Add serviceaccount component

- Remove serviceaccount from template yaml from chart - Add unit tests for serviceaccount component
gardener · Mar 29, 2023 · 4303c81 · 4303c81
1 parent 0299799
commit 4303c81
Show file tree

Hide file tree

Showing 9 changed files with 437 additions and 70 deletions.
diff --git a/api/v1alpha1/types_etcd.go b/api/v1alpha1/types_etcd.go
@@ -20,6 +20,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
 )
 
 // TODO Remove unused constants
@@ -449,3 +450,23 @@ func (e *Etcd) GetDeltaSnapshotLeaseName() string {
 func (e *Etcd) GetFullSnapshotLeaseName() string {
 	return fmt.Sprintf("%s-full-snap", e.Name)
 }
+
+// GetDefaultLabels returns the default labels for etcd.
+func (e *Etcd) GetDefaultLabels() map[string]string {
+	return map[string]string{
+		"name":     "etcd",
+		"instance": e.Name,
+	}
+}
+
+// GetAsOwnerReference returns an OwnerReference object that represents the current Etcd instance.
+func (e *Etcd) GetAsOwnerReference() metav1.OwnerReference {
+	return metav1.OwnerReference{
+		APIVersion:         GroupVersion.String(),
+		Kind:               "Etcd",
+		Name:               e.Name,
+		UID:                e.UID,
+		Controller:         pointer.Bool(true),
+		BlockOwnerDeletion: pointer.Bool(true),
+	}
+}
diff --git a/charts/etcd/templates/etcd-serviceaccount.yaml b/charts/etcd/templates/etcd-serviceaccount.yaml
diff --git a/controllers/etcd/reconciler.go b/controllers/etcd/reconciler.go
@@ -27,6 +27,7 @@ import (
 	componentlease "github.com/gardener/etcd-druid/pkg/component/etcd/lease"
 	componentpdb "github.com/gardener/etcd-druid/pkg/component/etcd/poddisruptionbudget"
 	componentservice "github.com/gardener/etcd-druid/pkg/component/etcd/service"
+	componentserviceaccount "github.com/gardener/etcd-druid/pkg/component/etcd/serviceaccount"
 	componentsts "github.com/gardener/etcd-druid/pkg/component/etcd/statefulset"
 	druidutils "github.com/gardener/etcd-druid/pkg/utils"
 
@@ -262,6 +263,14 @@ func (r *Reconciler) delete(ctx context.Context, etcd *druidv1alpha1.Etcd) (ctrl
 		}, err
 	}
 
+	saValues := componentserviceaccount.GenerateValues(etcd, r.config.DisableEtcdServiceAccountAutomount)
+	saDeployer := componentserviceaccount.New(r.Client, saValues)
+	if err := saDeployer.Destroy(ctx); err != nil {
+		return ctrl.Result{
+			Requeue: true,
+		}, err
+	}
+
 	if sets.NewString(etcd.Finalizers...).Has(common.FinalizerName) {
 		logger.Info("Removing finalizer")
 		if err := controllerutils.RemoveFinalizers(ctx, r.Client, etcd, common.FinalizerName); client.IgnoreNotFound(err) != nil {
@@ -274,51 +283,6 @@ func (r *Reconciler) delete(ctx context.Context, etcd *druidv1alpha1.Etcd) (ctrl
 	return ctrl.Result{}, nil
 }
 
