Handle csr and token based addon registration

RokibulHasan7 · RokibulHasan7 · commit ac568ddfec76 · 2026-02-26T14:20:13.000+06:00
Signed-off-by: RokibulHasan7 &lt;mdrokibulhasan@appscode.com&gt;
diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go
@@ -48,6 +48,8 @@ import (
 	"k8s.io/klog/v2"
 	cu "kmodules.xyz/client-go/client"
 	clustermeta "kmodules.xyz/client-go/cluster"
+	addonv1alpha1 "open-cluster-management.io/api/addon/v1alpha1"
+	addonv1beta1 "open-cluster-management.io/api/addon/v1beta1"
 	clusterv1alpha1 "open-cluster-management.io/api/cluster/v1alpha1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
@@ -70,6 +72,8 @@ func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(Scheme))
 	utilruntime.Must(clusterv1alpha1.Install(Scheme))
 	utilruntime.Must(core.AddToScheme(Scheme))
+	utilruntime.Must(addonv1alpha1.Install(Scheme))
+	utilruntime.Must(addonv1beta1.Install(Scheme))
 
 	// we need to add the options to empty v1
 	// TODO fix the server code to avoid this
diff --git a/pkg/manager/manager.go b/pkg/manager/manager.go
@@ -44,6 +44,7 @@ import (
 	"open-cluster-management.io/api/addon/v1alpha1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -52,11 +53,11 @@ import (
 //go:embed all:agent-manifests
 var FS embed.FS
 
-func NewRegistrationOption(kubeConfig *rest.Config, addonName, agentName string) *agent.RegistrationOption {
+func NewRegistrationOption(restConfig *rest.Config, kc client.Client, addonName, agentName string) *agent.RegistrationOption {
 	return &agent.RegistrationOption{
 		CSRConfigurations: agent.KubeClientSignerConfigurations(addonName, agentName),
 		CSRApproveCheck:   agent.ApprovalAllCSRs,
-		PermissionConfig:  rbac.SetupPermission(kubeConfig, agentName),
+		PermissionConfig:  rbac.SetupPermission(restConfig, kc, agentName),
 		AgentInstallNamespace: func(addon *v1alpha1.ManagedClusterAddOn) (string, error) {
 			return common.AddonInstallationNamespace, nil
 		},
@@ -140,7 +141,7 @@ func runManagerController(ctx context.Context, cfg *rest.Config, opts *ManagerOp
 		os.Exit(1)
 	}
 
-	registrationOption := NewRegistrationOption(cfg, common.AddonName, common.AgentName)
+	registrationOption := NewRegistrationOption(cfg, hubManager.GetClient(), common.AddonName, common.AgentName)
 
 	addonManager, err := addonmanager.New(cfg)
 	if err != nil {
diff --git a/pkg/manager/rbac/rbac.go b/pkg/manager/rbac/rbac.go
@@ -19,6 +19,8 @@ package rbac
 import (
 	"context"
 
+	"go.bytebuilders.dev/license-proxyserver/pkg/common"
+
 	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -27,12 +29,14 @@ import (
 	"k8s.io/utils/ptr"
 	"open-cluster-management.io/addon-framework/pkg/agent"
 	addonv1alpha1 "open-cluster-management.io/api/addon/v1alpha1"
+	addonv1beta1 "open-cluster-management.io/api/addon/v1beta1"
 	clusterv1 "open-cluster-management.io/api/cluster/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func SetupPermission(kubeConfig *rest.Config, agentName string) agent.PermissionConfigFunc {
+func SetupPermission(restConfig *rest.Config, kc client.Client, agentName string) agent.PermissionConfigFunc {
 	return func(cluster *clusterv1.ManagedCluster, addon *addonv1alpha1.ManagedClusterAddOn) error {
-		nativeClient, err := kubernetes.NewForConfig(kubeConfig)
+		nativeClient, err := kubernetes.NewForConfig(restConfig)
 		if err != nil {
 			return err
 		}
@@ -81,12 +85,28 @@ func SetupPermission(kubeConfig *rest.Config, agentName string) agent.Permission
 			},
 			Subjects: []rbacv1.Subject{
 				{
-					Kind: rbacv1.UserKind,
-					Name: agentUser,
+					Kind: "ServiceAccount",
+					Name: common.AddonName + "-agent",
 				},
 			},
 		}
 
+		managedClusterAddon := &addonv1beta1.ManagedClusterAddOn{}
+		if err := kc.Get(context.TODO(), client.ObjectKey{Namespace: namespace, Name: addon.Name}, managedClusterAddon); err != nil {
+			return err
+		}
+
+		for _, reg := range managedClusterAddon.Status.Registrations {
+			if reg.Type == addonv1beta1.KubeClient && reg.KubeClient.Driver == "csr" {
+				roleBinding.Subjects = []rbacv1.Subject{
+					{
+						Kind: "User",
+						Name: agentUser,
+					},
+				}
+			}
+		}
+
 		_, err = nativeClient.RbacV1().Roles(cluster.Name).Get(context.TODO(), role.Name, metav1.GetOptions{})
 		switch {
 		case apierrors.IsNotFound(err):
