Migrate segment jobs and securesign resources

securesign · Feb 6, 2025 · b0781e0 · b0781e0
1 parent f1a77ef
commit b0781e0
Show file tree

Hide file tree

Showing 30 changed files with 404 additions and 1,081 deletions.
diff --git a/internal/controller/annotations/annotations.go b/internal/controller/annotations/annotations.go
@@ -110,18 +110,6 @@ const (
 	TLS = "service.beta.openshift.io/serving-cert-secret-name"
 )
 
-var inheritable = []string{
+var InheritableAnnotations = []string{
 	TrustedCA, LogType,
 }
-
-func FilterInheritable(annotations map[string]string) map[string]string {
-	result := make(map[string]string, 0)
-	for key, value := range annotations {
-		for _, ia := range inheritable {
-			if key == ia {
-				result[key] = value
-			}
-		}
-	}
-	return result
-}
diff --git a/internal/controller/annotations/annotations_test.go b/internal/controller/annotations/annotations_test.go
diff --git a/internal/controller/common/action/base_action.go b/internal/controller/common/action/base_action.go
@@ -3,24 +3,13 @@ package action
 import (
 	"context"
 	"errors"
-	"fmt"
-	"maps"
-	"reflect"
-	"strconv"
 	"strings"
 	"time"
 
+	"github.com/go-logr/logr"
 	"github.com/securesign/operator/internal/apis"
-	"github.com/securesign/operator/internal/controller/annotations"
 	"github.com/securesign/operator/internal/controller/constants"
-	"k8s.io/apimachinery/pkg/api/equality"
-	apiErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/util/retry"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-
-	"github.com/go-logr/logr"
-	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	client2 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -30,8 +19,6 @@ import (
 // OptimisticLockErrorMsg - ignore update error: https://github.com/kubernetes/kubernetes/issues/28149
 const OptimisticLockErrorMsg = "the object has been modified; please apply your changes to the latest version and try again"
 
