fix: restrict configmap lookup to the provider namespace

Fedosin · Fedosin · commit 82d765504b24 · 2024-02-15T12:29:00.000+01:00
When we use configmaps as a provider source, we filter them by provided
labels and then take the latest version. Unfortunatelly, we list configmaps
in all namespaces, which is not correct.

This PR restricts the search by the provider namespace only.
diff --git a/internal/controller/manifests_downloader.go b/internal/controller/manifests_downloader.go
@@ -127,6 +127,7 @@ func (p *phaseReconciler) checkConfigMapExists(ctx context.Context, labelSelecto
 	labelSet := labels.Set(labelSelector.MatchLabels)
 	listOpts := []client.ListOption{
 		client.MatchingLabelsSelector{Selector: labels.SelectorFromSet(labelSet)},
+		client.InNamespace(p.provider.GetNamespace()),
 	}
 
 	var configMapList corev1.ConfigMapList
diff --git a/internal/controller/phases.go b/internal/controller/phases.go
@@ -176,7 +176,7 @@ func (p *phaseReconciler) load(ctx context.Context) (reconcile.Result, error) {
 		return reconcile.Result{}, wrapPhaseError(err, "failed to load additional manifests", operatorv1.ProviderInstalledCondition)
 	}
 
-	p.repo, err = p.configmapRepository(ctx, labelSelector, additionalManifests)
+	p.repo, err = p.configmapRepository(ctx, labelSelector, p.provider.GetNamespace(), additionalManifests)
 	if err != nil {
 		return reconcile.Result{}, wrapPhaseError(err, "failed to load the repository", operatorv1.ProviderInstalledCondition)
 	}
@@ -269,7 +269,7 @@ func (p *phaseReconciler) secretReader(ctx context.Context, providers ...configc
 
 // configmapRepository use clusterctl NewMemoryRepository structure to store the manifests
 // and metadata from a given configmap.
-func (p *phaseReconciler) configmapRepository(ctx context.Context, labelSelector *metav1.LabelSelector, additionalManifests string) (repository.Repository, error) {
+func (p *phaseReconciler) configmapRepository(ctx context.Context, labelSelector *metav1.LabelSelector, namespace, additionalManifests string) (repository.Repository, error) {
 	mr := repository.NewMemoryRepository()
 	mr.WithPaths("", "components.yaml")
 
@@ -280,7 +280,7 @@ func (p *phaseReconciler) configmapRepository(ctx context.Context, labelSelector
 		return nil, err
 	}
 
-	if err = p.ctrlClient.List(ctx, cml, &client.ListOptions{LabelSelector: selector}); err != nil {
+	if err = p.ctrlClient.List(ctx, cml, &client.ListOptions{LabelSelector: selector, Namespace: namespace}); err != nil {
 		return nil, err
 	}
 
diff --git a/internal/controller/phases_test.go b/internal/controller/phases_test.go
@@ -388,7 +388,7 @@ metadata:
 				g.Expect(fakeclient.Create(ctx, &tt.configMaps[i])).To(Succeed())
 			}
 
-			got, err := p.configmapRepository(context.TODO(), p.provider.GetSpec().FetchConfig.Selector, tt.additionalManifests)
+			got, err := p.configmapRepository(context.TODO(), p.provider.GetSpec().FetchConfig.Selector, "ns1", tt.additionalManifests)
 			if len(tt.wantErr) > 0 {
 				g.Expect(err).Should(MatchError(tt.wantErr))
 				return
diff --git a/test/e2e/air_gapped_test.go b/test/e2e/air_gapped_test.go
@@ -54,6 +54,14 @@ var _ = Describe("Install Core Provider in an air-gapped environment", func() {
 			configMaps = append(configMaps, configMap)
 		}
 
+		By("Creating capi-system namespace")
+		namespace := &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: capiSystemNamespace,
+			},
+		}
+		Expect(bootstrapCluster.Create(ctx, namespace)).To(Succeed())
+
 		By("Applying core provider manifests to the cluster")
 		for _, cm := range configMaps {
 			Expect(bootstrapCluster.Create(ctx, &cm)).To(Succeed())
@@ -65,7 +73,7 @@ var _ = Describe("Install Core Provider in an air-gapped environment", func() {
 		coreProvider := &operatorv1.CoreProvider{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      coreProviderName,
-				Namespace: operatorNamespace,
+				Namespace: capiSystemNamespace,
 			},
 			Spec: operatorv1.CoreProviderSpec{
 				ProviderSpec: operatorv1.ProviderSpec{
@@ -87,7 +95,7 @@ var _ = Describe("Install Core Provider in an air-gapped environment", func() {
 		By("Waiting for the core provider deployment to be ready")
 		framework.WaitForDeploymentsAvailable(ctx, framework.WaitForDeploymentsAvailableInput{
 			Getter:     bootstrapClusterProxy.GetClient(),
-			Deployment: &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: coreProviderDeploymentName, Namespace: operatorNamespace}},
+			Deployment: &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: coreProviderDeploymentName, Namespace: capiSystemNamespace}},
 		}, e2eConfig.GetIntervals(bootstrapClusterProxy.GetName(), "wait-controllers")...)
 
