Add support for syncing objects from kubernetes components to cluster

amisevsk · amisevsk · commit a06a91fd8bdd · 2022-12-16T14:40:57.000-05:00
Add support for syncing Kubernetes/OpenShift DevWorkspace components to
the cluster. If the object is one "recognized" by DWO, it is synced
using the same procedure as regular DevWorkspace Objects; otherwise the
workspace gets a warning and only the metadata is kept in sync.

Signed-off-by: Angel Misevski &lt;amisevsk@redhat.com&gt;
diff --git a/pkg/library/kubernetes/errors.go b/pkg/library/kubernetes/errors.go
@@ -0,0 +1,53 @@
+// Copyright (c) 2019-2022 Red Hat, Inc.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kubernetes
+
+import "github.com/devfile/devworkspace-operator/pkg/provision/sync"
+
+type RetryError struct {
+	Err error
+}
+
+func (e *RetryError) Error() string {
+	return e.Err.Error()
+}
+
+type FailError struct {
+	Err error
+}
+
+func (e *FailError) Error() string {
+	return e.Err.Error()
+}
+
+func wrapSyncError(err error) error {
+	switch syncErr := err.(type) {
+	case *sync.NotInSyncError:
+		return &RetryError{syncErr}
+	case *sync.UnrecoverableSyncError:
+		return &FailError{syncErr}
+	case *sync.WarningError:
+		return &WarningError{syncErr}
+	default:
+		return err
+	}
+}
+
+type WarningError struct {
+	Err error
+}
+
+func (e *WarningError) Error() string {
+	return e.Err.Error()
+}
diff --git a/pkg/library/kubernetes/provision.go b/pkg/library/kubernetes/provision.go
@@ -0,0 +1,112 @@
+// Copyright (c) 2019-2022 Red Hat, Inc.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kubernetes
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/devfile/devworkspace-operator/pkg/common"
+	"github.com/devfile/devworkspace-operator/pkg/constants"
+	"github.com/devfile/devworkspace-operator/pkg/provision/sync"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	crclient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+// HandleKubernetesComponents processes the Kubernetes and OpenShift components of a DevWorkspace,
+// creating/updating objects on the cluster. This function does not verify if the workspace owner
+// has the correct permissions to create/update/delete these objects and instead assumes the
+// workspace owner has all applicable RBAC permissions.
+// Only Kubernetes/OpenShift components that are inlined are supported; components that define
+// a URI will cause a FailError to be returned
+func HandleKubernetesComponents(workspace *common.DevWorkspaceWithConfig, api sync.ClusterAPI) error {
+	kubeComponents, err := filterForKubeLikeComponents(workspace.Spec.Template.Components)
+	if err != nil {
+		return err
+	}
+	if len(kubeComponents) == 0 {
+		return nil
+	}
+	for _, component := range kubeComponents {
+		// Ignore error as we filtered list above
+		k8sLikeComponent, _ := getK8sLikeComponent(component)
+		obj, err := deserializeToObject([]byte(k8sLikeComponent.Inlined), api)
+		if err != nil {
+			return &FailError{fmt.Errorf("could not process component %s: %w", component.Name, err)}
+		}
+		if err := addMetadata(obj, workspace, api); err != nil {
+			return &RetryError{fmt.Errorf("failed to add ownerref for component %s: %w", component.Name, err)}
+		}
+		if err := checkForExistingObject(obj, api); err != nil {
+			return &FailError{fmt.Errorf("could not process component %s: %w", component.Name, err)}
+		}
+		var syncErr error
+		if sync.IsRecognizedObject(obj) {
+			_, syncErr = sync.SyncObjectWithCluster(obj, api)
+		} else {
+			_, syncErr = sync.SyncUnrecognizedObjectWithCluster(obj, api)
+		}
+		if syncErr != nil {
+			return wrapSyncError(syncErr)
+		}
+	}
+	return nil
+}
+
