From 7b3000e1fe927d32396981a3b4cb4143d4a54d2e Mon Sep 17 00:00:00 2001 From: Xiangjing Li Date: Mon, 8 Jan 2024 16:05:39 -0500 Subject: [PATCH] upgrade managed serviceaccount api version to v1beta1 Signed-off-by: Xiangjing Li --- cmd/gitopscluster/exec/manager.go | 4 +- ...agement.io_managedserviceaccounts.crd.yaml | 179 ++++++++++++- e2e/run_e2e.sh | 2 +- go.mod | 10 +- go.sum | 20 +- ...-management.io_managedserviceaccounts.yaml | 249 ++++++++++++++++-- .../gitopscluster/gitopscluster_controller.go | 6 +- .../gitopscluster_controller_suite_test.go | 4 +- .../gitopscluster_controller_test.go | 22 +- pkg/utils/cluster.go | 10 +- pkg/utils/placement.go | 6 +- pkg/utils/placement_test.go | 4 +- 12 files changed, 443 insertions(+), 73 deletions(-) diff --git a/cmd/gitopscluster/exec/manager.go b/cmd/gitopscluster/exec/manager.go index 9a7a63d..a33cede 100644 --- a/cmd/gitopscluster/exec/manager.go +++ b/cmd/gitopscluster/exec/manager.go @@ -29,7 +29,7 @@ import ( "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" "k8s.io/klog" - authv1alpha1 "open-cluster-management.io/managed-serviceaccount/api/v1alpha1" + authv1beta1 "open-cluster-management.io/managed-serviceaccount/apis/authentication/v1beta1" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/cache" "sigs.k8s.io/controller-runtime/pkg/client" @@ -108,7 +108,7 @@ func RunManager() { os.Exit(1) } - if err := authv1alpha1.AddToScheme(mgr.GetScheme()); err != nil { + if err := authv1beta1.AddToScheme(mgr.GetScheme()); err != nil { klog.Error(err, "") os.Exit(1) } diff --git a/deploy/crds/clusters.open-cluster-management.io_managedserviceaccounts.crd.yaml b/deploy/crds/clusters.open-cluster-management.io_managedserviceaccounts.crd.yaml index 149c625..3441bfc 100644 --- a/deploy/crds/clusters.open-cluster-management.io_managedserviceaccounts.crd.yaml +++ b/deploy/crds/clusters.open-cluster-management.io_managedserviceaccounts.crd.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 + controller-gen.kubebuilder.io/version: v0.6.2 creationTimestamp: null name: managedserviceaccounts.authentication.open-cluster-management.io spec: @@ -16,7 +16,11 @@ spec: singular: managedserviceaccount scope: Namespaced versions: - - name: v1alpha1 + - deprecated: true + deprecationWarning: authentication.open-cluster-management.io/v1alpha1 ManagedServiceAccount + is deprecated; use authentication.open-cluster-management.io/v1beta1 ManagedServiceAccount; + version v1alpha1 will be removed in the next release + name: v1alpha1 schema: openAPIV3Schema: description: ManagedServiceAccount is the Schema for the managedserviceaccounts @@ -78,13 +82,168 @@ spec: description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" + \n \ttype FooStatus struct{ \t // Represents the observations + of a foo's current state. \t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\" \t // + +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map + \t // +listMapKey=type \t Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields + \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + expirationTimestamp: + description: ExpirationTimestamp is the time when the token will expire. + format: date-time + type: string + tokenSecretRef: + description: TokenSecretRef is a reference to the corresponding ServiceAccount's + Secret, which stores the CA certficate and token from the managed + cluster. + properties: + lastRefreshTimestamp: + description: LastRefreshTimestamp is the timestamp indicating + when the token in the Secret is refreshed. + format: date-time + type: string + name: + description: Name is the name of the referenced secret. + type: string + required: + - lastRefreshTimestamp + - name + type: object + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ManagedServiceAccount is the Schema for the managedserviceaccounts + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ManagedServiceAccountSpec defines the desired state of ManagedServiceAccount + properties: + rotation: + description: Rotation is the policy