djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Finish WIP from previous commits: agent pods created in install namespace

Browse Source
This commit is contained in:
Ryan Richard 2020-09-21 17:15:36 -07:00
parent 820f1e977e
commit 526be79b11
7 changed files with 42 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
internal/controller/kubecertagent/annotater.go
View File

@ -70,7 +70,7 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
agentSelector := labels.SelectorFromSet(c.agentInfo.Template.Labels) agentSelector := labels.SelectorFromSet(c.agentInfo.Template.Labels)
agentPods, err := c.agentPodInformer. agentPods, err := c.agentPodInformer.
Lister(). Lister().
Pods(ControllerManagerNamespace). Pods(c.agentInfo.Template.Namespace).
List(agentSelector) List(agentSelector)
if err != nil { if err != nil {
return fmt.Errorf("informer cannot list agent pods: %w", err) return fmt.Errorf("informer cannot list agent pods: %w", err)
@ -91,6 +91,7 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
if err := c.maybeUpdateAgentPod( if err := c.maybeUpdateAgentPod(
ctx.Context, ctx.Context,
agentPod.Name, agentPod.Name,
agentPod.Namespace,
certPath, certPath,
certPathOK, certPathOK,
keyPath, keyPath,
@ -106,13 +107,14 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
func (c *annotaterController) maybeUpdateAgentPod( func (c *annotaterController) maybeUpdateAgentPod(
ctx context.Context, ctx context.Context,
name string, name string,
namespace string,
certPath string, certPath string,
certPathOK bool, certPathOK bool,
keyPath string, keyPath string,
keyPathOK bool, keyPathOK bool,
) error { ) error {
return retry.RetryOnConflict(retry.DefaultRetry, func() error { return retry.RetryOnConflict(retry.DefaultRetry, func() error {
agentPod, err := c.agentPodInformer.Lister().Pods(ControllerManagerNamespace).Get(name) agentPod, err := c.agentPodInformer.Lister().Pods(namespace).Get(name)
if err != nil { if err != nil {
return err return err
} }
@ -166,7 +168,7 @@ func (c *annotaterController) reallyUpdateAgentPod(
) )
_, err := c.k8sClient. _, err := c.k8sClient.
CoreV1(). CoreV1().
Pods(ControllerManagerNamespace). Pods(agentPod.Namespace).
Update(ctx, updatedAgentPod, metav1.UpdateOptions{}) Update(ctx, updatedAgentPod, metav1.UpdateOptions{})
return err return err
} }

18
internal/controller/kubecertagent/annotater_test.go
View File

@ -50,6 +50,7 @@ func TestAnnotaterControllerFilter(t *testing.T) {
func TestAnnotaterControllerSync(t *testing.T) { func TestAnnotaterControllerSync(t *testing.T) {
spec.Run(t, "AnnotaterControllerSync", func(t *testing.T, when spec.G, it spec.S) { spec.Run(t, "AnnotaterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
const kubeSystemNamespace = "kube-system" const kubeSystemNamespace = "kube-system"
const agentPodNamespace = "agent-pod-namespace"
const ( const (
certPath = "some-cert-path" certPath = "some-cert-path"
@ -73,7 +74,8 @@ func TestAnnotaterControllerSync(t *testing.T) {
agentPodTemplate := &corev1.Pod{ agentPodTemplate := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "some-agent-name-", Name: "some-agent-name-",
Namespace: agentPodNamespace,
Labels: map[string]string{ Labels: map[string]string{
"some-label-key": "some-label-value", "some-label-key": "some-label-value",
}, },
@ -134,7 +136,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
// fnv 32a hash of controller-manager uid // fnv 32a hash of controller-manager uid
controllerManagerPodHash := "fbb0addd" controllerManagerPodHash := "fbb0addd"
agentPod := agentPodTemplate.DeepCopy() agentPod := agentPodTemplate.DeepCopy()
agentPod.Namespace = kubeSystemNamespace agentPod.Namespace = agentPodNamespace
agentPod.Name += controllerManagerPodHash agentPod.Name += controllerManagerPodHash
agentPod.Annotations = map[string]string{ agentPod.Annotations = map[string]string{
"kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name, "kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name,
@ -235,7 +237,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewUpdateAction( coretesting.NewUpdateAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
updatedAgentPod, updatedAgentPod,
), ),
}, },
@ -267,7 +269,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewUpdateAction( coretesting.NewUpdateAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
updatedAgentPod, updatedAgentPod,
), ),
}, },
@ -318,7 +320,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewUpdateAction( coretesting.NewUpdateAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
updatedAgentPod, updatedAgentPod,
), ),
}, },
@ -348,7 +350,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewUpdateAction( coretesting.NewUpdateAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
updatedAgentPod, updatedAgentPod,
), ),
}, },
@ -442,7 +444,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewUpdateAction( coretesting.NewUpdateAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
updatedAgentPod, updatedAgentPod,
), ),
}, },
@ -476,7 +478,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewUpdateAction( coretesting.NewUpdateAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
updatedAgentPod, updatedAgentPod,
), ),
}, },

