diff --git a/manifests/01-config-role.yaml b/manifests/01-config-role.yaml
index a914914416..75f8070f0a 100644
--- a/manifests/01-config-role.yaml
+++ b/manifests/01-config-role.yaml
@@ -16,5 +16,3 @@ rules:
 - cloud-provider-config
 verbs:
 - get
- - list
- - watch
diff --git a/pkg/aws/actuator/actuator.go b/pkg/aws/actuator/actuator.go
index f3462130bd..42f92ce13d 100644
--- a/pkg/aws/actuator/actuator.go
+++ b/pkg/aws/actuator/actuator.go
@@ -71,16 +71,14 @@ var _ actuatoriface.Actuator = (*AWSActuator)(nil)
 type AWSActuator struct {
 Client client.Client
 RootCredClient client.Client
- LiveClient client.Client
 AWSClientBuilder func(accessKeyID, secretAccessKey []byte, c client.Client) (ccaws.Client, error)
 Scheme *runtime.Scheme
 }
 // NewAWSActuator creates a new AWSActuator.
-func NewAWSActuator(client, rootCredClient, liveClient client.Client, scheme *runtime.Scheme) (*AWSActuator, error) {
+func NewAWSActuator(client, rootCredClient client.Client, scheme *runtime.Scheme) (*AWSActuator, error) {
 return &AWSActuator{
 Client: client,
- LiveClient: liveClient,
 RootCredClient: rootCredClient,
 AWSClientBuilder: awsutils.ClientBuilder,
 Scheme: scheme,
@@ -158,7 +156,7 @@ func (a *AWSActuator) needsUpdate(ctx context.Context, cr *minterv1.CredentialsR
 // Various checks for the kinds of reasons that would trigger a needed update
 _, existingAccessKey, existingSecretKey, existingCredentialsKey := a.loadExistingSecret(cr)
- awsClient, err := a.AWSClientBuilder([]byte(existingAccessKey), []byte(existingSecretKey), a.LiveClient)
+ awsClient, err := a.AWSClientBuilder([]byte(existingAccessKey), []byte(existingSecretKey), a.RootCredClient)
 if err != nil {
 return true, err
 }
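Review bot: In needsUpdate the AWSClientBuilder now receives `a.RootCredClient`, which per the controller.go hunk is `rootM.GetClient()`, a cache-backed manager client, whereas the removed LiveClient read straight from the API server; any Get or List the builder performs through that argument is now answered from the root manager's cache, and in a cache narrowed by ByObject field selectors an object outside the selector is reported as not found rather than fetched live. The hunk does not show what awsutils.ClientBuilder reads through its client argument, so please confirm every object it needs is covered by the selectors registered in cmd.go, and record the contract on the field: `RootCredClient client.Client // cache-backed client of the root-credential manager; reads only see objects its ByObject selectors cover`. The same substitution appears in syncPassthrough, buildRootAWSClient and buildReadAWSClient, and in validateCloudCredsSecret of the aws secretannotator. needsUpdate continues outside the hunk.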
@@ -471,7 +469,7 @@ func (a *AWSActuator) syncPassthrough(ctx context.Context, cr *minterv1.Credenti
 }
 // build client with root secret and verify that the creds are good enough to pass through
- awsClient, err := a.AWSClientBuilder([]byte(accessKeyID), []byte(secretAccessKey), a.LiveClient)
+ awsClient, err := a.AWSClientBuilder([]byte(accessKeyID), []byte(secretAccessKey), a.RootCredClient)
 if err != nil {
 msg := "error building AWS client"
 logger.WithError(err).Error(msg)
@@ -957,7 +955,7 @@ func (a *AWSActuator) buildRootAWSClient(cr *minterv1.CredentialsRequest) (minte
 }
 logger.Debug("creating root AWS client")
- return a.AWSClientBuilder(accessKeyID, secretAccessKey, a.LiveClient)
+ return a.AWSClientBuilder(accessKeyID, secretAccessKey, a.RootCredClient)
 }
 // buildReadAWSClient will return an AWS client using the the scaled down read only AWS creds
@@ -987,7 +985,7 @@ func (a *AWSActuator) buildReadAWSClient(cr *minterv1.CredentialsRequest) (minte
 }
 logger.Debug("creating read AWS client")
- client, err := a.AWSClientBuilder(accessKeyID, secretAccessKey, a.LiveClient)
+ client, err := a.AWSClientBuilder(accessKeyID, secretAccessKey, a.RootCredClient)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/cmd/operator/cmd.go b/pkg/cmd/operator/cmd.go
index accdde65e5..665667ea84 100644
--- a/pkg/cmd/operator/cmd.go
+++ b/pkg/cmd/operator/cmd.go
@@ -202,6 +202,9 @@ func NewOperator() *cobra.Command {
 &corev1.Secret{}: {
 Field: selectorForRootCredential(platformType),
 },
+ &corev1.ConfigMap{}: {
+ Field: selectorForCloudConfig(platformType),
+ },
 },
 },
 })
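Review bot: Adding `&corev1.ConfigMap{}` to ByObject means this manager's cache will list and watch ConfigMaps (narrowed by the field selector) as soon as anything reads a ConfigMap through it, yet the same commit drops `list` and `watch` from the `cloud-provider-config` rule in manifests/01-config-role.yaml, leaving only `get`. If the manager configured here runs under that Role, the informer will be refused and cached reads of the ConfigMap, such as the OpenStack secretannotator's Get, cannot succeed; if it runs under a different identity, that identity needs list and watch instead. As far as I recall the API server honours `resourceNames` on list and watch when the request carries a matching `metadata.name` field selector, which this selector supplies, so the two verbs can be restored without widening the rule. NewOperator continues outside the hunk.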
@@ -359,6 +362,26 @@ func selectorForRootCredential(platformType configv1.PlatformType) fields.Select
 return selector
 }
+func selectorForCloudConfig(platformType configv1.PlatformType) fields.Selector {
+ var name, namespace string
+ switch platformType {
+ case configv1.AWSPlatformType:
+ namespace = "openshift-config-managed"
+ name = "kube-cloud-config"
+ case configv1.OpenStackPlatformType:
+ namespace = "openshift-config"
+ name = "cloud-provider-config"
+ default:
+ return fields.Nothing()
+ }
+ selector := fields.SelectorFromSet(fields.Set{
+ "metadata.namespace": namespace,
+ "metadata.name": name,
+ })
+ log.WithField("selector", selector.String()).Info("setting up field selector for cloud config ConfigMap")
+ return selector
+}
+
 func initializeGlog(flags *pflag.FlagSet) {
 golog.SetOutput(glogWriter{}) // Redirect all regular go log output to glog
 golog.SetFlags(0)
diff --git a/pkg/operator/controller.go b/pkg/operator/controller.go
index 52089d7eaf..63bc4817bf 100644
--- a/pkg/operator/controller.go
+++ b/pkg/operator/controller.go
@@ -32,7 +32,6 @@ import (
 "github.com/openshift/cloud-credential-operator/pkg/operator/podidentity"
 "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator"
 "github.com/openshift/cloud-credential-operator/pkg/operator/status"
- "github.com/openshift/cloud-credential-operator/pkg/operator/utils"
 "github.com/openshift/cloud-credential-operator/pkg/ovirt"
 "github.com/openshift/cloud-credential-operator/pkg/util"
 vsphereactuator "github.com/openshift/cloud-credential-operator/pkg/vsphere/actuator"
@@ -86,7 +85,7 @@ func AddToManager(m, rootM manager.Manager, explicitKubeconfig string, coreClien
 switch platformType {
 case configv1.AWSPlatformType:
 log.Info("initializing AWS actuator")
- a, err = awsactuator.NewAWSActuator(m.GetClient(), rootM.GetClient(), utils.LiveClient(m), m.GetScheme())
+ a, err = awsactuator.NewAWSActuator(m.GetClient(), rootM.GetClient(), m.GetScheme())
 if err != nil {
 return err
 }
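Review bot: The default branch of selectorForCloudConfig returns `fields.Nothing()`, whose `String()` is the empty string, so if the cache turns the ByObject field selector into a ListOptions field selector via String() — which is how controller-runtime applies it, to my knowledge — the ConfigMap informer on any platform other than AWS and OpenStack would be unrestricted and pull every ConfigMap in the cluster, the opposite of what the name suggests and a wider read footprint for the operator's identity. Safer to make absence explicit and let the caller skip the entry: `func selectorForCloudConfig(platformType configv1.PlatformType) (fields.Selector, bool)` with `return nil, false` in the default case and `return selector, true` at the end, and in cmd.go add the `&corev1.ConfigMap{}` ByObject entry only when the bool is true. The function also lacks a doc comment; `// selectorForCloudConfig returns a field selector that narrows the cached ConfigMaps to the cloud-config ConfigMap for platformType.` would do.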
diff --git a/pkg/operator/secretannotator/aws/reconciler.go b/pkg/operator/secretannotator/aws/reconciler.go
index a136a6cb23..706268f4bb 100644
--- a/pkg/operator/secretannotator/aws/reconciler.go
+++ b/pkg/operator/secretannotator/aws/reconciler.go
@@ -38,16 +38,15 @@ const (
 AwsSecretAccessKeyName = "aws_secret_access_key"
 )
-func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler {
+func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler {
 r := &ReconcileCloudCredSecret{
- Client: c,
- RootCredClient: mgr.GetClient(),
- LiveClient: utils.LiveClient(mgr),
+ Client: client,
+ RootCredClient: rootCredClient,
 Logger: log.WithField("controller", constants.SecretAnnotatorControllerName),
 AWSClientBuilder: awsutils.ClientBuilder,
 }
- s := status.NewSecretStatusHandler(c)
+ s := status.NewSecretStatusHandler(client)
 statuscontroller.AddHandler(constants.SecretAnnotatorControllerName, s)
 return r
@@ -97,7 +96,6 @@ var _ reconcile.Reconciler = &ReconcileCloudCredSecret{}
 type ReconcileCloudCredSecret struct {
 Client client.Client
 RootCredClient client.Client
- LiveClient client.Client
 Logger log.FieldLogger
 AWSClientBuilder func(accessKeyID, secretAccessKey []byte, c client.Client) (ccaws.Client, error)
 }
@@ -185,7 +183,7 @@ func (r *ReconcileCloudCredSecret) validateCloudCredsSecret(secret *corev1.Secre
 return r.updateSecretAnnotations(secret, constants.InsufficientAnnotation)
 }
- awsClient, err := r.AWSClientBuilder(accessKey, secretKey, r.LiveClient)
+ awsClient, err := r.AWSClientBuilder(accessKey, secretKey, r.RootCredClient)
 if err != nil {
 return fmt.Errorf("error creating aws client: %v", err)
 }
diff --git a/pkg/operator/secretannotator/azure/reconciler.go b/pkg/operator/secretannotator/azure/reconciler.go
index e607170376..2d98ee2968 100644
--- a/pkg/operator/secretannotator/azure/reconciler.go
+++ b/pkg/operator/secretannotator/azure/reconciler.go
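Review bot: Naming the first parameter `client` in `func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler` shadows the imported `client` package for the whole function body; it compiles because the types in the signature are resolved before the parameter comes into scope, but any later `client.ObjectKey` or similar written inside the body would silently bind to the argument. A name such as `kubeClient` (or keeping the previous `c`) avoids the trap; the same choice is made in the azure and gcp reconcilers, the openstack reconciler and the vsphere reconciler in this commit. NewReconciler's body continues outside the hunk.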
@@ -38,14 +38,14 @@ type ReconcileCloudCredSecret struct {
 Logger log.FieldLogger
 }
-func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler {
+func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler {
 r := &ReconcileCloudCredSecret{
- Client: c,
- RootCredClient: mgr.GetClient(),
+ Client: client,
+ RootCredClient: rootCredClient,
 Logger: log.WithField("controller", constants.SecretAnnotatorControllerName),
 }
- s := status.NewSecretStatusHandler(c)
+ s := status.NewSecretStatusHandler(client)
 statuscontroller.AddHandler(constants.SecretAnnotatorControllerName, s)
 return r
diff --git a/pkg/operator/secretannotator/gcp/reconciler.go b/pkg/operator/secretannotator/gcp/reconciler.go
index cdebdd7d8e..80ba10b285 100644
--- a/pkg/operator/secretannotator/gcp/reconciler.go
+++ b/pkg/operator/secretannotator/gcp/reconciler.go
@@ -40,16 +40,16 @@ const (
 GCPAuthJSONKey = "service_account.json"
 )
-func NewReconciler(c client.Client, mgr manager.Manager, projectName string) reconcile.Reconciler {
+func NewReconciler(client, rootCredClient client.Client, projectName string) reconcile.Reconciler {
 r := &ReconcileCloudCredSecret{
- Client: c,
- RootCredClient: mgr.GetClient(),
+ Client: client,
+ RootCredClient: rootCredClient,
 Logger: log.WithField("controller", constants.SecretAnnotatorControllerName),
 GCPClientBuilder: ccgcp.NewClientFromJSON,
 ProjectName: projectName,
 }
- s := status.NewSecretStatusHandler(c)
+ s := status.NewSecretStatusHandler(client)
 statuscontroller.AddHandler(controllerName, s)
 return r
diff --git a/pkg/operator/secretannotator/openstack/reconciler.go b/pkg/operator/secretannotator/openstack/reconciler.go
index fed4db31a6..b8ad662ce1 100644
--- a/pkg/operator/secretannotator/openstack/reconciler.go
+++ b/pkg/operator/secretannotator/openstack/reconciler.go
@@ -49,15 +49,14 @@ import (
 "github.com/openshift/cloud-credential-operator/pkg/operator/utils"
 )
-func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler {
+func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler {
 r := &ReconcileCloudCredSecret{
- Client: c,
- RootCredClient: mgr.GetClient(),
- LiveClient: utils.LiveClient(mgr),
+ Client: client,
+ RootCredClient: rootCredClient,
 Logger: log.WithField("controller", constants.SecretAnnotatorControllerName),
 }
- s := status.NewSecretStatusHandler(c)
+ s := status.NewSecretStatusHandler(client)
 statuscontroller.AddHandler(constants.SecretAnnotatorControllerName, s)
 return r
@@ -107,7 +106,6 @@ var _ reconcile.Reconciler = &ReconcileCloudCredSecret{}
 type ReconcileCloudCredSecret struct {
 Client client.Client
 RootCredClient client.Client
- LiveClient client.Client
 Logger log.FieldLogger
 }
@@ -172,7 +170,7 @@ func (r *ReconcileCloudCredSecret) Reconcile(ctx context.Context, request reconc
 // TODO(stephenfin): Remove this syncer in a future release once CCM no longer
 // relies on the legacy place during bootstrapping.
 config := &corev1.ConfigMap{}
- err = r.LiveClient.Get(context.Background(), types.NamespacedName{Namespace: "openshift-config", Name: "cloud-provider-config"}, config)
+ err = r.RootCredClient.Get(context.Background(), types.NamespacedName{Namespace: "openshift-config", Name: "cloud-provider-config"}, config)
 if err != nil {
 r.Logger.Debugf("cloud provider config not found: %v", err)
 return reconcile.Result{}, err
diff --git a/pkg/operator/secretannotator/openstack/reconciler_test.go b/pkg/operator/secretannotator/openstack/reconciler_test.go
index 6d8f24083c..32aab010c0 100644
--- a/pkg/operator/secretannotator/openstack/reconciler_test.go
+++ b/pkg/operator/secretannotator/openstack/reconciler_test.go
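Review bot: The Get in Reconcile now goes through `r.RootCredClient`, so the hard-coded `openshift-config`/`cloud-provider-config` key is only served if it matches the ConfigMap selector registered in cmd.go, whose OpenStack branch spells the same two strings; hoisting them into shared constants would keep the two from drifting, since a mismatch surfaces only as the `cloud provider config not found` debug line. While the line is being rewritten it could also pass the `ctx` that Reconcile receives instead of `context.Background()`, so cancellation reaches the cache read. In the first hunk the `pkg/operator/utils` import is kept although its only visible use, `utils.LiveClient(mgr)`, is removed — presumably something else in the file still needs it, otherwise the build fails. Reconcile continues outside the hunk.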
@@ -190,12 +190,10 @@ func TestReconcileCloudCredSecret_Reconcile(t *testing.T) {
 existing := append(tc.existing, infra, testOperatorConfig(tc.mode))
 fakeClient := fake.NewClientBuilder().WithRuntimeObjects(existing...).Build()
 fakeRootCredClient := fake.NewClientBuilder().WithRuntimeObjects(secret, ccmConfig).Build()
- fakeLiveClient := fake.NewClientBuilder().WithRuntimeObjects(ccmConfig).Build()
 r := &ReconcileCloudCredSecret{
 Client: fakeClient,
 RootCredClient: fakeRootCredClient,
- LiveClient: fakeLiveClient,
 Logger: log.WithField("controller", "testController"),
 }
 _, err := r.Reconcile(context.TODO(), reconcile.Request{NamespacedName: types.NamespacedName{
@@ -281,13 +279,11 @@ func TestReconcileCloudCredSecret_Reconcile(t *testing.T) {
 secret := testSecret(tc.cloudsYAML)
 fakeClient := fake.NewClientBuilder().WithRuntimeObjects(infra, passthrough).Build()
 fakeRootCredClient := fake.NewClientBuilder().WithRuntimeObjects(secret, ccmConfig).Build()
- fakeLiveClient := fake.NewClientBuilder().WithRuntimeObjects(ccmConfig).Build()
 t.Logf("clouds.yaml: %s", tc.cloudsYAML)
 r := &ReconcileCloudCredSecret{
 Client: fakeClient,
 RootCredClient: fakeRootCredClient,
- LiveClient: fakeLiveClient,
 Logger: log.WithField("controller", "testController"),
 }
diff --git a/pkg/operator/secretannotator/secretannotator_controller.go b/pkg/operator/secretannotator/secretannotator_controller.go
index e045e76b94..bc4c878e79 100644
--- a/pkg/operator/secretannotator/secretannotator_controller.go
+++ b/pkg/operator/secretannotator/secretannotator_controller.go
@@ -40,19 +40,19 @@ func Add(mgr, rootCredentialManager manager.Manager, kubeconfig string) error {
 switch platformType {
 case configv1.AzurePlatformType:
- return azure.Add(mgr, rootCredentialManager, azure.NewReconciler(mgr.GetClient(), rootCredentialManager))
+ return azure.Add(mgr, rootCredentialManager, azure.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient()))
 case configv1.AWSPlatformType:
- return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager))
+ return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient()))
 case configv1.GCPPlatformType:
 if infraStatus.PlatformStatus == nil || infraStatus.PlatformStatus.GCP == nil {
 log.Fatalf("Missing GCP configuration in infrastructure platform status")
 }
- return gcp.Add(mgr, rootCredentialManager, gcp.NewReconciler(mgr.GetClient(), rootCredentialManager, infraStatus.PlatformStatus.GCP.ProjectID))
+ return gcp.Add(mgr, rootCredentialManager, gcp.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient(), infraStatus.PlatformStatus.GCP.ProjectID))
 case configv1.VSpherePlatformType:
- return vsphere.Add(mgr, rootCredentialManager, vsphere.NewReconciler(mgr.GetClient(), rootCredentialManager))
+ return vsphere.Add(mgr, rootCredentialManager, vsphere.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient()))
 case configv1.OpenStackPlatformType:
- return openstack.Add(mgr, rootCredentialManager, openstack.NewReconciler(mgr.GetClient(), rootCredentialManager))
+ return openstack.Add(mgr, rootCredentialManager, openstack.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient()))
 default:
 // returning the AWS implementation for default to avoid changing any behavior
- return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager))
+ return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient()))
 }
 }
diff --git a/pkg/operator/secretannotator/vsphere/reconciler.go b/pkg/operator/secretannotator/vsphere/reconciler.go
index e220165d9b..5445cefa3e 100644
--- a/pkg/operator/secretannotator/vsphere/reconciler.go
+++ b/pkg/operator/secretannotator/vsphere/reconciler.go
@@ -58,10 +58,10 @@ type ReconcileCloudCredSecret struct {
 }
 // NewReconciler will return a reconciler for handling vSphere cloud cred secrets.
-func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler {
+func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler {
 return &ReconcileCloudCredSecret{
- Client: c,
- RootCredClient: mgr.GetClient(),
+ Client: client,
+ RootCredClient: rootCredClient,
 Logger: log.WithField("controller", constants.SecretAnnotatorControllerName),
 }
 }
diff --git a/pkg/operator/utils/client.go b/pkg/operator/utils/client.go
deleted file mode 100644
index f7886fa515..0000000000
--- a/pkg/operator/utils/client.go
+++ /dev/null
@@ -1,32 +0,0 @@
-package utils
-
-import (
- "context"
-
- "sigs.k8s.io/controller-runtime/pkg/client"
- "sigs.k8s.io/controller-runtime/pkg/manager"
-)
-
-type delegatingClient struct {
- reader client.Reader
- client.Client
-}
-
-func (d *delegatingClient) Get(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error {
- return d.reader.Get(ctx, key, obj, opts...)
-}
-
-func (d *delegatingClient) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
- return d.reader.List(ctx, list, opts...)
-}
-
-var _ client.Client = (*delegatingClient)(nil)
-
-// LiveClient returns a client.Client that never uses the cache by virtue of using the APIReader() for
-// all read operations.
-func LiveClient(mgr manager.Manager) client.Client {
- return &delegatingClient{
- reader: mgr.GetAPIReader(),
- Client: mgr.GetClient(),
- }
-}