resources: reconcile openshift elems by smbshare

When deploying over OpenShift cluster, samba-operator should deploy the
SeviceAccount, Role and RoleBinding which link the SmbShare pod to
samba-SCC within the namespace of the SmbShare itself (unlike previous
code, which deploy them once with the namespace of the operator). In
addition, starting of OpenShift 4.12 certain annotations needs to be
associated with the namespace on which the SmbShare pod runs in order to
elevate its privileges.

The patch is a refactoring to the existing code. The creation of the
relevant objects is done from within the reconcile loop of the SmbShare
itself. It assumes that the user already deployed a well known SCC with
the name 'samba' on the cluster.

Signed-off-by: Shachar Sharon <[email protected]>

Author: synarete

controllers/smbcommonconfig_controller.go

@@ -24,15 +24,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	sambaoperatorv1alpha1 "github.com/samba-in-kubernetes/samba-operator/api/v1alpha1"
-	"github.com/samba-in-kubernetes/samba-operator/internal/conf"
-	"github.com/samba-in-kubernetes/samba-operator/internal/resources"
 )
 
 // SmbCommonConfigReconciler reconciles a SmbCommonConfig object
 type SmbCommonConfigReconciler struct {
 	client.Client
-	Log         logr.Logger
-	ClusterType string
+	Log logr.Logger
 }
 
 //revive:disable kubebuilder directives
@@ -43,43 +40,18 @@ type SmbCommonConfigReconciler struct {
 // +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=pods;endpoints;services;namespaces,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;delete
-// +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=get;list;use
-// +kubebuilder:rbac:groups=security.openshift.io,resourceNames=samba,resources=securitycontextconstraints,verbs=get;list;create;update
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update
 // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors;prometheusrules,verbs=get;list;watch;create;update
 
 //revive:enable
 
 // Reconcile SmbCommonConfig resources.
 func (r *SmbCommonConfigReconciler) Reconcile(
-	ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	_ context.Context, req ctrl.Request) (ctrl.Result, error) {
 	// ---
 	log := r.Log.WithValues("smbcommonconfig", req.NamespacedName)
-
-	// Process OpenShift logic in one of two states:
-	// 1) Unknown cluster type due to first-time reconcile
-	// 2) Known to be running over OpenShift by in-memory cached state from
-	//    previous reconcile loop.
-	if r.ClusterType != "" && r.ClusterType != conf.ClusterTypeOpenShift {
-		return ctrl.Result{}, nil
-	}
-
-	mgr := resources.NewOpenShiftManager(r.Client, log, conf.Get())
-	res := mgr.Process(ctx, req.NamespacedName)
-	err := res.Err()
-	if res.Requeue() {
-		return ctrl.Result{Requeue: true}, err
-	}
-
-	// Cache in-memory cluster-type to avoid extra network round-trips in next
-	// reconcile phase.
-	if r.ClusterType == "" {
-		r.Log.Info("Saving discovered cluster type",
-			"ClusterType", mgr.ClusterType)
-		r.ClusterType = mgr.ClusterType
-	}
-
-	return ctrl.Result{}, err
+	log.Info("Reconcile SmbCommonConfig")
+	return ctrl.Result{}, nil
 }
 
 // SetupWithManager sets up resource management.

controllers/smbshare_controller.go

@@ -52,6 +52,9 @@ type SmbShareReconciler struct {
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;delete
+// +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=get;list;use
+// +kubebuilder:rbac:groups=security.openshift.io,resourceNames=samba,resources=securitycontextconstraints,verbs=get;list;create;update
+// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors;prometheusrules,verbs=get;list;watch;create;update
 
 //revive:enable
 

internal/resources/deployments.go

@@ -42,6 +42,9 @@ func buildDeployment(cfg *conf.OperatorConfig,
 			Name:      planner.InstanceName(),
 			Namespace: ns,
 			Labels:    labels,
+			Annotations: map[string]string{
+				"openshift.io/scc": sambaSccName,
+			},
 		},
 		Spec: appsv1.DeploymentSpec{
 			Replicas: &size,
@@ -91,6 +94,7 @@ func annotationsForSmbPod(cfg *conf.OperatorConfig) map[string]string {
 	annotations := map[string]string{
 		"kubectl.kubernetes.io/default-logs-container": name,
 		"kubectl.kubernetes.io/default-container":      name,
+		"openshift.io/scc":                             sambaSccName,
 	}
 	if withMetricsExporter(cfg) {
 		for k, v := range annotationsForSmbMetricsPod() {