pick old pr

Author: cjc7373

controllers/apps/component/transformer_component_deletion.go

@@ -158,6 +158,14 @@ func (t *componentDeletionTransformer) deleteCompResources(transCtx *componentTr
 
 func handleRBACResourceDeletion(obj client.Object, transCtx *componentTransformContext, comp *appsv1.Component,
 	graphCli model.GraphClient, dag *graph.DAG, matchLabels map[string]string) (err error) {
+	// for new rule
+	// rolebinding and serviceaccount have the same name
+	newName := constant.GenerateDefaultServiceAccountNameNew(comp.Name)
+	if obj.GetName() == newName {
+		graphCli.Delete(dag, obj)
+		return
+	}
+
 	// orphan a rbac resource so that it can be adopted by another component
 	// this means these resources won't get automatically deleted
 	if err := controllerutil.RemoveControllerReference(comp, obj, model.GetScheme()); err != nil {

controllers/apps/component/transformer_component_rbac.go

@@ -88,6 +88,26 @@ func (t *componentRBACTransformer) Transform(ctx graph.TransformContext, dag *gr
 		return nil
 	}
 
+	// user managed sa
+	if serviceAccountName != "" {
+		return t.handleRBACNewRule(transCtx, dag, serviceAccountName)
+	}
+
+	// check if sa with old naming rule exists
+	newName := constant.GenerateDefaultServiceAccountNameNew(synthesizedComp.FullCompName)
+	newNameExists := true
+	if err := transCtx.Client.Get(transCtx.Context, types.NamespacedName{Namespace: synthesizedComp.Namespace, Name: newName}, sa); err != nil {
+		if !errors.IsNotFound(err) {
+			return err
+		}
+		newNameExists = false
+	}
+
+	if newNameExists || transCtx.RunningWorkload == nil {
+		return t.handleRBACNewRule(transCtx, dag, "")
+	}
+
+	// old code path
 	var err error
 	comp := transCtx.Component
 	lastServiceAccountName := comp.Annotations[constant.ComponentLastServiceAccountNameAnnotationKey]
@@ -153,6 +173,93 @@ func (t *componentRBACTransformer) Transform(ctx graph.TransformContext, dag *gr
 	return nil
 }
 
