reconcile service account

Author: odacremolbap

pkg/apis/eventing/v1alpha1/redisbroker_lifecycle.go

@@ -23,6 +23,7 @@ const (
 	RedisBrokerRedisService                         apis.ConditionType = "RedisServiceReady"
 	RedisBrokerRedisServiceEndpointsConditionReady  apis.ConditionType = "RedisEndpointsReady"
 	RedisBrokerBrokerDeployment                     apis.ConditionType = "BrokerDeploymentReady"
+	RedisBrokerBrokerServiceAccount                 apis.ConditionType = "BrokerServiceAccountReady"
 	RedisBrokerBrokerService                        apis.ConditionType = "BrokerServiceReady"
 	RedisBrokerBrokerServiceEndpointsConditionReady apis.ConditionType = "BrokerEndpointsReady"
 	RedisBrokerConfigSecret                         apis.ConditionType = "BrokerConfigSecretReady"
@@ -35,6 +36,7 @@ var redisBrokerCondSet = apis.NewLivingConditionSet(
 	RedisBrokerRedisDeployment,
 	RedisBrokerRedisService,
 	RedisBrokerRedisServiceEndpointsConditionReady,
+	RedisBrokerBrokerServiceAccount,
 	RedisBrokerBrokerDeployment,
 	RedisBrokerBrokerService,
 	RedisBrokerBrokerServiceEndpointsConditionReady,
@@ -122,9 +124,22 @@ func (bs *RedisBrokerStatus) MarkConfigSecretReady() {
 	redisBrokerCondSet.Manage(bs).MarkTrue(RedisBrokerConfigSecret)
 }
 
+
 // Manage Redis server state for both
 // Service and Deployment
 
+func (bs *RedisBrokerStatus) MarkBrokerServiceAccountFailed(reason, messageFormat string, messageA ...interface{}) {
+	redisBrokerCondSet.Manage(bs).MarkFalse(RedisBrokerBrokerServiceAccount, reason, messageFormat, messageA...)
+}
+
+func (bs *RedisBrokerStatus) MarkBrokerServiceAccountUnknown(reason, messageFormat string, messageA ...interface{}) {
+	redisBrokerCondSet.Manage(bs).MarkUnknown(RedisBrokerBrokerServiceAccount, reason, messageFormat, messageA...)
+}
+
+func (bs *RedisBrokerStatus) MarkBrokerServiceAccountReady() {
+	redisBrokerCondSet.Manage(bs).MarkTrue(RedisBrokerBrokerServiceAccount)
+}
+
 func (bs *RedisBrokerStatus) MarkRedisDeploymentFailed(reason, messageFormat string, messageA ...interface{}) {
 	redisBrokerCondSet.Manage(bs).MarkFalse(RedisBrokerRedisDeployment, reason, messageFormat, messageA...)
 }

pkg/reconciler/events.go

@@ -20,6 +20,9 @@ const (
 	ReasonFailedDeploymentCreate = "FailedDeploymentCreate"
 	ReasonFailedDeploymentUpdate = "FailedDeploymentUpdate"
 
+	ReasonFailedServiceAccountGet    = "FailedServiceAccountGet"
+	ReasonFailedServiceAccountCreate = "FailedServiceAccountCreate"
+
 	ReasonServiceCreate       = "CreateService"
 	ReasonServiceUpdate       = "UpdateService"
 	ReasonFailedServiceGet    = "FailedServiceGet"

pkg/reconciler/redisbroker/reconcile_broker.go

@@ -3,7 +3,6 @@ package redisbroker
 import (
 	"context"
 	"fmt"
-	"path"
 
 	"go.uber.org/zap"
 
@@ -32,21 +31,27 @@ const (
 	brokerResourceSuffix = "redisbroker-broker"
 )
 
-var (
-	configMountedPath = path.Join(configSecretPath, configSecretFile)
-)
+// var (
+// 	configMountedPath = path.Join(configSecretPath, configSecretFile)
+// )
 
 type brokerReconciler struct {
 	client           kubernetes.Interface
 	deploymentLister appsv1listers.DeploymentLister
+	serviceAccountLister    corev1listers.ServiceAccountLister
 	serviceLister    corev1listers.ServiceLister
 	endpointsLister  corev1listers.EndpointsLister
 	image            string
 	pullPolicy       corev1.PullPolicy
 }
 
 func (r *brokerReconciler) reconcile(ctx context.Context, rb *eventingv1alpha1.RedisBroker, redis *corev1.Service, secret *corev1.Secret) (*appsv1.Deployment, *corev1.Service, error) {
-	d, err := r.reconcileDeployment(ctx, rb, redis, secret)
+	sa, err := r.reconcileServiceAccount(ctx, rb)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	d, err := r.reconcileDeployment(ctx, rb,sa,  redis, secret)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -64,12 +69,57 @@ func (r *brokerReconciler) reconcile(ctx context.Context, rb *eventingv1alpha1.R
 	return d, svc, nil
 }
 
-func buildBrokerDeployment(rb *eventingv1alpha1.RedisBroker, redis *corev1.Service, secret *corev1.Secret, image string, pullPolicy corev1.PullPolicy) *appsv1.Deployment {
+func buildBrokerServiceAccount(rb *eventingv1alpha1.RedisBroker) *corev1.ServiceAccount {
+	return resources.NewServiceAccount(rb.Namespace, rb.Name+"-"+brokerResourceSuffix,
+		resources.ServiceAccountWithMetaOptions(
+			resources.MetaAddLabel(appAnnotation, appAnnotationValue),
+			resources.MetaAddLabel("component", brokerResourceSuffix),
+			resources.MetaAddLabel(resourceNameAnnotation, rb.Name+"-"+brokerResourceSuffix),
+			resources.MetaAddOwner(rb, rb.GetGroupVersionKind())))
+}
+
+func (r *brokerReconciler) reconcileServiceAccount(ctx context.Context, rb *eventingv1alpha1.RedisBroker) (*corev1.ServiceAccount, error) {
+	desired := buildBrokerServiceAccount(rb)
+	current, err := r.serviceAccountLister.ServiceAccounts(desired.Namespace).Get(desired.Name)
+
+	switch {
+	case err == nil:
+		// TODO check RoleBinding
+
+	case !apierrs.IsNotFound(err):
+		// An error occurred retrieving current object.
+		fullname := types.NamespacedName{Namespace: desired.Namespace, Name: desired.Name}
+		logging.FromContext(ctx).Error("Unable to get broker ServiceAccount", zap.String("serviceAccount", fullname.String()), zap.Error(err))
+		rb.Status.MarkBrokerServiceAccountFailed(reconciler.ReasonFailedServiceAccountGet, "Failed to get broker ServiceAccount")
+
+		return nil, pkgreconciler.NewEvent(corev1.EventTypeWarning, reconciler.ReasonFailedServiceAccountGet,
+			"Failed to get broker ServiceAccount %s: %w", fullname, err)
+
+	default:
+		// The ServiceAccount has not been found, create it.
+		current, err = r.client.CoreV1().ServiceAccounts(desired.Namespace).Create(ctx, desired, metav1.CreateOptions{})
+		if err != nil {
+			fullname := types.NamespacedName{Namespace: desired.Namespace, Name: desired.Name}
+			logging.FromContext(ctx).Error("Unable to create broker ServiceAccount", zap.String("serviceAccount", fullname.String()), zap.Error(err))
+			rb.Status.MarkBrokerServiceAccountFailed(reconciler.ReasonFailedServiceAccountCreate, "Failed to create broker ServiceAccount")
+
+			return nil, pkgreconciler.NewEvent(corev1.EventTypeWarning, reconciler.ReasonFailedServiceAccountCreate,
+				"Failed to create broker ServiceAccount %s: %w", fullname, err)
+		}
+	}
+
+	// Update status
+	rb.Status.MarkBrokerServiceAccountReady()
+
+	return current, nil
+}
+
+func buildBrokerDeployment(rb *eventingv1alpha1.RedisBroker,sa *corev1.ServiceAccount, redis *corev1.Service, secret *corev1.Secret, image string, pullPolicy corev1.PullPolicy) *appsv1.Deployment {
 
