remove concurrency and fix unstability in createResource function for…

… rbac reconciliation for openshift
tektoncd · Sep 26, 2024 · 1b02a97 · 1b02a97
1 parent 63fc6f9
commit 1b02a97
Showing 1 changed file with 39 additions and 26 deletions.
diff --git a/pkg/reconciler/openshift/tektonconfig/rbac.go b/pkg/reconciler/openshift/tektonconfig/rbac.go
@@ -394,49 +394,62 @@ func (r *rbac) createResources(ctx context.Context) error {
 	}
 
 	for _, ns := range namespacesToBeReconciled {
+		var withError bool
+
 		logger.Infow("Inject CA bundle configmap in ", "Namespace", ns.GetName())
 		if err := r.ensureCABundles(ctx, &ns); err != nil {
-			return fmt.Errorf("failed to ensure ca bundles presence in namespace %s, %w", ns.Name, err)
+			withError = true
+			logger.Errorf("failed to ensure ca bundles presence in namespace %s, %v", ns.Name, err)
 		}
 
 		logger.Infow("Ensures Default SA in ", "Namespace", ns.GetName())
 		sa, err := r.ensureSA(ctx, &ns)
 		if err != nil {
-			return fmt.Errorf("failed to ensure default SA in namespace %s, %w", ns.Name, err)
+			withError = true
+			logger.Errorf("failed to ensure default SA in namespace %s, %v", ns.Name, err)
 		}
 
 		// If "operator.tekton.dev/scc" exists in the namespace, then bind
 		// that SCC to the SA
 		err = r.handleSCCInNamespace(ctx, &ns)
 		if err != nil {
-			return fmt.Errorf("failed to bind scc to namespace %s; %w", ns.Name, err)
-		}
-
-		// We use a namespace scoped Role when SCC annotation is present, and
-		// a cluster scoped ClusterRole when the default SCC is used
-		roleRef := r.getSCCRoleInNamespace(&ns)
-		if err := r.ensurePipelinesSCCRoleBinding(ctx, sa, roleRef); err != nil {
-			return fmt.Errorf("failed to create Pipeline Scc Role Binding in namespace %s, %w", ns.Name, err)
+			withError = true
+			logger.Errorf("failed to bind scc to namespace %s, %v", ns.Name, err)
 		}
 
-		if err := r.ensureRoleBindings(ctx, sa); err != nil {
-			return err
-		}
-
-		if err := r.ensureClusterRoleBindings(ctx, sa); err != nil {
-			return err
-		}
+		if sa != nil {
+			// We use a namespace scoped Role when SCC annotation is present, and
+			// a cluster scoped ClusterRole when the default SCC is used
+			roleRef := r.getSCCRoleInNamespace(&ns)
+			if roleRef != nil {
+				if err := r.ensurePipelinesSCCRoleBinding(ctx, sa, roleRef); err != nil {
+					withError = true
+					logger.Errorf("failed to create Pipeline Scc Role Binding in namespace %s, %v", ns.Name, err)
+				}
+			}
+			if err := r.ensureRoleBindings(ctx, sa); err != nil {
+				withError = true
+				logger.Errorf("failed to create rolebinding in namespace %s, %v", ns.Name, err)
+			}
 
-		// Add `openshift-pipelines.tekton.dev/namespace-reconcile-version` label to namespace
-		// so that rbac won't loop on it again
-		nsLabels := ns.GetLabels()
-		if len(nsLabels) == 0 {
-			nsLabels = map[string]string{}
+			if err := r.ensureClusterRoleBindings(ctx, sa); err != nil {
+				withError = true
+				logger.Errorf("failed to create clusterrolebinding in namespace %s, %v", ns.Name, err)
+			}
 		}
-		nsLabels[namespaceVersionLabel] = r.version
-		ns.SetLabels(nsLabels)
-		if _, err := r.kubeClientSet.CoreV1().Namespaces().Update(ctx, &ns, metav1.UpdateOptions{}); err != nil {
-			return fmt.Errorf("failed to update namespace %s with label %s, %w", ns.Name, namespaceVersionLabel, err)
+		if !withError {
+			logger.Infof("namespace %s sucessfully reconciled. Adding label namespace-reconcile-version to mark it as reconciled", ns.Name)
+			// Add `openshift-pipelines.tekton.dev/namespace-reconcile-version` label to namespace
+			// so that rbac won't loop on it again
+			nsLabels := ns.GetLabels()
+			if len(nsLabels) == 0 {
+				nsLabels = map[string]string{}
+			}
+			nsLabels[namespaceVersionLabel] = r.version
+			ns.SetLabels(nsLabels)
+			if _, err := r.kubeClientSet.CoreV1().Namespaces().Update(ctx, &ns, metav1.UpdateOptions{}); err != nil {
+				return fmt.Errorf("failed to update namespace %s with label %s, %v", ns.Name, namespaceVersionLabel, err)
+			}
 		}
 	}