fix: use infrastructure client if no operator client is set up

Signed-off-by: Chris Laprun <[email protected]>

Author: metacosm

operator-framework-core/src/main/java/io/javaoperatorsdk/operator/ReconcilerUtils.java

@@ -180,6 +180,9 @@ private static IllegalStateException noSpecException(
 
   public static <T> T loadYaml(Class<T> clazz, Class loader, String yaml) {
     try (InputStream is = loader.getResourceAsStream(yaml)) {
+      if (is == null) {
+        throw new IllegalStateException("Cannot find yaml on classpath: " + yaml);
+      }
       if (Builder.class.isAssignableFrom(clazz)) {
         return BuilderUtils.newBuilder(
             clazz, Serialization.unmarshal(is, BuilderUtils.builderTargetType(clazz)));

operator-framework-junit5/src/main/java/io/javaoperatorsdk/operator/junit/AbstractOperatorExtension.java

@@ -60,12 +60,12 @@ protected AbstractOperatorExtension(
       KubernetesClient infrastructureKubernetesClient,
       Function<ExtensionContext, String> namespaceNameSupplier,
       Function<ExtensionContext, String> perClassNamespaceNameSupplier) {
-    this.kubernetesClient =
-        kubernetesClient != null ? kubernetesClient : new KubernetesClientBuilder().build();
     this.infrastructureKubernetesClient =
         infrastructureKubernetesClient != null
             ? infrastructureKubernetesClient
             : new KubernetesClientBuilder().build();
+    this.kubernetesClient =
+        kubernetesClient != null ? kubernetesClient : this.infrastructureKubernetesClient;
     this.infrastructure = infrastructure;
     this.infrastructureTimeout = infrastructureTimeout;
     this.oneNamespacePerClass = oneNamespacePerClass;

operator-framework-junit5/src/main/java/io/javaoperatorsdk/operator/junit/ClusterDeployedOperatorExtension.java

@@ -157,6 +157,12 @@ public Builder withKubernetesClient(KubernetesClient kubernetesClient) {
     }
 
     public ClusterDeployedOperatorExtension build() {
+      infrastructureKubernetesClient =
+          infrastructureKubernetesClient != null
+              ? infrastructureKubernetesClient
+              : new KubernetesClientBuilder().build();
+      kubernetesClient =
+          kubernetesClient != null ? kubernetesClient : infrastructureKubernetesClient;
       return new ClusterDeployedOperatorExtension(
           operatorDeployment,
           deploymentTimeout,
@@ -165,10 +171,8 @@ public ClusterDeployedOperatorExtension build() {
           preserveNamespaceOnError,
           waitForNamespaceDeletion,
           oneNamespacePerClass,
-          kubernetesClient != null ? kubernetesClient : new KubernetesClientBuilder().build(),
-          infrastructureKubernetesClient != null
-              ? infrastructureKubernetesClient
-              : new KubernetesClientBuilder().build(),
+          kubernetesClient,
+          infrastructureKubernetesClient,
           namespaceNameSupplier,
           perClassNamespaceNameSupplier);
     }

operator-framework/src/test/java/io/javaoperatorsdk/operator/baseapi/infrastructureclient/InfrastructureClientIT.java

