diff --git a/pkg/helpers/testing/testinghelpers.go b/pkg/helpers/testing/testinghelpers.go index 79473ff14..f2e931b6b 100644 --- a/pkg/helpers/testing/testinghelpers.go +++ b/pkg/helpers/testing/testinghelpers.go @@ -233,11 +233,12 @@ func NewManifestWork(namespace, name string, finalizers []string, deletionTimest return work } -func NewRole(namespace, name string, finalizers []string, terminated bool) *rbacv1.Role { +func NewRole(namespace, name string, finalizers []string, labels map[string]string, terminated bool) *rbacv1.Role { role := &rbacv1.Role{} role.Namespace = namespace role.Name = name role.Finalizers = finalizers + role.Labels = labels if terminated { now := metav1.Now() role.DeletionTimestamp = &now @@ -245,11 +246,12 @@ func NewRole(namespace, name string, finalizers []string, terminated bool) *rbac return role } -func NewRoleBinding(namespace, name string, finalizers []string, terminated bool) *rbacv1.RoleBinding { +func NewRoleBinding(namespace, name string, finalizers []string, labels map[string]string, terminated bool) *rbacv1.RoleBinding { rolebinding := &rbacv1.RoleBinding{} rolebinding.Namespace = namespace rolebinding.Name = name rolebinding.Finalizers = finalizers + rolebinding.Labels = labels if terminated { now := metav1.Now() rolebinding.DeletionTimestamp = &now diff --git a/pkg/hub/managedcluster/controller.go b/pkg/hub/managedcluster/controller.go index e81363c0a..25a188cf9 100644 --- a/pkg/hub/managedcluster/controller.go +++ b/pkg/hub/managedcluster/controller.go @@ -5,6 +5,7 @@ import ( "embed" "encoding/json" "fmt" + corev1 "k8s.io/api/core/v1" clientset "open-cluster-management.io/api/client/cluster/clientset/versioned" informerv1 "open-cluster-management.io/api/client/cluster/informers/externalversions/cluster/v1" @@ -142,8 +143,21 @@ func (c *managedClusterController) sync(ctx context.Context, syncCtx factory.Syn // TODO consider to add the managedcluster-namespace.yaml back to staticFiles, // currently, we keep the namespace after the managed cluster is deleted. - applyFiles := []string{"manifests/managedcluster-namespace.yaml"} - applyFiles = append(applyFiles, staticFiles...) + // apply namespace at first + namespace := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: managedClusterName, + Labels: map[string]string{ + "open-cluster-management.io/cluster-name": managedClusterName, + }, + }, + } + + errs := []error{} + _, _, err = resourceapply.ApplyNamespace(ctx, c.kubeClient.CoreV1(), syncCtx.Recorder(), namespace) + if err != nil { + errs = append(errs, err) + } // Hub cluster-admin accepts the spoke cluster, we apply // 1. clusterrole and clusterrolebinding for this spoke cluster. @@ -155,9 +169,9 @@ func (c *managedClusterController) sync(ctx context.Context, syncCtx factory.Syn syncCtx.Recorder(), c.cache, helpers.ManagedClusterAssetFn(manifestFiles, managedClusterName), - applyFiles..., + staticFiles..., ) - errs := []error{} + for _, result := range resourceResults { if result.Error != nil { errs = append(errs, fmt.Errorf("%q (%T): %v", result.File, result.Type, result.Error)) diff --git a/pkg/hub/managedcluster/manifests/managedcluster-namespace.yaml b/pkg/hub/managedcluster/manifests/managedcluster-namespace.yaml deleted file mode 100644 index fbb6ab8bc..000000000 --- a/pkg/hub/managedcluster/manifests/managedcluster-namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: "{{ .ManagedClusterName }}" diff --git a/pkg/hub/managedcluster/manifests/managedcluster-registration-rolebinding.yaml b/pkg/hub/managedcluster/manifests/managedcluster-registration-rolebinding.yaml index 0e05a9fb6..128416775 100644 --- a/pkg/hub/managedcluster/manifests/managedcluster-registration-rolebinding.yaml +++ b/pkg/hub/managedcluster/manifests/managedcluster-registration-rolebinding.yaml @@ -3,6 +3,8 @@ kind: RoleBinding metadata: name: