admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cfebd96a1fb77909d4734bcfbf68a7206c6d242c
kubesphere/pkg/controller/ksserviceaccount/serviceaccount_controller.go
hongming cfebd96a1f update dependencies (#6267) 
Signed-off-by: hongming <coder.scala@gmail.com>
2024-11-06 10:27:06 +08:00

183 lines
5.7 KiB
Go
Raw Blame History

/*
* Please refer to the LICENSE file in the root directory of the project.
* https://github.com/kubesphere/kubesphere/blob/master/LICENSE
*/
package ksserviceaccount
import (
"context"
"fmt"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/client-go/tools/record"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/builder"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
"sigs.k8s.io/controller-runtime/pkg/predicate"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
corev1alpha1 "kubesphere.io/api/core/v1alpha1"
kscontroller "kubesphere.io/kubesphere/pkg/controller"
)
const (
controllerName = "ks-serviceaccount"
finalizer = "finalizers.kubesphere.io/serviceaccount"
messageCreateSecretSuccessfully = "Create token secret successfully"
reasonInvalidSecret = "InvalidSecret"
)
var _ kscontroller.Controller = &Reconciler{}
func (r *Reconciler) Name() string {
return controllerName
}
type Reconciler struct {
client.Client
Scheme *runtime.Scheme
Logger logr.Logger
EventRecorder record.EventRecorder
}
func (r *Reconciler) SetupWithManager(mgr *kscontroller.Manager) error {
r.Client = mgr.GetClient()
r.EventRecorder = mgr.GetEventRecorderFor(controllerName)
r.Logger = ctrl.Log.WithName("controllers").WithName(controllerName)
return builder.
ControllerManagedBy(mgr).
For(
&corev1alpha1.ServiceAccount{},
builder.WithPredicates(
predicate.ResourceVersionChangedPredicate{},
),
).
Named(controllerName).
WithOptions(controller.Options{
MaxConcurrentReconciles: 2,
}).
Complete(r)
}
func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (reconcile.Result, error) {
logger := r.Logger.WithValues(req.NamespacedName, "ServiceAccount")
sa := &corev1alpha1.ServiceAccount{}
if err := r.Get(ctx, req.NamespacedName, sa); err != nil {
return ctrl.Result{}, client.IgnoreNotFound(err)
}
if sa.ObjectMeta.DeletionTimestamp.IsZero() {
if !controllerutil.ContainsFinalizer(sa, finalizer) {
deepCopy := sa.DeepCopy()
deepCopy.Finalizers = append(deepCopy.Finalizers, finalizer)
if len(sa.Secrets) == 0 {
secretCreated, err := r.createTokenSecret(ctx, sa)
if err != nil {
logger.Error(err, "create secret failed")
return ctrl.Result{}, err
}
logger.V(4).WithName(secretCreated.Name).Info("secret created successfully")
deepCopy.Secrets = append(deepCopy.Secrets, v1.ObjectReference{
Namespace: secretCreated.Namespace,
Name: secretCreated.Name,
})
r.EventRecorder.Event(deepCopy, corev1.EventTypeNormal, kscontroller.Synced, messageCreateSecretSuccessfully)
}
if err := r.Update(ctx, deepCopy); err != nil {
logger.Error(err, "update serviceaccount failed")
return ctrl.Result{}, err
}
}
} else {
if controllerutil.ContainsFinalizer(sa, finalizer) {
if err := r.deleteSecretToken(ctx, sa, logger); err != nil {
logger.Error(err, "delete secret failed")
return ctrl.Result{}, err
}
_ = controllerutil.RemoveFinalizer(sa, finalizer)
if err := r.Update(ctx, sa); err != nil {
logger.Error(err, "update serviceaccount failed")
return ctrl.Result{}, err
}
}
}
if err := r.checkAllSecret(ctx, sa); err != nil {
logger.Error(err, "failed check secrets")
return ctrl.Result{}, err
}
return ctrl.Result{}, nil
}
func (r *Reconciler) createTokenSecret(ctx context.Context, sa *corev1alpha1.ServiceAccount) (*v1.Secret, error) {
secret := &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
GenerateName: fmt.Sprintf("%s-", sa.Name),
Namespace: sa.Namespace,
Annotations: map[string]string{corev1alpha1.ServiceAccountName: sa.Name},
},
Type: corev1alpha1.SecretTypeServiceAccountToken,
}
return secret, r.Client.Create(ctx, secret)
}
func (r *Reconciler) deleteSecretToken(ctx context.Context, sa *corev1alpha1.ServiceAccount, logger logr.Logger) error {
for _, secretName := range sa.Secrets {
secret := &v1.Secret{}
if err := r.Get(ctx, client.ObjectKey{Namespace: secretName.Namespace, Name: secretName.Name}, secret); err != nil {
if errors.IsNotFound(err) {
continue
} else {
return err
}
}
if err := r.checkSecretToken(secret, sa.Name); err == nil {
if err = r.Delete(ctx, secret); err != nil {
return err
}
logger.V(2).WithName(secretName.Name).Info("delete secret successfully")
}
}
return nil
}
func (r *Reconciler) checkAllSecret(ctx context.Context, sa *corev1alpha1.ServiceAccount) error {
for _, secretRef := range sa.Secrets {
secret := &v1.Secret{}
if err := r.Get(ctx, client.ObjectKey{Namespace: sa.Namespace, Name: secretRef.Name}, secret); err != nil {
if errors.IsNotFound(err) {
r.EventRecorder.Event(sa, corev1.EventTypeWarning, reasonInvalidSecret, err.Error())
continue
}
return err
}
if err := r.checkSecretToken(secret, sa.Name); err != nil {
r.EventRecorder.Event(sa, corev1.EventTypeWarning, reasonInvalidSecret, err.Error())
}
}
return nil
}
// checkSecretTokens Check if there has valid token, and the invalid token reference will be deleted
func (r *Reconciler) checkSecretToken(secret *v1.Secret, subjectName string) error {
if secret.Type != corev1alpha1.SecretTypeServiceAccountToken {
return fmt.Errorf("unsupported secret %s type: %s", secret.Name, secret.Type)
}
if saName := secret.Annotations[corev1alpha1.ServiceAccountName]; saName != subjectName {
return fmt.Errorf("incorrect subject name %s", saName)
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink