From cb455d2bc652736e3a3412123cba8ead06461f42 Mon Sep 17 00:00:00 2001 From: Tomas Turek Date: Tue, 18 Nov 2025 17:57:18 +0100 Subject: [PATCH] feat: remove Segment Backup Job from operator Signed-off-by: Tomas Turek --- .github/workflows/main.yml | 1 - cmd/main.go | 1 - config/default/images.env | 1 - config/default/kustomization.yaml | 11 - config/rbac/role.yaml | 22 -- config/samples/rhtas_v1alpha1_securesign.yaml | 2 - internal/annotations/annotations.go | 21 -- .../securesign/actions/constants.go | 2 - .../actions/segment_backup_cronjob.go | 100 ++------- .../securesign/actions/segment_backup_job.go | 114 ---------- .../securesign/actions/segment_rbac.go | 196 ++++-------------- .../securesign/securesign_controller.go | 29 --- internal/images/images.go | 6 +- test/e2e/benchmark/install_test.go | 3 - test/e2e/support/tas/securesign/securesign.go | 4 - test/e2e/upgrade_test.go | 11 + 16 files changed, 66 insertions(+), 458 deletions(-) delete mode 100644 internal/controller/securesign/actions/segment_backup_job.go diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 465a89afb..6d99ff2b3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -587,7 +587,6 @@ jobs: - name: Install securesign run: | sed -i 's#https://your-oidc-issuer-url#http://${{ steps.kind.outputs.oidc_host }}/auth/realms/trusted-artifact-signer#' config/samples/rhtas_v1alpha1_securesign.yaml - sed -i 's#rhtas.redhat.com/metrics: "true"#rhtas.redhat.com/metrics: "false"#' config/samples/rhtas_v1alpha1_securesign.yaml kubectl create ns ${{ env.TEST_NAMESPACE }} kubectl create -f config/samples/rhtas_v1alpha1_securesign.yaml -n ${{ env.TEST_NAMESPACE }} sleep 1 diff --git a/cmd/main.go b/cmd/main.go index 3db8e3df4..a65feed09 100644 --- a/cmd/main.go +++ b/cmd/main.go 
@@ -116,7 +116,6 @@ func main() { utils.RelatedImageFlag("ctlog-image", images.CTLog, "The image used for ctlog.") utils.RelatedImageFlag("http-server-image", images.HttpServer, "The image used to serve our cli binary's.") utils.RelatedImageFlag("client-server-image", images.ClientServer, "The image used to serve cosign and gitsign.") - utils.RelatedImageFlag("segment-backup-job-image", images.SegmentBackup, "The image used for the segment backup job") utils.RelatedImageFlag("timestamp-authority-image", images.TimestampAuthority, "The image used for Timestamp Authority") utils.RelatedImageFlag("rekor-monitor-image", images.RekorMonitor, "The image used for rekor monitor.") flag.StringVar(&clidownload.CliHostName, "cli-server-hostname", "", "The hostname for the cli server") diff --git a/config/default/images.env b/config/default/images.env index 765d70e56..8ea71a76f 100644 --- a/config/default/images.env +++ b/config/default/images.env 
@@ -11,7 +11,6 @@ RELATED_IMAGE_BACKFILL_REDIS=registry.redhat.io/rhtas/rekor-backfill-redis-rhel9 RELATED_IMAGE_TUF=registry.redhat.io/rhtas/tuffer-rhel9@sha256:0c30481d4afaf5c65e5bcc84879b8c6a4ba91c47dba9a752505325d6cb736eea RELATED_IMAGE_CTLOG=registry.redhat.io/rhtas/certificate-transparency-rhel9@sha256:651a5a412592819a96051ebaf39d02e24c61a1064c0236b01a0777297b66a685 RELATED_IMAGE_HTTP_SERVER=registry.redhat.io/ubi9/httpd-24@sha256:ab5885d4368f833f2262f96b2765f59cce8563a43b13966de5d2c01595b87959 -RELATED_IMAGE_SEGMENT_REPORTING=registry.redhat.io/rhtas/segment-reporting-rhel9@sha256:e1790a0cac5eadef484e10d8f3f7ef6af9bdfabec4ab9fcc35c5ebd42b0205b3 RELATED_IMAGE_TIMESTAMP_AUTHORITY=registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:be623422f3f636c39397a66416b02a79f1d59cf593ca258e1701d1728755dde9 RELATED_IMAGE_CLIENT_SERVER=registry.redhat.io/rhtas/client-server-rhel9@sha256:c81aaa8f300021d7cdbb964524fc5e89ea2c79fdab5507f0ec036bf96b219332 RELATED_IMAGE_REKOR_MONITOR=registry.redhat.io/rhtas/rekor-monitor-rhel9@sha256:1944eff9f103d84380b9efac6adec9cb22613643968e51f07db58df977b6b982 diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 9bec3fc58..bf0f05a80 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -200,17 +200,6 @@ replacements: select: kind: Deployment name: operator-controller-manager -- source: - fieldPath: data.RELATED_IMAGE_SEGMENT_REPORTING - kind: ConfigMap - name: related-images - version: v1 - targets: - - fieldPaths: - - spec.template.spec.containers.[name=^manager$].env.[name=^RELATED_IMAGE_SEGMENT_REPORTING$].value - select: - kind: Deployment - name: operator-controller-manager - source: fieldPath: data.RELATED_IMAGE_TIMESTAMP_AUTHORITY kind: ConfigMap diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index e0e902f7a..15f6967db 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
@@ -156,14 +156,6 @@ rules: - patch - update - watch -- apiGroups: - - monitoring.coreos.com - resources: - - prometheuses/api - verbs: - - create - - get - - update - apiGroups: - monitoring.coreos.com resources: @@ -188,13 +180,6 @@ rules: - patch - update - watch -- apiGroups: - - operator.openshift.io - resources: - - consoles - verbs: - - get - - list - apiGroups: - rbac.authorization.k8s.io resources: @@ -255,10 +240,3 @@ rules: - get - patch - update -- apiGroups: - - route.openshift.io - resources: - - routes - verbs: - - get - - list diff --git a/config/samples/rhtas_v1alpha1_securesign.yaml b/config/samples/rhtas_v1alpha1_securesign.yaml index d4934437d..66b451020 100644 --- a/config/samples/rhtas_v1alpha1_securesign.yaml +++ b/config/samples/rhtas_v1alpha1_securesign.yaml @@ -5,8 +5,6 @@ metadata: app.kubernetes.io/name: securesign-sample app.kubernetes.io/instance: securesign-sample app.kubernetes.io/part-of: trusted-artifact-signer - annotations: - rhtas.redhat.com/metrics: "true" name: securesign-sample spec: rekor: diff --git a/internal/annotations/annotations.go b/internal/annotations/annotations.go index 82ceecacd..c7735cb1d 100644 --- a/internal/annotations/annotations.go +++ b/internal/annotations/annotations.go @@ -20,24 +20,6 @@ // annotations: // rhtas.redhat.com/pause-reconciliation: "true" // -// # Annotation: rhtas.redhat.com/metrics -// -// [Metrics] controls whether analytic metrics are collected for installed services. -// This annotation applies only to the Securesign resource. -// -// Options: -// - "true": Enables metrics collection (default). -// - "false": Disables metrics collection. -// -// Example usage: -// -// apiVersion: rhtas.redhat.com/v1alpha1 -// kind: Securesign -// metadata: -// name: example -// annotations: -// rhtas.redhat.com/metrics: "false" -// // # Annotation: rhtas.redhat.com/trusted-ca // // [TrustedCA] specifies the name of a ConfigMap containing a custom CA bundle. 
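Review bot: Dropping the `rhtas.redhat.com/metrics` section from the annotations package doc leaves users who still carry that annotation in their manifests (the upgrade test in this same patch still sets it) with no signal that it is now ignored, nor that the telemetry job it controlled has been removed outright rather than merely defaulted off. A short deprecation paragraph in place of the removed one would cover it, e.g. `// # Annotation: rhtas.redhat.com/metrics (deprecated)` followed by `// No longer read by the operator. The Segment metrics job has been removed; instances created by earlier releases are deleted on reconcile.` The stanza can then be dropped entirely once upgrades from releases that honoured the annotation are no longer supported.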
@@ -95,9 +77,6 @@ const ( // PausedReconciliation defines the annotation key used to pause reconciliation for a resource. PausedReconciliation = "rhtas.redhat.com/pause-reconciliation" - // Metrics defines the annotation key used to enable or disable metric collection by the operator. - Metrics = "rhtas.redhat.com/metrics" - // TrustedCA defines the annotation key for specifying a custom CA bundle ConfigMap. TrustedCA = "rhtas.redhat.com/trusted-ca" diff --git a/internal/controller/securesign/actions/constants.go b/internal/controller/securesign/actions/constants.go index d1a1b5e57..62367693f 100644 --- a/internal/controller/securesign/actions/constants.go +++ b/internal/controller/securesign/actions/constants.go @@ -8,8 +8,6 @@ const ( TrillianCondition = "TrillianAvailable" CTlogCondition = "CTlogAvailable" SegmentBackupCronJobName = "segment-backup-nightly-metrics" - SegmentBackupJobName = "segment-backup-installation" SegmentRBACName = "rhtas-segment-backup-job" MetricsCondition = "MetricsAvailable" - AnalyiticsCronSchedule = " 0 0 * * *" ) diff --git a/internal/controller/securesign/actions/segment_backup_cronjob.go b/internal/controller/securesign/actions/segment_backup_cronjob.go index ebadd18f6..fe0ed7059 100644 --- a/internal/controller/securesign/actions/segment_backup_cronjob.go +++ b/internal/controller/securesign/actions/segment_backup_cronjob.go 
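Review bot: `SegmentBackupCronJobName`, `SegmentRBACName` and `MetricsCondition` stay in constants.go, but after this patch they only name resources the operator deletes, never ones it creates, and nothing at the declaration says so. A comment keeps them from being reused for a new workload and tells the next maintainer when they can go: `// Legacy identifiers retained only so the operator can delete the Segment backup resources created by earlier releases; remove once upgrades from those releases are unsupported.` The `SegmentRBACName` ServiceAccount was the subject of a ClusterRoleBinding to `cluster-monitoring-view` (visible in the removed segment_rbac.go code), so recreating any ServiceAccount under that name would inherit the grant on clusters where cleanup has not yet run.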
@@ -3,21 +3,11 @@ package actions import ( "context" "fmt" - "maps" - "slices" - "strconv" - "github.com/robfig/cron/v3" "github.com/securesign/operator/internal/action" - "github.com/securesign/operator/internal/annotations" "github.com/securesign/operator/internal/constants" - "github.com/securesign/operator/internal/images" - "github.com/securesign/operator/internal/labels" - "github.com/securesign/operator/internal/utils/kubernetes" - "github.com/securesign/operator/internal/utils/kubernetes/ensure" - "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" - batchv1 "k8s.io/api/batch/v1" + "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -36,96 +26,36 @@ func (i segmentBackupCronJob) Name() string { return "segment-backup-nightly-metrics" } func (i segmentBackupCronJob) CanHandle(_ context.Context, instance *rhtasv1alpha1.Securesign) bool { - c := meta.FindStatusCondition(instance.Status.Conditions, MetricsCondition) - if c == nil || c.Reason == constants.Ready { - return false - } - val, found := instance.Annotations[annotations.Metrics] - if !found { - return true - } - if boolVal, err := strconv.ParseBool(val); err == nil { - return boolVal - } return true } func (i segmentBackupCronJob) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesign) *action.Result { - var ( - err error - result controllerutil.OperationResult - ) - - if _, err := cron.ParseStandard(AnalyiticsCronSchedule); err != nil { - return i.Error(ctx, fmt.Errorf("could not create segment backuup cron job due to errors with parsing the cron schedule: %w", err), instance) - } - - labels := labels.For(SegmentBackupCronJobName, SegmentBackupCronJobName, instance.Name) - segmentBackupCronJob := &batchv1.CronJob{ ObjectMeta: metav1.ObjectMeta{ Name: SegmentBackupCronJobName, Namespace: instance.Namespace, - Labels: labels, }, } - if result, err = kubernetes.CreateOrUpdate(ctx, i.Client, - segmentBackupCronJob, - i.ensureSegmentBackupCronJob(), - ensure.ControllerReference[*batchv1.CronJob](instance, i.Client), - ensure.Labels[*batchv1.CronJob](slices.Collect(maps.Keys(labels)), labels), - func(object *batchv1.CronJob) error { - ensure.SetProxyEnvs(object.Spec.JobTemplate.Spec.Template.Spec.Containers) - return nil - }, - ); err != nil { - return i.Error(ctx, fmt.Errorf("could not create segment backup cron job: %w", err), instance, - metav1.Condition{ + err := i.Client.Delete(ctx, segmentBackupCronJob) + if err != nil { + if errors.IsNotFound(err) { + return i.Continue() + } else { + return i.Error(ctx, fmt.Errorf("could not delete segment backup cron job: %w", err), instance, metav1.Condition{ Type: MetricsCondition, Status: 
metav1.ConditionFalse, Reason: constants.Failure, Message: err.Error(), }) - } - - if result != controllerutil.OperationResultNone { - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: MetricsCondition, - Status: metav1.ConditionTrue, - Reason: constants.Ready, - Message: "Segment backup Cron Job created", - }) - return i.StatusUpdate(ctx, instance) - } - - return i.Continue() -} - -func (i segmentBackupCronJob) ensureSegmentBackupCronJob() func(job *batchv1.CronJob) error { - return func(job *batchv1.CronJob) error { - { - spec := &job.Spec - spec.Schedule = AnalyiticsCronSchedule - - templateSpec := &spec.JobTemplate.Spec.Template.Spec - templateSpec.ServiceAccountName = SegmentRBACName - templateSpec.RestartPolicy = "OnFailure" - - container := kubernetes.FindContainerByNameOrCreate(templateSpec, SegmentBackupCronJobName) - container.Image = images.Registry.Get(images.SegmentBackup) - container.Command = []string{"python3", "/opt/app-root/src/src/script.py"} - - runTypeEnv := kubernetes.FindEnvByNameOrCreate(container, "RUN_TYPE") - runTypeEnv.Value = "nightly" - - caBundleEnv := kubernetes.FindEnvByNameOrCreate(container, "REQUESTS_CA_BUNDLE") - caBundleEnv.Value = "/etc/pki/tls/certs/ca-bundle.crt" // Certificate used to verify requests externally i.e communication with segment - - internalCaBundleEnv := kubernetes.FindEnvByNameOrCreate(container, "REQUESTS_CA_BUNDLE_INTERNAL") - internalCaBundleEnv.Value = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" // Certificate used to verify requests internally i.e queries to thanos - } - return nil } + + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: MetricsCondition, + Status: metav1.ConditionTrue, + Reason: "Removed", + Message: "Segment backup Cron Job removed", + }) + return i.StatusUpdate(ctx, instance) } 
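Review bot: The NotFound handling in `Handle` nests an `else` after a `return` and diverges from the sibling `cleanupResource` in segment_rbac.go, which uses `client.IgnoreNotFound`; `if err := client.IgnoreNotFound(i.Client.Delete(ctx, segmentBackupCronJob)); err != nil { ... }` does the same in a single branch and keeps the two cleanup paths alike (it needs controller-runtime's `client` import, as segment_rbac.go already has). Separately, `CanHandle` now returns `true` unconditionally while the `Removed` condition is only written when the CronJob actually existed, so on a cluster that never had it the Delete is re-issued on every reconcile; gating `CanHandle` on `MetricsCondition` not already carrying `Reason: "Removed"` and setting that reason in the NotFound path too would bound it. `"Removed"` is also a bare literal where the rest of the file takes reasons from `constants.*`; a named constant would keep status reasons greppable.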
diff --git a/internal/controller/securesign/actions/segment_backup_job.go b/internal/controller/securesign/actions/segment_backup_job.go deleted file mode 100644 index 18b28246a..000000000 --- a/internal/controller/securesign/actions/segment_backup_job.go +++ /dev/null 
@@ -1,114 +0,0 @@ -package actions - -import ( - "context" - "fmt" - "maps" - "slices" - "strconv" - - "github.com/securesign/operator/internal/action" - "github.com/securesign/operator/internal/annotations" - "github.com/securesign/operator/internal/constants" - "github.com/securesign/operator/internal/images" - "github.com/securesign/operator/internal/labels" - "github.com/securesign/operator/internal/utils" - "github.com/securesign/operator/internal/utils/kubernetes" - "github.com/securesign/operator/internal/utils/kubernetes/ensure" - batchv1 "k8s.io/api/batch/v1" - - rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" - "k8s.io/apimachinery/pkg/api/meta" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -func NewSegmentBackupJobAction() action.Action[*rhtasv1alpha1.Securesign] { - return &segmentBackupJob{} -} - -type segmentBackupJob struct { - action.BaseAction -} - -func (i segmentBackupJob) Name() string { - return SegmentBackupJobName -} - -func (i segmentBackupJob) CanHandle(_ context.Context, instance *rhtasv1alpha1.Securesign) bool { - c := meta.FindStatusCondition(instance.Status.Conditions, MetricsCondition) - if c == nil || c.Reason == constants.Ready { - return false - } - - val, found := instance.Annotations[annotations.Metrics] - if !found { - return true - } - if boolVal, err := strconv.ParseBool(val); err == nil { - return boolVal - } - return true -} - -func (i segmentBackupJob) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesign) *action.Result { - var ( - err error - job = &batchv1.Job{ - ObjectMeta: metav1.ObjectMeta{ - GenerateName: SegmentBackupJobName + "-", - Namespace: instance.Namespace, - }, - } - ) - - l := labels.For(SegmentBackupJobName, SegmentBackupJobName, instance.Name) - if _, err = kubernetes.CreateOrUpdate(ctx, i.Client, - job, - i.ensureSegmentBackupJob(), - ensure.ControllerReference[*batchv1.Job](instance, i.Client), - ensure.Labels[*batchv1.Job](slices.Collect(maps.Keys(l)), l), - func(object 
*batchv1.Job) error { - ensure.SetProxyEnvs(object.Spec.Template.Spec.Containers) - return nil - }, - ); err != nil { - return i.Error(ctx, fmt.Errorf("could not create segment backup job: %w", err), instance, - metav1.Condition{ - Type: MetricsCondition, - Status: metav1.ConditionFalse, - Reason: constants.Creating, - Message: err.Error(), - }) - } - - return i.Continue() -} - -func (i segmentBackupJob) ensureSegmentBackupJob() func(*batchv1.Job) error { - return func(job *batchv1.Job) error { - - spec := &job.Spec - spec.Parallelism = utils.Pointer[int32](1) - spec.Completions = utils.Pointer[int32](1) - spec.ActiveDeadlineSeconds = utils.Pointer[int64](600) - spec.BackoffLimit = utils.Pointer[int32](5) - - templateSpec := &spec.Template.Spec - templateSpec.ServiceAccountName = SegmentRBACName - templateSpec.RestartPolicy = "OnFailure" - - container := kubernetes.FindContainerByNameOrCreate(templateSpec, SegmentBackupJobName) - container.Image = images.Registry.Get(images.SegmentBackup) - container.Command = []string{"python3", "/opt/app-root/src/src/script.py"} - - runTypeEnv := kubernetes.FindEnvByNameOrCreate(container, "RUN_TYPE") - runTypeEnv.Value = "installation" - - caBundleEnv := kubernetes.FindEnvByNameOrCreate(container, "REQUESTS_CA_BUNDLE") - caBundleEnv.Value = "/etc/pki/tls/certs/ca-bundle.crt" // Certificate used to verify requests externally i.e communication with segment - - internalCaBundleEnv := kubernetes.FindEnvByNameOrCreate(container, "REQUESTS_CA_BUNDLE_INTERNAL") - internalCaBundleEnv.Value = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" // Certificate used to verify requests internally i.e queries to thanos - return nil - } -} diff --git a/internal/controller/securesign/actions/segment_rbac.go b/internal/controller/securesign/actions/segment_rbac.go index 60946773b..100b930f6 100644 --- a/internal/controller/securesign/actions/segment_rbac.go +++ b/internal/controller/securesign/actions/segment_rbac.go 
@@ -3,23 +3,14 @@ package actions import ( "context" "fmt" - "maps" - "slices" - "strconv" + rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/action" - "github.com/securesign/operator/internal/annotations" "github.com/securesign/operator/internal/constants" - "github.com/securesign/operator/internal/labels" - "github.com/securesign/operator/internal/utils/kubernetes" - "github.com/securesign/operator/internal/utils/kubernetes/ensure" - "sigs.k8s.io/controller-runtime/pkg/reconcile" - - rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" v1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" - "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" ) const ( 
@@ -41,190 +32,79 @@ func (i rbacAction) Name() string { } func (i rbacAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.Securesign) bool { - c := meta.FindStatusCondition(instance.Status.Conditions, MetricsCondition) - if c == nil || c.Reason == constants.Ready { - return false - } - val, found := instance.Annotations[annotations.Metrics] - if !found { - return true - } - if boolVal, err := strconv.ParseBool(val); err == nil { - return boolVal - } return true } func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesign) *action.Result { - var err error - - jobLabels := labels.For(SegmentBackupJobName, SegmentBackupCronJobName, instance.Name) - jobLabels[labels.LabelAppNamespace] = instance.Namespace - - // ServiceAccount - if _, err = kubernetes.CreateOrUpdate(ctx, i.Client, &v1.ServiceAccount{ + result := i.cleanupResource(ctx, instance, &v1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Name: SegmentRBACName, Namespace: instance.Namespace, }, - }, - ensure.ControllerReference[*v1.ServiceAccount](instance, i.Client), - ensure.Labels[*v1.ServiceAccount](slices.Collect(maps.Keys(jobLabels)), jobLabels), - ); err != nil { - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: MetricsCondition, - Status: metav1.ConditionFalse, - Reason: constants.Failure, - Message: err.Error(), - }) - return i.Error(ctx, reconcile.TerminalError(fmt.Errorf("could not create SA: %w", err)), instance) + }) + if !action.IsContinue(result) { + return result } - // Role - if _, err = kubernetes.CreateOrUpdate(ctx, i.Client, &rbacv1.Role{ + result = i.cleanupResource(ctx, instance, &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf(namespacedNamePattern, instance.Namespace), Namespace: OpenshiftMonitoringNS, }, - }, - ensure.Labels[*rbacv1.Role](slices.Collect(maps.Keys(jobLabels)), jobLabels), - kubernetes.EnsureRoleRules( - rbacv1.PolicyRule{ - - APIGroups: []string{""}, - Resources: []string{"configmaps"}, - Verbs: 
[]string{"get", "list"}, - ResourceNames: []string{"cluster-monitoring-config"}, - }, - rbacv1.PolicyRule{ - APIGroups: []string{"route.openshift.io"}, - Resources: []string{"routes"}, - Verbs: []string{"get", "list"}, - }, - ), - ); err != nil { - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: MetricsCondition, - Status: metav1.ConditionFalse, - Reason: constants.Failure, - Message: err.Error(), - }) - return i.Error(ctx, reconcile.TerminalError(fmt.Errorf("could not create openshift-monitoring role for SBJ: %w", err)), instance) + }) + if !action.IsContinue(result) { + return result } - // RoleBinding - if _, err = kubernetes.CreateOrUpdate(ctx, i.Client, &rbacv1.RoleBinding{ + result = i.cleanupResource(ctx, instance, &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf(namespacedNamePattern, instance.Namespace), Namespace: OpenshiftMonitoringNS, }, - }, - ensure.Labels[*rbacv1.RoleBinding](slices.Collect(maps.Keys(jobLabels)), jobLabels), - kubernetes.EnsureRoleBinding( - rbacv1.RoleRef{ - APIGroup: v1.SchemeGroupVersion.Group, - Kind: "Role", - Name: fmt.Sprintf(namespacedNamePattern, instance.Namespace), - }, - rbacv1.Subject{Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace}, - ), - ); err != nil { - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: MetricsCondition, - Status: metav1.ConditionFalse, - Reason: constants.Failure, - Message: err.Error(), - }) - return i.Error(ctx, reconcile.TerminalError(fmt.Errorf("could not create openshift-monitoring role binding for SBJ: %w", err)), instance) + }) + if !action.IsContinue(result) { + return result } - // ClusterRoleBinding - if _, err = kubernetes.CreateOrUpdate(ctx, i.Client, &rbacv1.ClusterRoleBinding{ + result = i.cleanupResource(ctx, instance, &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf(clusterWideNamePattern, instance.Namespace, "clusterMonitoringRoleBinding"), }, - 
}, - ensure.Labels[*rbacv1.ClusterRoleBinding](slices.Collect(maps.Keys(jobLabels)), jobLabels), - kubernetes.EnsureClusterRoleBinding( - rbacv1.RoleRef{ - APIGroup: v1.SchemeGroupVersion.Group, - Kind: "ClusterRole", - Name: "cluster-monitoring-view", - }, - rbacv1.Subject{Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace}, - ), - ); err != nil { - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: MetricsCondition, - Status: metav1.ConditionFalse, - Reason: constants.Failure, - Message: err.Error(), - }) - return i.Error(ctx, reconcile.TerminalError(fmt.Errorf("could not create monitoring ClusterRoleBinding for SBJ: %w", err)), instance) + }) + if !action.IsContinue(result) { + return result } - // ClusterRole - if _, err = kubernetes.CreateOrUpdate(ctx, i.Client, &rbacv1.ClusterRole{ + result = i.cleanupResource(ctx, instance, &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf(clusterWideNamePattern, instance.Namespace, "clusterRole"), }, - }, - ensure.Labels[*rbacv1.ClusterRole](slices.Collect(maps.Keys(jobLabels)), jobLabels), - kubernetes.EnsureClusterRoleRules( - rbacv1.PolicyRule{ - APIGroups: []string{"operator.openshift.io"}, - Resources: []string{"consoles"}, - Verbs: []string{"get", "list"}, - ResourceNames: []string{"cluster"}, - }, - rbacv1.PolicyRule{ - APIGroups: []string{"route.openshift.io"}, - Resources: []string{"routes"}, - Verbs: []string{"get", "list"}, - ResourceNames: []string{"console"}, - }, - ), - ); err != nil { - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: MetricsCondition, - Status: metav1.ConditionFalse, - Reason: constants.Failure, - Message: err.Error(), - }) - return i.Error(ctx, reconcile.TerminalError(fmt.Errorf("could not create openshift-console ClusterRole for SBJ: %w", err)), instance) + }) + if !action.IsContinue(result) { + return result } - // ClusterRoleBinding - if _, err = kubernetes.CreateOrUpdate(ctx, 
i.Client, &rbacv1.ClusterRoleBinding{ + result = i.cleanupResource(ctx, instance, &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf(clusterWideNamePattern, instance.Namespace, "clusterRoleBinding"), }, - }, - ensure.Labels[*rbacv1.ClusterRoleBinding](slices.Collect(maps.Keys(jobLabels)), jobLabels), - kubernetes.EnsureClusterRoleBinding( - rbacv1.RoleRef{ - APIGroup: v1.SchemeGroupVersion.Group, - Kind: "ClusterRole", - Name: fmt.Sprintf(clusterWideNamePattern, instance.Namespace, "clusterRole"), - }, - rbacv1.Subject{Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace}, - ), - ); err != nil { - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: MetricsCondition, - Status: metav1.ConditionFalse, - Reason: constants.Failure, - Message: err.Error(), - }) - return i.Error(ctx, reconcile.TerminalError(fmt.Errorf("could not create openshift-console ClusterRoleBinding for SBJ: %w", err)), instance) + }) + if !action.IsContinue(result) { + return result } - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: MetricsCondition, - Status: metav1.ConditionTrue, - Reason: constants.Creating, - Message: "Segment Backup Job Creating", - }) + return i.Continue() +} +func (i rbacAction) cleanupResource(ctx context.Context, instance *rhtasv1alpha1.Securesign, object client.Object) *action.Result { + if err := client.IgnoreNotFound(i.Client.Delete(ctx, object)); err != nil { + return i.Error(ctx, err, instance, + metav1.Condition{ + Type: MetricsCondition, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) + } return i.Continue() } diff --git a/internal/controller/securesign/securesign_controller.go b/internal/controller/securesign/securesign_controller.go index 978063cc9..e046ba859 100644 --- a/internal/controller/securesign/securesign_controller.go +++ b/internal/controller/securesign/securesign_controller.go 
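Review bot: `cleanupResource` hands the raw API error to `i.Error` and into the `MetricsCondition` message, so when one of the six deletes fails (a Forbidden on a cluster-scoped object, for instance) neither the log nor the status says which object is still in place — and the ClusterRoleBinding to `cluster-monitoring-view` is exactly the one an administrator needs to know survived. Wrapping with the object identity restores what the removed per-resource messages provided: `return i.Error(ctx, fmt.Errorf("could not delete %T %s/%s: %w", object, object.GetNamespace(), object.GetName(), err), instance, metav1.Condition{...})`. Also, because `CanHandle` now always returns `true` and nothing records completion, every reconcile of every Securesign issues six Delete calls, four of them cluster-scoped or cross-namespace, indefinitely; recording a `MetricsCondition` reason once all deletes return NotFound and having `CanHandle` return `false` on it would stop the churn in audit logs and RBAC traffic.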
@@ -21,18 +21,14 @@ import ( "github.com/securesign/operator/internal/action" "github.com/securesign/operator/internal/annotations" - "github.com/securesign/operator/internal/constants" "github.com/securesign/operator/internal/controller" - "github.com/securesign/operator/internal/labels" v12 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/tools/record" "github.com/operator-framework/operator-lib/predicate" rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/securesign/actions" - v1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/runtime" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" @@ -63,9 +59,6 @@ func NewReconciler(c client.Client, scheme *runtime.Scheme, recorder record.Even //+kubebuilder:rbac:groups=rhtas.redhat.com,resources=securesigns,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=rhtas.redhat.com,resources=securesigns/status,verbs=get;update;patch //+kubebuilder:rbac:groups=rhtas.redhat.com,resources=securesigns/finalizers,verbs=update -//+kubebuilder:rbac:groups="operator.openshift.io",resources=consoles,verbs=get;list -//+kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list -//+kubebuilder:rbac:groups=monitoring.coreos.com,resources=prometheuses/api,verbs=create;get;update // TODO: rework Securesign controller to watch resources func (r *securesignReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { 
@@ -91,21 +84,6 @@ func (r *securesignReconciler) Reconcile(ctx context.Context, req ctrl.Request) } if instance.DeletionTimestamp != nil { - instanceLabels := labels.For(actions.SegmentBackupJobName, actions.SegmentBackupCronJobName, instance.Name) - instanceLabels[labels.LabelAppNamespace] = instance.Namespace - if err := r.DeleteAllOf(ctx, &v1.ClusterRoleBinding{}, client.MatchingLabels(instanceLabels)); err != nil { - log.Error(err, "problem with removing clusterRoleBinding resource") - } - if err := r.DeleteAllOf(ctx, &v1.ClusterRole{}, client.MatchingLabels(instanceLabels)); err != nil { - log.Error(err, "problem with removing ClusterRole resource") - } - if err := r.DeleteAllOf(ctx, &v1.Role{}, client.InNamespace(actions.OpenshiftMonitoringNS), client.MatchingLabels(instanceLabels)); err != nil { - log.Error(err, "problem with removing Role resource in %s", actions.OpenshiftMonitoringNS) - } - if err := r.DeleteAllOf(ctx, &v1.RoleBinding{}, client.InNamespace(actions.OpenshiftMonitoringNS), client.MatchingLabels(instanceLabels)); err != nil { - log.Error(err, "problem with removing RoleBinding resource in %s", actions.OpenshiftMonitoringNS) - } - controllerutil.RemoveFinalizer(target, finalizer) return ctrl.Result{}, r.Update(ctx, target) } @@ -119,7 +97,6 @@ func (r *securesignReconciler) Reconcile(ctx context.Context, req ctrl.Request) acs := []action.Action[*rhtasv1alpha1.Securesign]{ actions.NewInitializeStatusAction(), actions.NewSBJRBACAction(), - actions.NewSegmentBackupJobAction(), actions.NewSegmentBackupCronJobAction(), actions.NewTrillianAction(), actions.NewFulcioAction(), 
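Review bot: The deletion branch keeps the finalizer but no longer removes anything, so a Securesign created by an earlier release and deleted before the upgraded operator has reconciled it once — or one held under `rhtas.redhat.com/pause-reconciliation`, if that annotation skips the action loop as its name suggests — leaves its cluster-scoped ClusterRole and ClusterRoleBinding (including the binding to `cluster-monitoring-view`) and the Role/RoleBinding in `openshift-monitoring` behind, with no owner reference to garbage-collect them. The rbacAction cleanup added elsewhere in this patch runs only from the normal reconcile path. Either keep the label-based `DeleteAllOf` calls here for at least one release (substituting the literal job name now that `SegmentBackupJobName` is gone), or run the same name-based cleanup from this branch before `controllerutil.RemoveFinalizer`, so an instance deletion cannot orphan privileged grants. Once that transition window closes and the finalizer has no work left, both it and this branch can go. `Reconcile` itself starts and ends outside the hunk.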
@@ -134,12 +111,6 @@ func (r *securesignReconciler) Reconcile(ctx context.Context, req ctrl.Request) a.InjectClient(r.Client) a.InjectLogger(log.WithName(a.Name())) - if a.Name() == actions.SegmentBackupJobName { - if c := meta.FindStatusCondition(instance.GetConditions(), actions.MetricsCondition); c != nil && c.Reason == constants.Creating { - continue - } - } - if a.CanHandle(ctx, target) { result := a.Handle(ctx, target) if result != nil { diff --git a/internal/images/images.go b/internal/images/images.go index 48c5af2f0..4f5674c71 100644 --- a/internal/images/images.go +++ b/internal/images/images.go @@ -32,9 +32,8 @@ const ( TimestampAuthority Image = "RELATED_IMAGE_TIMESTAMP_AUTHORITY" - HttpServer Image = "RELATED_IMAGE_HTTP_SERVER" - SegmentBackup Image = "RELATED_IMAGE_SEGMENT_REPORTING" - ClientServer Image = "RELATED_IMAGE_CLIENT_SERVER" + HttpServer Image = "RELATED_IMAGE_HTTP_SERVER" + ClientServer Image = "RELATED_IMAGE_CLIENT_SERVER" ) var Images = []Image{ @@ -53,7 +52,6 @@ var Images = []Image{ CTLog, TimestampAuthority, HttpServer, - SegmentBackup, ClientServer, } diff --git a/test/e2e/benchmark/install_test.go b/test/e2e/benchmark/install_test.go index f447723ef..383e829d6 100644 --- a/test/e2e/benchmark/install_test.go +++ b/test/e2e/benchmark/install_test.go @@ -84,9 +84,6 @@ func installTAS(ctx context.Context, cli client.Client, namespace string) error ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, Name: "test", - Annotations: map[string]string{ - "rhtas.redhat.com/metrics": "false", - }, }, Spec: v1alpha1.SecuresignSpec{ Rekor: v1alpha1.RekorSpec{ diff --git a/test/e2e/support/tas/securesign/securesign.go b/test/e2e/support/tas/securesign/securesign.go index ab11f5744..e17169e68 100644 --- a/test/e2e/support/tas/securesign/securesign.go +++ b/test/e2e/support/tas/securesign/securesign.go 
@@ -5,7 +5,6 @@ import ( . "github.com/onsi/gomega" "github.com/securesign/operator/api/v1alpha1" - "github.com/securesign/operator/internal/annotations" "github.com/securesign/operator/test/e2e/support" "github.com/securesign/operator/test/e2e/support/condition" "k8s.io/apimachinery/pkg/api/errors" @@ -44,9 +43,6 @@ func Create(namespace, name string, opts ...Opts) *v1alpha1.Securesign { ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: namespace, - Annotations: map[string]string{ - annotations.Metrics: "false", - }, }, } diff --git a/test/e2e/upgrade_test.go b/test/e2e/upgrade_test.go index 7b3e1c338..0b8d3f542 100644 --- a/test/e2e/upgrade_test.go +++ b/test/e2e/upgrade_test.go @@ -134,6 +134,17 @@ var _ = Describe("Operator upgrade", Ordered, func() { func(v *tasv1alpha.Securesign) { v.Spec.Trillian.Db.Pvc.Retain = nil }, + func(v *tasv1alpha.Securesign) { + if v.Annotations == nil { + v.Annotations = map[string]string{} + } + + if testSupportKubernetes.IsRemoteClusterOpenshift() { + v.Annotations["rhtas.redhat.com/metrics"] = "true" + } else { + v.Annotations["rhtas.redhat.com/metrics"] = "false" + } + }, ) gomega.Expect(cli.Create(ctx, securesignDeployment)).To(gomega.Succeed())
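Review bot: The new option in upgrade_test.go writes `rhtas.redhat.com/metrics` as a bare string literal with no comment, and since this patch deletes the `annotations.Metrics` constant and its documentation, a reader cannot tell that the value is aimed at the pre-upgrade operator rather than the code under test. A comment such as `// Honoured only by the pre-upgrade operator: enable on OpenShift so the Segment RBAC and CronJob exist and the upgraded operator's cleanup path is exercised.` makes the intent explicit. If the test does not already assert after the upgrade that the `cluster-monitoring-view` ClusterRoleBinding, the `openshift-monitoring` Role/RoleBinding and the CronJob are gone (nothing in this hunk does), that assertion is what actually proves the privileged grant is removed. The enclosing `Describe` block starts and ends outside the hunk.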