8
internal/controller/kubecertagent/creater_test.go
View File

@ -50,6 +50,7 @@ func TestCreaterControllerFilter(t *testing.T) {
func TestCreaterControllerSync(t *testing.T) { func TestCreaterControllerSync(t *testing.T) {
spec.Run(t, "CreaterControllerSync", func(t *testing.T, when spec.G, it spec.S) { spec.Run(t, "CreaterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
const kubeSystemNamespace = "kube-system" const kubeSystemNamespace = "kube-system"
const agentPodNamespace = "agent-pod-namespace"
var r *require.Assertions var r *require.Assertions
@ -65,7 +66,7 @@ func TestCreaterControllerSync(t *testing.T) {
agentPodTemplate := &corev1.Pod{ agentPodTemplate := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "some-agent-namespace", Namespace: agentPodNamespace,
Name: "some-agent-name-", Name: "some-agent-name-",
Labels: map[string]string{ Labels: map[string]string{
"some-label-key": "some-label-value", "some-label-key": "some-label-value",
@ -123,6 +124,7 @@ func TestCreaterControllerSync(t *testing.T) {
controllerManagerPodHash := "fbb0addd" controllerManagerPodHash := "fbb0addd"
agentPod := agentPodTemplate.DeepCopy() agentPod := agentPodTemplate.DeepCopy()
agentPod.Name += controllerManagerPodHash agentPod.Name += controllerManagerPodHash
agentPod.Namespace = agentPodNamespace
agentPod.Annotations = map[string]string{ agentPod.Annotations = map[string]string{
"kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name, "kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name,
"kube-cert-agent.pinniped.dev/controller-manager-uid": string(controllerManagerPod.UID), "kube-cert-agent.pinniped.dev/controller-manager-uid": string(controllerManagerPod.UID),
@ -247,7 +249,7 @@ func TestCreaterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewCreateAction( coretesting.NewCreateAction(
podsGVR, podsGVR,
agentPod.Namespace, agentPodNamespace,
agentPod, agentPod,
), ),
}, },
@ -266,7 +268,7 @@ func TestCreaterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewCreateAction( coretesting.NewCreateAction(
podsGVR, podsGVR,
agentPod.Namespace, agentPodNamespace,
agentPod, agentPod,
), ),
}, },

4
internal/controller/kubecertagent/deleter.go
View File

@ -64,7 +64,7 @@ func (c *deleterController) Sync(ctx controllerlib.Context) error {
agentSelector := labels.SelectorFromSet(c.agentInfo.Template.Labels) agentSelector := labels.SelectorFromSet(c.agentInfo.Template.Labels)
agentPods, err := c.agentPodInformer. agentPods, err := c.agentPodInformer.
Lister(). Lister().
Pods(ControllerManagerNamespace). Pods(c.agentInfo.Template.Namespace).
List(agentSelector) List(agentSelector)
if err != nil { if err != nil {
return fmt.Errorf("informer cannot list agent pods: %w", err) return fmt.Errorf("informer cannot list agent pods: %w", err)
@ -80,7 +80,7 @@ func (c *deleterController) Sync(ctx controllerlib.Context) error {
klog.InfoS("deleting agent pod", "pod", klog.KObj(agentPod)) klog.InfoS("deleting agent pod", "pod", klog.KObj(agentPod))
err := c.k8sClient. err := c.k8sClient.
CoreV1(). CoreV1().
Pods(ControllerManagerNamespace). Pods(agentPod.Namespace).
Delete(ctx.Context, agentPod.Name, metav1.DeleteOptions{}) Delete(ctx.Context, agentPod.Name, metav1.DeleteOptions{})
if err != nil { if err != nil {
return fmt.Errorf("cannot delete agent pod: %w", err) return fmt.Errorf("cannot delete agent pod: %w", err)

26
internal/controller/kubecertagent/deleter_test.go
View File

@ -50,6 +50,7 @@ func TestDeleterControllerFilter(t *testing.T) {
func TestDeleterControllerSync(t *testing.T) { func TestDeleterControllerSync(t *testing.T) {
spec.Run(t, "DeleterControllerSync", func(t *testing.T, when spec.G, it spec.S) { spec.Run(t, "DeleterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
const kubeSystemNamespace = "kube-system" const kubeSystemNamespace = "kube-system"
const agentPodNamespace = "agent-pod-namespace"
var r *require.Assertions var r *require.Assertions
@ -65,7 +66,8 @@ func TestDeleterControllerSync(t *testing.T) {
agentPodTemplate := &corev1.Pod{ agentPodTemplate := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "some-agent-name-", Name: "some-agent-name-",
Namespace: agentPodNamespace,
Labels: map[string]string{ Labels: map[string]string{
"some-label-key": "some-label-value", "some-label-key": "some-label-value",
}, },
@ -127,7 +129,7 @@ func TestDeleterControllerSync(t *testing.T) {
// fnv 32a hash of controller-manager uid // fnv 32a hash of controller-manager uid
controllerManagerPodHash := "fbb0addd" controllerManagerPodHash := "fbb0addd"
agentPod := agentPodTemplate.DeepCopy() agentPod := agentPodTemplate.DeepCopy()
agentPod.Namespace = kubeSystemNamespace agentPod.Namespace = agentPodNamespace
agentPod.Name += controllerManagerPodHash agentPod.Name += controllerManagerPodHash
agentPod.Annotations = map[string]string{ agentPod.Annotations = map[string]string{
"kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name, "kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name,
@ -236,7 +238,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewDeleteAction( coretesting.NewDeleteAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
agentPod.Name, agentPod.Name,
), ),
}, },
@ -261,7 +263,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewDeleteAction( coretesting.NewDeleteAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
agentPod.Name, agentPod.Name,
), ),
}, },
@ -290,7 +292,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewDeleteAction( coretesting.NewDeleteAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
agentPod.Name, agentPod.Name,
), ),
}, },
@ -319,7 +321,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewDeleteAction( coretesting.NewDeleteAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
agentPod.Name, agentPod.Name,
), ),
}, },
@ -346,7 +348,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewDeleteAction( coretesting.NewDeleteAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
agentPod.Name, agentPod.Name,
), ),
}, },
@ -371,7 +373,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewDeleteAction( coretesting.NewDeleteAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
agentPod.Name, agentPod.Name,
), ),
}, },
@ -400,7 +402,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewDeleteAction( coretesting.NewDeleteAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
agentPod.Name, agentPod.Name,
), ),
}, },
@ -426,7 +428,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewDeleteAction( coretesting.NewDeleteAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
agentPod.Name, agentPod.Name,
), ),
}, },
@ -451,7 +453,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewDeleteAction( coretesting.NewDeleteAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
agentPod.Name, agentPod.Name,
), ),
}, },
@ -470,7 +472,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{ []coretesting.Action{
coretesting.NewDeleteAction( coretesting.NewDeleteAction(
podsGVR, podsGVR,
kubeSystemNamespace, agentPodNamespace,
agentPod.Name, agentPod.Name,
), ),
}, },

4
internal/controller/kubecertagent/kubecertagent.go
View File

@ -146,7 +146,7 @@ func isAgentPodUpToDate(actualAgentPod, expectedAgentPod *corev1.Pod) bool {
func findControllerManagerPodForSpecificAgentPod( func findControllerManagerPodForSpecificAgentPod(
agentPod *corev1.Pod, agentPod *corev1.Pod,
informer corev1informers.PodInformer, kubeSystemPodInformer corev1informers.PodInformer,
) (*corev1.Pod, error) { ) (*corev1.Pod, error) {
name, ok := agentPod.Annotations[controllerManagerNameAnnotationKey] name, ok := agentPod.Annotations[controllerManagerNameAnnotationKey]
if !ok { if !ok {
@ -160,7 +160,7 @@ func findControllerManagerPodForSpecificAgentPod(
return nil, nil return nil, nil
} }
maybeControllerManagerPod, err := informer. maybeControllerManagerPod, err := kubeSystemPodInformer.
Lister(). Lister().
Pods(ControllerManagerNamespace). Pods(ControllerManagerNamespace).
Get(name) Get(name)

6
internal/server/server.go
View File

@ -133,6 +133,7 @@ func (a *App) runServer(ctx context.Context) error {
// Load the Kubernetes cluster signing CA. // Load the Kubernetes cluster signing CA.
kubeCertAgentTemplate, kubeCertAgentLabelSelector := createKubeCertAgentTemplate( kubeCertAgentTemplate, kubeCertAgentLabelSelector := createKubeCertAgentTemplate(
&cfg.KubeCertAgentConfig, &cfg.KubeCertAgentConfig,
serverInstallationNamespace,
) )
k8sClusterCA, shutdownCA, err := getClusterCASigner( k8sClusterCA, shutdownCA, err := getClusterCASigner(
ctx, ctx,
@ -322,11 +323,12 @@ func getAggregatedAPIServerConfig(
return apiServerConfig, nil return apiServerConfig, nil
} }
func createKubeCertAgentTemplate(cfg *configapi.KubeCertAgentSpec) (*corev1.Pod, string) { func createKubeCertAgentTemplate(cfg *configapi.KubeCertAgentSpec, serverInstallationNamespace string) (*corev1.Pod, string) {
terminateImmediately := int64(0) terminateImmediately := int64(0)
pod := &corev1.Pod{ pod := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: *cfg.NamePrefix, Name: *cfg.NamePrefix,
Namespace: serverInstallationNamespace, // create the agent pods in the same namespace where Pinniped is installed
Labels: map[string]string{ Labels: map[string]string{
kubeCertAgentLabelKey: "", kubeCertAgentLabelKey: "",
}, },