Skip to content

Fixes accidentally deleted serviceaccount and rolebinding objects #909

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Nov 23, 2024
Merged

Fixes accidentally deleted serviceaccount and rolebinding objects #909

Changes from 4 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
ad2dd70
Potential fix for SUP-148
soenkeliebau Nov 21, 2024
7edfbc2
Expanded comment on build_rbac_resources a bit.
soenkeliebau Nov 21, 2024
35a8c9d
fix rustdocs complaints
soenkeliebau Nov 21, 2024
154ce7e
Adapt tests to the changed behavior.
soenkeliebau Nov 21, 2024
d04b987
Changed role_binding_name and service_account_name to not be public a…
soenkeliebau Nov 22, 2024
90a6c6e
Add legacy name of serviceAccount to roleBinding as well for better t…
soenkeliebau Nov 22, 2024
eaefb1a
Added changelog entry.
soenkeliebau Nov 22, 2024
c219c2a
Update crates/stackable-operator/src/commons/rbac.rs
soenkeliebau Nov 22, 2024
c591125
Merge branch 'main' into fix/SUP-148
siegfriedweber Nov 22, 2024
cd36be7
Fix changelog
siegfriedweber Nov 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 10 additions & 4 deletions crates/stackable-operator/src/commons/rbac.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,12 +30,18 @@ pub enum Error {
/// Build RBAC objects for the product workloads.
/// The `rbac_prefix` is meant to be the product name, for example: zookeeper, airflow, etc.
/// and it is a assumed that a ClusterRole named `{rbac_prefix}-clusterrole` exists.
/// 'rbac_prefix' is not used to build the names of the serviceAccount and roleBinding objects,
/// as this caused problems with multiple clusters of the same product within the same namespace
/// see <https://stackable.atlassian.net/browse/SUP-148> for more details.
/// Instead the names for these objects are created by reading the name from the cluster object
/// and appending [-rolebinding|-serviceaccount] to create unique names instead of using the
/// same objects for multiple clusters.
pub fn build_rbac_resources<T: Clone + Resource<DynamicType = ()>>(
resource: &T,
rbac_prefix: &str,
labels: Labels,
) -> Result<(ServiceAccount, RoleBinding)> {
let sa_name = service_account_name(rbac_prefix);
let sa_name = service_account_name(&resource.name_any());
let service_account = ServiceAccount {
metadata: ObjectMetaBuilder::new()
.name_and_namespace(resource)
Expand All @@ -52,7 +58,7 @@ pub fn build_rbac_resources<T: Clone + Resource<DynamicType = ()>>(
let role_binding = RoleBinding {
metadata: ObjectMetaBuilder::new()
.name_and_namespace(resource)
.name(role_binding_name(rbac_prefix))
.name(role_binding_name(&resource.name_any()))
.ownerreference_from_resource(resource, None, Some(true))
.context(RoleBindingOwnerReferenceFromResourceSnafu {
name: resource.name_any(),
Expand Down Expand Up @@ -130,7 +136,7 @@ mod tests {
build_rbac_resources(&cluster, RESOURCE_NAME, Labels::new()).unwrap();

assert_eq!(
Some(service_account_name(RESOURCE_NAME)),
Some(service_account_name(CLUSTER_NAME)),
rbac_sa.metadata.name,
"service account does not match"
);
Expand All @@ -141,7 +147,7 @@ mod tests {
);

assert_eq!(
Some(role_binding_name(RESOURCE_NAME)),
Some(role_binding_name(CLUSTER_NAME)),
rbac_rolebinding.metadata.name,
"rolebinding does not match"
);
Expand Down
Loading