You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@camel.apache.org by as...@apache.org on 2021/08/04 16:32:40 UTC
[camel-k] branch release-1.5.x updated (8a736e9 -> be736c4)
This is an automated email from the ASF dual-hosted git repository.
astefanutti pushed a change to branch release-1.5.x
in repository https://gitbox.apache.org/repos/asf/camel-k.git.
from 8a736e9 fix(cmd/bind): nullable error-handler
new 1c74469 Fix #2530: fix type and do not add cross-namespace owner references
new 07b52bd Fix #2530: revert direct creation of image puller and use platform as owner
new be736c4 Fix #2530: fix test to check actual resources on the namespace
The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
pkg/trait/owner.go | 25 +++++++-----
pkg/trait/pull_secret.go | 42 +++++++++++++++++--
pkg/trait/pull_secret_test.go | 94 ++++++++++++++++++++++++++++++++++---------
3 files changed, 127 insertions(+), 34 deletions(-)
[camel-k] 03/03: Fix #2530: fix test to check actual resources on
the namespace
Posted by as...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
astefanutti pushed a commit to branch release-1.5.x
in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit be736c4090bc10b267aa408209e41f46941f07ef
Author: nicolaferraro <ni...@gmail.com>
AuthorDate: Thu Jul 29 13:46:46 2021 +0200
Fix #2530: fix test to check actual resources on the namespace
---
pkg/trait/pull_secret_test.go | 94 ++++++++++++++++++++++++++++++++++---------
1 file changed, 74 insertions(+), 20 deletions(-)
diff --git a/pkg/trait/pull_secret_test.go b/pkg/trait/pull_secret_test.go
index a1499e0..44ee3ef 100644
--- a/pkg/trait/pull_secret_test.go
+++ b/pkg/trait/pull_secret_test.go
@@ -18,32 +18,23 @@ limitations under the License.
package trait
import (
+ "context"
"testing"
v1 "github.com/apache/camel-k/pkg/apis/camel/v1"
"github.com/apache/camel-k/pkg/util/kubernetes"
+ "github.com/apache/camel-k/pkg/util/test"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client"
"github.com/stretchr/testify/assert"
)
func TestPullSecret(t *testing.T) {
- e := &Environment{}
- e.Integration = &v1.Integration{
- Status: v1.IntegrationStatus{
- Phase: v1.IntegrationPhaseDeploying,
- },
- }
-
- deployment := appsv1.Deployment{
- Spec: appsv1.DeploymentSpec{
- Template: corev1.PodTemplateSpec{
- Spec: corev1.PodSpec{},
- },
- },
- }
- e.Resources = kubernetes.NewCollection(&deployment)
+ e, deployment := getEnvironmentAndDeployment(t)
trait := newPullSecretTrait().(*pullSecretTrait)
trait.SecretName = "xxxy"
@@ -57,15 +48,66 @@ func TestPullSecret(t *testing.T) {
}
func TestPullSecretDoesNothingWhenNotSetOnPlatform(t *testing.T) {
+ e, _ := getEnvironmentAndDeployment(t)
+ e.Platform = &v1.IntegrationPlatform{}
+
+ trait := newPullSecretTrait()
+ enabled, err := trait.Configure(e)
+ assert.Nil(t, err)
+ assert.False(t, enabled)
+}
+
+func TestPullSecretAuto(t *testing.T) {
+ e, _ := getEnvironmentAndDeployment(t)
+
+ trait := newPullSecretTrait().(*pullSecretTrait)
+ trait.Auto = newFalse()
+ enabled, err := trait.Configure(e)
+ assert.Nil(t, err)
+ assert.False(t, enabled)
+}
+
+func TestPullSecretImagePullerDelegation(t *testing.T) {
+ e, _ := getEnvironmentAndDeployment(t)
+
+ trait := newPullSecretTrait().(*pullSecretTrait)
+ trait.Auto = newFalse()
+ trait.ImagePullerDelegation = newTrue()
+ enabled, err := trait.Configure(e)
+ assert.Nil(t, err)
+ assert.True(t, enabled)
+ assert.True(t, *trait.ImagePullerDelegation)
+
+ err = trait.Apply(e)
+ assert.NoError(t, err)
+
+ var roleBinding rbacv1.RoleBinding
+ roleBindingKey := client.ObjectKey{
+ Namespace: "test",
+ Name: "camel-k-puller-test-default",
+ }
+ err = e.Client.Get(e.C, roleBindingKey, &roleBinding)
+ assert.NoError(t, err)
+ assert.Len(t, roleBinding.Subjects, 1)
+}
+
+func getEnvironmentAndDeployment(t *testing.T) (*Environment, *appsv1.Deployment) {
e := &Environment{}
e.Integration = &v1.Integration{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: "test",
+ Name: "myit",
+ },
Status: v1.IntegrationStatus{
Phase: v1.IntegrationPhaseDeploying,
},
}
- e.Platform = &v1.IntegrationPlatform{}
