Replicating SyncTarget-related rbac objects

Signed-off-by: David Festal <[email protected]>

Author: davidfestal

pkg/reconciler/workload/replicateclusterrole/replicateclusterrole_controller.go

@@ -0,0 +1,65 @@
+/*
+Copyright 2023 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package replicateclusterrole
+
+import (
+	kcprbacinformers "github.com/kcp-dev/client-go/informers/rbac/v1"
+	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
+	"github.com/kcp-dev/logicalcluster/v3"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/kube-openapi/pkg/util/sets"
+
+	"github.com/kcp-dev/kcp/pkg/reconciler/cache/labelclusterroles"
+	"github.com/kcp-dev/kcp/sdk/apis/workload"
+)
+
+const (
+	ControllerName = "kcp-workloads-replicate-clusterrole"
+)
+
+// NewController returns a new controller for labelling ClusterRole that should be replicated.
+func NewController(
+	kubeClusterClient kcpkubernetesclientset.ClusterInterface,
+	clusterRoleInformer kcprbacinformers.ClusterRoleClusterInformer,
+	clusterRoleBindingInformer kcprbacinformers.ClusterRoleBindingClusterInformer,
+) labelclusterroles.Controller {
+	return labelclusterroles.NewController(
+		ControllerName,
+		workload.GroupName,
+		HasSyncRule,
+		func(clusterName logicalcluster.Name, crb *rbacv1.ClusterRoleBinding) bool { return false },
+		kubeClusterClient,
+		clusterRoleInformer,
+		clusterRoleBindingInformer,
+	)
+}
+
+func HasSyncRule(clusterName logicalcluster.Name, cr *rbacv1.ClusterRole) bool {
+	for _, rule := range cr.Rules {
+		apiGroups := sets.NewString(rule.APIGroups...)
+		if !apiGroups.Has(workload.GroupName) {
+			continue
+		}
+		resources := sets.NewString(rule.Resources...)
+		verbs := sets.NewString(rule.Verbs...)
+		if resources.Has("synctargets") && verbs.Has("sync") && len(rule.ResourceNames) == 1 {
+			return true
+		}
+	}
+	return false
+}

pkg/reconciler/workload/replicateclusterrolebinding/replicateclusterrolebinding_controller.go

@@ -0,0 +1,50 @@
+/*
+Copyright 2023 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package replicateclusterrolebinding
+
+import (
+	kcprbacinformers "github.com/kcp-dev/client-go/informers/rbac/v1"
+	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
+	"github.com/kcp-dev/logicalcluster/v3"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+
+	"github.com/kcp-dev/kcp/pkg/reconciler/cache/labelclusterrolebindings"
+	"github.com/kcp-dev/kcp/pkg/reconciler/workload/replicateclusterrole"
+	"github.com/kcp-dev/kcp/sdk/apis/workload"
+)
+
+const (
+	ControllerName = "kcp-workloads-replicate-clusterrolebinding"
+)
+
+// NewController returns a new controller for labelling ClusterRoleBinding that should be replicated.
+func NewController(
+	kubeClusterClient kcpkubernetesclientset.ClusterInterface,
+	clusterRoleBindingInformer kcprbacinformers.ClusterRoleBindingClusterInformer,
+	clusterRoleInformer kcprbacinformers.ClusterRoleClusterInformer,
+) labelclusterrolebindings.Controller {
+	return labelclusterrolebindings.NewController(
+		ControllerName,
+		workload.GroupName,
+		replicateclusterrole.HasSyncRule,
+		func(clusterName logicalcluster.Name, crb *rbacv1.ClusterRoleBinding) bool { return false },
+		kubeClusterClient,
+		clusterRoleBindingInformer,
+		clusterRoleInformer,
+	)
+}

