Service account reconciliation in connect cluster #3187
Conversation
ranatrk
force-pushed
the
cluster-connection-config
branch
from
83b8224 to
3a5afc4
Compare
pkg/cluster/connector/driver.go
Outdated
pkg/cluster/connector/config.go
Outdated
| "k8s.io/client-go/tools/clientcmd" | ||
| ) | ||
|
|
||
| // ConnectCluster will ensure that the cluster referenced by newContext can be |
There was a problem hiding this comment.
We can remove this?
And let's add a Doc comment for ConfigForContext?
| t.Fatal(err) | ||
| } | ||
|
|
||
| if restCfg.Host != "https://cluster2.example.com" { |
There was a problem hiding this comment.
We could also check the other fields in the created config?
| // ReconcileServiceAccount accepts a client and the name for a service account. | ||
| // A new Service account is created, if one with same name exists that will be used | ||
| // A new cluster role and cluster role binding are created, if already existing those will be used | ||
| func ReconcileServiceAccount(ctx context.Context, client kubernetes.Interface, serviceAccountName string) ([]byte, error) { |
There was a problem hiding this comment.
We should indicate what it returns ?
| return nil | ||
| } | ||
| for _, resource := range resources { | ||
| switch reflect.TypeOf(resource) { |
There was a problem hiding this comment.
You could use a Go type switch here?
This would simplify the code a fair bit?
| // Add resources of different types to the client based on the type of the resource | ||
| // Valid resources: v1.ServiceAccount, rbacv1.ClusterRole, rbacv1.ClusterRoleBinding, v1.Secret | ||
| func addFakeResources(client kubernetes.Interface, resources []runtime.Object) error { | ||
| if resources == nil { |
There was a problem hiding this comment.
Probably don't need to do this?
| switch reflect.TypeOf(resource) { | ||
|
|
||
| case reflect.TypeOf(&v1.ServiceAccount{}): | ||
| _, err := client.CoreV1().ServiceAccounts(corev1.NamespaceDefault).Create(context.Background(), resource.(*v1.ServiceAccount), metav1.CreateOptions{}) |
There was a problem hiding this comment.
If you pass in a *testing.T you could just fail the test here in the event of error?
|
|
||
| } | ||
|
|
||
| } |
There was a problem hiding this comment.
Passing in a *testing.T would have another benefit, you could fail if you get an unknown type :-)
| return nil | ||
| } | ||
|
|
||
| func addFakeServiceAccounts(client kubernetes.Interface, serviceAccounts []string) error { |
There was a problem hiding this comment.
See above and https://speakerdeck.com/mitchellh/advanced-testing-with-go?slide=28 is a great talk well worth watching https://www.youtube.com/watch?v=8hQG7QlcLBk
ranatrk
force-pushed
the
cluster-connection-config
branch
2 times, most recently
from
2a6a446 to
9bcf9ad
Compare
| "k8s.io/client-go/kubernetes" | ||
| ) | ||
|
|
||
| type ClusterConnectionOptions struct { |
There was a problem hiding this comment.
Let's add a go doc for this, it's exported?
https://github.com/golang/go/wiki/CodeReviewComments#doc-comments
| t.Errorf("error adding resources: %v", err) | ||
| } | ||
| default: | ||
| t.Error("invalid resource type") |
There was a problem hiding this comment.
how about t.Fatalf("invalid resource type %s", resource)
This can be fatal, because it's during the setup, so if the setup fails, the tests likely would anyway, for unrelated reasons.
| // ReconcileServiceAccount accepts a client and the name for a service account. | ||
| // A new Service account is created, if one with same name exists that will be used | ||
| // A new cluster role and cluster role binding are created, if already existing those will be used | ||
| // returns the token of the secret created for the service account |
There was a problem hiding this comment.
Nit pick here, I would move this to the top of the file, so that it's the first function you see, the rest are fairly unimportant, so it makes it easier to pick up.
But this is very much a personal preference.
Add test cases for existing service account, cluster role, and cluster role binding Add helper function in test to add resources to client based on the type of the resource Add logs when existing resources found in reconcile service account instead of creating new ones Move functionality from service account test to service account
Add test case for failing ConfigForContext Delete driver file Add ClusterConnectionOptions struct Simplify ReconcileServiceAccount to extract resource creation to different helper functions Cleanup service account tests Move artificially populating secret token to helper function in test
ranatrk
force-pushed
the
cluster-connection-config
branch
from
74d0b67 to
eb91c05
Compare
ranatrk
force-pushed
the
cluster-connection-config
branch
from
eb91c05 to
7ba19b9
Compare
#3086
What changed?
Why was this change made?
Create the resources required (Service account, Cluster Role, Cluster Role Binding, Secret) to be able to access the intended cluster from the management cluster
How was this change implemented?
New package was created that includes the reconciliation process and checks
How did you validate the change?
kubectlthe generated resources can be verified to exist correctly.Cluster role: test-service-account-cluster-role
Cluster role binding: test-service-account-cluster-role-binding
Secret: test-service-account-token
there tests that fail without the change?
Release notes
Documentation Changes
Other follow ups