@@ -0,0 +1,142 @@
+package io.javaoperatorsdk.operator.baseapi.infrastructureclient;
+
+import java.util.HashMap;
+import java.util.UUID;
+import java.util.concurrent.TimeUnit;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.fabric8.kubernetes.api.model.ObjectMetaBuilder;
+import io.fabric8.kubernetes.api.model.rbac.ClusterRole;
+import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding;
+import io.fabric8.kubernetes.client.ConfigBuilder;
+import io.fabric8.kubernetes.client.KubernetesClientBuilder;
+import io.fabric8.kubernetes.client.KubernetesClientException;
+import io.javaoperatorsdk.operator.ReconcilerUtils;
+import io.javaoperatorsdk.operator.junit.LocallyRunOperatorExtension;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.awaitility.Awaitility.await;
+
+class InfrastructureClientIT {
+
+  private static final String RBAC_TEST_ROLE = "rbac-test-role.yaml";
+  private static final String RBAC_TEST_ROLE_BINDING = "rbac-test-role-binding.yaml";
+  private static final String RBAC_TEST_USER = "rbac-test-user";
+
+  @RegisterExtension
+  LocallyRunOperatorExtension operator =
+      LocallyRunOperatorExtension.builder()
+          .withReconciler(new InfrastructureClientTestReconciler())
+          .withKubernetesClient(
+              new KubernetesClientBuilder()
+                  .withConfig(new ConfigBuilder().withImpersonateUsername(RBAC_TEST_USER).build())
+                  .build())
+          .withInfrastructureKubernetesClient(
+              new KubernetesClientBuilder().build()) // no limitations
+          .build();
+
+  /**
+   * We need to apply the cluster role also before the CRD deployment so the rbac-test-user is
+   * permitted to deploy it
+   */
+  public InfrastructureClientIT() {
+    applyClusterRole(RBAC_TEST_ROLE);
+    applyClusterRoleBinding(RBAC_TEST_ROLE_BINDING);
+  }
+
+  @BeforeEach
+  void setup() {
+    applyClusterRole(RBAC_TEST_ROLE);
+    applyClusterRoleBinding(RBAC_TEST_ROLE_BINDING);
+  }
+
+  @AfterEach
+  void cleanup() {
+    removeClusterRoleBinding(RBAC_TEST_ROLE_BINDING);
+    removeClusterRole(RBAC_TEST_ROLE);
+  }
+
+  @Test
+  void canCreateInfrastructure() {
+    var resource = new InfrastructureClientTestCustomResource();
+    resource.setMetadata(
+        new ObjectMetaBuilder()
+            .withName("infrastructure-client-resource")
+            .withUid(UUID.randomUUID().toString())
+            .withGeneration(1L)
+            .build());
+    resource.getMetadata().setAnnotations(new HashMap<>());
+    resource.setKind("InfrastructureClientTestCustomResource");
+    operator.create(resource);
+
+    await()
+        .atMost(5, TimeUnit.SECONDS)
+        .untilAsserted(
+            () -> {
+              InfrastructureClientTestCustomResource r =
+                  operator.get(
+                      InfrastructureClientTestCustomResource.class,
+                      "infrastructure-client-resource");
+              assertThat(r).isNotNull();
+            });
+
+    assertThat(
+            operator
+                .getReconcilerOfType(InfrastructureClientTestReconciler.class)
+                .getNumberOfExecutions())
+        .isEqualTo(1);
+  }
+
+  @Test
+  void shouldNotAccessNotPermittedResources() {
+    assertThatThrownBy(
+            () ->
+                operator
+                    .getKubernetesClient()
+                    .apiextensions()
+                    .v1()
+                    .customResourceDefinitions()
+                    .list())
+        .isInstanceOf(KubernetesClientException.class)
+        .hasMessageContaining(
+            "User \"%s\" cannot list resource \"customresourcedefinitions\""
+                .formatted(RBAC_TEST_USER));
+
+    // but we should be able to access all resources with the infrastructure client
+    var deploymentList =
+        operator
+            .getInfrastructureKubernetesClient()
+            .apiextensions()
+            .v1()
+            .customResourceDefinitions()
+            .list();
+    assertThat(deploymentList).isNotNull();
+  }
+
+  private void applyClusterRoleBinding(String filename) {
+    var clusterRoleBinding =
+        ReconcilerUtils.loadYaml(ClusterRoleBinding.class, this.getClass(), filename);
+    operator.getInfrastructureKubernetesClient().resource(clusterRoleBinding).serverSideApply();
+  }
+
+  private void applyClusterRole(String filename) {
+    var clusterRole = ReconcilerUtils.loadYaml(ClusterRole.class, this.getClass(), filename);
+    operator.getInfrastructureKubernetesClient().resource(clusterRole).serverSideApply();
+  }
+
+  private void removeClusterRoleBinding(String filename) {
+    var clusterRoleBinding =
+        ReconcilerUtils.loadYaml(ClusterRoleBinding.class, this.getClass(), filename);
+    operator.getInfrastructureKubernetesClient().resource(clusterRoleBinding).delete();
+  }
+
+  private void removeClusterRole(String filename) {
+    var clusterRoleBinding = ReconcilerUtils.loadYaml(ClusterRole.class, this.getClass(), filename);
+    operator.getInfrastructureKubernetesClient().resource(clusterRoleBinding).delete();
+  }
+}