-func (r *Reconciler) reconcileServiceAccount(ctx context.Context, logger logr.Logger, etcd *druidv1alpha1.Etcd, values map[string]interface{}) error {
-	logger.Info("Reconciling serviceaccount")
-	var err error
-
-	decoded, err := r.chart.decodeServiceAccount(etcd.Name, etcd.Namespace, values)
-	if err != nil {
-		return err
-	}
-
-	saObj := &corev1.ServiceAccount{}
-	key := client.ObjectKeyFromObject(decoded)
-	if err := r.Get(ctx, key, saObj); err != nil {
-		if !apierrors.IsNotFound(err) {
-			return err
-		}
-		if err := r.Create(ctx, decoded); err != nil {
-			return err
-		}
-		logger.Info("Creating serviceaccount", "serviceaccount", kutil.Key(decoded.Namespace, decoded.Name).String())
-		return nil
-	}
-
-	var (
-		mustPatch bool
-		saObjCopy = saObj.DeepCopy()
-	)
-
-	if !reflect.DeepEqual(decoded.Labels, saObj.Labels) {
-		saObjCopy.Labels = decoded.Labels
-		mustPatch = true
-	}
-
-	if !reflect.DeepEqual(decoded.AutomountServiceAccountToken, saObj.AutomountServiceAccountToken) {
-		saObjCopy.AutomountServiceAccountToken = decoded.AutomountServiceAccountToken
-		mustPatch = true
-	}
-
-	if !mustPatch {
-		return nil
-	}
-
-	logger.Info("Update serviceaccount")
-	return r.Patch(ctx, saObjCopy, client.MergeFrom(saObj))
-}
-
 func (r *Reconciler) reconcileRole(ctx context.Context, logger logr.Logger, etcd *druidv1alpha1.Etcd, values map[string]interface{}) error {
 	logger.Info("Reconciling role")
 	var err error
@@ -427,22 +391,24 @@ func (r *Reconciler) reconcileEtcd(ctx context.Context, logger logr.Logger, etcd
 		return reconcileResult{err: err}
 	}
 
-	values, err := r.getMapFromEtcd(etcd, r.config.DisableEtcdServiceAccountAutomount)
+	saValues := componentserviceaccount.GenerateValues(etcd, r.config.DisableEtcdServiceAccountAutomount)
+	saDeployer := componentserviceaccount.New(r.Client, saValues)
+	err = saDeployer.Deploy(ctx)
 	if err != nil {
 		return reconcileResult{err: err}
 	}
 
-	err = r.reconcileServiceAccount(ctx, logger, etcd, values)
+	roleValues, err := r.getMapFromEtcd(etcd, r.config.DisableEtcdServiceAccountAutomount)
 	if err != nil {
 		return reconcileResult{err: err}
 	}
 
-	err = r.reconcileRole(ctx, logger, etcd, values)
+	err = r.reconcileRole(ctx, logger, etcd, roleValues)
 	if err != nil {
 		return reconcileResult{err: err}
 	}
 
-	err = r.reconcileRoleBinding(ctx, logger, etcd, values)
+	err = r.reconcileRoleBinding(ctx, logger, etcd, roleValues)
 	if err != nil {
 		return reconcileResult{err: err}
 	}

diff --git a/pkg/component/etcd/serviceaccount/serviceaccount.go b/pkg/component/etcd/serviceaccount/serviceaccount.go
@@ -0,0 +1,66 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package serviceaccount
+
+import (
+	"context"
+
+	"github.com/gardener/gardener/pkg/controllerutils"
+
+	gardenercomponent "github.com/gardener/gardener/pkg/operation/botanist/component"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type component struct {
+	client client.Client
+	values *Values
+}
+
+func (c component) Deploy(ctx context.Context) error {
+	serviceAccount := c.emptyServiceAccount()
+	_, err := controllerutils.GetAndCreateOrStrategicMergePatch(ctx, c.client, serviceAccount, func() error {
+		serviceAccount.Name = c.values.Name
+		serviceAccount.Namespace = c.values.Namespace
+		serviceAccount.Labels = c.values.Labels
+		serviceAccount.OwnerReferences = c.values.OwnerReferences
+		serviceAccount.AutomountServiceAccountToken = pointer.Bool(!c.values.DisableAutomount)
+		return nil
+	})
+	return err
+}
+
+func (c component) Destroy(ctx context.Context) error {
+	return client.IgnoreNotFound(c.client.Delete(ctx, c.emptyServiceAccount()))
+}
+
+func (c component) emptyServiceAccount() *corev1.ServiceAccount {
+	return &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      c.values.Name,
+			Namespace: c.values.Namespace,
+		},
+	}
+}
+
+// New creates a new service account deployer instance.
+func New(c client.Client, value *Values) gardenercomponent.Deployer {
+	return &component{
+		client: c,
+		values: value,
+	}
+}
diff --git a/pkg/component/etcd/serviceaccount/serviceaccount_suite_test.go b/pkg/component/etcd/serviceaccount/serviceaccount_suite_test.go
@@ -0,0 +1,27 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package serviceaccount
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestService(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "ServiceAccount Component Suite")
+}