open-cluster-management:managedcluster:{{ .ManagedClusterName }}:registration namespace: "{{ .ManagedClusterName }}" + labels: + open-cluster-management.io/cluster-name: {{ .ManagedClusterName }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/pkg/hub/managedcluster/manifests/managedcluster-work-rolebinding.yaml b/pkg/hub/managedcluster/manifests/managedcluster-work-rolebinding.yaml index fa67f7f6c..c1b111861 100644 --- a/pkg/hub/managedcluster/manifests/managedcluster-work-rolebinding.yaml +++ b/pkg/hub/managedcluster/manifests/managedcluster-work-rolebinding.yaml @@ -3,6 +3,8 @@ kind: RoleBinding metadata: name: open-cluster-management:managedcluster:{{ .ManagedClusterName }}:work namespace: "{{ .ManagedClusterName }}" + labels: + open-cluster-management.io/cluster-name: {{ .ManagedClusterName }} finalizers: - cluster.open-cluster-management.io/manifest-work-cleanup roleRef: diff --git a/pkg/hub/manager.go b/pkg/hub/manager.go index c65f51266..1b7fc1a52 100644 --- a/pkg/hub/manager.go +++ b/pkg/hub/manager.go @@ -4,6 +4,7 @@ import ( "context" certv1 "k8s.io/api/certificates/v1" certv1beta1 "k8s.io/api/certificates/v1beta1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "time" ocmfeature "open-cluster-management.io/api/feature" @@ -154,11 +155,22 @@ func (m *HubManagerOptions) RunControllerManager(ctx context.Context, controller controllerContext.EventRecorder, ) + rbacFinalizerKubeInfomers := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClient, 10*time.Minute, kubeinformers.WithTweakListOptions( + func(listOptions *metav1.ListOptions) { + selector := &metav1.LabelSelector{ + MatchExpressions: []metav1.LabelSelectorRequirement{ + { + Key: "open-cluster-management.io/cluster-name", + Operator: metav1.LabelSelectorOpExists, + }, + }, + } + listOptions.LabelSelector = metav1.FormatLabelSelector(selector) + })) rbacFinalizerController := rbacfinalizerdeletion.NewFinalizeController( - kubeInfomers.Rbac().V1().Roles(), - kubeInfomers.Rbac().V1().RoleBindings(), - kubeInfomers.Core().V1().Namespaces().Lister(), - clusterInformers.Cluster().V1().ManagedClusters().Lister(), + rbacFinalizerKubeInfomers.Rbac().V1().RoleBindings().Lister(), + rbacFinalizerKubeInfomers.Core().V1().Namespaces(), + clusterInformers.Cluster().V1().ManagedClusters(), workInformers.Work().V1().ManifestWorks().Lister(), kubeClient.RbacV1(), controllerContext.EventRecorder, @@ -217,6 +229,7 @@ func (m *HubManagerOptions) RunControllerManager(ctx context.Context, controller go workInformers.Start(ctx.Done()) go kubeInfomers.Start(ctx.Done()) go addOnInformers.Start(ctx.Done()) + go rbacFinalizerKubeInfomers.Start(ctx.Done()) go managedClusterController.Run(ctx, 1) go taintController.Run(ctx, 1) diff --git a/pkg/hub/rbacfinalizerdeletion/controller.go b/pkg/hub/rbacfinalizerdeletion/controller.go index 01a68cf54..1fb387f5a 100644 --- a/pkg/hub/rbacfinalizerdeletion/controller.go +++ b/pkg/hub/rbacfinalizerdeletion/controller.go @@ -2,37 +2,36 @@ package rbacfinalizerdeletion import ( "context" - "fmt" + "k8s.io/apimachinery/pkg/selection" + corev1informers "k8s.io/client-go/informers/core/v1" + "k8s.io/klog/v2" + informerv1 "open-cluster-management.io/api/client/cluster/informers/externalversions/cluster/v1" "reflect" - - clusterv1listers "open-cluster-management.io/api/client/cluster/listers/cluster/v1" - worklister "open-cluster-management.io/api/client/work/listers/work/v1" - clusterv1 "open-cluster-management.io/api/cluster/v1" + "time" "github.com/openshift/library-go/pkg/controller/factory" "github.com/openshift/library-go/pkg/operator/events" + clusterv1listers "open-cluster-management.io/api/client/cluster/listers/cluster/v1" + worklister "open-cluster-management.io/api/client/work/listers/work/v1" - corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" - rbacv1informers "k8s.io/client-go/informers/rbac/v1" rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1" corelisters "k8s.io/client-go/listers/core/v1" rbacv1listers "k8s.io/client-go/listers/rbac/v1" "k8s.io/client-go/tools/cache" - "k8s.io/klog/v2" ) const ( manifestWorkFinalizer = "cluster.open-cluster-management.io/manifest-work-cleanup" + clusterLabelKey = "open-cluster-management.io/cluster-name" ) type finalizeController struct { - roleLister rbacv1listers.RoleLister roleBindingLister rbacv1listers.RoleBindingLister rbacClient rbacv1client.RbacV1Interface clusterLister clusterv1listers.ManagedClusterLister @@ -44,20 +43,18 @@ type finalizeController struct { // NewFinalizeController ensures all manifestworks are deleted before role/rolebinding for work // agent are deleted in a terminating cluster namespace. func NewFinalizeController( - roleInformer rbacv1informers.RoleInformer, - roleBindingInformer rbacv1informers.RoleBindingInformer, - namespaceLister corelisters.NamespaceLister, - clusterLister clusterv1listers.ManagedClusterLister, + roleBindingLister rbacv1listers.RoleBindingLister, + namespaceInformer corev1informers.NamespaceInformer, + clusterInformer informerv1.ManagedClusterInformer, manifestWorkLister worklister.ManifestWorkLister, rbacClient rbacv1client.RbacV1Interface, eventRecorder events.Recorder, ) factory.Controller { controller := &finalizeController{ - roleLister: roleInformer.Lister(), - roleBindingLister: roleBindingInformer.Lister(), - namespaceLister: namespaceLister, - clusterLister: clusterLister, + roleBindingLister: roleBindingLister, + namespaceLister: namespaceInformer.Lister(), + clusterLister: clusterInformer.Lister(), manifestWorkLister: manifestWorkLister, rbacClient: rbacClient, eventRecorder: eventRecorder, @@ -67,105 +64,77 @@ func NewFinalizeController( WithInformersQueueKeyFunc(func(obj runtime.Object) string { key, _ := cache.MetaNamespaceKeyFunc(obj) return key - }, roleInformer.Informer(), roleBindingInformer.Informer()). + }, clusterInformer.Informer(), namespaceInformer.Informer()). WithSync(controller.sync).ToController("FinalizeController", eventRecorder) } func (m *finalizeController) sync(ctx context.Context, controllerContext factory.SyncContext) error { key := controllerContext.QueueKey() - namespace, name, err := cache.SplitMetaNamespaceKey(key) - if err != nil { - // ignore role/rolebinding whose key is not in format: namespace/name + if key == "" { return nil } - cluster, err := m.clusterLister.Get(namespace) - if err != nil && !errors.IsNotFound(err) { - return err - } - ns, err := m.namespaceLister.Get(namespace) + _, clusterName, err := cache.SplitMetaNamespaceKey(key) if err != nil { - return err + return nil } - // cluster is deleted or being deleted - role, rolebinding, err := m.getRoleAndRoleBinding(namespace, name) - if err != nil { + cluster, err := m.clusterLister.Get(clusterName) + if err != nil && !errors.IsNotFound(err) { return err } - err = m.syncRoleAndRoleBinding(ctx, controllerContext, role, rolebinding, ns, cluster) - - if err != nil { - klog.Errorf("Reconcile role/rolebinding %s fails with err: %v", key, err) - } - return err -} - -func (m *finalizeController) syncRoleAndRoleBinding(ctx context.Context, controllerContext factory.SyncContext, - role *rbacv1.Role, rolebinding *rbacv1.RoleBinding, ns *corev1.Namespace, cluster *clusterv1.ManagedCluster) error { - // Skip if neither role nor rolebinding has the finalizer - if !hasFinalizer(role, manifestWorkFinalizer) && !hasFinalizer(rolebinding, manifestWorkFinalizer) { + ns, err := m.namespaceLister.Get(clusterName) + if errors.IsNotFound(err) { return nil } + if err != nil { + return err + } // There are two possible cases that we need to remove finalizers on role/rolebindings based on // clean of manifestworks. // 1. The namespace is finalizing. - // 2. The cluster is finalizing but namespace fails to be deleted. - if !ns.DeletionTimestamp.IsZero() || (cluster != nil && !cluster.DeletionTimestamp.IsZero()) { + // 2. The cluster is finalizing or not found. + if !ns.DeletionTimestamp.IsZero() || cluster == nil || + (cluster != nil && !cluster.DeletionTimestamp.IsZero()) { works, err := m.manifestWorkLister.ManifestWorks(ns.Name).List(labels.Everything()) if err != nil { return err } if len(works) != 0 { - return fmt.Errorf("still having %d works in the cluster namespace %s", len(works), ns.Name) - } - } - - // remove finalizer from role/rolebinding - if pendingFinalization(role) { - if err := m.removeFinalizerFromRole(ctx, role, manifestWorkFinalizer); err != nil { - return err - } - } - - if pendingFinalization(rolebinding) { - if err := m.removeFinalizerFromRoleBinding(ctx, rolebinding, manifestWorkFinalizer); err != nil { - return err + controllerContext.Queue().AddAfter(clusterName, 10*time.Second) + klog.Warningf("still having %d works in the cluster namespace %s", len(works), ns.Name) + return nil } + return m.syncRoleBindings(ctx, controllerContext, clusterName) } return nil } -func (m *finalizeController) getRoleAndRoleBinding(namespace, name string) (*rbacv1.Role, *rbacv1.RoleBinding, error) { - role, err := m.roleLister.Roles(namespace).Get(name) - if err != nil && !errors.IsNotFound(err) { - return nil, nil, err - } - - rolebinding, err := m.roleBindingLister.RoleBindings(namespace).Get(name) +func (m *finalizeController) syncRoleBindings(ctx context.Context, controllerContext factory.SyncContext, + namespace string) error { + requirement, _ := labels.NewRequirement(clusterLabelKey, selection.Exists, []string{}) + selector := labels.NewSelector().Add(*requirement) + roleBindings, err := m.roleBindingLister.RoleBindings(namespace).List(selector) if err != nil && !errors.IsNotFound(err) { - return nil, nil, err - } - - return role, rolebinding, nil -} - -// removeFinalizerFromRole removes the particular finalizer from role -func (m *finalizeController) removeFinalizerFromRole(ctx context.Context, role *rbacv1.Role, finalizer string) error { - if role == nil { - return nil + return err } - role = role.DeepCopy() - if changed := removeFinalizer(role, finalizer); !changed { - return nil + for _, roleBinding := range roleBindings { + // Skip if roleBinding has no the finalizer + if !hasFinalizer(roleBinding, manifestWorkFinalizer) { + continue + } + // remove finalizer from roleBinding + if pendingFinalization(roleBinding) { + if err := m.removeFinalizerFromRoleBinding(ctx, roleBinding, manifestWorkFinalizer); err != nil { + return err + } + } } - - _, err := m.rbacClient.Roles(role.Namespace).Update(ctx, role, metav1.UpdateOptions{}) - return err + return nil } // removeFinalizerFromRoleBinding removes the particular finalizer from rolebinding diff --git a/pkg/hub/rbacfinalizerdeletion/controller_test.go b/pkg/hub/rbacfinalizerdeletion/controller_test.go index 4fc653cbd..1daf32d9d 100644 --- a/pkg/hub/rbacfinalizerdeletion/controller_test.go +++ b/pkg/hub/rbacfinalizerdeletion/controller_test.go @@ -6,23 +6,18 @@ import ( "testing" "time" - fakeclusterclient "open-cluster-management.io/api/client/cluster/clientset/versioned/fake" - clusterinformers "open-cluster-management.io/api/client/cluster/informers/externalversions" - fakeworkclient "open-cluster-management.io/api/client/work/clientset/versioned/fake" - workinformers "open-cluster-management.io/api/client/work/informers/externalversions" - clusterv1 "open-cluster-management.io/api/cluster/v1" - workapiv1 "open-cluster-management.io/api/work/v1" - testinghelpers "open-cluster-management.io/registration/pkg/helpers/testing" - "github.com/openshift/library-go/pkg/operator/events" - - corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" kubeinformers "k8s.io/client-go/informers" fakeclient "k8s.io/client-go/kubernetes/fake" clienttesting "k8s.io/client-go/testing" + fakeclusterclient "open-cluster-management.io/api/client/cluster/clientset/versioned/fake" + clusterinformers "open-cluster-management.io/api/client/cluster/informers/externalversions" + fakeworkclient "open-cluster-management.io/api/client/work/clientset/versioned/fake" + workinformers "open-cluster-management.io/api/client/work/informers/externalversions" + testinghelpers "open-cluster-management.io/registration/pkg/helpers/testing" ) var roleName = fmt.Sprintf("%s:spoke-work", testinghelpers.TestManagedClusterName) @@ -33,29 +28,37 @@ func TestSync(t *testing.T) { key string clusters []runtime.Object namespaces []runtime.Object - roles []runtime.Object roleBindings []runtime.Object works []runtime.Object expectedErr string }{ { name: "managed cluster namespace is not found", - key: fmt.Sprintf("%s/%s", testinghelpers.TestManagedClusterName, roleName), - expectedErr: "namespace \"testmanagedcluster\" not found", + key: testinghelpers.TestManagedClusterName, + expectedErr: "", }, + { - name: "there are no resources in managed cluster namespace", - key: fmt.Sprintf("%s/%s", testinghelpers.TestManagedClusterName, roleName), - namespaces: []runtime.Object{testinghelpers.NewNamespace(testinghelpers.TestManagedClusterName, true)}, + name: "there are no resources in managed cluster namespace", + key: testinghelpers.TestManagedClusterName, + namespaces: []runtime.Object{testinghelpers.NewNamespace(testinghelpers.TestManagedClusterName, true)}, + expectedErr: "", + }, + { + name: "cluster and ns are not deleting", + key: testinghelpers.TestManagedClusterName, + namespaces: []runtime.Object{testinghelpers.NewNamespace(testinghelpers.TestManagedClusterName, false)}, + clusters: []runtime.Object{testinghelpers.NewManagedCluster()}, + expectedErr: "", }, { - name: "still have works in deleting managed cluster namespace", - key: fmt.Sprintf("%s/%s", testinghelpers.TestManagedClusterName, roleName), - namespaces: []runtime.Object{testinghelpers.NewNamespace(testinghelpers.TestManagedClusterName, true)}, - roles: []runtime.Object{testinghelpers.NewRole(testinghelpers.TestManagedClusterName, roleName, []string{manifestWorkFinalizer}, true)}, - roleBindings: []runtime.Object{testinghelpers.NewRoleBinding(testinghelpers.TestManagedClusterName, roleName, []string{manifestWorkFinalizer}, true)}, - works: []runtime.Object{testinghelpers.NewManifestWork(testinghelpers.TestManagedClusterName, "work1", []string{manifestWorkFinalizer}, nil)}, - expectedErr: "still having 1 works in the cluster namespace testmanagedcluster", + name: "still have works in deleting managed cluster namespace", + key: testinghelpers.TestManagedClusterName, + namespaces: []runtime.Object{testinghelpers.NewNamespace(testinghelpers.TestManagedClusterName, true)}, + roleBindings: []runtime.Object{testinghelpers.NewRoleBinding(testinghelpers.TestManagedClusterName, roleName, + []string{manifestWorkFinalizer}, map[string]string{clusterLabelKey: testinghelpers.TestManagedClusterName}, true)}, + works: []runtime.Object{testinghelpers.NewManifestWork(testinghelpers.TestManagedClusterName, "work1", []string{manifestWorkFinalizer}, nil)}, + expectedErr: "", }, } for _, c := range cases { @@ -68,12 +71,7 @@ func TestSync(t *testing.T) { t.Fatal(err) } } - roleStore := kubeInformerFactory.Rbac().V1().Roles().Informer().GetStore() - for _, role := range c.roles { - if err := roleStore.Add(role); err != nil { - t.Fatal(err) - } - } + roleBindingStore := kubeInformerFactory.Rbac().V1().RoleBindings().Informer().GetStore() for _, roleBinding := range c.roleBindings { if err := roleBindingStore.Add(roleBinding); err != nil { @@ -94,7 +92,6 @@ func TestSync(t *testing.T) { } ctrl := &finalizeController{ - roleLister: kubeInformerFactory.Rbac().V1().Roles().Lister(), roleBindingLister: kubeInformerFactory.Rbac().V1().RoleBindings().Lister(), namespaceLister: kubeInformerFactory.Core().V1().Namespaces().Lister(), clusterLister: clusterInformerFactory.Cluster().V1().ManagedClusters().Lister(), @@ -111,64 +108,39 @@ func TestSync(t *testing.T) { func TestSyncRoleAndRoleBinding(t *testing.T) { cases := []struct { name string - role *rbacv1.Role roleBinding *rbacv1.RoleBinding - cluster *clusterv1.ManagedCluster - namespace *corev1.Namespace - work *workapiv1.ManifestWork + namespace string expectedRoleFinalizers []string expectedRoleBindingFinalizers []string expectedWorkFinalizers []string - expectedQueueLen int validateRbacActions func(t *testing.T, actions []clienttesting.Action) }{ { - name: "skip if neither role nor rolebinding exists", - cluster: testinghelpers.NewManagedCluster(), - namespace: testinghelpers.NewNamespace(testinghelpers.TestManagedClusterName, false), - work: testinghelpers.NewManifestWork(testinghelpers.TestManagedClusterName, "work1", nil, nil), + name: "skip if rolebinding does not exists", + namespace: testinghelpers.TestManagedClusterName, validateRbacActions: testinghelpers.AssertNoActions, }, { - name: "skip if neither role nor rolebinding has finalizer", - role: testinghelpers.NewRole(testinghelpers.TestManagedClusterName, roleName, nil, false), - roleBinding: testinghelpers.NewRoleBinding(testinghelpers.TestManagedClusterName, roleName, nil, false), - cluster: testinghelpers.NewManagedCluster(), - namespace: testinghelpers.NewNamespace(testinghelpers.TestManagedClusterName, false), - work: testinghelpers.NewManifestWork(testinghelpers.TestManagedClusterName, "work1", []string{manifestWorkFinalizer}, nil), - expectedWorkFinalizers: []string{manifestWorkFinalizer}, - validateRbacActions: testinghelpers.AssertNoActions, + name: "skip if rolebinding has no finalizer", + roleBinding: testinghelpers.NewRoleBinding(testinghelpers.TestManagedClusterName, roleName, nil, nil, false), + namespace: testinghelpers.TestManagedClusterName, + validateRbacActions: testinghelpers.AssertNoActions, }, { - name: "remove finalizer from deleting role within non-terminating namespace", - role: testinghelpers.NewRole(testinghelpers.TestManagedClusterName, roleName, []string{manifestWorkFinalizer}, true), - roleBinding: testinghelpers.NewRoleBinding(testinghelpers.TestManagedClusterName, roleName, []string{manifestWorkFinalizer}, false), - cluster: testinghelpers.NewManagedCluster(), - namespace: testinghelpers.NewNamespace(testinghelpers.TestManagedClusterName, false), - work: testinghelpers.NewManifestWork(testinghelpers.TestManagedClusterName, "work1", []string{manifestWorkFinalizer}, nil), + name: "skip if rolebinding has no labels", + roleBinding: testinghelpers.NewRoleBinding(testinghelpers.TestManagedClusterName, roleName, []string{manifestWorkFinalizer}, nil, false), + namespace: testinghelpers.TestManagedClusterName, expectedRoleBindingFinalizers: []string{manifestWorkFinalizer}, - expectedWorkFinalizers: []string{manifestWorkFinalizer}, - validateRbacActions: func(t *testing.T, actions []clienttesting.Action) { - testinghelpers.AssertActions(t, actions, "update") - }, - }, - { - name: "remove finalizer from role/rolebinding within terminating cluster", - role: testinghelpers.NewRole(testinghelpers.TestManagedClusterName, roleName, []string{manifestWorkFinalizer}, true), - roleBinding: testinghelpers.NewRoleBinding(testinghelpers.TestManagedClusterName, roleName, []string{manifestWorkFinalizer}, true), - cluster: testinghelpers.NewDeletingManagedCluster(), - namespace: testinghelpers.NewNamespace(testinghelpers.TestManagedClusterName, false), - validateRbacActions: func(t *testing.T, actions []clienttesting.Action) { - testinghelpers.AssertActions(t, actions, "update", "update") - }, + validateRbacActions: testinghelpers.AssertNoActions, }, { - name: "remove