 		By("Waiting for core provider to be ready")
@@ -104,7 +112,7 @@ var _ = Describe("Install Core Provider in an air-gapped environment", func() {
 	It("should successfully upgrade a CoreProvider (v1.5.4 -> latest)", func() {
 		bootstrapCluster := bootstrapClusterProxy.GetClient()
 		coreProvider := &operatorv1.CoreProvider{}
-		key := client.ObjectKey{Namespace: operatorNamespace, Name: coreProviderName}
+		key := client.ObjectKey{Namespace: capiSystemNamespace, Name: coreProviderName}
 		Expect(bootstrapCluster.Get(ctx, key, coreProvider)).To(Succeed())
 
 		coreProvider.Spec.Version = ""
@@ -114,7 +122,7 @@ var _ = Describe("Install Core Provider in an air-gapped environment", func() {
 		By("Waiting for the core provider deployment to be ready")
 		framework.WaitForDeploymentsAvailable(ctx, framework.WaitForDeploymentsAvailableInput{
 			Getter:     bootstrapClusterProxy.GetClient(),
-			Deployment: &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: coreProviderDeploymentName, Namespace: operatorNamespace}},
+			Deployment: &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: coreProviderDeploymentName, Namespace: capiSystemNamespace}},
 		}, e2eConfig.GetIntervals(bootstrapClusterProxy.GetName(), "wait-controllers")...)
 
 		By("Waiting for core provider to be ready")
@@ -132,15 +140,15 @@ var _ = Describe("Install Core Provider in an air-gapped environment", func() {
 		bootstrapCluster := bootstrapClusterProxy.GetClient()
 		coreProvider := &operatorv1.CoreProvider{ObjectMeta: metav1.ObjectMeta{
 			Name:      coreProviderName,
-			Namespace: operatorNamespace,
+			Namespace: capiSystemNamespace,
 		}}
 
 		Expect(bootstrapCluster.Delete(ctx, coreProvider)).To(Succeed())
 
 		By("Waiting for the core provider deployment to be deleted")
 		WaitForDelete(ctx, For(&appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{
 			Name:      coreProviderDeploymentName,
-			Namespace: operatorNamespace,
+			Namespace: capiSystemNamespace,
 		}}).In(bootstrapCluster), e2eConfig.GetIntervals(bootstrapClusterProxy.GetName(), "wait-controllers")...)
 
 		By("Waiting for the core provider object to be deleted")
@@ -168,5 +176,13 @@ var _ = Describe("Install Core Provider in an air-gapped environment", func() {
 		for _, cm := range configMaps {
 			Expect(bootstrapCluster.Delete(ctx, &cm)).To(Succeed())
 		}
+
+		By("Deleting capi-system namespace")
+		namespace := &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: capiSystemNamespace,
+			},
+		}
+		Expect(bootstrapCluster.Delete(ctx, namespace)).To(Succeed())
 	})
 })
diff --git a/test/e2e/helpers_test.go b/test/e2e/helpers_test.go
@@ -28,7 +28,8 @@ var (
 )
 
 const (
-	operatorNamespace = "capi-operator-system"
+	operatorNamespace   = "capi-operator-system"
+	capiSystemNamespace = "capi-system"
 
 	previousCAPIVersion = "v1.5.4"
 
diff --git a/test/e2e/resources/core-cluster-api-v1.5.4.yaml b/test/e2e/resources/core-cluster-api-v1.5.4.yaml
@@ -1,14 +1,6 @@
 apiVersion: v1
 data:
   components: |
-    apiVersion: v1
-    kind: Namespace
-    metadata:
-      labels:
-        cluster.x-k8s.io/provider: cluster-api
-        control-plane: controller-manager
-      name: capi-system
-    ---
     apiVersion: apiextensions.k8s.io/v1
     kind: CustomResourceDefinition
     metadata:
@@ -11797,4 +11789,4 @@ metadata:
     provider.cluster.x-k8s.io/type: core
     provider.cluster.x-k8s.io/version: v1.5.4
   name: core-cluster-api-v1.5.4
-  namespace: capi-operator-system
+  namespace: capi-system
diff --git a/test/e2e/resources/core-cluster-api-v1.6.0.yaml b/test/e2e/resources/core-cluster-api-v1.6.0.yaml
@@ -1,14 +1,6 @@
 apiVersion: v1
 data:
   components: |
-    apiVersion: v1
-    kind: Namespace
-    metadata:
-      labels:
-        cluster.x-k8s.io/provider: cluster-api
-        control-plane: controller-manager
-      name: capi-system
-    ---
     apiVersion: apiextensions.k8s.io/v1
     kind: CustomResourceDefinition
     metadata:
@@ -9860,4 +9852,4 @@ metadata:
     provider.cluster.x-k8s.io/type: core
     provider.cluster.x-k8s.io/version: v1.6.0
   name: core-cluster-api-v1.6.0
-  namespace: capi-operator-system
+  namespace: capi-system