+func (t *componentRBACTransformer) handleRBACNewRule(transCtx *componentTransformContext, dag *graph.DAG, userDefinedSAName string) error {
+	synthesizedComp := transCtx.SynthesizeComponent
+	graphCli, _ := transCtx.Client.(model.GraphClient)
+	saName := userDefinedSAName
+	var sa *corev1.ServiceAccount
+	var err error
+	if userDefinedSAName == "" {
+		saName = constant.GenerateDefaultServiceAccountNameNew(synthesizedComp.FullCompName)
+		// if no rolebinding is needed, sa will be created anyway, because other modules may reference it.
+		sa, err = createOrUpdateServiceAccount(transCtx, saName, graphCli, dag)
+		if err != nil {
+			return err
+		}
+	}
+	synthesizedComp.PodSpec.ServiceAccountName = saName
+	rbs, err := createOrUpdateRoleBindingNew(transCtx, transCtx.CompDef, saName, graphCli, dag)
+	if err != nil {
+		return err
+	}
+	objs := []client.Object{sa}
+	if sa != nil {
+		// serviceAccount should be created before roleBinding and role
+		for _, rb := range rbs {
+			objs = append(objs, rb)
+			graphCli.DependOn(dag, rb, sa)
+		}
+		// serviceAccount should be created before workload
+		itsList := graphCli.FindAll(dag, &workloads.InstanceSet{})
+		for _, its := range itsList {
+			graphCli.DependOn(dag, its, sa)
+		}
+	}
+
+	t.rbacInstanceAssistantObjects(graphCli, dag, objs)
+	return nil
+}
+
+func createOrUpdateRoleBindingNew(transCtx *componentTransformContext,
+	cmpd *appsv1.ComponentDefinition, serviceAccountName string, graphCli model.GraphClient, dag *graph.DAG) ([]*rbacv1.RoleBinding, error) {
+	cmpRoleBinding := func(old, new *rbacv1.RoleBinding) bool {
+		return labelAndAnnotationEqual(old, new) &&
+			equality.Semantic.DeepEqual(old.Subjects, new.Subjects) &&
+			equality.Semantic.DeepEqual(old.RoleRef, new.RoleRef)
+	}
+	res := make([]*rbacv1.RoleBinding, 0)
+
+	if len(cmpd.Spec.PolicyRules) != 0 {
+		// cluster role is handled by cmpd controller
+		cmpdRoleBinding := factory.BuildRoleBinding(transCtx.SynthesizeComponent, serviceAccountName, &rbacv1.RoleRef{
+			APIGroup: rbacv1.GroupName,
+			Kind:     "ClusterRole",
+			Name:     constant.GenerateDefaultRoleName(cmpd.Name),
+		}, serviceAccountName)
+		if err := intctrlutil.SetOwnership(transCtx.Component, cmpdRoleBinding, model.GetScheme(), ""); err != nil {
+			return nil, err
+		}
+		rb, err := createOrUpdate(transCtx, cmpdRoleBinding, graphCli, dag, cmpRoleBinding)
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, rb)
+	}
+
+	if isLifecycleActionsEnabled(transCtx.CompDef) {
+		clusterPodRoleBinding := factory.BuildRoleBinding(
+			transCtx.SynthesizeComponent,
+			fmt.Sprintf("%v-pod", serviceAccountName),
+			&rbacv1.RoleRef{
+				APIGroup: rbacv1.GroupName,
+				Kind:     "ClusterRole",
+				Name:     constant.RBACRoleName,
+			},
+			serviceAccountName,
+		)
+		if err := intctrlutil.SetOwnership(transCtx.Component, clusterPodRoleBinding, model.GetScheme(), ""); err != nil {
+			return nil, err
+		}
+		rb, err := createOrUpdate(transCtx, clusterPodRoleBinding, graphCli, dag, cmpRoleBinding)
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, rb)
+	}
+
+	return res, nil
+}
+
 func (t *componentRBACTransformer) rbacInstanceAssistantObjects(graphCli model.GraphClient, dag *graph.DAG, objs []client.Object) {
 	itsList := graphCli.FindAll(dag, &workloads.InstanceSet{})
 	for _, itsObj := range itsList {

controllers/apps/componentdefinition_controller.go

@@ -30,6 +30,9 @@ import (
 
 	k8sappsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -40,8 +43,11 @@ import (
 
 	appsv1 "github.com/apecloud/kubeblocks/apis/apps/v1"
 	"github.com/apecloud/kubeblocks/pkg/constant"
+	"github.com/apecloud/kubeblocks/pkg/controller/builder"
 	"github.com/apecloud/kubeblocks/pkg/controller/component"
+	"github.com/apecloud/kubeblocks/pkg/controller/model"
 	intctrlutil "github.com/apecloud/kubeblocks/pkg/controllerutil"
+	viper "github.com/apecloud/kubeblocks/pkg/viperx"
 )
 
 const (
@@ -89,9 +95,14 @@ func (r *ComponentDefinitionReconciler) Reconcile(ctx context.Context, req ctrl.
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *ComponentDefinitionReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return intctrlutil.NewControllerManagedBy(mgr).
-		For(&appsv1.ComponentDefinition{}).
-		Complete(r)
+	b := intctrlutil.NewControllerManagedBy(mgr).
+		For(&appsv1.ComponentDefinition{})
+
+	if viper.GetBool(constant.EnableRBACManager) {
+		b.Owns(&rbacv1.ClusterRole{})
+	}
+
+	return b.Complete(r)
 }
 
 func (r *ComponentDefinitionReconciler) reconcile(rctx intctrlutil.RequestCtx,
@@ -117,6 +128,10 @@ func (r *ComponentDefinitionReconciler) reconcile(rctx intctrlutil.RequestCtx,
 		return intctrlutil.CheckedRequeueWithError(err, rctx.Log, "")
 	}
 
+	if err = r.clusterRole(r.Client, rctx, cmpd); err != nil {
+		return intctrlutil.RequeueWithError(err, rctx.Log, "")
+	}
+
 	if err = r.available(r.Client, rctx, cmpd); err != nil {
 		return intctrlutil.CheckedRequeueWithError(err, rctx.Log, "")
 	}
@@ -181,6 +196,39 @@ func (r *ComponentDefinitionReconciler) immutableHash(cli client.Client, rctx in
 	return cli.Patch(rctx.Ctx, cmpd, patch)
 }
 
