adds ownerReference to cluster wide objects (#274)

ClusterRoleBindings, ClusterRoles, PodSecuriryPolicies it should help to deploy operator properly with ArgoCD #255
VictoriaMetrics · Jul 7, 2021 · eebfa4f · eebfa4f
1 parent 431db48
commit eebfa4f
Show file tree

Hide file tree

Showing 13 changed files with 172 additions and 635 deletions.
diff --git a/api/v1beta1/vmagent_types.go b/api/v1beta1/vmagent_types.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/VictoriaMetrics/operator/controllers/factory/crd"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -493,6 +494,11 @@ func (cr *VMAgent) AsURL() string {
 	return fmt.Sprintf("http://%s.%s.svc:%s", cr.PrefixedName(), cr.Namespace, port)
 }
 
+// AsCRDOwner implements interface
+func (cr *VMAgent) AsCRDOwner() []metav1.OwnerReference {
+	return crd.GetCRDAsOwner(crd.VMAgent)
+}
+
 func init() {
 	SchemeBuilder.Register(&VMAgent{}, &VMAgentList{})
 }
diff --git a/api/v1beta1/vmalert_types.go b/api/v1beta1/vmalert_types.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/VictoriaMetrics/operator/controllers/factory/crd"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -438,6 +439,11 @@ func (cr *VMAlert) AsURL() string {
 	return fmt.Sprintf("http://%s.%s.svc:%s", cr.PrefixedName(), cr.Namespace, port)
 }
 
+// AsCRDOwner implements interface
+func (cr *VMAlert) AsCRDOwner() []metav1.OwnerReference {
+	return crd.GetCRDAsOwner(crd.VMAlert)
+}
+
 func init() {
 	SchemeBuilder.Register(&VMAlert{}, &VMAlertList{})
 }
diff --git a/api/v1beta1/vmalertmanager_types.go b/api/v1beta1/vmalertmanager_types.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/VictoriaMetrics/operator/controllers/factory/crd"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -328,6 +329,11 @@ func (cr *VMAlertmanager) AsURL() string {
 	return fmt.Sprintf("http://%s.%s.svc:9093", cr.PrefixedName(), cr.Namespace)
 }
 
+// AsCRDOwner implements interface
+func (cr *VMAlertmanager) AsCRDOwner() []metav1.OwnerReference {
+	return crd.GetCRDAsOwner(crd.VMAlertManager)
+}
+
 func init() {
 	SchemeBuilder.Register(&VMAlertmanager{}, &VMAlertmanagerList{})
 }
diff --git a/api/v1beta1/vmauth_types.go b/api/v1beta1/vmauth_types.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/VictoriaMetrics/operator/controllers/factory/crd"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/api/extensions/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -300,6 +301,11 @@ func (cr VMAuth) GetNSName() string {
 	return cr.GetNamespace()
 }
 
+// AsCRDOwner implements interface
+func (cr *VMAuth) AsCRDOwner() []metav1.OwnerReference {
+	return crd.GetCRDAsOwner(crd.VMAuth)
+}
+
 func init() {
 	SchemeBuilder.Register(&VMAuth{}, &VMAuthList{})
 }
diff --git a/api/v1beta1/vmcluster_types.go b/api/v1beta1/vmcluster_types.go
@@ -5,6 +5,7 @@ import (
 	"path"
 	"strings"
 
+	"github.com/VictoriaMetrics/operator/controllers/factory/crd"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -892,6 +893,11 @@ func (cr *VMCluster) VMStorageURL() string {
 	return fmt.Sprintf("http://%s.%s.svc:%s", cr.Spec.VMStorage.GetNameWithPrefix(cr.Name), cr.Namespace, port)
 }
 
+// AsCRDOwner implements interface
+func (cr *VMCluster) AsCRDOwner() []metav1.OwnerReference {
+	return crd.GetCRDAsOwner(crd.VMCluster)
+}
+
 func (cr VMCluster) GetNSName() string {
 	return cr.GetNamespace()
 }
diff --git a/api/v1beta1/vmsingle_types.go b/api/v1beta1/vmsingle_types.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/VictoriaMetrics/operator/controllers/factory/crd"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -305,6 +306,11 @@ func (cr *VMSingle) AsURL() string {
 	return fmt.Sprintf("http://%s.%s.svc:%s", cr.PrefixedName(), cr.Namespace, port)
 }
 
