole(ctx context.Cont
134149
if !apierrors.IsNotFound(err) {
135150
return nil, fmt.Errorf("failed to Reconcile the ClusterRole for the ServiceAccount associated with %s: %w", liveClusterRole.Name, err)
136151
}
137-
138152
log.Info(fmt.Sprintf("Creating ClusterRole %s", liveClusterRole.Name))
139153
expectedClusterRole.Rules = expectedPolicyRules
140154
return expectedClusterRole, r.Client.Create(ctx, expectedClusterRole)
@@ -169,6 +183,14 @@ func (r *RolloutManagerReconciler) reconcileRolloutsClusterRole(ctx context.Cont
169183
// Reconcile Rollouts RoleBinding.
170184
func (r *RolloutManagerReconciler) reconcileRolloutsRoleBinding(ctx context.Context, cr rolloutsmanagerv1alpha1.RolloutManager, role *rbacv1.Role, sa *corev1.ServiceAccount) error {
171185

186+
// Delete existing ClusterRoleBinding
187+
liveClusterRoleBinding := &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName}}
188+
if err := fetchObject(ctx, r.Client, "", liveClusterRoleBinding.Name, liveClusterRoleBinding); err == nil {
189+
if err := r.Client.Delete(ctx, liveClusterRoleBinding); err != nil {
190+
return fmt.Errorf("failed to delete existing ClusterRoleBinding %s: %w", liveClusterRoleBinding.Name, err)
191+
}
192+
}
193+
172194
if role == nil {
173195
return fmt.Errorf("received Role is nil while reconciling RoleBinding")
174196
}
@@ -247,6 +269,14 @@ func (r *RolloutManagerReconciler) reconcileRolloutsRoleBinding(ctx context.Cont
247269
// Reconcile Rollouts ClusterRoleBinding.
248270
func (r *RolloutManagerReconciler) reconcileRolloutsClusterRoleBinding(ctx context.Context, clusterRole *rbacv1.ClusterRole, sa *corev1.ServiceAccount, cr rolloutsmanagerv1alpha1.RolloutManager) error {
249271

272+
// Delete existing RoleBinding
273+
liveRoleBinding := &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName, Namespace: cr.Namespace}}
274+
if err := fetchObject(ctx, r.Client, cr.Namespace, liveRoleBinding.Name, liveRoleBinding); err == nil {
275+
if err := r.Client.Delete(ctx, liveRoleBinding); err != nil {
276+
return fmt.Errorf("failed to delete existing RoleBinding %s for Namespace %s: %w", liveRoleBinding.Name, liveRoleBinding.Namespace, err)
277+
}
278+
}
279+
250280
if clusterRole == nil {
251281
return fmt.Errorf("received ClusterRole is nil while reconciling ClusterRoleBinding")
252282
}

controllers/resources_test.go

Lines changed: 106 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1110,6 +1110,112 @@ var _ = Describe("Resource creation and cleanup tests", func() {
11101110
})
11111111
})
11121112

