chore: sync dev-workspace-container-build CRB on every reconcile loop (#2000)

tolusha · web-flow · commit 8094056c0f40 · 2025-05-30T11:02:01.000+02:00
Signed-off-by: Anatolii Bazko &lt;abazko@redhat.com&gt;
diff --git a/pkg/common/constants/constants.go b/pkg/common/constants/constants.go
@@ -133,6 +133,8 @@ const (
 	PublicCertsDir        = "/public-certs"
 
 	// DevWorkspace
+	DevWorkspaceControllerName     = "devworkspace-controller"
+	DevWorkspaceOperatorName       = "devworkspace-operator"
 	DevWorkspaceServiceAccountName = "devworkspace-controller-serviceaccount"
 	DefaultContainerBuildSccName   = "container-build"
 )
diff --git a/pkg/deploy/container-build/container_build.go b/pkg/deploy/container-build/container_build.go
@@ -16,6 +16,10 @@ import (
 	"context"
 	"fmt"
 
+	"k8s.io/apimachinery/pkg/labels"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
 	"github.com/google/go-cmp/cmp"
 	"k8s.io/apimachinery/pkg/types"
 
@@ -237,22 +241,26 @@ func (cb *ContainerBuildReconciler) getDevWorkspaceSccClusterRoleBindingSpec(ctx
 	}, nil
 }
 
+// getDevWorkspaceServiceAccountNamespace returns the namespace of the DevWorkspace ServiceAccount.
+// It searches for the DevWorkspace Operator Pods by its labels.
 func (cb *ContainerBuildReconciler) getDevWorkspaceServiceAccountNamespace(ctx *chetypes.DeployContext) (string, error) {
-	crb := &rbacv1.ClusterRoleBinding{}
-	if exists, err := deploy.GetClusterObject(ctx, GetDevWorkspaceSccRbacResourcesName(), crb); err != nil {
+	selector, err := labels.Parse(fmt.Sprintf(
+		"%s=%s,%s=%s",
+		constants.KubernetesNameLabelKey, constants.DevWorkspaceControllerName,
+		constants.KubernetesPartOfLabelKey, constants.DevWorkspaceOperatorName))
+	if err != nil {
 		return "", err
-	} else if exists {
-		return crb.Subjects[0].Namespace, nil
-	} else {
-		sas := &corev1.ServiceAccountList{}
-		if err := ctx.ClusterAPI.NonCachingClient.List(context.TODO(), sas); err != nil {
-			return "", err
-		}
+	}
+	options := &client.ListOptions{LabelSelector: selector}
 
-		for _, sa := range sas.Items {
-			if sa.Name == constants.DevWorkspaceServiceAccountName {
-				return sa.Namespace, nil
-			}
+	pods := &corev1.PodList{}
+	if err = ctx.ClusterAPI.NonCachingClient.List(context.TODO(), pods, options); err != nil {
+		return "", err
+	}
+
+	for _, pod := range pods.Items {
+		if pod.Spec.ServiceAccountName == constants.DevWorkspaceServiceAccountName {
+			return pod.Namespace, nil
 		}
 	}
 
diff --git a/pkg/deploy/container-build/container_build_test.go b/pkg/deploy/container-build/container_build_test.go
@@ -33,17 +33,24 @@ import (
 )
 
 func TestContainerBuildReconciler(t *testing.T) {
-	dwSA := &corev1.ServiceAccount{
+	dwPod := &corev1.Pod{
 		TypeMeta: metav1.TypeMeta{
-			Kind:       "ServiceAccount",
+			Kind:       "Pod",
 			APIVersion: "v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      constants.DevWorkspaceServiceAccountName,
+			Name:      "devworkspace-controller",
 			Namespace: "eclipse-che",
+			Labels: map[string]string{
+				constants.KubernetesNameLabelKey:   constants.DevWorkspaceControllerName,
+				constants.KubernetesPartOfLabelKey: constants.DevWorkspaceOperatorName,
+			},
+		},
+		Spec: corev1.PodSpec{
+			ServiceAccountName: constants.DevWorkspaceServiceAccountName,
 		},
 	}
-	ctx := test.GetDeployContext(nil, []runtime.Object{dwSA})
+	ctx := test.GetDeployContext(nil, []runtime.Object{dwPod})
 	containerBuildReconciler := NewContainerBuildReconciler()
 
 	_, done, err := containerBuildReconciler.Reconcile(ctx)
@@ -83,18 +90,25 @@ func TestContainerBuildReconciler(t *testing.T) {
 }
 
 func TestSyncAndRemoveRBAC(t *testing.T) {
-	dwSA := &corev1.ServiceAccount{
+	dwPod := &corev1.Pod{
 		TypeMeta: metav1.TypeMeta{
-			Kind:       "ServiceAccount",
+			Kind:       "Pod",
 			APIVersion: "v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      constants.DevWorkspaceServiceAccountName,
+			Name:      "devworkspace-controller",
 			Namespace: "eclipse-che",
+			Labels: map[string]string{
+				constants.KubernetesNameLabelKey:   constants.DevWorkspaceControllerName,
+				constants.KubernetesPartOfLabelKey: constants.DevWorkspaceOperatorName,
+			},
+		},
+		Spec: corev1.PodSpec{
+			ServiceAccountName: constants.DevWorkspaceServiceAccountName,
 		},
 	}
-	ctx := test.GetDeployContext(nil, []runtime.Object{dwSA})
-	ctx.CheCluster.Spec.DevEnvironments.DisableContainerBuildCapabilities = pointer.BoolPtr(false)
+	ctx := test.GetDeployContext(nil, []runtime.Object{dwPod})
+	ctx.CheCluster.Spec.DevEnvironments.DisableContainerBuildCapabilities = pointer.Bool(false)
 	ctx.CheCluster.Spec.DevEnvironments.ContainerBuildConfiguration = &chev2.ContainerBuildConfiguration{OpenShiftSecurityContextConstraint: "scc"}
 
 	containerBuildReconciler := NewContainerBuildReconciler()
@@ -118,7 +132,7 @@ func TestSyncAndRemoveRBAC(t *testing.T) {
 
 func TestSyncAndRemoveSCC(t *testing.T) {
 	ctx := test.GetDeployContext(nil, []runtime.Object{})
-	ctx.CheCluster.Spec.DevEnvironments.DisableContainerBuildCapabilities = pointer.BoolPtr(false)
+	ctx.CheCluster.Spec.DevEnvironments.DisableContainerBuildCapabilities = pointer.Bool(false)
 	ctx.CheCluster.Spec.DevEnvironments.ContainerBuildConfiguration = &chev2.ContainerBuildConfiguration{OpenShiftSecurityContextConstraint: "scc"}
 
 	containerBuildReconciler := NewContainerBuildReconciler()

Original file line number	Diff line number	Diff line change
`@@ -133,6 +133,8 @@ const (`
`133`	`133`	`PublicCertsDir = "/public-certs"`
`134`	`134`
`135`	`135`	`// DevWorkspace`
	`136`	`+ DevWorkspaceControllerName = "devworkspace-controller"`
	`137`	`+ DevWorkspaceOperatorName = "devworkspace-operator"`
`136`	`138`	`DevWorkspaceServiceAccountName = "devworkspace-controller-serviceaccount"`
`137`	`139`	`DefaultContainerBuildSccName = "container-build"`
`138`	`140`	`)`