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,7 @@ func (p *phaseReconciler) checkConfigMapExists(ctx context.Context, labelSelecto`
`127`	`127`	`labelSet := labels.Set(labelSelector.MatchLabels)`
`128`	`128`	`listOpts := []client.ListOption{`
`129`	`129`	`client.MatchingLabelsSelector{Selector: labels.SelectorFromSet(labelSet)},`
	`130`	`+ client.InNamespace(p.provider.GetNamespace()),`
`130`	`131`	`}`
`131`	`132`
`132`	`133`	`var configMapList corev1.ConfigMapList`
Original file line number	Diff line number	Diff line change
`@@ -176,7 +176,7 @@ func (p *phaseReconciler) load(ctx context.Context) (reconcile.Result, error) {`
`176`	`176`	`return reconcile.Result{}, wrapPhaseError(err, "failed to load additional manifests", operatorv1.ProviderInstalledCondition)`
`177`	`177`	`}`
`178`	`178`
`179`		`- p.repo, err = p.configmapRepository(ctx, labelSelector, additionalManifests)`
	`179`	`+ p.repo, err = p.configmapRepository(ctx, labelSelector, p.provider.GetNamespace(), additionalManifests)`
`180`	`180`	`if err != nil {`
`181`	`181`	`return reconcile.Result{}, wrapPhaseError(err, "failed to load the repository", operatorv1.ProviderInstalledCondition)`
`182`	`182`	`}`
`@@ -269,7 +269,7 @@ func (p *phaseReconciler) secretReader(ctx context.Context, providers ...configc`
`269`	`269`
`270`	`270`	`// configmapRepository use clusterctl NewMemoryRepository structure to store the manifests`
`271`	`271`	`// and metadata from a given configmap.`
`272`		`-func (p phaseReconciler) configmapRepository(ctx context.Context, labelSelector metav1.LabelSelector, additionalManifests string) (repository.Repository, error) {`
	`272`	`+func (p phaseReconciler) configmapRepository(ctx context.Context, labelSelector metav1.LabelSelector, namespace, additionalManifests string) (repository.Repository, error) {`
`273`	`273`	`mr := repository.NewMemoryRepository()`
`274`	`274`	`mr.WithPaths("", "components.yaml")`
`275`	`275`
`@@ -280,7 +280,7 @@ func (p *phaseReconciler) configmapRepository(ctx context.Context, labelSelector`
`280`	`280`	`return nil, err`
`281`	`281`	`}`
`282`	`282`
`283`		`- if err = p.ctrlClient.List(ctx, cml, &client.ListOptions{LabelSelector: selector}); err != nil {`
	`283`	`+ if err = p.ctrlClient.List(ctx, cml, &client.ListOptions{LabelSelector: selector, Namespace: namespace}); err != nil {`
`284`	`284`	`return nil, err`
`285`	`285`	`}`
`286`	`286`
Original file line number	Diff line number	Diff line change
`@@ -388,7 +388,7 @@ metadata:`
`388`	`388`	`g.Expect(fakeclient.Create(ctx, &tt.configMaps[i])).To(Succeed())`
`389`	`389`	`}`
`390`	`390`
`391`		`- got, err := p.configmapRepository(context.TODO(), p.provider.GetSpec().FetchConfig.Selector, tt.additionalManifests)`
	`391`	`+ got, err := p.configmapRepository(context.TODO(), p.provider.GetSpec().FetchConfig.Selector, "ns1", tt.additionalManifests)`
`392`	`392`	`if len(tt.wantErr) > 0 {`
`393`	`393`	`g.Expect(err).Should(MatchError(tt.wantErr))`
`394`	`394`	`return`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,8 @@ var (`
`28`	`28`	`)`
`29`	`29`
`30`	`30`	`const (`
`31`		`- operatorNamespace = "capi-operator-system"`
	`31`	`+ operatorNamespace = "capi-operator-system"`
	`32`	`+ capiSystemNamespace = "capi-system"`
`32`	`33`
`33`	`34`	`previousCAPIVersion = "v1.5.4"`
`34`	`35`