Enqueue PRTBs for RKE clusters to recreate RoleBindings (rancher#47446)

crobby · Oct 10, 2024 · bf39f57 · bf39f57
1 parent 6075394
commit bf39f57
Show file tree

Hide file tree

Showing 3 changed files with 108 additions and 5 deletions.
diff --git a/pkg/controllers/management/authprovisioningv2/authprovisioningv2.go b/pkg/controllers/management/authprovisioningv2/authprovisioningv2.go
@@ -42,6 +42,7 @@ type handler struct {
 	clusterRoleTemplateBindings          mgmtcontrollers.ClusterRoleTemplateBindingCache
 	clusterRoleTemplateBindingController mgmtcontrollers.ClusterRoleTemplateBindingController
 	projectRoleTemplateBindingController mgmtcontrollers.ProjectRoleTemplateBindingController
+	projectRoleTemplateBindings          mgmtcontrollers.ProjectRoleTemplateBindingCache
 	roleTemplatesCache                   mgmtcontrollers.RoleTemplateCache
 	clusters                             provisioningcontrollers.ClusterCache
 	mgmtClusters                         mgmtcontrollers.ClusterCache
@@ -74,6 +75,7 @@ func Register(ctx context.Context, clients *wrangler.Context, management *config
 		clusterRoleTemplateBindings:          clients.Mgmt.ClusterRoleTemplateBinding().Cache(),
 		clusterRoleTemplateBindingController: clients.Mgmt.ClusterRoleTemplateBinding(),
 		projectRoleTemplateBindingController: clients.Mgmt.ProjectRoleTemplateBinding(),
+		projectRoleTemplateBindings:          clients.Mgmt.ProjectRoleTemplateBinding().Cache(),
 		roleTemplatesCache:                   clients.Mgmt.RoleTemplate().Cache(),
 		clusters:                             clients.Provisioning.Cluster().Cache(),
 		mgmtClusters:                         clients.Mgmt.Cluster().Cache(),

diff --git a/pkg/controllers/management/authprovisioningv2/cluster.go b/pkg/controllers/management/authprovisioningv2/cluster.go
@@ -3,15 +3,17 @@ package authprovisioningv2
 import (
 	"fmt"
 	"reflect"
+	"strings"
 
 	"github.com/rancher/kubernetes-provider-detector/providers"
-	v1 "github.com/rancher/rancher/pkg/apis/provisioning.cattle.io/v1"
 	"github.com/rancher/rancher/pkg/controllers/dashboard/kubernetesprovider"
+	"k8s.io/apimachinery/pkg/labels"
+
+	v1 "github.com/rancher/rancher/pkg/apis/provisioning.cattle.io/v1"
 	"github.com/rancher/rancher/pkg/rbac"
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
 )
 
 // OnCluster creates the roles required for users to be able to see/manage the
@@ -66,7 +68,7 @@ func (h *handler) createClusterViewRole(cluster *v1.Cluster) error {
 
 		// This is needed for creating RoleBindings when moving rke clusters to a different workspace.
 		// This is only needed for rke because Role and RoleBindings are moved to the new workspace. In other k8s distros they stay in the fleet-default ns.
-		if err = h.enqueueCRTBsForRKEClusters(cluster); err != nil {
+		if err = h.enqueueRoleTemplateBindingsForRKEClusters(cluster); err != nil {
 			return err
 		}
 		return nil
@@ -111,7 +113,7 @@ func (h *handler) cleanClusterAdminRoleBindings(cluster *v1.Cluster) error {
 	return nil
 }
 
-func (h *handler) enqueueCRTBsForRKEClusters(cluster *v1.Cluster) error {
+func (h *handler) enqueueRoleTemplateBindingsForRKEClusters(cluster *v1.Cluster) error {
 	if cluster.Labels[kubernetesprovider.ProviderKey] == providers.RKE {
 		crtbs, err := h.clusterRoleTemplateBindings.List(cluster.Name, labels.Everything())
 		if err != nil {
@@ -120,6 +122,16 @@ func (h *handler) enqueueCRTBsForRKEClusters(cluster *v1.Cluster) error {
 		for _, crtb := range crtbs {
 			h.clusterRoleTemplateBindingController.Enqueue(crtb.Namespace, crtb.Name)
 		}
+		prtbs, err := h.projectRoleTemplateBindings.List("", labels.Everything())
+		if err != nil {
+			return err
+		}
+		for _, prtb := range prtbs {
+			clusterName := strings.Split(prtb.ProjectName, ":")[0]
+			if clusterName == cluster.Name {
+				h.projectRoleTemplateBindingController.Enqueue(prtb.Namespace, prtb.Name)
+			}
+		}
 	}
 
 	return nil

diff --git a/pkg/controllers/management/authprovisioningv2/cluster_test.go b/pkg/controllers/management/authprovisioningv2/cluster_test.go
@@ -34,12 +34,45 @@ func TestOnCluster(t *testing.T) {
 			},
 		},
 	}
+	prtbInCluster := &v3.ProjectRoleTemplateBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "prtb1",
+			Namespace: "ns1",
+		},
+		ProjectName: "cluster:project",
+	}
+	prtbs := []*v3.ProjectRoleTemplateBinding{
+		prtbInCluster,
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "prtb2",
+				Namespace: "ns1",
+			},
+			ProjectName: "invalid",
+		},
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "prtb3",
+				Namespace: "ns1",
+			},
+			ProjectName: "clusterB:project",
+		},
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "prtb4",
+				Namespace: "ns1",
+			},
+			ProjectName: "",
+		},
+	}
 	err := errors.NewBadRequest("error")
 
 	tests := map[string]struct {
 		cluster       *v1.Cluster
 		crtbCacheMock func(string) mgmtcontrollers.ClusterRoleTemplateBindingCache
 		crtbMock      func() mgmtcontrollers.ClusterRoleTemplateBindingController
+		prtbCacheMock func(string) mgmtcontrollers.ProjectRoleTemplateBindingCache
+		prtbMock      func() mgmtcontrollers.ProjectRoleTemplateBindingController
 		expectedErr   error
 	}{
 		"no rke doesn't enqueue CRTBs": {
@@ -56,11 +89,18 @@ func TestOnCluster(t *testing.T) {
 			crtbMock: func() mgmtcontrollers.ClusterRoleTemplateBindingController {
 				return fake.NewMockControllerInterface[*v3.ClusterRoleTemplateBinding, *v3.ClusterRoleTemplateBindingList](ctrl)
 			},
+			prtbCacheMock: func(_ string) mgmtcontrollers.ProjectRoleTemplateBindingCache {
+				return fake.NewMockCacheInterface[*v3.ProjectRoleTemplateBinding](ctrl)
+			},
+			prtbMock: func() mgmtcontrollers.ProjectRoleTemplateBindingController {
+				return fake.NewMockControllerInterface[*v3.ProjectRoleTemplateBinding, *v3.ProjectRoleTemplateBindingList](ctrl)
+			},
 			expectedErr: nil,
 		},
-		"rke enqueue CRTBs": {
+		"rke enqueue CRTBs and PRTBs": {
 			cluster: &v1.Cluster{
 				ObjectMeta: metav1.ObjectMeta{
+					Name: "cluster",
 					Labels: map[string]string{
 						kubernetesprovider.ProviderKey: providers.RKE,
 					},
@@ -78,6 +118,17 @@ func TestOnCluster(t *testing.T) {
 				}
 				return mock
 			},
+			prtbCacheMock: func(_ string) mgmtcontrollers.ProjectRoleTemplateBindingCache {
+				mock := fake.NewMockCacheInterface[*v3.ProjectRoleTemplateBinding](ctrl)
+				mock.EXPECT().List("", labels.Everything()).Return(prtbs, nil)
+				return mock
+			},
+			prtbMock: func() mgmtcontrollers.ProjectRoleTemplateBindingController {
+				mock := fake.NewMockControllerInterface[*v3.ProjectRoleTemplateBinding, *v3.ProjectRoleTemplateBindingList](ctrl)
+				mock.EXPECT().Enqueue(prtbInCluster.Namespace, prtbInCluster.Name)
+				return mock
+			},
+
 			expectedErr: nil,
 		},
 		"rke enqueue CRTBs error": {
@@ -96,6 +147,42 @@ func TestOnCluster(t *testing.T) {
 			crtbMock: func() mgmtcontrollers.ClusterRoleTemplateBindingController {
 				return fake.NewMockControllerInterface[*v3.ClusterRoleTemplateBinding, *v3.ClusterRoleTemplateBindingList](ctrl)
 			},
+			prtbCacheMock: func(_ string) mgmtcontrollers.ProjectRoleTemplateBindingCache {
+				return fake.NewMockCacheInterface[*v3.ProjectRoleTemplateBinding](ctrl)
+			},
+			prtbMock: func() mgmtcontrollers.ProjectRoleTemplateBindingController {
+				return fake.NewMockControllerInterface[*v3.ProjectRoleTemplateBinding, *v3.ProjectRoleTemplateBindingList](ctrl)
+			},
+			expectedErr: err,
+		},
+		"rke enqueue PRTBs error": {
+			cluster: &v1.Cluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						kubernetesprovider.ProviderKey: providers.RKE,
+					},
+				},
+			},
+			crtbCacheMock: func(clusterName string) mgmtcontrollers.ClusterRoleTemplateBindingCache {
+				mock := fake.NewMockCacheInterface[*v3.ClusterRoleTemplateBinding](ctrl)
+				mock.EXPECT().List(clusterName, labels.Everything()).Return(crtbs, nil)
+				return mock
+			},
+			crtbMock: func() mgmtcontrollers.ClusterRoleTemplateBindingController {
+				mock := fake.NewMockControllerInterface[*v3.ClusterRoleTemplateBinding, *v3.ClusterRoleTemplateBindingList](ctrl)
+				for _, crtb := range crtbs {
+					mock.EXPECT().Enqueue(crtb.Namespace, crtb.Name)
+				}
+				return mock
+			},
+			prtbCacheMock: func(_ string) mgmtcontrollers.ProjectRoleTemplateBindingCache {
+				mock := fake.NewMockCacheInterface[*v3.ProjectRoleTemplateBinding](ctrl)
+				mock.EXPECT().List("", labels.Everything()).Return(nil, err)
+				return mock
+			},
+			prtbMock: func() mgmtcontrollers.ProjectRoleTemplateBindingController {
+				return fake.NewMockControllerInterface[*v3.ProjectRoleTemplateBinding, *v3.ProjectRoleTemplateBindingList](ctrl)
+			},
 			expectedErr: err,
 		},
 	}
@@ -111,6 +198,8 @@ func TestOnCluster(t *testing.T) {
 			h := handler{
 				clusterRoleTemplateBindings:          test.crtbCacheMock(test.cluster.Name),
 				clusterRoleTemplateBindingController: test.crtbMock(),
+				projectRoleTemplateBindings:          test.prtbCacheMock(test.cluster.Name),
+				projectRoleTemplateBindingController: test.prtbMock(),
 				roleCache:                            roleCacheMock,
 				roleController:                       roleControllerMock,
 			}