+// AsCRDOwner implements interface
+func (cr *VMSingle) AsCRDOwner() []metav1.OwnerReference {
+	return crd.GetCRDAsOwner(crd.VMSingle)
+}
+
 func init() {
 	SchemeBuilder.Register(&VMSingle{}, &VMSingleList{})
 }
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -461,5 +461,10 @@ rules:
     - patch
     - update
     - watch
-
-
+- apiGroups:
+    - apiextensions.k8s.io
+  resources:
+    - customresourcedefinitions
+  verbs:
+    - get
+    - list
diff --git a/controllers/factory/crd/owner.go b/controllers/factory/crd/owner.go
@@ -0,0 +1,83 @@
+package crd
+
+import (
+	"context"
+	"fmt"
+
+	metav1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type CRDName int
+
+const (
+	VMAgent CRDName = iota
+	VMAlert
+	VMSingle
+	VMCluster
+	VMAuth
+	VMAlertManager
+)
+
+func (c CRDName) String() string {
+	return []string{"vmagents.operator.victoriametrics.com", "vmalerts.operator.victoriametrics.com", "vmsingles.operator.victoriametrics.com", "vmclusters.operator.victoriametrics.com", "vmauths.operator.victoriametrics.com", "vmalertmanagers.operator.victoriametrics.com"}[c]
+}
+
+type crdInfo struct {
+	uuid       types.UID
+	kind       string
+	apiVersion string
+}
+
+var crdCache map[CRDName]*crdInfo
+
+func Init(ctx context.Context, rclient client.Client) error {
+	crdCache = make(map[CRDName]*crdInfo)
+	var crds metav1.CustomResourceDefinitionList
+	if err := rclient.List(ctx, &crds); err != nil {
+		return fmt.Errorf("cannot list CRDs during init: %w", err)
+	}
+	for _, item := range crds.Items {
+
+		var n CRDName
+		switch item.Name {
+		case "vmagents.operator.victoriametrics.com":
+			n = VMAgent
+		case "vmalerts.operator.victoriametrics.com":
+			n = VMAlert
+		case "vmsingles.operator.victoriametrics.com":
+			n = VMSingle
+		case "vmclusters.operator.victoriametrics.com":
+			n = VMCluster
+		case "vmauths.operator.victoriametrics.com":
+			n = VMAuth
+		case "vmalertmanagers.operator.victoriametrics.com":
+			n = VMAlertManager
+		default:
+			continue
+		}
+		crdCache[n] = &crdInfo{
+			uuid:       item.UID,
+			apiVersion: metav1.SchemeGroupVersion.String(),
+			kind:       "CustomResourceDefinition",
+		}
+	}
+	return nil
+}
+
+func GetCRDAsOwner(name CRDName) []v1.OwnerReference {
+	crdData := crdCache[name]
+	if crdData == nil {
+		return nil
+	}
+	return []v1.OwnerReference{
+		{
+			Name:       name.String(),
+			UID:        crdData.uuid,
+			Kind:       "CustomResourceDefinition",
+			APIVersion: crdData.apiVersion,
+		},
+	}
+}
diff --git a/controllers/factory/psp/psp.go b/controllers/factory/psp/psp.go
@@ -27,6 +27,7 @@ type CRDObject interface {
 	GetPSPName() string
 	GetNSName() string
 	AsOwner() []metav1.OwnerReference
+	AsCRDOwner() []metav1.OwnerReference
 }
 
 // CreateOrUpdateServiceAccountWithPSP - creates psp for api object.
@@ -158,11 +159,12 @@ func buildSA(cr CRDObject) *v1.ServiceAccount {
 func buildClusterRoleForPSP(cr CRDObject) *v12.ClusterRole {
 	return &v12.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace:   cr.GetNSName(),
-			Name:        cr.PrefixedName(),
-			Labels:      cr.Labels(),
-			Annotations: cr.Annotations(),
-			Finalizers:  []string{v1beta12.FinalizerName},
+			Namespace:       cr.GetNSName(),
+			Name:            cr.PrefixedName(),
+			Labels:          cr.Labels(),
+			Annotations:     cr.Annotations(),
+			Finalizers:      []string{v1beta12.FinalizerName},
+			OwnerReferences: cr.AsCRDOwner(),
 		},
 		Rules: []v12.PolicyRule{
 			{
@@ -178,11 +180,12 @@ func buildClusterRoleForPSP(cr CRDObject) *v12.ClusterRole {
 func buildClusterRoleBinding(cr CRDObject) *v12.ClusterRoleBinding {
 	return &v12.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        cr.PrefixedName(),
-			Namespace:   cr.GetNSName(),
-			Labels:      cr.Labels(),
-			Annotations: cr.Annotations(),
-			Finalizers:  []string{v1beta12.FinalizerName},
+			Name:            cr.PrefixedName(),
+			Namespace:       cr.GetNSName(),
+			Labels:          cr.Labels(),
+			Annotations:     cr.Annotations(),
+			Finalizers:      []string{v1beta12.FinalizerName},
+			OwnerReferences: cr.AsCRDOwner(),
 		},
 		Subjects: []v12.Subject{
 			{
@@ -202,11 +205,12 @@ func buildClusterRoleBinding(cr CRDObject) *v12.ClusterRoleBinding {
 func BuildPSP(cr CRDObject) *v1beta1.PodSecurityPolicy {
 	return &v1beta1.PodSecurityPolicy{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        cr.GetPSPName(),
-			Namespace:   cr.GetNSName(),
-			Labels:      cr.Labels(),
-			Annotations: cr.Annotations(),
-			Finalizers:  []string{v1beta12.FinalizerName},
+			Name:            cr.GetPSPName(),
+			Namespace:       cr.GetNSName(),
+			Labels:          cr.Labels(),
+			Annotations:     cr.Annotations(),
+			Finalizers:      []string{v1beta12.FinalizerName},
+			OwnerReferences: cr.AsCRDOwner(),
 		},
 		Spec: v1beta1.PodSecurityPolicySpec{
 			ReadOnlyRootFilesystem: false,

