watch application-manager SA secrets in the customized app addon NS (#…

…397)

Signed-off-by: Xiangjing Li <[email protected]>

pkg/controller/mcmhub/gitrepo_sync_test.go

@@ -105,7 +105,7 @@ func TestGetGitResources(t *testing.T) {
  err = c.Create(context.TODO(), githubchn)
  g.Expect(err).NotTo(gomega.HaveOccurred())
 
- time.Sleep(2 * time.Second)
+ time.Sleep(5 * time.Second)
 
  resources, err := rec.GetGitResources(githubsub, false)
  g.Expect(err).NotTo(gomega.HaveOccurred())

pkg/controller/spoketoken/spoke_toke_controller_test.go

@@ -163,7 +163,7 @@ func TestReconcile(t *testing.T) {
  g.Expect(c.Create(context.TODO(), secret1)).NotTo(gomega.HaveOccurred())
  defer c.Delete(context.TODO(), secret1)
 
- time.Sleep(time.Second * 2)
+ time.Sleep(time.Second * 5)
 
  g.Eventually(requests, timeout).Should(gomega.Receive(gomega.Equal(expectedRequest)))
 

pkg/controller/spoketoken/spoke_token_controller.go

@@ -32,6 +32,7 @@ import (
  "k8s.io/apimachinery/pkg/types"
  "k8s.io/client-go/rest"
  "k8s.io/klog/v2"
+ "open-cluster-management.io/multicloud-operators-subscription/pkg/utils"
  "sigs.k8s.io/controller-runtime/pkg/client"
  "sigs.k8s.io/controller-runtime/pkg/controller"
  "sigs.k8s.io/controller-runtime/pkg/event"
@@ -40,18 +41,19 @@ import (
  "sigs.k8s.io/controller-runtime/pkg/predicate"
  "sigs.k8s.io/controller-runtime/pkg/reconcile"
  "sigs.k8s.io/controller-runtime/pkg/source"
-
- "open-cluster-management.io/multicloud-operators-subscription/pkg/utils"
 )
 
 const (
  secretSuffix = "-cluster-secret"
  requeuAfter = 5
  infrastructureConfigName = "cluster"
- appAddonNS = "open-cluster-management-agent-addon"
  appAddonName = "application-manager"
 )
 
+var (
+ appAddonNS = utils.GetComponentNamespace()
+)
+
 // Add creates a new agent token controller and adds it to the Manager if standalone is false.
 func Add(mgr manager.Manager, hubconfig *rest.Config, syncid *types.NamespacedName, standalone bool) error {
  if !standalone {
@@ -88,15 +90,15 @@ type applicationManagerSecretMapper struct {
 func (mapper *applicationManagerSecretMapper) Map(ctx context.Context, obj client.Object) []reconcile.Request {
  var requests []reconcile.Request
 
- // reconcile open-cluster-management-agent-addon/application-manager SA if its associated secret changes
+ // reconcile App addon application-manager SA if its associated secret changes
  requests = append(requests, reconcile.Request{
  NamespacedName: types.NamespacedName{
  Namespace: appAddonNS,
  Name: appAddonName,
  },
  })
 
- klog.Infof("app addon SA secret changed")
+ klog.Infof("app addon SA secret changed: %v/%v", appAddonNS, appAddonName)
 
  return requests
 }
@@ -110,13 +112,13 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
  return err
  }
 
- // Watch for changes to open-cluster-management-agent-addon/application-manager service account.
+ // Watch for changes to  App Addon application-manager service account.
  err = c.Watch(source.Kind(mgr.GetCache(), &corev1.ServiceAccount{}), &handler.EnqueueRequestForObject{}, utils.ServiceAccountPredicateFunctions)
  if err != nil {
  return err
  }
 
- // watch for changes to the secrets associated to the open-cluster-management-agent-addon/application-manager SA
+ // watch for changes to the secrets associated to the App Addon application-manager SA
  saSecretMapper := &applicationManagerSecretMapper{mgr.GetClient()}
  err = c.Watch(
  source.Kind(mgr.GetCache(), &corev1.Secret{}),
@@ -416,7 +418,7 @@ func (r *ReconcileAgentToken) getKubeAPIServerAddress() (string, error) {
  return infraConfig.Status.APIServerURL, nil
 }
 
-// detect if there is any change to the secret associated to the open-cluster-management-agent-addon/application-manager SA.
+// detect if there is any change to the secret associated to the App Addon application-manager SA.
 var applicationManagerSecretPredicateFunctions = predicate.Funcs{
  UpdateFunc: func(e event.UpdateEvent) bool {
  newSecret, ok := e.ObjectNew.(*corev1.Secret)
@@ -425,11 +427,14 @@ var applicationManagerSecretPredicateFunctions = predicate.Funcs{
  }
 
  if newSecret.Namespace != appAddonNS {
+ klog.Infof("secret namespace not matched, appAddonNS= %v", appAddonNS)
  return false
  }
 
  if newSecret.Type == "kubernetes.io/service-account-token" &&
  newSecret.GetAnnotations()["kubernetes.io/service-account.name"] == appAddonName {
+ klog.Infof("secret updated: %v/%v", appAddonNS, appAddonName)
+
  return true
  }
 
@@ -442,11 +447,14 @@ var applicationManagerSecretPredicateFunctions = predicate.Funcs{
  }
 
  if newSecret.Namespace != appAddonNS {
+ klog.Infof("secret namespace not matched, appAddonNS= %v", appAddonNS)
  return false
  }
 
  if newSecret.Type == "kubernetes.io/service-account-token" &&
  newSecret.GetAnnotations()["kubernetes.io/service-account.name"] == appAddonName {
+ klog.Infof("secret created: %v/%v", appAddonNS, appAddonName)
+
  return true
  }
 
@@ -459,11 +467,14 @@ var applicationManagerSecretPredicateFunctions = predicate.Funcs{
  }
 
  if newSecret.Namespace != appAddonNS {
+ klog.Infof("secret namespace not matched, appAddonNS= %v", appAddonNS)
  return false
  }
 
  if newSecret.Type == "kubernetes.io/service-account-token" &&
  newSecret.GetAnnotations()["kubernetes.io/service-account.name"] == appAddonName {
+ klog.Infof("secret deleted: %v/%v", appAddonNS, appAddonName)
+
  return true
  }
 

pkg/controller/subscription/lease_controller.go

@@ -62,12 +62,7 @@ func (r *LeaseReconciler) CheckHubKubeConfig(ctx context.Context) error {
 
 func (r *LeaseReconciler) Reconcile(ctx context.Context) {
  if len(r.componentNamespace) == 0 {
- componentNamespace, err := utils.GetComponentNamespace()
- if err != nil {
- klog.Errorf("failed to get pod namespace use. error:%v", err)
- }
-
- r.componentNamespace = componentNamespace
+ r.componentNamespace = utils.GetComponentNamespace()
  }
 
  // Create/update lease on managed cluster first. If it fails, it could mean lease resource kind

pkg/controller/subscription/lease_controller_test.go

@@ -69,7 +69,7 @@ func TestLeaseReconcile(t *testing.T) {
  s := scheme.Scheme
  s.AddKnownTypes(corev1.SchemeGroupVersion, &corev1.Namespace{})
 
- addontNs, _ := utils.GetComponentNamespace()
+ addontNs := utils.GetComponentNamespace()
  pod.SetNamespace(addontNs)
 
  tmpFile, err := os.CreateTemp("", "temptest")

pkg/utils/kubernetes.go

@@ -61,13 +61,21 @@ func ConvertLabels(labelSelector *metav1.LabelSelector) (labels.Selector, error)
  return labels.Everything(), nil
 }
 
-func GetComponentNamespace() (string, error) {
+func GetComponentNamespace() string {
+ addonNameSpace := ""
  nsBytes, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
- if err != nil {
- return "open-cluster-management-agent-addon", err
+
+ if err != nil || len(nsBytes) == 0 {
+ klog.Errorf("failed to get app addon pod namespace use. error: %v", err)
+
+ addonNameSpace = "open-cluster-management-agent-addon"
+ } else {
+ addonNameSpace = string(nsBytes)
  }
 
- return string(nsBytes), nil
+ klog.Infof("App Addon Pod NS = %v", addonNameSpace)
+
+ return addonNameSpace
 }
 
 // GetCheckSum generates a checksum of a kube config file

pkg/utils/subscription.go

@@ -65,8 +65,11 @@ const (
  annotationsSep = ","
  maxGeneratedNameLength = maxNameLength - randomLength - 1
  // klusterletagentaddon secret token reconcile
- addonServiceAccountName = "application-manager"
- addonServiceAccountNamespace = "open-cluster-management-agent-addon"
+ addonServiceAccountName = "application-manager"
+)
+
+var (
+ addonServiceAccountNamespace = GetComponentNamespace()
 )
 
 // PlacementDecisionPredicateFunctions filters PlacementDecision status decisions update
@@ -378,12 +381,13 @@ var ChannelPredicateFunctions = predicate.Funcs{
  },
 }
 
-// ServiceAccountPredicateFunctions watches for changes in klusterlet-addon-appmgr service account in open-cluster-management-agent-addon namespace
+// ServiceAccountPredicateFunctions watches for App Addon SA changes
 var ServiceAccountPredicateFunctions = predicate.Funcs{
  UpdateFunc: func(e event.UpdateEvent) bool {
  newSA := e.ObjectNew.(*corev1.ServiceAccount)
 
  if strings.EqualFold(newSA.Namespace, addonServiceAccountNamespace) && strings.EqualFold(newSA.Name, addonServiceAccountName) {
+ klog.Infof("App Addon SA updated: %v/%v", addonServiceAccountNamespace, addonServiceAccountName)
  return true
  }
 
@@ -393,6 +397,7 @@ var ServiceAccountPredicateFunctions = predicate.Funcs{
  sa := e.Object.(*corev1.ServiceAccount)
 
  if strings.EqualFold(sa.Namespace, addonServiceAccountNamespace) && strings.EqualFold(sa.Name, addonServiceAccountName) {
+ klog.Infof("App Addon SA created: %v/%v", addonServiceAccountNamespace, addonServiceAccountName)
  return true
  }
 
@@ -402,6 +407,7 @@ var ServiceAccountPredicateFunctions = predicate.Funcs{
  sa := e.Object.(*corev1.ServiceAccount)
 
  if strings.EqualFold(sa.Namespace, addonServiceAccountNamespace) && strings.EqualFold(sa.Name, addonServiceAccountName) {
+ klog.Infof("App Addon SA deleted: %v/%v", addonServiceAccountNamespace, addonServiceAccountName)
  return true
  }