51 reduce controller roles (#345)

- add informer for service account to workload
- add informers for [Cluster]Role[Binding]
- Handle service account related errors:
- avoid triggering retry and fallback
- Handle service account related errors:
- log
- avoid triggering retry and fallback
- Move clientBuilder out of workload/component.go
- we will relax this in future work once we have more fallback
mechanisms
- Fix omitempty test on Workload
- Fix for repository losing logger
- Stamp Deliverable using named service account
- Add informers for service account / roles etc for Deliverable
- Removed unused ctx, fix errors in tests
- Lint
- Fall back to default ServiceAccount in namespace if not specified on         Workload or Deliverable
- Default to default service account
- Update setup script to wait longer for tests to pass
- add tests for workload map functions
- Add map_functions tests
- Address reviewers comments about rbac roles
- Address reviewers comments about imports
- Fix typo in rbac.yaml
- Address reviewers comment about pulling revision off outputs in tekton task

Co-authored-by: Ciro S. Costa <[email protected]>
Co-authored-by: Marty Spiewak <[email protected]>
Co-authored-by: Todd Ritchie <[email protected]>
Co-authored-by: Sam Coward <[email protected]>
Co-authored-by: Joshua Winters <[email protected]>

config/crd/bases/carto.run_deliverables.yaml

@@ -60,6 +60,8 @@ spec:
  - value
  type: object
  type: array
+ serviceAccountName:
+ type: string
  source:
  properties:
  git:

config/crd/bases/carto.run_runnables.yaml

@@ -79,6 +79,8 @@ spec:
  - matchingLabels
  - resource
  type: object
+ serviceAccountName:
+ type: string
  required:
  - runTemplateRef
  type: object

config/crd/bases/carto.run_workloads.yaml

@@ -306,6 +306,8 @@ spec:
  to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
  type: object
  type: object
+ serviceAccountName:
+ type: string
  serviceClaims:
  items:
  properties:

config/rbac/rbac.yaml

@@ -19,19 +19,44 @@ metadata:
  namespace: cartographer-system
 
 ---
-#!
-#! TODO make use of granular roles rather than a catch-all "cluster-admin"
-#! grants it more privileges than it needs.
-#!
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: cartographer-cluster-admin
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
- name: cluster-admin
+ name: cartographer-controller-admin
 subjects:
  - kind: ServiceAccount
  name: cartographer-controller
  namespace: cartographer-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cartographer-controller-admin
+rules:
+ - apiGroups:
+ - carto.run
+ resources:
+ - workloads/status
+ - clustersupplychains/status
+ - runnables/status
+ - clusterdeliveries/status
+ - deliverables/status
+ verbs:
+ - create
+ - update
+ - delete
+ - patch
+
+ - apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - watch
+ - get
+ - list

examples/source-to-knative-service/app-operator/runtemplate-tekton-pipelinerun.yaml

@@ -17,6 +17,9 @@ kind: ClusterRunTemplate
 metadata:
  name: tekton-pipelinerun
 spec:
+ outputs:
+ url: spec.params[?(@.name=="blob-url")].value
+ revision: spec.params[?(@.name=="blob-revision")].value
  template:
  apiVersion: tekton.dev/v1beta1
  kind: TaskRun

examples/source-to-knative-service/app-operator/supply-chain-templates.yaml

@@ -61,15 +61,17 @@ kind: ClusterSourceTemplate
 metadata:
  name: test
 spec:
- urlPath: .spec.inputs.source.url
- revisionPath: .spec.inputs.source.revision
+ urlPath: .status.outputs.url
+ revisionPath: .status.outputs.revision
 
  template:
  apiVersion: carto.run/v1alpha1
  kind: Runnable
  metadata:
  name: $(workload.metadata.name)$
  spec:
+ serviceAccountName: $(workload.spec.serviceAccountName)$
+
  runTemplateRef:
  name: tekton-pipelinerun
 
@@ -85,6 +87,8 @@ spec:
  params:
  - name: blob-url
  value: $(source.url)$
+ - name: blob-revision
+ value: $(source.revision)$
 
