Adjust Node viewing ClusterRole in E2E-on-OCP workflow (#313)

* Adjust Node viewing ClusterRole in E2E-on-OCP workflow

Modify the GHA workflow that does E2E test in our shared OpenShift
cluster so that the name of the ClusterRole includes
`$FMA_RELEASE_NAME`, which in turn includes the workflow run ID.

Document solution for reading Node objects

Also a bit of tidying up from other recent cluster-sharing PRs.

Signed-off-by: Mike Spreitzer <[email protected]>

* Added clarification about ClusterRole name

Signed-off-by: Mike Spreitzer <[email protected]>

---------

Signed-off-by: Mike Spreitzer <[email protected]>

Author: MikeSpreitzer

.github/workflows/ci-e2e-openshift.yaml

@@ -395,8 +395,8 @@ jobs:
 
           # Clean up cluster-scoped resources from previous runs
           echo "Cleaning up cluster-scoped resources..."
-          kubectl delete clusterrolebinding -l app.kubernetes.io/name=fma-controllers --ignore-not-found 2>/dev/null || true
-          kubectl delete clusterrole fma-node-viewer --ignore-not-found || true
+          kubectl delete clusterrole        "${FMA_RELEASE_NAME}-node-view" --ignore-not-found || true
+          kubectl delete clusterrolebinding "${FMA_RELEASE_NAME}-node-view" --ignore-not-found || true
 
           echo "Cleanup complete"
 
@@ -462,8 +462,8 @@ jobs:
 
       - name: Create node-viewer ClusterRole
         run: |
-          echo "Creating node-viewer ClusterRole..."
-          kubectl create clusterrole fma-node-viewer --verb=get,list,watch --resource=nodes
+          echo "Creating ClusterRole ${FMA_RELEASE_NAME}-node-view..."
+          kubectl create clusterrole ${FMA_RELEASE_NAME}-node-view --verb=get,list,watch --resource=nodes
           echo "ClusterRole created"
 
       - name: Detect ValidatingAdmissionPolicy support
@@ -499,7 +499,7 @@ jobs:
             -n "$FMA_NAMESPACE" \
             --set global.imageRegistry="${CONTROLLER_IMAGE%/dual-pods-controller:*}" \
             --set global.imageTag="${CONTROLLER_IMAGE##*:}" \
-            --set global.nodeViewClusterRole=fma-node-viewer \
+            --set global.nodeViewClusterRole=${FMA_RELEASE_NAME}-node-view \
             --set dualPodsController.sleeperLimit=2 \
             --set global.local=false \
             --set dualPodsController.debugAcceleratorMemory=false \
@@ -916,14 +916,9 @@ jobs:
           kubectl delete namespace "$FMA_NAMESPACE" \
             --ignore-not-found --timeout=120s || true
 
-          # Delete CRDs
-          # TODO: Implement safe CRD lifecycle management for tests (e.g., handle shared clusters,
-          #       concurrent test runs, and version upgrades/downgrades) before enabling CRD deletion.
-          # kubectl delete -f config/crd/ --ignore-not-found || true
-
-          # Delete cluster-scoped resources
-          kubectl delete clusterrole fma-node-viewer --ignore-not-found || true
-          kubectl delete clusterrolebinding "$FMA_RELEASE_NAME-node-view" --ignore-not-found || true
+          # Delete cluster-scoped stuff for reading Node objects
+          kubectl delete clusterrole        "${FMA_RELEASE_NAME}-node-view" --ignore-not-found || true
+          kubectl delete clusterrolebinding "${FMA_RELEASE_NAME}-node-view" --ignore-not-found || true
 
           echo "Cleanup complete"
 

docs/cluster-sharing.md

@@ -23,8 +23,6 @@ object.
 - A ClusterRoleBinding that binds the node-reading ClusterRole to an
   FMA ServiceAccount.
 
-- A ClusterRoleBinding that binds ClusterRole `view` to an FMA ServiceAccount.
-
 - A Namespace that FMA is installed in.
 
 ## Solution for the CustomResourceDefinition Objects
@@ -138,3 +136,22 @@ object.
   ValidatingAdmissionPolicy[Binding] objects.
 
 - The Helm chart does nothing about these policy objects.
+
+## Solution for reading Node objects
+
+- The Helm chart can optionally create a ClusterRoleBinding for a
+  ClusterRole with a given name.
+
+- The Helm chart does nothing about creating the ClusterRole for
+  reading Node objects.
+
+- The admin of a shared cluster has several choices about what to
+  maintain on behalf of users vs. authorize users to do.
+
+- For the GHA workflow that does E2E test in a particular shared
+  OpenShift cluster, the solution is as follows. The workflow creates,
+  uses, and deletes a ClusterRole that has the workflow run ID in its
+  name. The name of this ClusterRole is given to the Helm chart, which
+  makes a ClusterRoleBinding for it. The workflow deletes the Helm
+  chart instance and then, for good measure, also deletes the
+  ClusterRoleBinding.