feat: migrating to ClusterScope CRD

zakkg3 · Sep 18, 2023 · 2bda119 · 2bda119
1 parent 77602f4
commit 2bda119
Show file tree

Hide file tree

Showing 10 changed files with 21 additions and 38 deletions.
diff --git a/charts/cluster-secret/crds/clustersecret-crd.yaml b/charts/cluster-secret/crds/clustersecret-crd.yaml
@@ -10,7 +10,7 @@ spec:
     shortNames:
     - csec
     singular: clustersecret
-  scope: Namespaced
+  scope: Cluster
   versions:
   - additionalPrinterColumns:
     - description: Secret Type

diff --git a/charts/cluster-secret/templates/role-cluster-rbac.yaml b/charts/cluster-secret/templates/role-cluster-rbac.yaml
@@ -39,9 +39,13 @@ rules:
   resources:
   - clustersecrets
   verbs:
-  - list
   - watch
+  - list
+  - get
   - patch
+  - update
+  - create
+  - delete
 - apiGroups:
   - ""
   resources:

diff --git a/charts/cluster-secret/templates/role-namespaced-rbac.yaml b/charts/cluster-secret/templates/role-namespaced-rbac.yaml
@@ -34,10 +34,3 @@ rules:
   - create
   - update
   - patch
-- apiGroups:
-  - clustersecret.io
-  resources:
-  - clustersecrets
-  verbs:
-  - get
-  - patch
diff --git a/conformance/k8s_utils.py b/conformance/k8s_utils.py
@@ -95,7 +95,6 @@ def _generate_secret_key_ref_dict(secret_key_ref: Dict[str, str]) -> Dict[str, A
     def create_cluster_secret(
             self,
             name: str,
-            namespace: str,
             data: Optional[Dict[str, Any]] = None,
             secret_key_ref: Optional[Dict[str, str]] = None,
             labels: Optional[Dict[str, str]] = None,
@@ -109,7 +108,6 @@ def create_cluster_secret(
         return self.custom_objects_api.create_namespaced_custom_object(
             group="clustersecret.io",
             version="v1",
-            namespace=namespace,
             body={
                 "apiVersion": "clustersecret.io/v1",
                 "kind": "ClusterSecret",
@@ -124,16 +122,14 @@ def create_cluster_secret(
     def update_data_cluster_secret(
             self,
             name: str,
-            namespace: str,
             data: Dict[str, str],
             match_namespace: Optional[List[str]] = None,
             avoid_namespaces: Optional[List[str]] = None,
     ):
-        self.custom_objects_api.patch_namespaced_custom_object(
+        self.custom_objects_api.patch_cluster_custom_object(
             name=name,
             group="clustersecret.io",
             version="v1",
-            namespace=namespace,
             body={
                 "apiVersion": "clustersecret.io/v1",
                 "kind": "ClusterSecret",
@@ -149,11 +145,10 @@ def delete_cluster_secret(
             name: str,
             namespace: str
     ):
-        self.custom_objects_api.delete_namespaced_custom_object(
+        self.custom_objects_api.delete_cluster_custom_object(
             name=name,
             group="clustersecret.io",
             version="v1",
-            namespace=namespace,
             plural="clustersecrets",
         )
 

diff --git a/conformance/tests.py b/conformance/tests.py
@@ -57,7 +57,6 @@ def test_simple_cluster_secret(self):
 
         self.cluster_secret_manager.create_cluster_secret(
             name=name,
-            namespace=USER_NAMESPACES[0],
             data={"username": username_data}
         )
 
@@ -76,7 +75,6 @@ def test_complex_cluster_secret(self):
         # Create a secret in all user namespace expect the first one
         self.cluster_secret_manager.create_cluster_secret(
             name=name,
-            namespace=USER_NAMESPACES[0],
             data={"username": username_data},
             match_namespace=["example-*"],
             avoid_namespaces=[USER_NAMESPACES[0]]
@@ -99,7 +97,6 @@ def test_patch_cluster_secret_data(self):
         # Create a secret with username_data
         self.cluster_secret_manager.create_cluster_secret(
             name=name,
-            namespace=USER_NAMESPACES[0],
             data={"username": username_data},
         )
 
@@ -115,7 +112,6 @@ def test_patch_cluster_secret_data(self):
         self.cluster_secret_manager.update_data_cluster_secret(
             name=name,
             data={"username": updated_data},
-            namespace=USER_NAMESPACES[0],
         )
 