 
 ---

examples/source-to-knative-service/developer/serviceaccount.yaml

@@ -0,0 +1,64 @@
+# Copyright 2021 VMware
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#@ load("@ytt:data", "data")
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: #@ data.values.service_account_name
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: workload-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: workload-role
+subjects:
+ - kind: ServiceAccount
+ name: #@ data.values.service_account_name
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: workload-role
+rules:
+ - apiGroups:
+ - source.toolkit.fluxcd.io
+ - kpack.io
+ - kapp.k14s.io/v1alpha1
+ - kappctrl.k14s.io
+ - serving.knative.dev/v1
+ - carto.run
+ - tekton.dev
+ resources:
+ - gitrepositories
+ - images
+ - configs
+ - apps
+ - services
+ - runnables
+ - tasks
+ - taskruns
+ verbs:
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch

examples/source-to-knative-service/developer/tests-task.yaml

@@ -21,6 +21,7 @@ metadata:
 spec:
  params:
  - name: blob-url
+ - name: blob-revision
  steps:
  - name: test
  image: golang
@@ -30,6 +31,8 @@ spec:
  - |-
  set -o pipefail
 
+ echo $(params.blob-revision)
+
  cd `mktemp -d`
  curl -SL $(params.blob-url) | tar xvzf -
  go test -v ./...

examples/source-to-knative-service/developer/workload.yaml

@@ -12,13 +12,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+#@ load("@ytt:data", "data")
+---
 apiVersion: carto.run/v1alpha1
 kind: Workload
 metadata:
  name: dev
  labels:
  app.tanzu.vmware.com/workload-type: web
 spec:
+ serviceAccountName: #@ data.values.service_account_name
  source:
  git:
  url: https://github.com/kontinue/hello-world

examples/source-to-knative-service/values.yaml

@@ -14,6 +14,7 @@
 
 #@data/values
 ---
+service_account_name: workload-service-account
 image_prefix: projectcartographer/demo-
 registry:
  server: https://index.docker.io/v1/

go.mod

@@ -5,12 +5,14 @@ go 1.17
 require (
  github.com/MakeNowJust/heredoc v1.0.0
  github.com/go-logr/logr v0.4.0
+ github.com/go-yaml/yaml v2.1.0+incompatible
  github.com/golangci/golangci-lint v1.43.0
  github.com/google/addlicense v1.0.0
  github.com/maxbrunsfeld/counterfeiter/v6 v6.4.1
  github.com/onsi/ginkgo v1.16.5
  github.com/onsi/gomega v1.17.0
  github.com/valyala/fasttemplate v1.2.1
+ go.uber.org/zap v1.19.1
  golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d // indirect
  golang.org/x/text v0.3.7 // indirect
  k8s.io/api v0.22.4
@@ -25,8 +27,6 @@ require (
  sigs.k8s.io/yaml v1.3.0
 )
 
-require go.uber.org/zap v1.19.1
-
 require (
  4d63.com/gochecknoglobals v0.1.0 // indirect
  cloud.google.com/go v0.93.3 // indirect

go.sum

@@ -301,6 +301,8 @@ github.com/go-toolsmith/typep v1.0.2 h1:8xdsa1+FSIH/RhEkgnD1j2CJOy5mNllW1Q9tRiYw
 github.com/go-toolsmith/typep v1.0.2/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU=
 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b h1:khEcpUM4yFcxg4/FHQWkvVRmgijNXRfzkIDHh23ggEo=
 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
+github.com/go-yaml/yaml v2.1.0+incompatible h1:RYi2hDdss1u4YE7GwixGzWwVo47T8UQwnTLB6vQiq+o=
+github.com/go-yaml/yaml v2.1.0+incompatible/go.mod h1:w2MrLa16VYP0jy6N7M5kHaCkaLENm+P+Tv+MfurjSw0=
 github.com/gobuffalo/flect v0.2.3 h1:f/ZukRnSNA/DUpSNDadko7Qc0PhGvsew35p/2tu+CRY=
 github.com/gobuffalo/flect v0.2.3/go.mod h1:vmkQwuZYhN5Pc4ljYQZzP+1sq+NEkK+lh20jmEmX3jc=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=

hack/setup.sh

@@ -265,20 +265,23 @@ teardown_example() {
 test_example() {
  log "testing"
 
- for i in {15..1}; do
- echo "- attempt $i"
-
- local deployed_pods
- deployed_pods=$(kubectl get pods \
- -l 'serving.knative.dev/configuration=dev' \
- -o name)
-
- if [[ -n "$deployed_pods" ]]; then
- log 'SUCCEEDED! sweet'
- exit 0
- fi
-
- sleep "$i"
+ for _ in {1..5}; do
+ for sleep_duration in {15..1}; do
+ local deployed_pods
+ deployed_pods=$(kubectl get pods \
+ -l 'serving.knative.dev/configuration=dev' \
+ -o name)
+
+ if [[ -n "$deployed_pods" ]]; then
+ log 'SUCCEEDED! sweet'
+ exit 0
+ fi
+
+ echo "- waiting $sleep_duration seconds"
+ sleep "$sleep_duration"
+ done
+
+ kubectl tree workload dev
  done
 