-	v := resources.NewVolume("config",
-		resources.VolumeFromSecretOption(secret.Name, configSecretKey, configSecretFile))
-	vm := resources.NewVolumeMount("config", configSecretPath,
-		resources.VolumeMountWithReadOnlyOption(true))
+	// v := resources.NewVolume("config",
+	// 	resources.VolumeFromSecretOption(secret.Name, configSecretKey, configSecretFile))
+	// vm := resources.NewVolumeMount("config", configSecretPath,
+	// 	resources.VolumeMountWithReadOnlyOption(true))
 
 	var stream string
 	if rb.Spec.Redis != nil && rb.Spec.Redis.Stream != nil && *rb.Spec.Redis.Stream != "" {
@@ -80,8 +130,13 @@ func buildBrokerDeployment(rb *eventingv1alpha1.RedisBroker, redis *corev1.Servi
 
 	opts := []resources.ContainerOption{
 		resources.ContainerAddArgs("start"),
-		resources.ContainerAddVolumeMount(vm),
-		resources.ContainerAddEnvFromValue("BROKER_CONFIG_PATH", configMountedPath),
+		// resources.ContainerAddVolumeMount(vm),
+		// resources.ContainerAddEnvFromValue("BROKER_CONFIG_PATH", configMountedPath),
+		resources.ContainerAddEnvFromFieldRef("KUBERNETES_NAMESPACE", "metadata.namespace"),
+		// resources.ContainerAddEnvFromValue("KUBERNETES_NAMESPACE", rb.Namespace),
+		resources.ContainerAddEnvFromValue("BROKER_CONFIG_KUBERNETES_SECRET_NAME", secret.Name),
+		resources.ContainerAddEnvFromValue("BROKER_CONFIG_KUBERNETES_SECRET_KEY", configSecretKey),
+
 		resources.ContainerAddEnvFromValue("REDIS_STREAM", stream),
 		resources.ContainerWithImagePullPolicy(pullPolicy),
 	}
@@ -127,13 +182,13 @@ func buildBrokerDeployment(rb *eventingv1alpha1.RedisBroker, redis *corev1.Servi
 		resources.DeploymentAddSelectorForTemplate(resourceNameAnnotation, rb.Name+"-"+brokerResourceSuffix),
 		resources.DeploymentSetReplicas(1),
 		resources.DeploymentWithTemplateOptions(
-			resources.PodSpecAddVolume(v),
+			// resources.PodSpecAddVolume(v),
 			resources.PodSpecAddContainer(
 				resources.NewContainer("broker", image, opts...))))
 }
 
-func (r *brokerReconciler) reconcileDeployment(ctx context.Context, rb *eventingv1alpha1.RedisBroker, redis *corev1.Service, secret *corev1.Secret) (*appsv1.Deployment, error) {
-	desired := buildBrokerDeployment(rb, redis, secret, r.image, r.pullPolicy)
+func (r *brokerReconciler) reconcileDeployment(ctx context.Context, rb *eventingv1alpha1.RedisBroker,sa *corev1.ServiceAccount, redis *corev1.Service, secret *corev1.Secret) (*appsv1.Deployment, error) {
+	desired := buildBrokerDeployment(rb,sa, redis, secret, r.image, r.pullPolicy)
 	current, err := r.deploymentLister.Deployments(desired.Namespace).Get(desired.Name)
 	switch {
 	case err == nil:
@@ -154,7 +209,7 @@ func (r *brokerReconciler) reconcileDeployment(ctx context.Context, rb *eventing
 		}
 
 	case !apierrs.IsNotFound(err):
-		// An error ocurred retrieving current deployment.
+		// An error occurred retrieving current deployment.
 		fullname := types.NamespacedName{Namespace: desired.Namespace, Name: desired.Name}
 		logging.FromContext(ctx).Error("Unable to get broker deployment", zap.String("deployment", fullname.String()), zap.Error(err))
 		rb.Status.MarkBrokerDeploymentFailed(reconciler.ReasonFailedDeploymentGet, "Failed to get broker deployment")
@@ -216,7 +271,7 @@ func (r *brokerReconciler) reconcileService(ctx context.Context, rb *eventingv1a
 		}
 
 	case !apierrs.IsNotFound(err):
-		// An error ocurred retrieving current object.
+		// An error occurred retrieving current object.
 		fullname := types.NamespacedName{Namespace: desired.Namespace, Name: desired.Name}
 		logging.FromContext(ctx).Error("Unable to get the service", zap.String("service", fullname.String()), zap.Error(err))
 		rb.Status.MarkBrokerServiceFailed(reconciler.ReasonFailedServiceGet, "Failed to get broker service")

pkg/reconciler/redisbroker/reconcile_redis.go

@@ -97,7 +97,7 @@ func (r *redisReconciler) reconcileDeployment(ctx context.Context, rb *eventingv
 		}
 
 	case !apierrs.IsNotFound(err):
-		// An error ocurred retrieving current deployment.
+		// An error occurred retrieving current deployment.
 		fullname := types.NamespacedName{Namespace: desired.Namespace, Name: desired.Name}
 		logging.FromContext(ctx).Error("Unable to get the deployment", zap.String("deployment", fullname.String()), zap.Error(err))
 		rb.Status.MarkRedisDeploymentFailed(reconciler.ReasonFailedDeploymentGet, "Failed to get Redis deployment")
@@ -158,7 +158,7 @@ func (r *redisReconciler) reconcileService(ctx context.Context, rb *eventingv1al
 		}
 
 	case !apierrs.IsNotFound(err):
-		// An error ocurred retrieving current object.
+		// An error occurred retrieving current object.
 		fullname := types.NamespacedName{Namespace: desired.Namespace, Name: desired.Name}
 		logging.FromContext(ctx).Error("Unable to get the service", zap.String("service", fullname.String()), zap.Error(err))
 		rb.Status.MarkRedisServiceFailed(reconciler.ReasonFailedServiceGet, "Failed to get Redis service")

pkg/reconciler/redisbroker/reconcile_secret.go

@@ -68,7 +68,7 @@ func (r *secretReconciler) reconcile(ctx context.Context, rb *eventingv1alpha1.R
 		}
 
 	case !apierrs.IsNotFound(err):
-		// An error ocurred retrieving current deployment.
+		// An error occurred retrieving current deployment.
 		fullname := types.NamespacedName{Namespace: desired.Namespace, Name: desired.Name}
 		logging.FromContext(ctx).Error("Unable to get the deployment", zap.String("deployment", fullname.String()), zap.Error(err))
 		rb.Status.MarkRedisDeploymentFailed(reconciler.ReasonFailedDeploymentGet, "Failed to get Redis deployment")

pkg/reconciler/resources/common_test.go

@@ -15,6 +15,10 @@ const (
 	tSecretName      = "test-secret"
 	tSecretKey       = "test-key"
 	tVolumeMountFile = "myfile"
+
+	tServiceAccountName = "test-sa-name"
+	tRoleName = "test-role-name"
+	tRoleBindingName = "test-rolebinding-name"
 )
 
 var (

pkg/reconciler/resources/container.go

@@ -55,6 +55,22 @@ func ContainerAddEnvVarFromSecret(name, secretName, secretKey string) ContainerO
 	}
 }
 
+func ContainerAddEnvFromFieldRef(name, path string) ContainerOption {
+	return func(c *corev1.Container) {
+		if c.Env == nil {
+			c.Env = make([]corev1.EnvVar, 0, 1)
+		}
+		c.Env = append(c.Env, corev1.EnvVar{
+			Name: name,
+			ValueFrom: &corev1.EnvVarSource{
+				FieldRef: &corev1.ObjectFieldSelector{
+					FieldPath: path,
+				},
+			},
+		})
+	}
+}
+
 func ContainerAddArgs(s string) ContainerOption {
 	return func(c *corev1.Container) {
 		args := strings.Split(s, " ")

pkg/reconciler/resources/rolebinding.go

@@ -0,0 +1,51 @@
+// Copyright 2022 TriggerMesh Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package resources
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type RoleBindingOption func(*rbacv1.RoleBinding)
+
+func NewRoleBinding(namespace, name, roleName, subjectName string, opts ...RoleBindingOption) *rbacv1.RoleBinding {
+	crGVK := rbacv1.SchemeGroupVersion.WithKind("ClusterRole")
+	saGVK := corev1.SchemeGroupVersion.WithKind("ServiceAccount")
+
+	meta := NewMeta(namespace, name)
+	rb := &rbacv1.RoleBinding{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "RoleBinding",
+			APIVersion: rbacv1.SchemeGroupVersion.String(),
+		},
+		ObjectMeta: *meta,
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: crGVK.Group,
+			Kind:     crGVK.Kind,
+			Name:     roleName,
+		},
+		Subjects: []rbacv1.Subject{{
+			APIGroup:  saGVK.Group,
+			Kind:      saGVK.Kind,
+			Namespace: namespace,
+			Name:      subjectName,
+		}},
+	}
+
+	for _, opt := range opts {
+		opt(rb)
+	}
+
+	return rb
+}
+
+func RoleBindingWithMetaOptions(opts ...MetaOption) RoleBindingOption {
+	return func(s *rbacv1.RoleBinding) {
+		for _, opt := range opts {
+			opt(&s.ObjectMeta)
+		}
+	}
+}