for rotation the credentials. + properties: + enabled: + default: true + description: Enabled prescribes whether the ServiceAccount token + will be rotated from the upstream + type: boolean + validity: + default: 8640h0m0s + description: Validity is the duration for which the signed ServiceAccount + token is valid. + type: string + type: object + ttlSecondsAfterCreation: + description: ttlSecondsAfterCreation limits the lifetime of a ManagedServiceAccount. + If the ttlSecondsAfterCreation field is set, the ManagedServiceAccount + will be automatically deleted regardless of the ManagedServiceAccount's + status. When the ManagedServiceAccount is deleted, its lifecycle + guarantees (e.g. finalizers) will be honored. If this field is unset, + the ManagedServiceAccount won't be automatically deleted. If this + field is set to zero, the ManagedServiceAccount becomes eligible + for deletion immediately after its creation. In order to use ttlSecondsAfterCreation, + the EphemeralIdentity feature gate must be enabled. + exclusiveMinimum: true + format: int32 + minimum: 0 + type: integer + required: + - rotation + type: object + status: + description: ManagedServiceAccountStatus defines the observed state of + ManagedServiceAccount + properties: + conditions: + description: Conditions is the condition list. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n \ttype FooStatus struct{ \t // Represents the observations + of a foo's current state. \t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\" \t // + +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map + \t // +listMapKey=type \t Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields + \t}" properties: lastTransitionTime: description: lastTransitionTime is the last time the condition @@ -174,4 +333,4 @@ status: kind: "" plural: "" conditions: [] - storedVersions: [] + storedVersions: [] \ No newline at end of file diff --git a/e2e/run_e2e.sh b/e2e/run_e2e.sh index 7f52de1..8d429f5 100755 --- a/e2e/run_e2e.sh +++ b/e2e/run_e2e.sh @@ -9,7 +9,7 @@ set -o pipefail echo "SETUP install multicloud-integrations" kubectl config use-context kind-hub kubectl apply -f deploy/crds/ -kubectl apply -f hack/crds/0000_00_clusters.open-cluster-management.io_managedserviceaccounts.crd.yaml +kubectl apply -f hack/test/crds/0000_00_authentication.open-cluster-management.io_managedserviceaccounts.yaml kubectl apply -f deploy/controller/ sleep 120 diff --git a/go.mod b/go.mod index 9529d06..fe4dcc1 100644 --- a/go.mod +++ b/go.mod @@ -4,16 +4,16 @@ go 1.20 require ( github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 - github.com/onsi/ginkgo/v2 v2.9.5 - github.com/onsi/gomega v1.27.7 + github.com/onsi/ginkgo/v2 v2.11.0 + github.com/onsi/gomega v1.27.8 github.com/spf13/pflag v1.0.5 k8s.io/api v0.28.1 k8s.io/apiextensions-apiserver v0.28.1 k8s.io/apimachinery v0.28.1 k8s.io/client-go v0.28.1 k8s.io/klog v1.0.0 - open-cluster-management.io/api v0.11.0 - open-cluster-management.io/managed-serviceaccount v0.3.0 + open-cluster-management.io/api v0.11.1-0.20230921010001-9cb6321fa748 + open-cluster-management.io/managed-serviceaccount v0.4.0 sigs.k8s.io/controller-runtime v0.15.1 ) @@ -22,7 +22,7 @@ require ( github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect - golang.org/x/tools v0.9.1 // indirect + golang.org/x/tools v0.9.3 // indirect ) require ( diff --git a/go.sum b/go.sum index 762e55a..12d9ca2 100644 --- a/go.sum +++ b/go.sum @@ -84,10 +84,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= -github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k= -github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= -github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4= +github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= +github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= +github.com/onsi/gomega v1.27.8 h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc= +github.com/onsi/gomega v1.27.8/go.mod h1:2J8vzI/s+2shY9XHRApDkdgPo1TKT7P2u6fXeJKFnNQ= github.com/openshift/api