mirror of
https://github.com/kubevirt/containerized-data-importer.git
synced 2025-06-03 06:30:22 +00:00
bfe30a8964
- Split the huge DV controller into smaller op-specific DV controllers - import, clone, upload - Add common watch-adding function so each controller watches only its relevant DVs - Refactor the common Reconcile() to use interface DataVolumeReconciler implemented by each controller - Move all functions, structs, consts to the relevant controller - Split the utests per controller Signed-off-by: Arnon Gilboa <agilboa@redhat.com> Signed-off-by: Arnon Gilboa <agilboa@redhat.com>
150 lines
4.0 KiB
Go
150 lines
4.0 KiB
Go
/*
|
|
Copyright 2018 The CDI Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package controller
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"github.com/go-logr/logr"
|
|
secv1 "github.com/openshift/api/security/v1"
|
|
corev1 "k8s.io/api/core/v1"
|
|
apiequality "k8s.io/apimachinery/pkg/api/equality"
|
|
"k8s.io/apimachinery/pkg/api/errors"
|
|
"k8s.io/apimachinery/pkg/api/meta"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
"sigs.k8s.io/controller-runtime/pkg/source"
|
|
|
|
cc "kubevirt.io/containerized-data-importer/pkg/controller/common"
|
|
"kubevirt.io/containerized-data-importer/pkg/operator"
|
|
"kubevirt.io/containerized-data-importer/pkg/util"
|
|
sdk "kubevirt.io/controller-lifecycle-operator-sdk/pkg/sdk"
|
|
)
|
|
|
|
const sccName = "containerized-data-importer"
|
|
|
|
func setSCC(scc *secv1.SecurityContextConstraints) {
|
|
// Ensure we are just good citizens that don't want to compete against other prioritized SCCs
|
|
scc.Priority = nil
|
|
scc.RunAsUser = secv1.RunAsUserStrategyOptions{
|
|
Type: secv1.RunAsUserStrategyMustRunAsNonRoot,
|
|
}
|
|
scc.SELinuxContext = secv1.SELinuxContextStrategyOptions{
|
|
Type: secv1.SELinuxStrategyMustRunAs,
|
|
}
|
|
scc.SupplementalGroups = secv1.SupplementalGroupsStrategyOptions{
|
|
Type: secv1.SupplementalGroupsStrategyMustRunAs,
|
|
}
|
|
scc.SeccompProfiles = []string{
|
|
"runtime/default",
|
|
}
|
|
scc.DefaultAddCapabilities = nil
|
|
scc.RequiredDropCapabilities = []corev1.Capability{
|
|
"ALL",
|
|
}
|
|
scc.Volumes = []secv1.FSType{
|
|
secv1.FSTypeConfigMap,
|
|
secv1.FSTypeDownwardAPI,
|
|
secv1.FSTypeEmptyDir,
|
|
secv1.FSTypePersistentVolumeClaim,
|
|
secv1.FSProjected,
|
|
secv1.FSTypeSecret,
|
|
}
|
|
}
|
|
|
|
func ensureSCCExists(logger logr.Logger, c client.Client, saNamespace, saName, cronSaName string) error {
|
|
scc := &secv1.SecurityContextConstraints{}
|
|
userName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, saName)
|
|
cronUserName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, cronSaName)
|
|
|
|
err := c.Get(context.TODO(), client.ObjectKey{Name: sccName}, scc)
|
|
if meta.IsNoMatchError(err) {
|
|
// not in openshift
|
|
logger.V(3).Info("No match error for SCC, must not be in openshift")
|
|
return nil
|
|
} else if errors.IsNotFound(err) {
|
|
cr, err := cc.GetActiveCDI(c)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if cr == nil {
|
|
return fmt.Errorf("no active CDI")
|
|
}
|
|
installerLabels := util.GetRecommendedInstallerLabelsFromCr(cr)
|
|
|
|
scc = &secv1.SecurityContextConstraints{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: sccName,
|
|
Labels: map[string]string{
|
|
"cdi.kubevirt.io": "",
|
|
},
|
|
},
|
|
Users: []string{
|
|
userName,
|
|
cronUserName,
|
|
},
|
|
}
|
|
|
|
setSCC(scc)
|
|
|
|
util.SetRecommendedLabels(scc, installerLabels, "cdi-operator")
|
|
|
|
if err = operator.SetOwnerRuntime(c, scc); err != nil {
|
|
return err
|
|
}
|
|
|
|
return c.Create(context.TODO(), scc)
|
|
} else if err != nil {
|
|
return err
|
|
}
|
|
|
|
origSCC := scc.DeepCopy()
|
|
|
|
setSCC(scc)
|
|
|
|
if !sdk.ContainsStringValue(scc.Users, userName) {
|
|
scc.Users = append(scc.Users, userName)
|
|
}
|
|
if !sdk.ContainsStringValue(scc.Users, cronUserName) {
|
|
scc.Users = append(scc.Users, cronUserName)
|
|
}
|
|
|
|
if !apiequality.Semantic.DeepEqual(origSCC, scc) {
|
|
return c.Update(context.TODO(), scc)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (r *ReconcileCDI) watchSecurityContextConstraints() error {
|
|
err := r.uncachedClient.List(context.TODO(), &secv1.SecurityContextConstraintsList{}, &client.ListOptions{
|
|
Limit: 1,
|
|
})
|
|
if err == nil {
|
|
return r.controller.Watch(&source.Kind{Type: &secv1.SecurityContextConstraints{}}, enqueueCDI(r.client))
|
|
}
|
|
if meta.IsNoMatchError(err) {
|
|
log.Info("Not watching SecurityContextConstraints")
|
|
return nil
|
|
}
|
|
|
|
log.Info("GOODBYE SCC")
|
|
|
|
return err
|
|
}
|