-type EnsureOption func(current client.Object, expected client.Object) error
-
 type BaseAction struct {
 	Client   client.Client
 	Recorder record.EventRecorder
@@ -126,203 +113,3 @@ func (action *BaseAction) Requeue() *Result {
 		Err:    nil,
 	}
 }
-
-// Deprecated: Use kubernetes.CreateOrUpdate function
-func (action *BaseAction) Ensure(ctx context.Context, obj client2.Object, opts ...EnsureOption) (bool, error) {
-	var (
-		expected client2.Object
-		ok       bool
-		result   controllerutil.OperationResult
-	)
-
-	if len(opts) == 0 {
-		opts = []EnsureOption{
-			EnsureSpec(),
-		}
-	}
-
-	if expected, ok = obj.DeepCopyObject().(client2.Object); !ok {
-		return false, errors.New("can't create DeepCopy object")
-	}
-
-	err := retry.OnError(retry.DefaultRetry, func(err error) bool {
-		return apiErrors.IsConflict(err) || apiErrors.IsAlreadyExists(err)
-	}, func() error {
-		var createUpdateError error
-		result, createUpdateError = controllerutil.CreateOrUpdate(ctx, action.Client, obj, func() error {
-			annoStr, find := obj.GetAnnotations()[annotations.PausedReconciliation]
-			if find {
-				annoBool, _ := strconv.ParseBool(annoStr)
-				if annoBool {
-					return nil
-				}
-			}
-
-			for _, opt := range opts {
-				optError := opt(obj, expected)
-				if optError != nil {
-					return optError
-				}
-			}
-
-			return nil
-		})
-		return createUpdateError
-	})
-
-	if err != nil {
-		return false, err
-	}
-
-	return result != controllerutil.OperationResultNone, nil
-}
-
-func EnsureSpec() EnsureOption {
-	return func(current client.Object, expected client.Object) error {
-		currentSpec := reflect.ValueOf(current).Elem().FieldByName("Spec")
-		expectedSpec := reflect.ValueOf(expected).Elem().FieldByName("Spec")
-		if currentSpec == reflect.ValueOf(nil) {
-			// object without spec
-			// return without update
-			return nil
-		}
-		if !expectedSpec.IsValid() || !currentSpec.IsValid() {
-			return errors.New("spec is not valid")
-		}
-		if !currentSpec.CanSet() {
-			return errors.New("can't set expected spec to current object")
-		}
-
-		// WORKAROUND: CreateOrUpdate uses DeepEqual to compare
-		// DeepEqual does not honor default values
-		if !equality.Semantic.DeepDerivative(expectedSpec.Interface(), currentSpec.Interface()) {
-			currentSpec.Set(expectedSpec)
-		}
-		return nil
-	}
-}
-
-func EnsureRouteSelectorLabels(managedLabels ...string) EnsureOption {
-	return func(current client.Object, expected client.Object) error {
-		if current == nil || expected == nil {
-			return fmt.Errorf("nil object passed")
-		}
-
-		currentSpec := reflect.ValueOf(current).Elem().FieldByName("Spec")
-		expectedSpec := reflect.ValueOf(expected).Elem().FieldByName("Spec")
-		if !currentSpec.IsValid() || !expectedSpec.IsValid() {
-			return nil
-		}
-
-		//Current workaround for DeepEqual vs DeepDerivative, more info here https://issues.redhat.com/browse/SECURESIGN-1393
-		currentRouteSelectorLabels, expectedRouteSelectorLabels := getRouteSelectorLabels(currentSpec, expectedSpec)
-		if currentRouteSelectorLabels.CanSet() &&
-			!equality.Semantic.DeepEqual(currentRouteSelectorLabels.Interface(), expectedRouteSelectorLabels.Interface()) {
-			currentRouteSelectorLabels.Set(expectedRouteSelectorLabels)
-		}
-
-		gvk := current.GetObjectKind().GroupVersionKind()
-		if gvk.Kind == "Ingress" || gvk.Kind == "Route" {
-			if !reflect.DeepEqual(current.GetLabels(), expected.GetLabels()) {
-				if err := EnsureLabels(managedLabels...)(current, expected); err != nil {
-					return err
-				}
-			}
-		}
-		return nil
-	}
-}
-
-func EnsureLabels(managedLabels ...string) EnsureOption {
-	return func(current client.Object, expected client.Object) error {
-		expectedLabels := expected.GetLabels()
-		if expectedLabels == nil {
-			expectedLabels = map[string]string{}
-		}
-		currentLabels := current.GetLabels()
-		if currentLabels == nil {
-			currentLabels = map[string]string{}
-		}
-		mergedLabels := make(map[string]string)
-		maps.Copy(mergedLabels, currentLabels)
-
-		maps.DeleteFunc(mergedLabels, func(k, v string) bool {
-			_, existsInExpected := expectedLabels[k]
-			return !existsInExpected
-		})
-
-		for _, managedLabel := range managedLabels {
-			if val, exists := expectedLabels[managedLabel]; exists {
-				mergedLabels[managedLabel] = val
-			}
-		}
-		current.SetLabels(mergedLabels)
-		return nil
-	}
-}
-
-func EnsureAnnotations(managedAnnotations ...string) EnsureOption {
-	return func(current client.Object, expected client.Object) error {
-		expectedAnno := expected.GetAnnotations()
-		if expectedAnno == nil {
-			expectedAnno = map[string]string{}
-		}
-		currentAnno := current.GetAnnotations()
-		if currentAnno == nil {
-			currentAnno = map[string]string{}
-		}
-		mergedAnnotations := make(map[string]string)
-		maps.Copy(mergedAnnotations, currentAnno)
-
-		for _, managedAnno := range managedAnnotations {
-			if val, exists := expectedAnno[managedAnno]; exists {
-				mergedAnnotations[managedAnno] = val
-			} else {
-				delete(mergedAnnotations, managedAnno)
-			}
-		}
-		current.SetAnnotations(mergedAnnotations)
-		return nil
-	}
-}
-
-func EnsureNTPConfig() EnsureOption {
-	return func(current client.Object, expected client.Object) error {
-		currentTSA, ok1 := current.(*rhtasv1alpha1.TimestampAuthority)
-		expectedTSA, ok2 := expected.(*rhtasv1alpha1.TimestampAuthority)
-		if !ok1 || !ok2 {
-			return fmt.Errorf("EnsureNTPConfig: objects are not of type *rhtasv1alpha1.TimestampAuthority")
-		}
-		currentTSA.Spec.NTPMonitoring = expectedTSA.Spec.NTPMonitoring
-		return nil
-	}
-}
-
-func getRouteSelectorLabels(currentSpec, expectedSpec reflect.Value) (reflect.Value, reflect.Value) {
-	var currentRouteSelectorLabels, expectedRouteSelectorLabels reflect.Value
-	getRouteSelectorLabels := func(spec reflect.Value, fieldName string) reflect.Value {
-		if field := spec.FieldByName(fieldName); field.IsValid() {
-			if routeSelectorLabels := field.FieldByName("RouteSelectorLabels"); routeSelectorLabels.IsValid() {
-				return routeSelectorLabels
-			}
-		}
-		return reflect.Value{}
-	}
-
-	// Handle Rekor and rekor search ui
-	currentRekorLabels := getRouteSelectorLabels(currentSpec, "RekorSearchUI")
-	expectedRekorLabels := getRouteSelectorLabels(expectedSpec, "RekorSearchUI")
-	if currentRekorLabels.IsValid() && expectedRekorLabels.IsValid() {
-		if !equality.Semantic.DeepEqual(currentRekorLabels.Interface(), expectedRekorLabels.Interface()) {
-			currentRouteSelectorLabels = currentRekorLabels
-			expectedRouteSelectorLabels = expectedRekorLabels
-		}
-	}
-
-	//Handle the rest
-	if !currentRouteSelectorLabels.IsValid() && !expectedRouteSelectorLabels.IsValid() {
-		currentRouteSelectorLabels = getRouteSelectorLabels(currentSpec, "ExternalAccess")
-		expectedRouteSelectorLabels = getRouteSelectorLabels(expectedSpec, "ExternalAccess")
-	}
-	return currentRouteSelectorLabels, expectedRouteSelectorLabels
-}
diff --git a/internal/controller/common/utils/kubernetes/ensure/deployment.go b/internal/controller/common/utils/kubernetes/ensure/deployment.go
@@ -4,7 +4,6 @@ import (
 	"slices"
 