v3.9.0+incompatible h1:fJ/KsefYuZAjmrr3+5U9yZIZbTOpVkDDLDLFresAeYs= github.com/openshift/api v3.9.0+incompatible/go.mod h1:dh9o4Fs58gpFXGSYfnVxGR9PnV53I8TW84pQaJDdGiY= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -181,8 +181,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= -golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= +golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -227,10 +227,10 @@ k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5Ohx k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= k8s.io/utils v0.0.0-20230505201702-9f6742963106 h1:EObNQ3TW2D+WptiYXlApGNLVy0zm/JIBVY9i+M4wpAU= k8s.io/utils v0.0.0-20230505201702-9f6742963106/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -open-cluster-management.io/api v0.11.0 h1:zBxa33Co3wseLBF4HEJobhl0P6ygj+Drhe7Wrfo0/h8= -open-cluster-management.io/api v0.11.0/go.mod h1:WgKUCJ7+Bf40DsOmH1Gdkpyj3joco+QLzrlM6Ak39zE= -open-cluster-management.io/managed-serviceaccount v0.3.0 h1:5WyHk/lVpeIWWwK5U1qVUdwm1ZhyhfxyOkIDTNXWc6s= -open-cluster-management.io/managed-serviceaccount v0.3.0/go.mod h1:bLjc86mQJh9i9xDOcGTLuAqRsmQbD23q6ryRPAW835k= +open-cluster-management.io/api v0.11.1-0.20230921010001-9cb6321fa748 h1:OjemV/LWwBuKDZJLfEPw51w0Zbd9HKgpkxGtPclOjkQ= +open-cluster-management.io/api v0.11.1-0.20230921010001-9cb6321fa748/go.mod h1:/CZhelEH+30/pX7vXGSZOzLMX0zvjthYOkT/5ZTzVTQ= +open-cluster-management.io/managed-serviceaccount v0.4.0 h1:DPuNNR0a+sYnlvUkUB77mBNasl+fpl/vgKb1vq6+aqk= +open-cluster-management.io/managed-serviceaccount v0.4.0/go.mod h1:o8vJwxYo3FYoxM2x245LqAmwvl5/ViYk/Md+3peXLSc= sigs.k8s.io/controller-runtime v0.15.1 h1:9UvgKD4ZJGcj24vefUFgZFP3xej/3igL9BsOUTb/+4c= sigs.k8s.io/controller-runtime v0.15.1/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= diff --git a/hack/test/crds/0000_00_authentication.open-cluster-management.io_managedserviceaccounts.yaml b/hack/test/crds/0000_00_authentication.open-cluster-management.io_managedserviceaccounts.yaml index 6944edc..3441bfc 100644 --- a/hack/test/crds/0000_00_authentication.open-cluster-management.io_managedserviceaccounts.yaml +++ b/hack/test/crds/0000_00_authentication.open-cluster-management.io_managedserviceaccounts.yaml @@ -1,12 +1,13 @@ + +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null name: managedserviceaccounts.authentication.open-cluster-management.io spec: - conversion: - strategy: None group: authentication.open-cluster-management.io names: kind: ManagedServiceAccount @@ -15,16 +16,25 @@ spec: singular: managedserviceaccount scope: Namespaced versions: - - name: v1alpha1 + - deprecated: true + deprecationWarning: authentication.open-cluster-management.io/v1alpha1 ManagedServiceAccount + is deprecated; use authentication.open-cluster-management.io/v1beta1 ManagedServiceAccount; + version v1alpha1 will be removed in the next release + name: v1alpha1 schema: openAPIV3Schema: - description: ManagedServiceAccount is the Schema for the managedserviceaccounts API + description: ManagedServiceAccount is the Schema for the managedserviceaccounts + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -36,15 +46,25 @@ spec: properties: enabled: default: true - description: Enabled prescribes whether the ServiceAccount token will be rotated from the upstream + description: Enabled prescribes whether the ServiceAccount token + will be rotated from the upstream type: boolean validity: default: 8640h0m0s - description: Validity is the duration for which the signed ServiceAccount token is valid. + description: Validity is the duration for which the signed ServiceAccount + token is valid. type: string type: object ttlSecondsAfterCreation: - description: ttlSecondsAfterCreation limits the lifetime of a ManagedServiceAccount. If the ttlSecondsAfterCreation field is set, the ManagedServiceAccount will be automatically deleted regardless of the ManagedServiceAccount's status. When the ManagedServiceAccount is deleted, its lifecycle guarantees (e.g. finalizers) will be honored. If