feat: Resync resources in the namespaces on NamespaceCredential chang…

…es (#1143)

charts/controller/crds/deployments.plural.sh_namespacecredentials.yaml

@@ -138,6 +138,9 @@ spec:
                 x-kubernetes-list-map-keys:
                 - type
                 x-kubernetes-list-type: map
+              tokenSHA:
+                description: TokenSHA contains SHA of last token seen.
+                type: string
             type: object
         required:
         - spec

controller/api/v1alpha1/clusterrestoretrigger_types.go

@@ -29,12 +29,6 @@ type ClusterRestoreTriggerSpec struct {
 	ClusterRestoreRef *corev1.ObjectReference `json:"clusterRestoreRef,omitempty"`
 }
 
-// ClusterRestoreTriggerStatus defines the observed state of ClusterRestoreTrigger
-type ClusterRestoreTriggerStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-}
-
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
 

controller/api/v1alpha1/common_types.go

@@ -142,8 +142,9 @@ func (c ConditionMessage) String() string {
 }
 
 const (
-	ReadonlyTrueConditionMessage         ConditionMessage = "Running in read-only mode"
-	SynchronizedNotFoundConditionMessage ConditionMessage = "Could not find resource in Console API"
+	ReadonlyTrueConditionMessage          ConditionMessage = "Running in read-only mode"
+	SynchronizedNotFoundConditionMessage  ConditionMessage = "Could not find resource in Console API"
+	NamespacedCredentialsConditionMessage ConditionMessage = "Using default credentials"
 )
 
 // GitRef ...

controller/api/v1alpha1/namespacecredentials_types.go

@@ -50,6 +50,11 @@ type NamespaceCredentialsSpec struct {
 }
 
 type NamespaceCredentialsStatus struct {
+	// TokenSHA contains SHA of last token seen.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Type:=string
+	TokenSHA *string `json:"tokenSHA,omitempty"`
+
 	// Conditions represent the observations of a NamespaceCredentials current state.
 	// +patchMergeKey=type
 	// +patchStrategy=merge

controller/config/crd/bases/deployments.plural.sh_namespacecredentials.yaml

@@ -138,6 +138,9 @@ spec:
                 x-kubernetes-list-map-keys:
                 - type
                 x-kubernetes-list-type: map
+              tokenSHA:
+                description: TokenSHA contains SHA of last token seen.
+                type: string
             type: object
         required:
         - spec

controller/internal/client/console.go

@@ -5,9 +5,8 @@ import (
 	"net/http"
 
 	console "github.com/pluralsh/console-client-go"
-	"github.com/pluralsh/console/controller/internal/credentials"
-
 	"github.com/pluralsh/console/controller/api/v1alpha1"
+	"github.com/pluralsh/console/controller/internal/credentials"
 )
 
 type authedTransport struct {

controller/internal/controller/cluster_controller.go

@@ -42,7 +42,8 @@ type ClusterReconciler struct {
 // SetupWithManager sets up the controller with the Manager.
 func (r *ClusterReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		WithOptions(controller.Options{MaxConcurrentReconciles: 1}). // Hard requirement for current namespace credentials implementation.
+		WithOptions(controller.Options{MaxConcurrentReconciles: 1}).                                                     // Requirement for credentials implementation.
+		Watches(&v1alpha1.NamespaceCredentials{}, credentials.OnCredentialsChange(r.Client, new(v1alpha1.ClusterList))). // Reconcile objects on credentials change.
 		For(&v1alpha1.Cluster{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
 		Complete(r)
 }
@@ -76,7 +77,7 @@ func (r *ClusterReconciler) Reconcile(ctx context.Context, req reconcile.Request
 
 	// Switch to namespace credentials if configured. This has to be done before sending any request to the console.
 	nc, err := r.ConsoleClient.UseCredentials(req.Namespace, r.CredentialsCache)
-	utils.MarkCredentialsCondition(cluster.SetCondition, nc, err)
+	credentials.SyncCredentialsInfo(cluster, cluster.SetCondition, nc, err)
 	if err != nil {
 		logger.Error(err, "failed to use namespace credentials", "namespaceCredentials", nc, "namespacedName", req.NamespacedName)
 		utils.MarkCondition(cluster.SetCondition, v1alpha1.SynchronizedConditionType, v1.ConditionFalse, v1alpha1.SynchronizedConditionReasonError, fmt.Sprintf("failed to use %s namespace credentials: %s", nc, err.Error()))

controller/internal/controller/cluster_controller_test.go

@@ -176,7 +176,7 @@ var _ = Describe("Cluster Controller", Ordered, func() {
 							Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 							Status:  metav1.ConditionFalse,
 							Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-							Message: "using default credentials",
+							Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 						},
 						{
 							Type:   v1alpha1.ReadonlyConditionType.String(),
@@ -229,7 +229,7 @@ var _ = Describe("Cluster Controller", Ordered, func() {
 							Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 							Status:  metav1.ConditionFalse,
 							Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-							Message: "using default credentials",
+							Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 						},
 						{
 							Type:   v1alpha1.ReadonlyConditionType.String(),
@@ -283,7 +283,7 @@ var _ = Describe("Cluster Controller", Ordered, func() {
 							Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 							Status:  metav1.ConditionFalse,
 							Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-							Message: "using default credentials",
+							Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 						},
 						{
 							Type:   v1alpha1.ReadonlyConditionType.String(),
@@ -327,7 +327,7 @@ var _ = Describe("Cluster Controller", Ordered, func() {
 							Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 							Status:  metav1.ConditionFalse,
 							Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-							Message: "using default credentials",
+							Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 						},
 						{
 							Type:    v1alpha1.ReadonlyConditionType.String(),
@@ -384,7 +384,7 @@ var _ = Describe("Cluster Controller", Ordered, func() {
 							Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 							Status:  metav1.ConditionFalse,
 							Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-							Message: "using default credentials",
+							Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 						},
 						{
 							Type:    v1alpha1.ReadonlyConditionType.String(),
@@ -432,7 +432,7 @@ var _ = Describe("Cluster Controller", Ordered, func() {
 							Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 							Status:  metav1.ConditionFalse,
 							Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-							Message: "using default credentials",
+							Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 						},
 						{
 							Type:    v1alpha1.ReadonlyConditionType.String(),
@@ -482,7 +482,7 @@ var _ = Describe("Cluster Controller", Ordered, func() {
 							Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 							Status:  metav1.ConditionFalse,
 							Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-							Message: "using default credentials",
+							Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 						},
 						{
 							Type:    v1alpha1.ReadonlyConditionType.String(),

controller/internal/controller/clusterrestore_controller.go

@@ -76,7 +76,7 @@ func (r *ClusterRestoreReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 
 	// Switch to namespace credentials if configured. This has to be done before sending any request to the console.
 	nc, err := r.ConsoleClient.UseCredentials(req.Namespace, r.CredentialsCache)
-	utils.MarkCredentialsCondition(restore.SetCondition, nc, err)
+	credentials.SyncCredentialsInfo(restore, restore.SetCondition, nc, err)
 	if err != nil {
 		logger.Error(err, "failed to use namespace credentials", "namespaceCredentials", nc, "namespacedName", req.NamespacedName)
 		utils.MarkCondition(restore.SetCondition, v1alpha1.SynchronizedConditionType, v1.ConditionFalse, v1alpha1.SynchronizedConditionReasonError, fmt.Sprintf("failed to use %s namespace credentials: %s", nc, err.Error()))
@@ -149,7 +149,8 @@ func (r *ClusterRestoreReconciler) sync(ctx context.Context, restore *v1alpha1.C
 // SetupWithManager sets up the controller with the Manager.
 func (r *ClusterRestoreReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		WithOptions(controller.Options{MaxConcurrentReconciles: 1}). // Hard requirement for current namespace credentials implementation.
+		WithOptions(controller.Options{MaxConcurrentReconciles: 1}).                                                            // Requirement for credentials implementation.
+		Watches(&v1alpha1.NamespaceCredentials{}, credentials.OnCredentialsChange(r.Client, new(v1alpha1.ClusterRestoreList))). // Reconcile objects on credentials change.
 		For(&v1alpha1.ClusterRestore{}).
 		Complete(r)
 }

controller/internal/controller/clusterrestore_controller_test.go

@@ -95,7 +95,7 @@ var _ = Describe("Cluster Restore Controller", Ordered, func() {
 						Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 						Status:  metav1.ConditionFalse,
 						Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-						Message: "using default credentials",
+						Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 					},
 					{
 						Type:   v1alpha1.ReadyConditionType.String(),

controller/internal/controller/clusterrestoretrigger_controller.go

@@ -94,7 +94,7 @@ func (r *ClusterRestoreTriggerReconciler) Reconcile(ctx context.Context, req ctr
 
 	// Switch to namespace credentials if configured. This has to be done before sending any request to the console.
 	nc, err := r.ConsoleClient.UseCredentials(req.Namespace, r.CredentialsCache)
-	utils.MarkCredentialsCondition(trigger.SetCondition, nc, err)
+	credentials.SyncCredentialsInfo(trigger, trigger.SetCondition, nc, err)
 	if err != nil {
 		logger.Error(err, "failed to use namespace credentials", "namespaceCredentials", nc, "namespacedName", req.NamespacedName)
 		utils.MarkCondition(trigger.SetCondition, v1alpha1.SynchronizedConditionType, v1.ConditionFalse, v1alpha1.SynchronizedConditionReasonError, fmt.Sprintf("failed to use %s namespace credentials: %s", nc, err.Error()))
@@ -149,7 +149,8 @@ func (r *ClusterRestoreTriggerReconciler) isAlreadyExists(ctx context.Context, t
 // SetupWithManager sets up the controller with the Manager.
 func (r *ClusterRestoreTriggerReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		WithOptions(controller.Options{MaxConcurrentReconciles: 1}). // Hard requirement for current namespace credentials implementation.
+		WithOptions(controller.Options{MaxConcurrentReconciles: 1}).                                                                   // Requirement for credentials implementation.
+		Watches(&v1alpha1.NamespaceCredentials{}, credentials.OnCredentialsChange(r.Client, new(v1alpha1.ClusterRestoreTriggerList))). // Reconcile objects on credentials change.
 		For(&v1alpha1.ClusterRestoreTrigger{}).
 		Complete(r)
 }

controller/internal/controller/customstackrun_controller.go

@@ -79,7 +79,7 @@ func (r *CustomStackRunReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 
 	// Switch to namespace credentials if configured. This has to be done before sending any request to the console.
 	nc, err := r.ConsoleClient.UseCredentials(req.Namespace, r.CredentialsCache)
-	utils.MarkCredentialsCondition(stack.SetCondition, nc, err)
+	credentials.SyncCredentialsInfo(stack, stack.SetCondition, nc, err)
 	if err != nil {
 		logger.Error(err, "failed to use namespace credentials", "namespaceCredentials", nc, "namespacedName", req.NamespacedName)
 		utils.MarkCondition(stack.SetCondition, v1alpha1.SynchronizedConditionType, v1.ConditionFalse, v1alpha1.SynchronizedConditionReasonError, fmt.Sprintf("failed to use %s namespace credentials: %s", nc, err.Error()))
@@ -141,7 +141,8 @@ func (r *CustomStackRunReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 // SetupWithManager sets up the controller with the Manager.
 func (r *CustomStackRunReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		WithOptions(controller.Options{MaxConcurrentReconciles: 1}). // Hard requirement for current namespace credentials implementation.
+		WithOptions(controller.Options{MaxConcurrentReconciles: 1}).                                                            // Requirement for credentials implementation.
+		Watches(&v1alpha1.NamespaceCredentials{}, credentials.OnCredentialsChange(r.Client, new(v1alpha1.CustomStackRunList))). // Reconcile objects on credentials change.
 		For(&v1alpha1.CustomStackRun{}).
 		Complete(r)
 }

controller/internal/controller/customstackrun_test.go

@@ -133,7 +133,7 @@ var _ = Describe("Custom Stack Run Controller", Ordered, func() {
 							Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 							Status:  metav1.ConditionFalse,
 							Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-							Message: "using default credentials",
+							Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 						},
 						{
 							Type:   v1alpha1.ReadyConditionType.String(),
@@ -188,7 +188,7 @@ var _ = Describe("Custom Stack Run Controller", Ordered, func() {
 							Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 							Status:  metav1.ConditionFalse,
 							Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-							Message: "using default credentials",
+							Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 						},
 						{
 							Type:   v1alpha1.ReadyConditionType.String(),

controller/internal/controller/deploymentsettings_controller.go

@@ -86,7 +86,7 @@ func (r *DeploymentSettingsReconciler) Reconcile(ctx context.Context, req ctrl.R
 
 	// Switch to namespace credentials if configured. This has to be done before sending any request to the console.
 	nc, err := r.ConsoleClient.UseCredentials(req.Namespace, r.CredentialsCache)
-	utils.MarkCredentialsCondition(settings.SetCondition, nc, err)
+	credentials.SyncCredentialsInfo(settings, settings.SetCondition, nc, err)
 	if err != nil {
 		logger.Error(err, "failed to use namespace credentials", "namespaceCredentials", nc, "namespacedName", req.NamespacedName)
 		utils.MarkCondition(settings.SetCondition, v1alpha1.SynchronizedConditionType, v1.ConditionFalse, v1alpha1.SynchronizedConditionReasonError, fmt.Sprintf("failed to use %s namespace credentials: %s", nc, err.Error()))
@@ -131,7 +131,8 @@ func (r *DeploymentSettingsReconciler) Reconcile(ctx context.Context, req ctrl.R
 // SetupWithManager sets up the controller with the Manager.
 func (r *DeploymentSettingsReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		WithOptions(controller.Options{MaxConcurrentReconciles: 1}). // Hard requirement for current namespace credentials implementation.
+		WithOptions(controller.Options{MaxConcurrentReconciles: 1}).                                                                // Requirement for credentials implementation.
+		Watches(&v1alpha1.NamespaceCredentials{}, credentials.OnCredentialsChange(r.Client, new(v1alpha1.DeploymentSettingsList))). // Reconcile objects on credentials change.
 		For(&v1alpha1.DeploymentSettings{}).
 		Complete(r)
 }

controller/internal/controller/deploymentsettings_test.go

@@ -91,7 +91,7 @@ var _ = Describe("DeploymentSettings Controller", Ordered, func() {
 							Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 							Status:  metav1.ConditionFalse,
 							Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-							Message: "using default credentials",
+							Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 						},
 						{
 							Type:   v1alpha1.ReadyConditionType.String(),

controller/internal/controller/globalservice_controller.go

@@ -21,7 +21,11 @@ import (
 	"fmt"
 
 	console "github.com/pluralsh/console-client-go"
+	"github.com/pluralsh/console/controller/api/v1alpha1"
+	consoleclient "github.com/pluralsh/console/controller/internal/client"
 	"github.com/pluralsh/console/controller/internal/credentials"
+	"github.com/pluralsh/console/controller/internal/errors"
+	"github.com/pluralsh/console/controller/internal/utils"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -32,11 +36,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
-
-	"github.com/pluralsh/console/controller/api/v1alpha1"
-	consoleclient "github.com/pluralsh/console/controller/internal/client"
-	"github.com/pluralsh/console/controller/internal/errors"
-	"github.com/pluralsh/console/controller/internal/utils"
 )
 
 const (
@@ -81,7 +80,7 @@ func (r *GlobalServiceReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 
 	// Switch to namespace credentials if configured. This has to be done before sending any request to the console.
 	nc, err := r.ConsoleClient.UseCredentials(req.Namespace, r.CredentialsCache)
-	utils.MarkCredentialsCondition(globalService.SetCondition, nc, err)
+	credentials.SyncCredentialsInfo(globalService, globalService.SetCondition, nc, err)
 	if err != nil {
 		logger.Error(err, "failed to use namespace credentials", "namespaceCredentials", nc, "namespacedName", req.NamespacedName)
 		utils.MarkCondition(globalService.SetCondition, v1alpha1.SynchronizedConditionType, v1.ConditionFalse, v1alpha1.SynchronizedConditionReasonError, fmt.Sprintf("failed to use %s namespace credentials: %s", nc, err.Error()))
@@ -275,7 +274,8 @@ func (r *GlobalServiceReconciler) handleDelete(ctx context.Context, service *v1a
 // SetupWithManager sets up the controller with the Manager.
 func (r *GlobalServiceReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		WithOptions(controller.Options{MaxConcurrentReconciles: 1}). // Hard requirement for current namespace credentials implementation.
+		WithOptions(controller.Options{MaxConcurrentReconciles: 1}).                                                           // Requirement for credentials implementation.
+		Watches(&v1alpha1.NamespaceCredentials{}, credentials.OnCredentialsChange(r.Client, new(v1alpha1.GlobalServiceList))). // Reconcile objects on credentials change.
 		For(&v1alpha1.GlobalService{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
 		Owns(&v1alpha1.ServiceDeployment{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
 		Complete(r)

controller/internal/controller/globalservice_test.go

@@ -147,7 +147,7 @@ var _ = Describe("Global Service Controller", Ordered, func() {
 							Type:    v1alpha1.NamespacedCredentialsConditionType.String(),
 							Status:  metav1.ConditionFalse,
 							Reason:  v1alpha1.NamespacedCredentialsReasonDefault.String(),
-							Message: "using default credentials",
+							Message: v1alpha1.NamespacedCredentialsConditionMessage.String(),
 						},
 						{
 							Type:   v1alpha1.SynchronizedConditionType.String(),