diff --git a/controllers/factory/vmagent/rbac.go b/controllers/factory/vmagent/rbac.go
@@ -45,7 +45,7 @@ func ensureVMAgentCRExist(ctx context.Context, cr *v1beta12.VMAgent, rclient cli
 	if existsClusterRole.Name == "" {
 		return rclient.Create(ctx, clusterRole)
 	}
-
+	existsClusterRole.OwnerReferences = clusterRole.OwnerReferences
 	existsClusterRole.Labels = labels.Merge(existsClusterRole.Labels, clusterRole.Labels)
 	existsClusterRole.Annotations = labels.Merge(clusterRole.Annotations, existsClusterRole.Annotations)
 	existsClusterRole.Rules = clusterRole.Rules
@@ -72,6 +72,7 @@ func ensureVMAgentCRBExist(ctx context.Context, cr *v1beta12.VMAgent, rclient cl
 		return rclient.Create(ctx, clusterRoleBinding)
 	}
 
+	existsClusterRoleBinding.OwnerReferences = clusterRoleBinding.OwnerReferences
 	existsClusterRoleBinding.Labels = labels.Merge(existsClusterRoleBinding.Labels, clusterRoleBinding.Labels)
 	existsClusterRoleBinding.Annotations = labels.Merge(clusterRoleBinding.Annotations, existsClusterRoleBinding.Annotations)
 	existsClusterRoleBinding.Subjects = clusterRoleBinding.Subjects
@@ -83,11 +84,12 @@ func ensureVMAgentCRBExist(ctx context.Context, cr *v1beta12.VMAgent, rclient cl
 func buildVMAgentClusterRoleBinding(cr *v1beta12.VMAgent) *v12.ClusterRoleBinding {
 	return &v12.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        cr.GetClusterRoleName(),
-			Namespace:   cr.GetNamespace(),
-			Labels:      cr.Labels(),
-			Annotations: cr.Annotations(),
-			Finalizers:  []string{v1beta12.FinalizerName},
+			Name:            cr.GetClusterRoleName(),
+			Namespace:       cr.GetNamespace(),
+			Labels:          cr.Labels(),
+			Annotations:     cr.Annotations(),
+			Finalizers:      []string{v1beta12.FinalizerName},
+			OwnerReferences: cr.AsCRDOwner(),
 		},
 		Subjects: []v12.Subject{
 			{
@@ -107,11 +109,12 @@ func buildVMAgentClusterRoleBinding(cr *v1beta12.VMAgent) *v12.ClusterRoleBindin
 func buildVMAgentClusterRole(cr *v1beta12.VMAgent) *v12.ClusterRole {
 	return &v12.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        cr.GetClusterRoleName(),
-			Namespace:   cr.GetNamespace(),
-			Labels:      cr.Labels(),
-			Annotations: cr.Annotations(),
-			Finalizers:  []string{v1beta12.FinalizerName},
+			Name:            cr.GetClusterRoleName(),
+			Namespace:       cr.GetNamespace(),
+			Labels:          cr.Labels(),
+			Annotations:     cr.Annotations(),
+			Finalizers:      []string{v1beta12.FinalizerName},
+			OwnerReferences: cr.AsCRDOwner(),
 		},
 		Rules: []v12.PolicyRule{
 			{

diff --git a/go.mod b/go.mod
@@ -21,6 +21,7 @@ require (
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.21.1
+	k8s.io/apiextensions-apiserver v0.21.1 // indirect
 	k8s.io/apimachinery v0.21.1
 	k8s.io/client-go v12.0.0+incompatible
 	k8s.io/klog/v2 v2.8.0