Merge pull request #15 from cybozu-go/add-resourcequota-propagation-t…

…o-default-setting Add ResourceQuota propagation to the default setting
cybozu-go · Oct 14, 2021 · 1d2566a · 1d2566a
2 parents 15ef59a + 473bdd7
commit 1d2566a
Show file tree

Hide file tree

Showing 7 changed files with 67 additions and 15 deletions.
diff --git a/charts/accurate/Chart.yaml b/charts/accurate/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.1.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/accurate/values.yaml b/charts/accurate/values.yaml
@@ -51,21 +51,23 @@ controller:
         kind: RoleBinding
       - version: v1
         kind: Secret
+      - version: v1
+        kind: ResourceQuota
 
   additionalRBAC:
     # controller.additionalRBAC.rules -- Specify the RBAC rules to be added to the controller.
     # ClusterRole and ClusterRoleBinding are created with the names `{{ release name }}-additional-resources`.
     # The rules defined here will be used for the ClusterRole rules.
-    rules: []
-    # - apiGroups:
-    #     - ""
-    #   resources:
-    #     - resourcequotas
-    #   verbs:
-    #     - get
-    #     - list
-    #     - watch
-    #     - create
-    #     - update
-    #     - patch
-    #     - delete
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - resourcequotas
+        verbs:
+          - get
+          - list
+          - watch
+          - create
+          - update
+          - patch
+          - delete
diff --git a/config.yaml b/config.yaml
@@ -23,3 +23,5 @@ watches:
   kind: RoleBinding
 - version: v1
   kind: Secret
+- version: v1
+  kind: ResourceQuota
diff --git a/docs/config.md b/docs/config.md
@@ -54,7 +54,7 @@ controller:
 
 ## ClusterRoleBindings
 
-A built-in ClusterRole `admin` is bound by default to allow `accurate-controller` to watch and propagate namespace-scope resources.  However, `admin` does not contain verbs for [ResourceQuota][] and may not contain custom resources.
+A built-in ClusterRole `admin` is bound by default to allow `accurate-controller` to watch and propagate namespace-scope resources. However, `admin` does not contain verbs for [ResourceQuota][] and may not contain custom resources.
 
 If you need to watch and propagate resources not included in `admin` ClusterRole, add additional ClusterRole/ClusterRoleBinding to `accurate-controller-manager` ServiceAccount.
 Set the `controller.additionalRBAC.rules` in the Helm Chart values.

diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go
@@ -16,6 +16,9 @@ import (
 //go:embed testdata/role.yaml
 var roleYAML []byte
 
+//go:embed testdata/resourceQuota.yaml
+var resourceQuota []byte
+
 var sealedJSON []byte
 
 func init() {
@@ -70,13 +73,15 @@ var _ = Describe("kubectl accurate", func() {
 
 		kubectlSafe(roleYAML, "apply", "-f", "-")
 		kubectlSafe(nil, "create", "-n", "tmpl3", "secret", "generic", "s1", "--from-literal=foo=bar")
+		kubectlSafe(resourceQuota, "apply", "-f", "-")
 
 		By("setting up templates")
 		kubectlSafe(nil, "accurate", "template", "set", "tmpl3", "tmpl2")
 		kubectlSafe(nil, "accurate", "template", "set", "root2", "tmpl3")
 
 		By("checking propagation from templates")
 		kubectlSafe(nil, "annotate", "-n", "tmpl3", "secret", "s1", "accurate.cybozu.com/propagate=update")
+		kubectlSafe(nil, "annotate", "-n", "tmpl3", "quota", "rq1", "accurate.cybozu.com/propagate=update")
 
 		Eventually(func() error {
 			_, err := kubectl(nil, "get", "-n", "root2", "roles", "role1")
@@ -86,6 +91,10 @@ var _ = Describe("kubectl accurate", func() {
 			_, err := kubectl(nil, "get", "-n", "root2", "secrets", "s1")
 			return err
 		}).Should(Succeed())
+		Eventually(func() error {
+			_, err := kubectl(nil, "get", "-n", "root2", "quota", "rq1")
+			return err
+		}).Should(Succeed())
 		Eventually(func() string {
 			out, err := kubectl(nil, "get", "ns", "root2", "-o", "json")
 			if err != nil {
@@ -115,6 +124,20 @@ var _ = Describe("kubectl accurate", func() {
 					return errors.New("s1 exists")
 				}
 			}
+
+			out, err = kubectl(nil, "get", "-n", "root2", "quota", "-o", "json")
+			if err != nil {
+				return err
+			}
+			rql := &corev1.ResourceQuotaList{}
+			if err := json.Unmarshal(out, rql); err != nil {
+				return err
+			}
+			for _, rq := range rql.Items {
+				if rq.Name == "rq1" {
+					return errors.New("rq1 exists")
+				}
+			}
 			return nil
 		}).Should(Succeed())
 		kubectlSafe(nil, "get", "-n", "root2", "roles", "role1")

diff --git a/e2e/testdata/resourceQuota.yaml b/e2e/testdata/resourceQuota.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  namespace: tmpl3
+  name: rq1
+spec:
+  hard:
+    requests.cpu: "1"
+    requests.memory: 1Gi
+    limits.cpu: "2"
+    limits.memory: 2Gi
diff --git a/e2e/values.yaml b/e2e/values.yaml
@@ -23,6 +23,8 @@ controller:
         kind: RoleBinding
       - version: v1
         kind: Secret
+      - version: v1
+        kind: ResourceQuota
 
   additionalRBAC:
     rules:
@@ -34,3 +36,15 @@ controller:
           - get
           - list
           - watch
+      - apiGroups:
+          - ""
+        resources:
+          - resourcequotas
+        verbs:
+          - get
+          - list
+          - watch
+          - create
+          - update
+          - patch
+          - delete