1113+
Context("Verify correct RBAC permissions are assigned while switching between namespace and cluster scoped Rollouts", func() {
1114+
var (
1115+
ctx context.Context
1116+
a v1alpha1.RolloutManager
1117+
r *RolloutManagerReconciler
1118+
)
1119+
1120+
BeforeEach(func() {
1121+
ctx = context.Background()
1122+
a = *makeTestRolloutManager()
1123+
r = makeTestReconciler(&a)
1124+
err := createNamespace(r, a.Namespace)
1125+
Expect(err).ToNot(HaveOccurred())
1126+
})
1127+
1128+
It("Should delete existing Role when ClusterRole is reconciled", func() {
1129+
By("Reconcile Role.")
1130+
role, err := r.reconcileRolloutsRole(ctx, a)
1131+
Expect(err).ToNot(HaveOccurred())
1132+
1133+
By("Verify Role is created")
1134+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(role), role)).To(Succeed())
1135+
1136+
By("Reconcile ClusterRole")
1137+
clusterRole, err := r.reconcileRolloutsClusterRole(ctx, a)
1138+
Expect(err).ToNot(HaveOccurred())
1139+
1140+
By("Verify ClusterRole is created")
1141+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).To(Succeed())
1142+
1143+
By("Verify existing Role is deleted")
1144+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(role), role)).To(HaveOccurred())
1145+
})
1146+
1147+
It("Should delete existing ClusterRole when Role is reconciled", func() {
1148+
1149+
By("Reconcile ClusterRole")
1150+
clusterRole, err := r.reconcileRolloutsClusterRole(ctx, a)
1151+
Expect(err).ToNot(HaveOccurred())
1152+
1153+
By("Verify ClusterRole is created")
1154+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).To(Succeed())
1155+
1156+
By("Reconcile Role.")
1157+
role, err := r.reconcileRolloutsRole(ctx, a)
1158+
Expect(err).ToNot(HaveOccurred())
1159+
1160+
By("Verify Role is created")
1161+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(role), role)).To(Succeed())
1162+
1163+
By("Verify existing ClusterRole is deleted")
1164+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).To(HaveOccurred())
1165+
})
1166+
1167+
It("Should delete existing RoleBinding when ClusterRoleBinding is reconciled", func() {
1168+
1169+
By("Reconcile RoleBinding")
1170+
sa, err := r.reconcileRolloutsServiceAccount(ctx, a)
1171+
Expect(err).ToNot(HaveOccurred())
1172+
role, err := r.reconcileRolloutsRole(ctx, a)
1173+
Expect(err).ToNot(HaveOccurred())
1174+
Expect(r.reconcileRolloutsRoleBinding(ctx, a, role, sa)).To(Succeed())
1175+
1176+
By("Verify RoleBinding is created")
1177+
roleBinding := &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName, Namespace: a.Namespace}}
1178+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(roleBinding), roleBinding)).To(Succeed())
1179+
1180+
By("Reconcile ClusterRoleBinding")
1181+
clusterRole, err := r.reconcileRolloutsClusterRole(ctx, a)
1182+
Expect(err).ToNot(HaveOccurred())
1183+
Expect(r.reconcileRolloutsClusterRoleBinding(ctx, clusterRole, sa, a)).To(Succeed())
1184+
1185+
By("Verify ClusterRoleBinding is created")
1186+
clusterRoleBinding := &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName}}
1187+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRoleBinding), clusterRoleBinding)).To(Succeed())
1188+
1189+
By("Verify RoleBinding is deleted")
1190+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(roleBinding), roleBinding)).To(HaveOccurred())
1191+
})
1192+
1193+
It("Should delete existing ClusterRoleBinding when RoleBinding is reconciled", func() {
1194+
1195+
By("Reconcile ClusterRoleBinding")
1196+
sa, err := r.reconcileRolloutsServiceAccount(ctx, a)
1197+
Expect(err).ToNot(HaveOccurred())
1198+
clusterRole, err := r.reconcileRolloutsClusterRole(ctx, a)
1199+
Expect(err).ToNot(HaveOccurred())
1200+
Expect(r.reconcileRolloutsClusterRoleBinding(ctx, clusterRole, sa, a)).To(Succeed())
1201+
1202+
By("Verify ClusterRoleBinding is created")
1203+
clusterRoleBinding := &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName}}
1204+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRoleBinding), clusterRoleBinding)).To(Succeed())
1205+
1206+
By("Reconcile RoleBinding")
1207+
role, err := r.reconcileRolloutsRole(ctx, a)
1208+
Expect(err).ToNot(HaveOccurred())
1209+
Expect(r.reconcileRolloutsRoleBinding(ctx, a, role, sa)).To(Succeed())
1210+
1211+
By("Verify RoleBinding is created")
1212+
roleBinding := &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: DefaultArgoRolloutsResourceName, Namespace: a.Namespace}}
1213+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(roleBinding), roleBinding)).To(Succeed())
1214+
1215+
By("Verify ClusterRoleBinding is deleted")
1216+
Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).To(HaveOccurred())
1217+
})
1218+
})
11131219
})
11141220

11151221
func serviceMonitor() *monitoringv1.ServiceMonitor {

0 commit comments

Comments
 (0)