tmc/pkg/server/controllers.go

@@ -37,6 +37,8 @@ import (
 	"github.com/kcp-dev/kcp/pkg/reconciler/workload/heartbeat"
 	workloadnamespace "github.com/kcp-dev/kcp/pkg/reconciler/workload/namespace"
 	workloadplacement "github.com/kcp-dev/kcp/pkg/reconciler/workload/placement"
+	workloadreplicateclusterrole "github.com/kcp-dev/kcp/pkg/reconciler/workload/replicateclusterrole"
+	workloadreplicateclusterrolebinding "github.com/kcp-dev/kcp/pkg/reconciler/workload/replicateclusterrolebinding"
 	workloadresource "github.com/kcp-dev/kcp/pkg/reconciler/workload/resource"
 	synctargetcontroller "github.com/kcp-dev/kcp/pkg/reconciler/workload/synctarget"
 	"github.com/kcp-dev/kcp/pkg/reconciler/workload/synctargetexports"
@@ -403,3 +405,57 @@ func (s *Server) installSyncTargetController(ctx context.Context, config *rest.C
 		return nil
 	})
 }
+
+func (s *Server) installWorkloadReplicateClusterRoleControllers(ctx context.Context, config *rest.Config) error {
+	config = rest.CopyConfig(config)
+	config = rest.AddUserAgent(config, workloadreplicateclusterrole.ControllerName)
+	kubeClusterClient, err := kcpkubernetesclientset.NewForConfig(config)
+	if err != nil {
+		return err
+	}
+
+	c := workloadreplicateclusterrole.NewController(
+		kubeClusterClient,
+		s.Core.KubeSharedInformerFactory.Rbac().V1().ClusterRoles(),
+		s.Core.KubeSharedInformerFactory.Rbac().V1().ClusterRoleBindings(),
+	)
+
+	return s.Core.AddPostStartHook(postStartHookName(workloadreplicateclusterrole.ControllerName), func(hookContext genericapiserver.PostStartHookContext) error {
+		logger := klog.FromContext(ctx).WithValues("postStartHook", postStartHookName(workloadreplicateclusterrole.ControllerName))
+		if err := s.Core.WaitForSync(hookContext.StopCh); err != nil {
+			logger.Error(err, "failed to finish post-start-hook")
+			return nil // don't klog.Fatal. This only happens when context is cancelled.
+		}
+
+		go c.Start(goContext(hookContext), 2)
+
+		return nil
+	})
+}
+
+func (s *Server) installWorkloadReplicateClusterRoleBindingControllers(ctx context.Context, config *rest.Config) error {
+	config = rest.CopyConfig(config)
+	config = rest.AddUserAgent(config, workloadreplicateclusterrolebinding.ControllerName)
+	kubeClusterClient, err := kcpkubernetesclientset.NewForConfig(config)
+	if err != nil {
+		return err
+	}
+
+	c := workloadreplicateclusterrolebinding.NewController(
+		kubeClusterClient,
+		s.Core.KubeSharedInformerFactory.Rbac().V1().ClusterRoleBindings(),
+		s.Core.KubeSharedInformerFactory.Rbac().V1().ClusterRoles(),
+	)
+
+	return s.Core.AddPostStartHook(postStartHookName(workloadreplicateclusterrolebinding.ControllerName), func(hookContext genericapiserver.PostStartHookContext) error {
+		logger := klog.FromContext(ctx).WithValues("postStartHook", postStartHookName(workloadreplicateclusterrolebinding.ControllerName))
+		if err := s.Core.WaitForSync(hookContext.StopCh); err != nil {
+			logger.Error(err, "failed to finish post-start-hook")
+			return nil // don't klog.Fatal. This only happens when context is cancelled.
+		}
+
+		go c.Start(goContext(hookContext), 2)
+
+		return nil
+	})
+}

tmc/pkg/server/server.go

@@ -102,6 +102,14 @@ func (s *Server) Run(ctx context.Context) error {
 		if err := s.installWorkloadsSyncTargetExportController(ctx, controllerConfig); err != nil {
 			return err
 		}
+
+		if err := s.installWorkloadReplicateClusterRoleControllers(ctx, controllerConfig); err != nil {
+			return err
+		}
+
+		if err := s.installWorkloadReplicateClusterRoleBindingControllers(ctx, controllerConfig); err != nil {
+			return err
+		}
 	}
 
 	if s.Options.Core.Controllers.EnableAll || enabled.Has("resource-scheduler") {