this field is unset, the ManagedServiceAccount won't be automatically deleted. If this field is set to zero, the ManagedServiceAccount becomes eligible for deletion immediately after its creation. In order to use ttlSecondsAfterCreation, the EphemeralIdentity feature gate must be enabled. + description: ttlSecondsAfterCreation limits the lifetime of a ManagedServiceAccount. + If the ttlSecondsAfterCreation field is set, the ManagedServiceAccount + will be automatically deleted regardless of the ManagedServiceAccount's + status. When the ManagedServiceAccount is deleted, its lifecycle + guarantees (e.g. finalizers) will be honored. If this field is unset, + the ManagedServiceAccount won't be automatically deleted. If this + field is set to zero, the ManagedServiceAccount becomes eligible + for deletion immediately after its creation. In order to use ttlSecondsAfterCreation, + the EphemeralIdentity feature gate must be enabled. exclusiveMinimum: true format: int32 minimum: 0 @@ -53,28 +73,52 @@ spec: - rotation type: object status: - description: ManagedServiceAccountStatus defines the observed state of ManagedServiceAccount + description: ManagedServiceAccountStatus defines the observed state of + ManagedServiceAccount properties: conditions: description: Conditions is the condition list. items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n \ttype FooStatus struct{ \t // Represents the observations + of a foo's current state. \t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\" \t // + +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map + \t // +listMapKey=type \t Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields + \t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating details about the transition. This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -87,7 +131,11 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -104,10 +152,167 @@ spec: format: date-time type: string tokenSecretRef: - description: TokenSecretRef is a reference to the corresponding ServiceAccount's Secret, which stores the CA certficate and token from the managed cluster. + description: TokenSecretRef is a reference to the corresponding ServiceAccount's + Secret, which stores the CA certficate and token from the managed + cluster. properties: lastRefreshTimestamp: - description: LastRefreshTimestamp is the timestamp indicating when the token in the Secret is refreshed. + description: LastRefreshTimestamp is the timestamp indicating + when the token in the Secret is refreshed. + format: date-time + type: string + name: + description: Name is the name of the referenced secret. + type: string + required: + - lastRefreshTimestamp + - name + type: object + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ManagedServiceAccount is the Schema for the managedserviceaccounts + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ManagedServiceAccountSpec defines the desired state of ManagedServiceAccount + properties: + rotation: + description: Rotation is the policy for rotation the credentials. + properties: + enabled: + default: true + description: Enabled prescribes whether the ServiceAccount token + will be rotated from the upstream + type: boolean + validity: + default: 8640h0m0s + description: Validity is the duration for which the signed ServiceAccount + token is valid. + type: string + type: object + ttlSecondsAfterCreation: + description: ttlSecondsAfterCreation limits the lifetime of a ManagedServiceAccount. + If the ttlSecondsAfterCreation field is set, the ManagedServiceAccount + will be automatically deleted regardless of the ManagedServiceAccount's + status. When the ManagedServiceAccount is deleted, its lifecycle + guarantees (e.g. finalizers) will be honored. If this field is unset, + the ManagedServiceAccount won't be automatically deleted. If this + field is set to zero, the ManagedServiceAccount becomes eligible + for deletion immediately after its creation. In order to use ttlSecondsAfterCreation, + the EphemeralIdentity feature gate must be enabled. + exclusiveMinimum: true + format: int32 + minimum: 0 + type: integer + required: + - rotation + type: object + status: + description: ManagedServiceAccountStatus defines the observed state of + ManagedServiceAccount + properties: + conditions: + description: Conditions is the condition list. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n \ttype FooStatus struct{ \t // Represents the observations + of a foo's current state. \t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\" \t // + +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map + \t // +listMapKey=type \t Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields + \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + expirationTimestamp: + description: ExpirationTimestamp is the time when the token will expire. + format: date-time + type: string + tokenSecretRef: + description: TokenSecretRef is a reference to the corresponding ServiceAccount's + Secret, which stores the CA certficate and token from the managed + cluster. + properties: + lastRefreshTimestamp: + description: LastRefreshTimestamp is the timestamp indicating + when the token in the Secret is refreshed. format: date-time type: string name: @@ -123,3 +328,9 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/pkg/controller/gitopscluster/gitopscluster_controller.go b/pkg/controller/gitopscluster/gitopscluster_controller.go index 0534786..76a32b1 100644 --- a/pkg/controller/gitopscluster/gitopscluster_controller.go +++ b/pkg/controller/gitopscluster/gitopscluster_controller.go @@ -45,7 +45,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/dynamic" - authv1alpha1 "open-cluster-management.io/managed-serviceaccount/api/v1alpha1" + authv1beta1 "open-cluster-management.io/managed-serviceaccount/apis/authentication/v1beta1" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller" "sigs.k8s.io/controller-runtime/pkg/handler" @@ -191,7 +191,7 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error { // Watch changes to Managed service account's tokenSecretRef if utils.IsReadyManagedServiceAccount(mgr.GetAPIReader()) { err = c.Watch( - source.Kind(mgr.GetCache(), &authv1alpha1.ManagedServiceAccount{}), + source.Kind(mgr.GetCache(), &authv1beta1.ManagedServiceAccount{}), &handler.EnqueueRequestForObject{}, utils.ManagedServiceAccountPredicateFunc) if err != nil { @@ -1023,7 +1023,7 @@ func (r *ReconcileGitOpsCluster) CreateManagedClusterSecretInArgo(argoNamespace func (r *ReconcileGitOpsCluster) CreateMangedClusterSecretFromManagedServiceAccount(argoNamespace string, managedCluster *spokeclusterv1.ManagedCluster, managedServiceAccountRef string) (*v1.Secret, error) { // Find managedserviceaccount in the managed cluster namespace - account := &authv1alpha1.ManagedServiceAccount{} + account := &authv1beta1.ManagedServiceAccount{} if err := r.Get(context.TODO(), types.NamespacedName{Name: managedServiceAccountRef, Namespace: managedCluster.Name}, account); err != nil { klog.Errorf("failed to get managed service account: %v/%v", managedCluster.Name, managedServiceAccountRef) diff --git a/pkg/controller/gitopscluster/gitopscluster_controller_suite_test.go b/pkg/controller/gitopscluster/gitopscluster_controller_suite_test.go index 569ff29..7d2d01c 100644 --- a/pkg/controller/gitopscluster/gitopscluster_controller_suite_test.go +++ b/pkg/controller/gitopscluster/gitopscluster_controller_suite_test.go @@ -27,7 +27,7 @@ import ( "k8s.io/client-go/rest" spokeClusterV1 "open-cluster-management.io/api/cluster/v1" clusterv1beta1 "open-cluster-management.io/api/cluster/v1beta1" - authv1alpha1 "open-cluster-management.io/managed-serviceaccount/api/v1alpha1" + authv1beta1 "open-cluster-management.io/managed-serviceaccount/apis/authentication/v1beta1" gitopsclusterV1beta1 "open-cluster-management.io/multicloud-integrations/pkg/apis/apps/v1beta1" "sigs.k8s.io/controller-runtime/pkg/envtest" "sigs.k8s.io/controller-runtime/pkg/manager" @@ -48,7 +48,7 @@ func TestMain(m *testing.M) { clusterv1beta1.AddToScheme(scheme.Scheme) gitopsclusterV1beta1.AddToScheme(scheme.Scheme) - authv1alpha1.AddToScheme(scheme.Scheme) + authv1beta1.AddToScheme(scheme.Scheme) var err error if cfg, err = t.Start(); err != nil { diff --git a/pkg/controller/gitopscluster/gitopscluster_controller_test.go b/pkg/controller/gitopscluster/gitopscluster_controller_test.go index e012698..d8976af 100644 --- a/pkg/controller/gitopscluster/gitopscluster_controller_test.go +++ b/pkg/controller/gitopscluster/gitopscluster_controller_test.go @@ -30,7 +30,7 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" clusterv1 "open-cluster-management.io/api/cluster/v1" clusterv1beta1 "open-cluster-management.io/api/cluster/v1beta1" - authv1alpha1 "open-cluster-management.io/managed-serviceaccount/api/v1alpha1" + authv1beta1 "open-cluster-management.io/managed-serviceaccount/apis/authentication/v1beta1" gitopsclusterV1beta1 "open-cluster-management.io/multicloud-integrations/pkg/apis/apps/v1beta1" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/client/fake" @@ -633,12 +633,12 @@ func TestReconcileCreateSecretInOpenshiftGitops(t *testing.T) { g.Expect(c.Create(context.TODO(), msaSecret)).NotTo(gomega.HaveOccurred()) defer c.Delete(context.TODO(), msaSecret) - msa := &authv1alpha1.ManagedServiceAccount{ + msa := &authv1beta1.ManagedServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Name: "managedserviceaccount1", Namespace: managedClusterNamespace1.Name, }, - Spec: authv1alpha1.ManagedServiceAccountSpec{Rotation: authv1alpha1.ManagedServiceAccountRotation{Enabled: false}}, + Spec: authv1beta1.ManagedServiceAccountSpec{Rotation: authv1beta1.ManagedServiceAccountRotation{Enabled: false}}, } g.Expect(c.Create(context.TODO(), msa)).NotTo(gomega.HaveOccurred()) @@ -648,9 +648,9 @@ func TestReconcileCreateSecretInOpenshiftGitops(t *testing.T) { g.Expect(c.Get(context.TODO(), client.ObjectKeyFromObject(msa), msa)).NotTo(gomega.HaveOccurred()) - tokenRef := authv1alpha1.SecretRef{Name: msaSecret.Name, LastRefreshTimestamp: metav1.Now()} + tokenRef := authv1beta1.SecretRef{Name: msaSecret.Name, LastRefreshTimestamp: metav1.Now()} etime := metav1.NewTime(time.Now().Add(30 * time.Second)) - msa.Status = authv1alpha1.ManagedServiceAccountStatus{ + msa.Status = authv1beta1.ManagedServiceAccountStatus{ TokenSecretRef: &tokenRef, ExpirationTimestamp: &etime, } @@ -1045,12 +1045,12 @@ func TestCreateMangedClusterSecretFromManagedServiceAccount(t *testing.T) { mgrStopped.Wait() }() - msa := &authv1alpha1.ManagedServiceAccount{ + msa := &authv1beta1.ManagedServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Name: "managedserviceaccount1", Namespace: managedClusterNamespace1.Name, }, - Spec: authv1alpha1.ManagedServiceAccountSpec{Rotation: authv1alpha1.ManagedServiceAccountRotation{Enabled: false}}, + Spec: authv1beta1.ManagedServiceAccountSpec{Rotation: authv1beta1.ManagedServiceAccountRotation{Enabled: false}}, } msaSecret := &corev1.Secret{ @@ -1111,9 +1111,9 @@ func TestCreateMangedClusterSecretFromManagedServiceAccount(t *testing.T) { // Has tokenSecretRef g.Expect(c.Get(context.TODO(), client.ObjectKeyFromObject(msa), msa)).NotTo(gomega.HaveOccurred()) - tokenRef := authv1alpha1.SecretRef{Name: msaSecret.Name, LastRefreshTimestamp: metav1.Now()} + tokenRef := authv1beta1.SecretRef{Name: msaSecret.Name, LastRefreshTimestamp: metav1.Now()} etime := metav1.NewTime(time.Now().Add(30 * time.Second)) - msa.Status = authv1alpha1.ManagedServiceAccountStatus{ + msa.Status = authv1beta1.ManagedServiceAccountStatus{ TokenSecretRef: &tokenRef, ExpirationTimestamp: &etime, } @@ -1133,8 +1133,8 @@ func TestCreateMangedClusterSecretFromManagedServiceAccount(t *testing.T) { // Update MSA to a different secret token g.Expect(c.Create(context.TODO(), msaSecret2)).NotTo(gomega.HaveOccurred()) - tokenRef = authv1alpha1.SecretRef{Name: msaSecret2.Name, LastRefreshTimestamp: metav1.Now()} - msa.Status = authv1alpha1.ManagedServiceAccountStatus{ + tokenRef = authv1beta1.SecretRef{Name: msaSecret2.Name, LastRefreshTimestamp: metav1.Now()} + msa.Status = authv1beta1.ManagedServiceAccountStatus{ TokenSecretRef: &tokenRef, ExpirationTimestamp: &etime, } diff --git a/pkg/utils/cluster.go b/pkg/utils/cluster.go index 2a32434..64e5c8f 100644 --- a/pkg/utils/cluster.go +++ b/pkg/utils/cluster.go @@ -30,7 +30,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" spokeClusterV1 "open-cluster-management.io/api/cluster/v1" clusterv1beta1 "open-cluster-management.io/api/cluster/v1beta1" - authv1alpha1 "open-cluster-management.io/managed-serviceaccount/api/v1alpha1" + authv1beta1 "open-cluster-management.io/managed-serviceaccount/apis/authentication/v1beta1" gitopsclusterV1beta1 "open-cluster-management.io/multicloud-integrations/pkg/apis/apps/v1beta1" "sigs.k8s.io/controller-runtime/pkg/event" "sigs.k8s.io/controller-runtime/pkg/predicate" @@ -333,8 +333,8 @@ var ArgocdServerPredicateFunc = predicate.Funcs{ var ManagedServiceAccountPredicateFunc = predicate.Funcs{ UpdateFunc: func(e event.UpdateEvent) bool { - oldmsa := e.ObjectOld.(*authv1alpha1.ManagedServiceAccount) - newmsa := e.ObjectNew.(*authv1alpha1.ManagedServiceAccount) + oldmsa := e.ObjectOld.(*authv1beta1.ManagedServiceAccount) + newmsa := e.ObjectNew.(*authv1beta1.ManagedServiceAccount) secretUpdated := !reflect.DeepEqual(oldmsa.Status.TokenSecretRef, newmsa.Status.TokenSecretRef) @@ -343,7 +343,7 @@ var ManagedServiceAccountPredicateFunc = predicate.Funcs{ return secretUpdated }, CreateFunc: func(e event.CreateEvent) bool { - msa := e.Object.(*authv1alpha1.ManagedServiceAccount) + msa := e.Object.(*authv1beta1.ManagedServiceAccount) if msa.Status.TokenSecretRef != nil { return true @@ -354,7 +354,7 @@ var ManagedServiceAccountPredicateFunc = predicate.Funcs{ return false }, DeleteFunc: func(e event.DeleteEvent) bool { - msa := e.Object.(*authv1alpha1.ManagedServiceAccount) + msa := e.Object.(*authv1beta1.ManagedServiceAccount) if msa.Status.TokenSecretRef != nil { return true diff --git a/pkg/utils/placement.go b/pkg/utils/placement.go index def598c..df39016 100644 --- a/pkg/utils/placement.go +++ b/pkg/utils/placement.go @@ -22,7 +22,7 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/klog" spokeClusterV1 "open-cluster-management.io/api/cluster/v1" - authv1alpha1 "open-cluster-management.io/managed-serviceaccount/api/v1alpha1" + authv1beta1 "open-cluster-management.io/managed-serviceaccount/apis/authentication/v1beta1" "sigs.k8s.io/controller-runtime/pkg/client" ) @@ -60,7 +60,7 @@ func DetectClusterRegistry(ctx context.Context, clReader client.Reader) { // IsReadyManagedServiceAccount check if managedServiceAccount API is ready or not. func IsReadyManagedServiceAccount(clReader client.Reader) bool { - managedList := &authv1alpha1.ManagedServiceAccountList{} + managedList := &authv1beta1.ManagedServiceAccountList{} listopts := &client.ListOptions{} @@ -86,6 +86,6 @@ func DetectManagedServiceAccount(ctx context.Context, clReader client.Reader) { if IsReadyManagedServiceAccount(clReader) { os.Exit(1) } - }, time.Duration(10)*time.Second) + }, time.Duration(300)*time.Second) } } diff --git a/pkg/utils/placement_test.go b/pkg/utils/placement_test.go index 9aa2cc3..12c1a86 100644 --- a/pkg/utils/placement_test.go +++ b/pkg/utils/placement_test.go @@ -25,7 +25,7 @@ import ( "github.com/onsi/gomega" "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" - authv1alpha1 "open-cluster-management.io/managed-serviceaccount/api/v1alpha1" + authv1beta1 "open-cluster-management.io/managed-serviceaccount/apis/authentication/v1beta1" "sigs.k8s.io/controller-runtime/pkg/envtest" "sigs.k8s.io/controller-runtime/pkg/manager" ) @@ -87,7 +87,7 @@ func TestIsReadyManagedServiceAccount(t *testing.T) { g.Expect(ret).To(gomega.BeFalse()) // Add CRD to scheme. - authv1alpha1.SchemeBuilder.AddToScheme(scheme.Scheme) + authv1beta1.SchemeBuilder.AddToScheme(scheme.Scheme) mgr2, err := manager.New(cfgSub, manager.Options{MetricsBindAddress: "0"}) g.Expect(err).NotTo(gomega.HaveOccurred())