  log 'FAILED :('

pkg/apis/v1alpha1/deliverable.go

@@ -53,8 +53,9 @@ type Deliverable struct {
 }
 
 type DeliverableSpec struct {
- Params []Param `json:"params,omitempty"`
- Source *Source `json:"source,omitempty"`
+ Params []Param `json:"params,omitempty"`
+ Source *Source `json:"source,omitempty"`
+ ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 type DeliverableStatus struct {

pkg/apis/v1alpha1/runnable.go

@@ -36,6 +36,7 @@ const (
  TemplateStampFailureRunTemplateReason = "TemplateStampFailure"
  FailedToListCreatedObjectsReason = "FailedToListCreatedObjects"
  UnknownErrorReason = "UnknownError"
+ ClientBuilderErrorResourcesSubmittedReason = "ClientBuilderError"
 )
 
 // +kubebuilder:object:root=true
@@ -56,9 +57,10 @@ type RunnableStatus struct {
 
 type RunnableSpec struct {
  // +kubebuilder:validation:Required
- RunTemplateRef TemplateReference `json:"runTemplateRef"`
- Selector *ResourceSelector `json:"selector,omitempty"`
- Inputs map[string]apiextensionsv1.JSON `json:"inputs,omitempty"`
+ RunTemplateRef TemplateReference `json:"runTemplateRef"`
+ Selector *ResourceSelector `json:"selector,omitempty"`
+ Inputs map[string]apiextensionsv1.JSON `json:"inputs,omitempty"`
+ ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 type ResourceSelector struct {

pkg/apis/v1alpha1/workload.go

@@ -30,10 +30,12 @@ const (
 )
 
 const (
- ReadySupplyChainReason = "Ready"
- WorkloadLabelsMissingSupplyChainReason = "WorkloadLabelsMissing"
- NotFoundSupplyChainReadyReason = "SupplyChainNotFound"
- MultipleMatchesSupplyChainReadyReason = "MultipleSupplyChainMatches"
+ ReadySupplyChainReason = "Ready"
+ WorkloadLabelsMissingSupplyChainReason = "WorkloadLabelsMissing"
+ NotFoundSupplyChainReadyReason = "SupplyChainNotFound"
+ MultipleMatchesSupplyChainReadyReason = "MultipleSupplyChainMatches"
+ ServiceAccountSecretErrorResourcesSubmittedReason = "ServiceAccountSecretError"
+ ResourceRealizerBuilderErrorResourcesSubmittedReason = "ResourceRealizerBuilderError"
 )
 
 // +kubebuilder:object:root=true
@@ -58,15 +60,16 @@ type WorkloadServiceClaimReference struct {
 }
 
 type WorkloadSpec struct {
- Params []Param `json:"params,omitempty"`
- Source *Source `json:"source,omitempty"`
+ Params []Param `json:"params,omitempty"`
+ Source *Source `json:"source,omitempty"`
+ Build WorkloadBuild `json:"build,omitempty"`
+ Env []corev1.EnvVar `json:"env,omitempty"`
  // Image is a pre-built image in a registry. It is an alternative to defining source
  // code.
- Image *string `json:"image,omitempty"`
- ServiceClaims []WorkloadServiceClaim `json:"serviceClaims,omitempty"`
- Env []corev1.EnvVar `json:"env,omitempty"`
- Build WorkloadBuild `json:"build,omitempty"`
- Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+ Image *string `json:"image,omitempty"`
+ Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+ ServiceAccountName string `json:"serviceAccountName,omitempty"`
+ ServiceClaims []WorkloadServiceClaim `json:"serviceClaims,omitempty"`
 }
 
 type WorkloadBuild struct {

pkg/apis/v1alpha1/workload_test.go

@@ -34,6 +34,14 @@ var _ = Describe("Workload", func() {
  workloadSpecType = reflect.TypeOf(workloadSpec)
  })
 
+ It("allows but does not require service account name", func() {
+ metadataField, found := workloadSpecType.FieldByName("ServiceAccountName")
+ Expect(found).To(BeTrue())
+ jsonValue := metadataField.Tag.Get("json")
+ Expect(jsonValue).To(ContainSubstring("serviceAccountName"))
+ Expect(jsonValue).To(ContainSubstring("omitempty"))
+ })
+
  It("allows but does not require params", func() {
  metadataField, found := workloadSpecType.FieldByName("Params")
  Expect(found).To(BeTrue())