operator-framework/src/test/java/io/javaoperatorsdk/operator/baseapi/infrastructureclient/InfrastructureClientTestCustomResource.java

@@ -0,0 +1,13 @@
+package io.javaoperatorsdk.operator.baseapi.infrastructureclient;
+
+import io.fabric8.kubernetes.api.model.Namespaced;
+import io.fabric8.kubernetes.client.CustomResource;
+import io.fabric8.kubernetes.model.annotation.Group;
+import io.fabric8.kubernetes.model.annotation.ShortNames;
+import io.fabric8.kubernetes.model.annotation.Version;
+
+@Group("sample.javaoperatorsdk")
+@Version("v1")
+@ShortNames("ict")
+public class InfrastructureClientTestCustomResource extends CustomResource<Void, Void>
+    implements Namespaced {}

operator-framework/src/test/java/io/javaoperatorsdk/operator/baseapi/infrastructureclient/InfrastructureClientTestReconciler.java

@@ -0,0 +1,37 @@
+package io.javaoperatorsdk.operator.baseapi.infrastructureclient;
+
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import io.javaoperatorsdk.operator.api.reconciler.Context;
+import io.javaoperatorsdk.operator.api.reconciler.ControllerConfiguration;
+import io.javaoperatorsdk.operator.api.reconciler.Reconciler;
+import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
+import io.javaoperatorsdk.operator.processing.event.ResourceID;
+import io.javaoperatorsdk.operator.support.TestExecutionInfoProvider;
+
+@ControllerConfiguration(name = InfrastructureClientTestReconciler.TEST_RECONCILER)
+public class InfrastructureClientTestReconciler
+    implements Reconciler<InfrastructureClientTestCustomResource>, TestExecutionInfoProvider {
+
+  private static final Logger log =
+      LoggerFactory.getLogger(InfrastructureClientTestReconciler.class);
+
+  public static final String TEST_RECONCILER = "InfrastructureClientTestReconciler";
+  private final AtomicInteger numberOfExecutions = new AtomicInteger(0);
+
+  @Override
+  public UpdateControl<InfrastructureClientTestCustomResource> reconcile(
+      InfrastructureClientTestCustomResource resource,
+      Context<InfrastructureClientTestCustomResource> context) {
+    numberOfExecutions.addAndGet(1);
+    log.info("Reconciled for: {}", ResourceID.fromResource(resource));
+    return UpdateControl.noUpdate();
+  }
+
+  public int getNumberOfExecutions() {
+    return numberOfExecutions.get();
+  }
+}

operator-framework/src/test/resources/io/javaoperatorsdk/operator/baseapi/infrastructureclient/rbac-test-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rbac-test-role-binding
+subjects:
+  - kind: User
+    name: rbac-test-user
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: rbac-test-role
+  apiGroup: rbac.authorization.k8s.io

operator-framework/src/test/resources/io/javaoperatorsdk/operator/baseapi/infrastructureclient/rbac-test-role.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: rbac-test-role
+rules:
+  - apiGroups: [ "apiextensions.k8s.io"]
+    resources: [ "customresourcedefinitions" ]
+    verbs: [ "create", "update", "patch", "delete", "deletecollection" ] # explicitly don't include "list" for the test
+  - apiGroups: [ "sample.javaoperatorsdk" ]
+    resources: [ "infrastructureclienttestcustomresources" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]