 	"github.com/securesign/operator/api/v1alpha1"
-	"github.com/securesign/operator/internal/controller/common/utils"
 	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
 	v1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -23,15 +22,14 @@ const (
 
 func Proxy() func(*v1.Deployment) error {
 	return func(dp *v1.Deployment) error {
-		utils.SetProxyEnvs(dp)
+		SetProxyEnvs(dp.Spec.Template.Spec.Containers)
 		return nil
 	}
 }
 
 // TrustedCA mount config map with trusted CA bundle to all deployment's containers.
 func TrustedCA(lor *v1alpha1.LocalObjectReference) func(dp *v1.Deployment) error {
 	return func(dp *v1.Deployment) error {
-
 		template := &dp.Spec.Template
 		for i := range template.Spec.Containers {
 			env := kubernetes.FindEnvByNameOrCreate(&template.Spec.Containers[i], "SSL_CERT_DIR")

diff --git a/internal/controller/common/utils/kubernetes/ensure/deployment_test.go b/internal/controller/common/utils/kubernetes/ensure/deployment_test.go
@@ -7,7 +7,6 @@ import (
 	"github.com/onsi/gomega"
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/annotations"
-	"github.com/securesign/operator/internal/controller/common/utils"
 	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
 	testAction "github.com/securesign/operator/internal/testing/action"
 	v1 "k8s.io/api/apps/v1"
@@ -41,7 +40,7 @@ func TestEnsureTrustedCAFromAnnotations(t *testing.T) {
 
 		result, err := kubernetes.CreateOrUpdate(ctx, c,
 			&v1.Deployment{ObjectMeta: v2.ObjectMeta{Name: name, Namespace: "default"}},
-			TrustedCA(utils.TrustedCAAnnotationToReference(map[string]string{annotations.TrustedCA: "test"})),
+			TrustedCA(TrustedCAAnnotationToReference(map[string]string{annotations.TrustedCA: "test"})),
 		)
 		gomega.Expect(err).ToNot(gomega.HaveOccurred())