Fix workspacerole sync condition (#2142)

* fix: Fixed the issue that role and rolebinding do not trigger synchronization when binding a workspace to a cluster Signed-off-by: peng wu <2030047311@qq.com> * fix: update goimports Signed-off-by: peng wu <2030047311@qq.com> * fix: update workspace sync condition && update list options Signed-off-by: peng wu <2030047311@qq.com> * fix: rename enqueue request map func for workspacerole and workspacerolebinding Signed-off-by: peng wu <2030047311@qq.com> * fix: workspace role sync logic Signed-off-by: peng wu <2030047311@qq.com> --------- Signed-off-by: peng wu <2030047311@qq.com> Signed-off-by: hongming <coder.scala@gmail.com> (cherry picked from commit bc128dcf78)
2024-12-26 13:48:08 +08:00
parent 114f5a6e79
commit 942d3be9d4
3 changed files with 122 additions and 11 deletions
--- a/pkg/controller/workspacerolebinding/workspacerolebinding_controller.go
+++ b/pkg/controller/workspacerolebinding/workspacerolebinding_controller.go
@@ -12,8 +12,6 @@ import (
 	"sort"
 	"strings"

-	kscontroller "kubesphere.io/kubesphere/pkg/controller"
-
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/rbac/v1"
@@ -24,18 +22,24 @@ import (
 	toolscache "k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/klog/v2"
-	clusterv1alpha1 "kubesphere.io/api/cluster/v1alpha1"
-	iamv1beta1 "kubesphere.io/api/iam/v1beta1"
-	tenantv1beta1 "kubesphere.io/api/tenant/v1beta1"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"

+	clusterv1alpha1 "kubesphere.io/api/cluster/v1alpha1"
+	iamv1beta1 "kubesphere.io/api/iam/v1beta1"
+	tenantv1beta1 "kubesphere.io/api/tenant/v1beta1"
+
 	"kubesphere.io/kubesphere/pkg/constants"
+	kscontroller "kubesphere.io/kubesphere/pkg/controller"
+	"kubesphere.io/kubesphere/pkg/controller/cluster/predicate"
 	clusterutils "kubesphere.io/kubesphere/pkg/controller/cluster/utils"
+	workspacetemplatepredicate "kubesphere.io/kubesphere/pkg/controller/workspacetemplate/predicate"
 	"kubesphere.io/kubesphere/pkg/controller/workspacetemplate/utils"
 	"kubesphere.io/kubesphere/pkg/utils/clusterclient"
 	"kubesphere.io/kubesphere/pkg/utils/k8sutil"
@@ -117,9 +121,50 @@ func (r *Reconciler) SetupWithManager(mgr *kscontroller.Manager) error {
 		Named(controllerName).
 		WithOptions(controller.Options{MaxConcurrentReconciles: 2}).
 		For(&iamv1beta1.WorkspaceRoleBinding{}).
+		Watches(
+			&clusterv1alpha1.Cluster{},
+			handler.EnqueueRequestsFromMapFunc(r.clusterSync),
+			builder.WithPredicates(predicate.ClusterStatusChangedPredicate{}),
+		).
+		Watches(&tenantv1beta1.WorkspaceTemplate{},
+			handler.EnqueueRequestsFromMapFunc(r.workspaceSync),
+			builder.WithPredicates(workspacetemplatepredicate.WorkspaceStatusChangedPredicate{})).
 		Complete(r)
 }

+func (r *Reconciler) clusterSync(ctx context.Context, object client.Object) []reconcile.Request {
+	cluster := object.(*clusterv1alpha1.Cluster)
+	if !clusterutils.IsClusterReady(cluster) {
+		return []reconcile.Request{}
+	}
+	workspaceRoleBindings := &iamv1beta1.WorkspaceRoleBindingList{}
+	if err := r.List(ctx, workspaceRoleBindings); err != nil {
+		r.logger.Error(err, "failed to list workspace roles")
+		return []reconcile.Request{}
+	}
+	var result []reconcile.Request
+	for _, workspaceRoleBinding := range workspaceRoleBindings.Items {
+		result = append(result, reconcile.Request{NamespacedName: types.NamespacedName{Name: workspaceRoleBinding.Name}})
+	}
+	return result
+}
+
+func (r *Reconciler) workspaceSync(ctx context.Context, object client.Object) []reconcile.Request {
+	workspaceTemplate := object.(*tenantv1beta1.WorkspaceTemplate)
+	workspaceRoleBindings := &iamv1beta1.WorkspaceRoleBindingList{}
+	if err := r.List(ctx, workspaceRoleBindings, client.MatchingLabels{
+		tenantv1beta1.WorkspaceLabel: workspaceTemplate.Name,
+	}); err != nil {
+		r.logger.Error(err, "failed to list workspace roles")
+		return []reconcile.Request{}
+	}
+	var result []reconcile.Request
+	for _, workspaceRoleBinding := range workspaceRoleBindings.Items {
+		result = append(result, reconcile.Request{NamespacedName: types.NamespacedName{Name: workspaceRoleBinding.Name}})
+	}
+	return result
+}
+
 // +kubebuilder:rbac:groups=iam.kubesphere.io,resources=workspacerolebindings,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=types.kubefed.io,resources=federatedworkspacerolebindings,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=tenant.kubesphere.io,resources=workspaces,verbs=get;list;watch;