finalizer from role/rolebinding within terminating ns", - role: testinghelpers.NewRole(testinghelpers.TestManagedClusterName, roleName, []string{manifestWorkFinalizer}, true), - roleBinding: testinghelpers.NewRoleBinding(testinghelpers.TestManagedClusterName, roleName, []string{manifestWorkFinalizer}, true), - namespace: testinghelpers.NewNamespace(testinghelpers.TestManagedClusterName, true), + name: "remove finalizer from deleting roleBinding", + roleBinding: testinghelpers.NewRoleBinding(testinghelpers.TestManagedClusterName, roleName, []string{manifestWorkFinalizer}, + map[string]string{clusterLabelKey: testinghelpers.TestManagedClusterName}, true), + namespace: testinghelpers.TestManagedClusterName, + expectedRoleFinalizers: []string{manifestWorkFinalizer}, validateRbacActions: func(t *testing.T, actions []clienttesting.Action) { - testinghelpers.AssertActions(t, actions, "update", "update") + testinghelpers.AssertActions(t, actions, "update") }, }, } @@ -176,28 +148,18 @@ func TestSyncRoleAndRoleBinding(t *testing.T) { for _, c := range cases { t.Run(c.name, func(t *testing.T) { objects := []runtime.Object{} - if c.role != nil { - objects = append(objects, c.role) - } if c.roleBinding != nil { objects = append(objects, c.roleBinding) } fakeClient := fakeclient.NewSimpleClientset(objects...) - var fakeManifestWorkClient *fakeworkclient.Clientset - if c.work == nil { - fakeManifestWorkClient = fakeworkclient.NewSimpleClientset() - } else { - fakeManifestWorkClient = fakeworkclient.NewSimpleClientset(c.work) - } - - workInformerFactory := workinformers.NewSharedInformerFactory(fakeManifestWorkClient, 5*time.Minute) + kubeInformerFactory := kubeinformers.NewSharedInformerFactory(fakeClient, time.Minute*10) recorder := events.NewInMemoryRecorder("") controller := finalizeController{ - manifestWorkLister: workInformerFactory.Work().V1().ManifestWorks().Lister(), - eventRecorder: recorder, - rbacClient: fakeClient.RbacV1(), + roleBindingLister: kubeInformerFactory.Rbac().V1().RoleBindings().Lister(), + eventRecorder: recorder, + rbacClient: fakeClient.RbacV1(), } controllerContext := testinghelpers.NewFakeSyncContext(t, "") @@ -206,23 +168,15 @@ func TestSyncRoleAndRoleBinding(t *testing.T) { ctx, cancel := context.WithTimeout(context.TODO(), 15*time.Second) defer cancel() - workInformerFactory.Start(ctx.Done()) - workInformerFactory.WaitForCacheSync(ctx.Done()) - - if err := controller.syncRoleAndRoleBinding(context.TODO(), controllerContext, c.role, c.roleBinding, c.namespace, c.cluster); err != nil { + kubeInformerFactory.Start(ctx.Done()) + kubeInformerFactory.WaitForCacheSync(ctx.Done()) + fakeClient.ClearActions() + if err := controller.syncRoleBindings(context.TODO(), controllerContext, c.namespace); err != nil { t.Fatal(err) } c.validateRbacActions(t, fakeClient.Actions()) - if c.role != nil { - role, err := fakeClient.RbacV1().Roles(c.role.Namespace).Get(context.TODO(), c.role.Name, metav1.GetOptions{}) - if err != nil { - t.Fatal(err) - } - testinghelpers.AssertFinalizers(t, role, c.expectedRoleFinalizers) - } - if c.roleBinding != nil { rolebinding, err := fakeClient.RbacV1().RoleBindings(c.roleBinding.Namespace).Get(context.TODO(), c.roleBinding.Name, metav1.GetOptions{}) if err != nil { @@ -231,18 +185,6 @@ func TestSyncRoleAndRoleBinding(t *testing.T) { testinghelpers.AssertFinalizers(t, rolebinding, c.expectedRoleBindingFinalizers) } - if c.work != nil { - work, err := fakeManifestWorkClient.WorkV1().ManifestWorks(c.work.Namespace).Get(context.TODO(), c.work.Name, metav1.GetOptions{}) - if err != nil { - t.Fatal(err) - } - testinghelpers.AssertFinalizers(t, work, c.expectedWorkFinalizers) - } - - actual := controllerContext.Queue().Len() - if actual != c.expectedQueueLen { - t.Errorf("Expect queue with length: %d, but got %d", c.expectedQueueLen, actual) - } }() }) }