         # Ensure the secrets are updated with the right data (at some point)
@@ -133,7 +129,6 @@ def test_patch_cluster_secret_match_namespaces(self):
 
         self.cluster_secret_manager.create_cluster_secret(
             name=name,
-            namespace=USER_NAMESPACES[0],
             data={"username": username_data},
             match_namespace=[
                 USER_NAMESPACES[0]
@@ -154,7 +149,6 @@ def test_patch_cluster_secret_match_namespaces(self):
         # Update the cluster match_namespace to ALL user namespace
         self.cluster_secret_manager.update_data_cluster_secret(
             name=name,
-            namespace=USER_NAMESPACES[0],
             match_namespace=USER_NAMESPACES,
             data={"username": username_data},
         )
@@ -174,7 +168,6 @@ def test_simple_cluster_secret_deleted(self):
 
         self.cluster_secret_manager.create_cluster_secret(
             name=name,
-            namespace=USER_NAMESPACES[0],
             data={"username": username_data}
         )
 

diff --git a/src/handlers.py b/src/handlers.py
@@ -14,6 +14,8 @@
 
 from os_utils import in_cluster
 
+csecs: Dict[str, Any] = {}
+
 # Loading kubeconfig
 if in_cluster():
     # Loading kubeconfig
@@ -98,7 +100,6 @@ def on_field_match_namespace(
     logger.debug(f'Patching clustersecret {name} in namespace {namespace}')
     patch_clustersecret_status(
         logger=logger,
-        namespace=namespace,
         name=name,
         new_status={'create_fn': {'syncedns': updated_matched}},
         custom_objects_api=custom_objects_api,

diff --git a/src/kubernetes_utils.py b/src/kubernetes_utils.py
@@ -12,7 +12,6 @@
 
 def patch_clustersecret_status(
     logger: logging.Logger,
-    namespace: str,
     name: str,
     new_status,
     custom_objects_api: CustomObjectsApi,
@@ -24,10 +23,9 @@ def patch_clustersecret_status(
     plural = 'clustersecrets'
 
     # Retrieve the clustersecret object
-    clustersecret = custom_objects_api.get_namespaced_custom_object(
+    clustersecret = custom_objects_api.get_cluster_custom_object(
         group=group,
         version=version,
-        namespace=namespace,
         plural=plural,
         name=name,
     )
@@ -37,10 +35,9 @@ def patch_clustersecret_status(
     logger.debug(f'Updated clustersecret manifest: {clustersecret}')
 
     # Perform a patch operation to update the custom resource
-    custom_objects_api.patch_namespaced_custom_object(
+    custom_objects_api.patch_cluster_custom_object(
         group=group,
         version=version,
-        namespace=namespace,
         plural=plural,
         name=name,
         body=clustersecret,

diff --git a/yaml/00_rbac.yaml b/yaml/00_rbac.yaml
@@ -6,7 +6,7 @@ metadata:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  namespace: "clustersecret"
+  namespace: clustersecret
   name: clustersecret-account
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -33,7 +33,7 @@ rules:
   # Application: read-only access for watching cluster-wide.
   - apiGroups: [clustersecret.io]
     resources: [clustersecrets]
-    verbs: [list, watch, patch]
+    verbs: [watch, list, get, patch, update, create, delete]
 
   # Watch namespaces
   - apiGroups: [""]
@@ -70,7 +70,7 @@ rules:
   - apiGroups: [""]
     resources: [secrets]
     verbs: [create,update,patch]
-  
+
   # Application: get and patch clustersecrets for status patching
   - apiGroups: [clustersecret.io]
     resources: [clustersecrets]

diff --git a/yaml/01_crd.yaml b/yaml/01_crd.yaml
@@ -4,7 +4,7 @@ kind: CustomResourceDefinition
 metadata:
   name: clustersecrets.clustersecret.io
 spec:
-  scope: Namespaced
+  scope: Cluster
   group: clustersecret.io
   versions:
     - name: v1

diff --git a/yaml/02_deployment.yaml b/yaml/02_deployment.yaml
@@ -17,11 +17,6 @@ spec:
         serviceAccountName: clustersecret-account
         # imagePullSecrets:
         # - name: regcred
-        env:
-          - name: CLUSTER_SECRET_VERSION
-            value: "v0.0.10"
-          - name: REPLACE_EXISTING
-            value: "false"
         containers:
         - name: clustersecret
           image: quay.io/clustersecret/clustersecret:0.0.10
@@ -30,6 +25,11 @@ spec:
               path: /healthz
               port: 8080
             periodSeconds: 120
+          env:
+            - name: CLUSTER_SECRET_VERSION
+              value: "v0.0.10"
+            - name: REPLACE_EXISTING
+              value: "false"
           # imagePullPolicy: Always
           # Uncomment next lines for debug:
           # command: