fix: SCC user update should work correctly

Signed-off-by: Jakob Möller <jmoller@redhat.com>
openshift · Mar 15, 2024 · e8f810c · e8f810c
1 parent 5189528
commit e8f810c
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 2 deletions.
diff --git a/internal/controllers/lvmcluster/controller_integration_test.go b/internal/controllers/lvmcluster/controller_integration_test.go
@@ -18,10 +18,12 @@ package lvmcluster
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	secv1 "github.com/openshift/api/security/v1"
 	lvmv1alpha1 "github.com/openshift/lvm-operator/api/v1alpha1"
 	"github.com/openshift/lvm-operator/internal/controllers/constants"
 	"github.com/openshift/lvm-operator/internal/controllers/lvmcluster/resource"
@@ -174,6 +176,31 @@ var _ = Describe("LVMCluster controller", func() {
 				}).WithContext(ctx).Should(Succeed())
 				scOut = &storagev1.StorageClass{}
 			}
+
+			By("confirming creation of the SecurityContextConstraints")
+			// we only have one SCC for vg-manager
+			scc := &secv1.SecurityContextConstraints{}
+			Eventually(func(ctx context.Context) error {
+				return k8sClient.Get(ctx, types.NamespacedName{Name: constants.SCCPrefix + "vgmanager"}, scc)
+			}).WithContext(ctx).Should(Succeed())
+			Expect(scc.Users).ToNot(BeEmpty())
+			Expect(scc.Users).To(ContainElement(
+				fmt.Sprintf("system:serviceaccount:%s:%s", testLvmClusterNamespace, constants.VGManagerServiceAccount)))
+			scc = nil
+
+			By("confirming overwriting the SCC User gets reset")
+			Eventually(func(ctx context.Context) []string {
+				oldSCC := &secv1.SecurityContextConstraints{}
+				Expect(k8sClient.Get(ctx, types.NamespacedName{Name: constants.SCCPrefix + "vgmanager"}, oldSCC)).To(Succeed())
+				Expect(k8sClient.Patch(ctx, oldSCC, client.RawPatch(types.MergePatchType, []byte(`{"users": []}`)))).To(Succeed())
+				return oldSCC.Users
+			}).WithContext(ctx).Should(BeEmpty())
+
+			Eventually(func(ctx context.Context) []string {
+				scc := &secv1.SecurityContextConstraints{}
+				Expect(k8sClient.Get(ctx, types.NamespacedName{Name: constants.SCCPrefix + "vgmanager"}, scc)).To(Succeed())
+				return scc.Users
+			}).WithContext(ctx).WithTimeout(5 * time.Second).Should(Not(BeEmpty()))
 		})
 	})
 

diff --git a/internal/controllers/lvmcluster/resource/scc.go b/internal/controllers/lvmcluster/resource/scc.go
@@ -54,10 +54,19 @@ func (c openshiftSccs) GetName() string {
 func (c openshiftSccs) EnsureCreated(r Reconciler, ctx context.Context, cluster *lvmv1alpha1.LVMCluster) error {
 	logger := log.FromContext(ctx).WithValues("resourceManager", c.GetName())
 	sccs := getAllSCCs(r.GetNamespace())
-	for _, scc := range sccs {
+	for _, template := range sccs {
+		scc := &secv1.SecurityContextConstraints{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: template.Name,
+			},
+		}
+
 		result, err := cutil.CreateOrUpdate(ctx, r, scc, func() error {
+			if scc.CreationTimestamp.IsZero() {
+				template.DeepCopyInto(scc)
+			}
 			labels.SetManagedLabels(r.Scheme(), scc, cluster)
-			// no need to mutate any field
+			scc.Users = template.Users
 			return nil
 		})
 		if err != nil {