Merge pull request rancher#41380 from rmweir/fix-enqueue

Fix enqueue

pkg/controllers/managementuser/rbac/handler_base.go

@@ -10,13 +10,15 @@ import (
 	"github.com/rancher/norman/objectclient"
 	"github.com/rancher/norman/types/convert"
 	"github.com/rancher/norman/types/slice"
+	wranglerv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	"github.com/rancher/rancher/pkg/controllers/managementuser/resourcequota"
 	typescorev1 "github.com/rancher/rancher/pkg/generated/norman/core/v1"
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
 	typesrbacv1 "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1"
 	nsutils "github.com/rancher/rancher/pkg/namespace"
 	pkgrbac "github.com/rancher/rancher/pkg/rbac"
 	"github.com/rancher/rancher/pkg/types/config"
+	"github.com/rancher/wrangler/pkg/relatedresource"
 	"github.com/sirupsen/logrus"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -43,6 +45,7 @@ const (
 	crbByRoleAndSubjectIndex         = "authz.cluster.cattle.io/crb-by-role-and-subject"
 	rtbLabelUpdated                  = "authz.cluster.cattle.io/rtb-label-updated"
 	rtbCrbRbLabelsUpdated            = "authz.cluster.cattle.io/crb-rb-labels-updated"
+	rtByInheritedRTsIndex            = "authz.cluster.cattle.io/rts-by-inherited-rts"
 	impersonationLabel               = "authz.cluster.cattle.io/impersonator"
 
 	rolesCircularSoftLimit = 100
@@ -77,6 +80,13 @@ func Register(ctx context.Context, workload *config.UserContext) {
 	}
 	crbInformer.AddIndexers(crbIndexers)
 
+	// Get RoleTemplates by RoleTemplate they inherit from
+	rtInformer := workload.Management.Wrangler.Mgmt.RoleTemplate().Informer()
+	rtIndexers := map[string]cache.IndexFunc{
+		rtByInheritedRTsIndex: rtByInterhitedRTs,
+	}
+	rtInformer.AddIndexers(rtIndexers)
+
 	r := &manager{
 		workload:            workload,
 		prtbIndexer:         prtbInformer.GetIndexer(),
@@ -123,6 +133,8 @@ func Register(ctx context.Context, workload *config.UserContext) {
 
 	workload.Core.Namespaces("").AddLifecycle(ctx, "namespace-auth", newNamespaceLifecycle(r, sync))
 	management.Management.RoleTemplates("").AddHandler(ctx, "cluster-roletemplate-sync", newRTLifecycle(r))
+	relatedresource.WatchClusterScoped(ctx, "enqueue-beneficiary-roletemplates", newRTEnqueueFunc(rtInformer.GetIndexer()),
+		management.Wrangler.Mgmt.RoleTemplate(), management.Wrangler.Mgmt.RoleTemplate())
 }
 
 type manager struct {
@@ -633,6 +645,14 @@ func rtbByClusterAndRoleTemplateName(obj interface{}) ([]string, error) {
 	return []string{idx}, nil
 }
 
+func rtByInterhitedRTs(obj interface{}) ([]string, error) {
+	rt, ok := obj.(*wranglerv3.RoleTemplate)
+	if !ok {
+		return nil, fmt.Errorf("failed to convert object to *RoleTemplate in indexer [%s]", rtByInheritedRTsIndex)
+	}
+	return rt.RoleTemplateNames, nil
+}
+
 func rtbByClusterAndUserNotDeleting(obj interface{}) ([]string, error) {
 	meta, err := meta.Accessor(obj)
 	if err != nil {

pkg/controllers/managementuser/rbac/roletemplate_handler.go

@@ -2,12 +2,15 @@ package rbac
 
 import (
 	"github.com/pkg/errors"
+	wranglerv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
 	"github.com/rancher/rancher/pkg/rbac"
+	"github.com/rancher/wrangler/pkg/relatedresource"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/cache"
 )
 
 func newRTLifecycle(m *manager) v3.RoleTemplateHandlerFunc {
@@ -24,6 +27,17 @@ type rtSync struct {
 	m *manager
 }
 
+func newRTEnqueueFunc(rtIndxer cache.Indexer) relatedresource.Resolver {
+	return (&rtEnqueue{rtIndexer: rtIndxer}).rtRelatedResources
+}
+
+// rtEnqueue is responsible for returning RoleTemplates names that inherit from a changed roletemplate and should be
+// enqueued as a result. This is to ensure those beneficiary roletemplates make the necessary syncs for their own
+// corresponding clusterRoles.
+type rtEnqueue struct {
+	rtIndexer cache.Indexer
+}
+
 func (c *rtSync) sync(key string, obj *v3.RoleTemplate) (runtime.Object, error) {
 	if obj == nil || obj.DeletionTimestamp != nil {
 		return nil, nil
@@ -134,3 +148,15 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []
 	}
 	return nil
 }
+
+func (r *rtEnqueue) rtRelatedResources(_, name string, _ runtime.Object) ([]relatedresource.Key, error) {
+	beneficiaryRTs, err := r.rtIndexer.ByIndex(rtByInheritedRTsIndex, name)
+	if err != nil {
+		return nil, err
+	}
+	result := make([]relatedresource.Key, len(beneficiaryRTs))
+	for i, rt := range beneficiaryRTs {
+		result[i] = relatedresource.Key{Name: rt.(*wranglerv3.RoleTemplate).Name}
+	}
+	return result, nil
+}

tests/framework/extensions/kubeapi/rbac/rbac.go

@@ -13,6 +13,14 @@ var RoleGroupVersionResource = schema.GroupVersionResource{
 	Resource: "roles",
 }
 
+// ClusterRoleGroupVersionResource is the required Group Version Resource for accessing clusterroles in a cluster,
+// using the dynamic client.
+var ClusterRoleGroupVersionResource = schema.GroupVersionResource{
+	Group:    rbacv1.SchemeGroupVersion.Group,
+	Version:  rbacv1.SchemeGroupVersion.Version,
+	Resource: "clusterroles",
+}
+
 // RoleBindingGroupVersionResource is the required Group Version Resource for accessing rolebindings in a cluster,
 // using the dynamic client.
 var RoleBindingGroupVersionResource = schema.GroupVersionResource{

tests/framework/extensions/namespaces/create.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"fmt"
 	"strings"
-	kwait "k8s.io/apimachinery/pkg/util/wait"
 	"time"
+
 	"github.com/rancher/rancher/pkg/api/scheme"
 	"github.com/rancher/rancher/tests/framework/clients/rancher"
 	management "github.com/rancher/rancher/tests/framework/clients/rancher/generated/management/v3"
@@ -18,6 +18,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kubeUnstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	kwait "k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 )