+func (r *ComponentDefinitionReconciler) clusterRole(cli client.Client, rctx intctrlutil.RequestCtx,
+	cmpd *appsv1.ComponentDefinition) error {
+	if !viper.GetBool(constant.EnableRBACManager) {
+		return nil
+	}
+
+	if len(cmpd.Spec.PolicyRules) == 0 {
+		return nil
+	}
+
+	clusterRole := builder.NewClusterRoleBuilder(constant.GenerateDefaultRoleName(cmpd.Name)).
+		AddLabelsInMap(cmpd.Labels).
+		AddAnnotationsInMap(cmpd.Annotations).
+		AddPolicyRules(cmpd.Spec.PolicyRules).
+		GetObject()
+	if err := intctrlutil.SetOwnership(cmpd, clusterRole, model.GetScheme(), ""); err != nil {
+		return err
+	}
+	oldClusterRole := &rbacv1.ClusterRole{}
+	if err := cli.Get(rctx.Ctx, client.ObjectKeyFromObject(clusterRole), oldClusterRole); err != nil {
+		if errors.IsNotFound(err) {
+			return cli.Create(rctx.Ctx, clusterRole)
+		}
+		return err
+	}
+	if equality.Semantic.DeepEqual(oldClusterRole.Labels, clusterRole.Labels) &&
+		equality.Semantic.DeepEqual(oldClusterRole.Annotations, clusterRole.Annotations) &&
+		equality.Semantic.DeepEqual(oldClusterRole.Rules, clusterRole.Rules) {
+		return nil
+	}
+	return cli.Update(rctx.Ctx, clusterRole)
+}
+
 func (r *ComponentDefinitionReconciler) validate(cli client.Client, rctx intctrlutil.RequestCtx,
 	cmpd *appsv1.ComponentDefinition) error {
 	for _, validator := range []func(client.Client, intctrlutil.RequestCtx, *appsv1.ComponentDefinition) error{
@@ -409,8 +457,8 @@ func (r *ComponentDefinitionReconciler) validateAvailable(cli client.Client, rct
 }
 
 func (r *ComponentDefinitionReconciler) validateAvailableWithPhases(cmpd *appsv1.ComponentDefinition) error {
-	phases := sets.New[string](strings.Split(strings.ToLower(*cmpd.Spec.Available.WithPhases), ",")...)
-	supported := sets.New[string](
+	phases := sets.New(strings.Split(strings.ToLower(*cmpd.Spec.Available.WithPhases), ",")...)
+	supported := sets.New(
 		strings.ToLower(string(appsv1.CreatingComponentPhase)),
 		strings.ToLower(string(appsv1.RunningComponentPhase)),
 		strings.ToLower(string(appsv1.UpdatingComponentPhase)),

pkg/constant/pattern.go

@@ -83,6 +83,10 @@ func GenerateDefaultServiceAccountName(cmpdName string) string {
 	return fmt.Sprintf("%s-%s", KBLowerPrefix, cmpdName)
 }
 
+func GenerateDefaultServiceAccountNameNew(fullCompName string) string {
+	return fmt.Sprintf("%s-%s", KBLowerPrefix, fullCompName)
+}
+
 // GenerateDefaultRoleName generates default role name for a component.
 func GenerateDefaultRoleName(cmpdName string) string {
 	return fmt.Sprintf("%s-%s", KBLowerPrefix, cmpdName)

pkg/controller/builder/builder_cluster_role.go

@@ -0,0 +1,39 @@
+/*
+Copyright (C) 2022-2025 ApeCloud Co., Ltd
+
+This file is part of KubeBlocks project
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package builder
+
+import (
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+type ClusterRoleBuilder struct {
+	BaseBuilder[rbacv1.ClusterRole, *rbacv1.ClusterRole, ClusterRoleBuilder]
+}
+
+func NewClusterRoleBuilder(name string) *ClusterRoleBuilder {
+	builder := &ClusterRoleBuilder{}
+	builder.init("", name, &rbacv1.ClusterRole{}, builder)
+	return builder
+}
+
+func (builder *ClusterRoleBuilder) AddPolicyRules(rules []rbacv1.PolicyRule) *ClusterRoleBuilder {
+	builder.get().Rules = append(builder.get().Rules, rules...)
+	return builder
+}