deployment := appsv1.Deployment{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: "test",
+ Name: "myit",
+ },
Spec: appsv1.DeploymentSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{},
@@ -74,8 +116,20 @@ func TestPullSecretDoesNothingWhenNotSetOnPlatform(t *testing.T) {
}
e.Resources = kubernetes.NewCollection(&deployment)
- trait := newPullSecretTrait()
- enabled, err := trait.Configure(e)
- assert.Nil(t, err)
- assert.False(t, enabled)
+ var err error
+ e.C = context.TODO()
+ e.Client, err = test.NewFakeClient(e.Integration, &deployment)
+ assert.NoError(t, err)
+
+ return e, &deployment
+}
+
+func newFalse() *bool {
+ b := false
+ return &b
+}
+
+func newTrue() *bool {
+ b := true
+ return &b
}
[camel-k] 01/03: Fix #2530: fix type and do not add cross-namespace
owner references
Posted by as...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
astefanutti pushed a commit to branch release-1.5.x
in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit 1c74469b4ff95d4635376a6a503786e1e09838f4
Author: nicolaferraro <ni...@gmail.com>
AuthorDate: Wed Jul 28 17:58:10 2021 +0200
Fix #2530: fix type and do not add cross-namespace owner references
---
pkg/trait/owner.go | 23 +++++++++++++----------
pkg/trait/pull_secret.go | 4 ++++
2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/pkg/trait/owner.go b/pkg/trait/owner.go
index c821e02..e6abc6d 100644
--- a/pkg/trait/owner.go
+++ b/pkg/trait/owner.go
@@ -78,17 +78,20 @@ func (t *ownerTrait) Apply(e *Environment) error {
}
e.Resources.VisitMetaObject(func(res metav1.Object) {
- references := []metav1.OwnerReference{
- {
- APIVersion: e.Integration.APIVersion,
- Kind: e.Integration.Kind,
- Name: e.Integration.Name,
- UID: e.Integration.UID,
- Controller: &controller,
- BlockOwnerDeletion: &blockOwnerDeletion,
- },
+ // Avoid setting owner references across namespaces (resources are asynchronously refused by the api server)
+ if res.GetNamespace() == "" || res.GetNamespace() == e.Integration.Namespace {
+ references := []metav1.OwnerReference{
+ {
+ APIVersion: e.Integration.APIVersion,
+ Kind: e.Integration.Kind,
+ Name: e.Integration.Name,
+ UID: e.Integration.UID,
+ Controller: &controller,
+ BlockOwnerDeletion: &blockOwnerDeletion,
+ },
+ }
+ res.SetOwnerReferences(references)
}
- res.SetOwnerReferences(references)
// Transfer annotations
t.propagateLabelAndAnnotations(res, targetLabels, targetAnnotations)
diff --git a/pkg/trait/pull_secret.go b/pkg/trait/pull_secret.go
index 115d601..b1612ce 100644
--- a/pkg/trait/pull_secret.go
+++ b/pkg/trait/pull_secret.go
@@ -122,6 +122,10 @@ func (t *pullSecretTrait) newImagePullerRoleBinding(e *Environment) *rbacv1.Role
serviceAccount = "default"
}
return &rbacv1.RoleBinding{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "RoleBinding",
+ APIVersion: rbacv1.SchemeGroupVersion.String(),
+ },
ObjectMeta: metav1.ObjectMeta{
Namespace: e.Integration.GetIntegrationKitNamespace(e.Platform),
Name: fmt.Sprintf("camel-k-puller-%s", e.Integration.Namespace),
[camel-k] 02/03: Fix #2530: revert direct creation of image puller
and use platform as owner
Posted by as...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
astefanutti pushed a commit to branch release-1.5.x
in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit 07b52bd29689419e7ada129d144c1dcce1b8604a
Author: nicolaferraro <ni...@gmail.com>
AuthorDate: Thu Jul 29 12:58:58 2021 +0200
Fix #2530: revert direct creation of image puller and use platform as owner
---
pkg/trait/owner.go | 4 +++-
pkg/trait/pull_secret.go | 38 ++++++++++++++++++++++++++++++++++----
2 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/pkg/trait/owner.go b/pkg/trait/owner.go
index e6abc6d..a95b67a 100644
--- a/pkg/trait/owner.go
+++ b/pkg/trait/owner.go
@@ -78,7 +78,9 @@ func (t *ownerTrait) Apply(e *Environment) error {
}
e.Resources.VisitMetaObject(func(res metav1.Object) {
- // Avoid setting owner references across namespaces (resources are asynchronously refused by the api server)
+ // Cross-namespace references are forbidden and also asynchronously refused
+ // by the api server (sometimes no error is thrown but the resource is not created).
