feat: add rbac mgmt to gwapi ctrl

Signed-off-by: Shane Utt <[email protected]>

Author: shaneutt

manifests/00-cluster-role.yaml

@@ -164,6 +164,7 @@ rules:
   - gatewayclasses
   - gateways
   - httproutes
+  - grpcroutes
   verbs:
   - '*'
 

pkg/operator/controller/gatewayapi/controller.go

@@ -107,6 +107,10 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 		return reconcile.Result{}, err
 	}
 
+	if err := r.ensureGatewayAPIRBAC(ctx); err != nil {
+		return reconcile.Result{}, err
+	}
+
 	if !r.config.GatewayAPIControllerEnabled {
 		return reconcile.Result{}, nil
 	}

pkg/operator/controller/gatewayapi/controller_test.go

@@ -11,6 +11,7 @@ import (
 
 	configv1 "github.com/openshift/api/config/v1"
 
+	rbacv1 "k8s.io/api/rbac/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -30,6 +31,11 @@ func Test_Reconcile(t *testing.T) {
 			ObjectMeta: metav1.ObjectMeta{Name: name},
 		}
 	}
+	clusterRole := func(name string) *rbacv1.ClusterRole {
+		return &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{Name: name},
+		}
+	}
 	tests := []struct {
 		name                        string
 		gatewayAPIEnabled           bool
@@ -58,6 +64,8 @@ func Test_Reconcile(t *testing.T) {
 				crd("grpcroutes.gateway.networking.k8s.io"),
 				crd("httproutes.gateway.networking.k8s.io"),
 				crd("referencegrants.gateway.networking.k8s.io"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-admin"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-view"),
 			},
 			expectUpdate:    []client.Object{},
 			expectDelete:    []client.Object{},
@@ -73,6 +81,8 @@ func Test_Reconcile(t *testing.T) {
 				crd("grpcroutes.gateway.networking.k8s.io"),
 				crd("httproutes.gateway.networking.k8s.io"),
 				crd("referencegrants.gateway.networking.k8s.io"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-admin"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-view"),
 			},
 			expectUpdate:    []client.Object{},
 			expectDelete:    []client.Object{},
@@ -83,6 +93,7 @@ func Test_Reconcile(t *testing.T) {
 	scheme := runtime.NewScheme()
 	configv1.Install(scheme)
 	apiextensionsv1.AddToScheme(scheme)
+	rbacv1.AddToScheme(scheme)
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
@@ -119,9 +130,10 @@ func Test_Reconcile(t *testing.T) {
 			assert.Equal(t, ctrl.Started, tc.expectStartCtrl, "fake controller should have been started")
 			cmpOpts := []cmp.Option{
 				cmpopts.EquateEmpty(),
-				cmpopts.IgnoreFields(metav1.ObjectMeta{}, "Annotations", "ResourceVersion"),
+				cmpopts.IgnoreFields(metav1.ObjectMeta{}, "Labels", "Annotations", "ResourceVersion"),
 				cmpopts.IgnoreFields(metav1.TypeMeta{}, "Kind", "APIVersion"),
 				cmpopts.IgnoreFields(apiextensionsv1.CustomResourceDefinition{}, "Spec"),
+				cmpopts.IgnoreFields(rbacv1.ClusterRole{}, "Rules", "AggregationRule"),
 			}
 			if diff := cmp.Diff(tc.expectCreate, cl.Added, cmpOpts...); diff != "" {
 				t.Fatalf("found diff between expected and actual creates: %s", diff)
@@ -140,6 +152,7 @@ func TestReconcileOnlyStartsControllerOnce(t *testing.T) {
 	scheme := runtime.NewScheme()
 	configv1.Install(scheme)
 	apiextensionsv1.AddToScheme(scheme)
+	rbacv1.AddToScheme(scheme)
 	fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithRuntimeObjects().Build()
 	cl := &testutil.FakeClientRecorder{fakeClient, t, []client.Object{}, []client.Object{}, []client.Object{}}
 	ctrl := &testutil.FakeController{t, false, make(chan struct{})}

pkg/operator/controller/gatewayapi/rbac.go

@@ -0,0 +1,123 @@
+package gatewayapi
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/openshift/cluster-ingress-operator/pkg/manifests"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+)
+
+var managedClusterRoles = []*rbacv1.ClusterRole{
+	manifests.GatewayAPIAdminClusterRole(),
+	manifests.GatewayAPIViewClusterRole(),
+}
+
+// ensureGatewayAPIRBAC ensures that all RBAC resources for Gateway API are
+// deployed to the cluster, and up to date.
+func (r *reconciler) ensureGatewayAPIRBAC(ctx context.Context) error {
+	var errs []error
+
+	for _, clusterRole := range managedClusterRoles {
+		if err := r.ensureClusterRole(ctx, clusterRole); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	return utilerrors.NewAggregate(errs)
+}
+
+// ensureClusterRole ensures that a specific ClusterRole RBAC resource is
+// deployed to the cluster, and up to date.
+func (r *reconciler) ensureClusterRole(ctx context.Context, desired *rbacv1.ClusterRole) error {
+	clusterRoleAlreadyExists, current, err := r.currentClusterRole(ctx, desired.Name)
+	if err != nil {
+		return err
+	}
+
+	if clusterRoleAlreadyExists {
+		if updated, err := r.updateClusterRole(ctx, current, desired); err != nil {
+			return err
+		} else if updated {
+			if _, _, err := r.currentClusterRole(ctx, desired.Name); err != nil {
+				return err
+			}
+		}
+	} else {
+		return r.createClusterRole(ctx, desired)
+	}
+
+	return nil
+}
+
+// currentClusterRole retrieves a ClusterRole from the cluster, given the name
+// of that role.
+func (r *reconciler) currentClusterRole(ctx context.Context, name string) (bool, *rbacv1.ClusterRole, error) {
+	var existingClusterRole rbacv1.ClusterRole
+
+	if err := r.client.Get(ctx, types.NamespacedName{Name: name}, &existingClusterRole); err != nil {
+		if errors.IsNotFound(err) {
+			return false, nil, nil
+		}
+		return false, nil, fmt.Errorf("failed to get ClusterRole %s: %w", name, err)
+	}
+
+	return true, &existingClusterRole, nil
+}
+
+// createClusterRole creates the desired ClusterRole on the cluster.
+func (r *reconciler) createClusterRole(ctx context.Context, desired *rbacv1.ClusterRole) error {
+	desired.ResourceVersion = ""
+
+	if err := r.client.Create(ctx, desired); err != nil {
+		return fmt.Errorf("failed to create ClusterRole %s: %w", desired.Name, err)
+	}
+
+	log.Info("Created ClusterRole", "name", desired.Name)
+
+	return nil
+}
+
+// updateClusterRole verifies whether the current ClusterRole is up to date with
+// what is desired, and performs an update if not.
+func (r *reconciler) updateClusterRole(ctx context.Context, current, desired *rbacv1.ClusterRole) (bool, error) {
+	changed, updated := clusterRoleChanged(current, desired)
+	if !changed {
+		return false, nil
+	}
+
+	// Diff before updating because the client may mutate the object.
+	diff := cmp.Diff(current, updated, cmpopts.EquateEmpty())
+	if err := r.client.Update(ctx, updated); err != nil {
+		return false, fmt.Errorf("failed to update ClusterRole %s: %w", updated.Name, err)
+	}
+
+	log.Info("updated ClusterRole", "name", updated.Name, "diff", diff)
+
+	return true, nil
+}
+
+// clusterRoleChanged indicates whether there are changes between the current
+// ClusterRole and what is expected, and provides the updated version of the
+// ClusterRole if so.
+func clusterRoleChanged(current, expected *rbacv1.ClusterRole) (bool, *rbacv1.ClusterRole) {
+	if cmp.Equal(current.Rules, expected.Rules) &&
+		cmp.Equal(current.ObjectMeta.Labels, expected.ObjectMeta.Labels) &&
+		cmp.Equal(current.ObjectMeta.Annotations, expected.ObjectMeta.Annotations) {
+		return false, nil
+	}
+
+	updated := current.DeepCopy()
+	updated.ObjectMeta.Labels = expected.ObjectMeta.Labels
+	updated.ObjectMeta.Annotations = expected.ObjectMeta.Annotations
+	updated.Rules = expected.Rules
+
+	return true, updated
+}