+func checkForExistingObject(obj client.Object, api sync.ClusterAPI) error {
+	objType := reflect.TypeOf(obj).Elem()
+	clusterObj := reflect.New(objType).Interface().(crclient.Object)
+	err := api.Client.Get(api.Ctx, client.ObjectKey{Name: obj.GetName(), Namespace: obj.GetNamespace()}, clusterObj)
+	switch {
+	case err == nil:
+		break
+	case k8sErrors.IsNotFound(err):
+		// Object does not exist yet; safe to create
+		return nil
+	default:
+		return err
+	}
+	existingWorkspaceID := clusterObj.GetLabels()[constants.DevWorkspaceIDLabel]
+	expectedWorkspaceID := obj.GetLabels()[constants.DevWorkspaceIDLabel]
+	if existingWorkspaceID != expectedWorkspaceID {
+		return fmt.Errorf("object %s exists and is not owned by this workspace", obj.GetName())
+	}
+	if err := checkOwnerrefs(clusterObj.GetOwnerReferences(), obj.GetOwnerReferences()); err != nil {
+		return fmt.Errorf("object %s exists and is not owned by this workspace", obj.GetName())
+	}
+	return nil
+}
+
+func addMetadata(obj client.Object, workspace *common.DevWorkspaceWithConfig, api sync.ClusterAPI) error {
+	obj.SetNamespace(workspace.Namespace)
+	if err := controllerutil.SetOwnerReference(workspace.DevWorkspace, obj, api.Scheme); err != nil {
+		return err
+	}
+	newLabels := map[string]string{}
+	for k, v := range obj.GetLabels() {
+		newLabels[k] = v
+	}
+	newLabels[constants.DevWorkspaceIDLabel] = workspace.Status.DevWorkspaceId
+	newLabels[constants.DevWorkspaceCreatorLabel] = workspace.Labels[constants.DevWorkspaceCreatorLabel]
+	if obj.GetObjectKind().GroupVersionKind().Kind == "Secret" {
+		newLabels[constants.DevWorkspaceWatchSecretLabel] = "true"
+	}
+	if obj.GetObjectKind().GroupVersionKind().Kind == "ConfigMap" {
+		newLabels[constants.DevWorkspaceWatchConfigMapLabel] = "true"
+	}
+	obj.SetLabels(newLabels)
+	return nil
+}
diff --git a/pkg/library/kubernetes/util.go b/pkg/library/kubernetes/util.go
@@ -0,0 +1,69 @@
+// Copyright (c) 2019-2022 Red Hat, Inc.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kubernetes
+
+import (
+	"fmt"
+
+	dw "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func filterForKubeLikeComponents(components []dw.Component) ([]dw.Component, error) {
+	var k8sLikeComponents []dw.Component
+	for _, component := range components {
+		k8sLikeComponent, err := getK8sLikeComponent(component)
+		if err != nil {
+			continue
+		}
+		if k8sLikeComponent.Uri != "" {
+			return nil, &FailError{fmt.Errorf("kubernetes/openshift components that define a URI are unsupported (component %s)", component.Name)}
+		}
+		if k8sLikeComponent.Inlined == "" {
+			continue
+		}
+		k8sLikeComponents = append(k8sLikeComponents, component)
+	}
+	return k8sLikeComponents, nil
+}
+
+// getK8sLikeComponent returns the K8sLikeComponent from a DevWorkspace component,
+// allowing Kubernetes and OpenShift components to be processed in the same way.
+// Returns error if component is not a kube-like component.
+func getK8sLikeComponent(component dw.Component) (*dw.K8sLikeComponent, error) {
+	switch {
+	case component.Kubernetes != nil:
+		return &component.Kubernetes.K8sLikeComponent, nil
+	case component.Openshift != nil:
+		return &component.Openshift.K8sLikeComponent, nil
+	default:
+		return nil, fmt.Errorf("not a kube-like component")
+	}
+}
+
+func checkOwnerrefs(ownerrefs, subset []metav1.OwnerReference) error {
+	for _, checkOwnerref := range subset {
+		found := false
+		for _, ownerref := range ownerrefs {
+			if ownerref.Name == checkOwnerref.Name && ownerref.UID == checkOwnerref.UID {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return fmt.Errorf("ownerref not found")
+		}
+	}
+	return nil
+}