+ // Ref: https://github.com/kubernetes/kubernetes/issues/65200
if res.GetNamespace() == "" || res.GetNamespace() == e.Integration.Namespace {
references := []metav1.OwnerReference{
{
diff --git a/pkg/trait/pull_secret.go b/pkg/trait/pull_secret.go
index b1612ce..82b3c64 100644
--- a/pkg/trait/pull_secret.go
+++ b/pkg/trait/pull_secret.go
@@ -23,7 +23,9 @@ import (
v1 "github.com/apache/camel-k/pkg/apis/camel/v1"
"github.com/apache/camel-k/pkg/platform"
"github.com/apache/camel-k/pkg/util"
+ "github.com/apache/camel-k/pkg/util/kubernetes"
"github.com/apache/camel-k/pkg/util/openshift"
+ "github.com/pkg/errors"
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -109,14 +111,41 @@ func (t *pullSecretTrait) Apply(e *Environment) error {
})
}
if util.IsTrue(t.ImagePullerDelegation) {
- rb := t.newImagePullerRoleBinding(e)
- e.Resources.Add(rb)
+ if err := t.delegateImagePuller(e); err != nil {
+ return err
+ }
}
return nil
}
+func (t *pullSecretTrait) delegateImagePuller(e *Environment) error {
+ // Applying the rolebinding directly because it's a resource in the operator namespace
+ // (different from the integration namespace when delegation is enabled).
+ rb := t.newImagePullerRoleBinding(e)
+ if err := kubernetes.ReplaceResource(e.C, e.Client, rb); err != nil {
+ return errors.Wrap(err, "error during the creation of the system:image-puller delegating role binding")
+ }
+ return nil
+}
+
func (t *pullSecretTrait) newImagePullerRoleBinding(e *Environment) *rbacv1.RoleBinding {
+ targetNamespace := e.Integration.GetIntegrationKitNamespace(e.Platform)
+ var references []metav1.OwnerReference
+ if e.Platform != nil && e.Platform.Namespace == targetNamespace {
+ controller := true
+ blockOwnerDeletion := true
+ references = []metav1.OwnerReference{
+ {
+ APIVersion: e.Platform.APIVersion,
+ Kind: e.Platform.Kind,
+ Name: e.Platform.Name,
+ UID: e.Platform.UID,
+ Controller: &controller,
+ BlockOwnerDeletion: &blockOwnerDeletion,
+ },
+ }
+ }
serviceAccount := e.Integration.Spec.ServiceAccountName
if serviceAccount == "" {
serviceAccount = "default"
@@ -127,8 +156,9 @@ func (t *pullSecretTrait) newImagePullerRoleBinding(e *Environment) *rbacv1.Role
APIVersion: rbacv1.SchemeGroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{
- Namespace: e.Integration.GetIntegrationKitNamespace(e.Platform),
- Name: fmt.Sprintf("camel-k-puller-%s", e.Integration.Namespace),
+ Namespace: targetNamespace,
+ Name: fmt.Sprintf("camel-k-puller-%s-%s", e.Integration.Namespace, serviceAccount),
+ OwnerReferences: references,
},
RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole",