Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 69f5f4e5ffac12c1d8e45e4cc9dc72868aa3af41^! / . / metropolis / node / kubernetes / reconciler / resources_rbac.go
commit69f5f4e5ffac12c1d8e45e4cc9dc72868aa3af41[log] [tgz]
authorJan Schär <jan@monogon.tech>Wed May 15 10:32:07 2024 +0200
committerJan Schär <jan@monogon.tech>Wed May 15 16:15:25 2024 +0000
treea28c2166fc40b1a2bee20070b4ae6788477ccf1f
parent6bc958326f8bd4f3a1606e8a767d21f12f584e88 [diff] [blame]
m/n/k/reconciler: implement updates

The reconciler now checks if already present object are equal to the 
expected object, and else updates them. If the update fails due to 
immutable fields, the object is instead deleted and recreated.

Also, the reconciler now logs create/update/delete operations.

For the CSI driver, the StorageCapacity and RequiresRepublish were added 
and set to their default value. If we don't do this, the API server will 
add these defaults, and then our update comparison fails. There is also 
a new test which ensures that expected objects have all defaults already 
applied. This test will fail if a Kubernetes upgrade adds new fields 
with default values.

Closes #288.

Change-Id: Ibfb37d07b4613ae1a883ad47715feeda87135820
Reviewed-on: https://review.monogon.dev/c/monogon/+/2893
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>

diff --git a/metropolis/node/kubernetes/reconciler/resources_rbac.go b/metropolis/node/kubernetes/reconciler/resources_rbac.go
index 702ee6b..5ae5246 100644
--- a/metropolis/node/kubernetes/reconciler/resources_rbac.go
+++ b/metropolis/node/kubernetes/reconciler/resources_rbac.go

@@ -56,8 +56,13 @@
 	return err
 }
 
-func (r resourceClusterRoles) Delete(ctx context.Context, name string) error {
-	return r.RbacV1().ClusterRoles().Delete(ctx, name, meta.DeleteOptions{})
+func (r resourceClusterRoles) Update(ctx context.Context, el meta.Object) error {
+	_, err := r.RbacV1().ClusterRoles().Update(ctx, el.(*rbac.ClusterRole), meta.UpdateOptions{})
+	return err
+}
+
+func (r resourceClusterRoles) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
+	return r.RbacV1().ClusterRoles().Delete(ctx, name, opts)
 }
 
 func (r resourceClusterRoles) Expected() []meta.Object {
@@ -84,7 +89,7 @@
 				Name:   clusterRoleCSIProvisioner,
 				Labels: builtinLabels(nil),
 				Annotations: map[string]string{
-					"kubernetes.io/description": "This role grants access to PersistentVolumes, PersistentVolumeClaims and StorageClassses, as used the the CSI provisioner running on nodes.",
+					"kubernetes.io/description": "This role grants access to PersistentVolumes, PersistentVolumeClaims and StorageClassses, as used by the CSI provisioner running on nodes.",
 				},
 			},
 			Rules: []rbac.PolicyRule{
@@ -150,8 +155,13 @@
 	return err
 }
 
-func (r resourceClusterRoleBindings) Delete(ctx context.Context, name string) error {
-	return r.RbacV1().ClusterRoleBindings().Delete(ctx, name, meta.DeleteOptions{})
+func (r resourceClusterRoleBindings) Update(ctx context.Context, el meta.Object) error {
+	_, err := r.RbacV1().ClusterRoleBindings().Update(ctx, el.(*rbac.ClusterRoleBinding), meta.UpdateOptions{})
+	return err
+}
+
+func (r resourceClusterRoleBindings) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
+	return r.RbacV1().ClusterRoleBindings().Delete(ctx, name, opts)
 }
 
 func (r resourceClusterRoleBindings) Expected() []meta.Object {