[Bugfix] Allow limited rbac scope (#940)

ajanikow · web-flow · commit f8ed6f5098bc · 2022-03-25T19:44:44.000+01:00
diff --git a/chart/kube-arangodb/templates/deployment-operator/role.yaml b/chart/kube-arangodb/templates/deployment-operator/role.yaml
@@ -14,8 +14,18 @@ metadata:
         release: {{ .Release.Name }}
 rules:
     - apiGroups: ["database.arangodb.com"]
-      resources: ["arangodeployments", "arangodeployments/status","arangomembers", "arangomembers/status", "arangoclustersynchronizations", "arangoclustersynchronizations/status", "arangotasks", "arangotasks/status"]
+      resources: ["arangodeployments", "arangodeployments/status","arangomembers", "arangomembers/status"]
       verbs: ["*"]
+{{- if .Values.rbac.extensions.acs }}
+    - apiGroups: ["database.arangodb.com"]
+      resources: ["arangoclustersynchronizations", "arangoclustersynchronizations/status"]
+      verbs: ["*"]
+{{- end }}
+{{- if .Values.rbac.extensions.at }}
+    - apiGroups: ["database.arangodb.com"]
+      resources: ["arangotasks", "arangotasks/status"]
+      verbs: ["*"]
+{{- end }}
     - apiGroups: [""]
       resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "secrets", "serviceaccounts"]
       verbs: ["*"]
@@ -28,9 +38,11 @@ rules:
     - apiGroups: ["backup.arangodb.com"]
       resources: ["arangobackuppolicies", "arangobackups"]
       verbs: ["get", "list", "watch"]
+{{- if .Values.rbac.extensions.monitoring }}
     - apiGroups: ["monitoring.coreos.com"]
       resources: ["servicemonitors"]
       verbs: ["get", "create", "delete", "update", "list", "watch", "patch"]
-
+  
+{{- end }}
 {{- end }}
 {{- end }}
diff --git a/chart/kube-arangodb/values.yaml b/chart/kube-arangodb/values.yaml
@@ -54,4 +54,8 @@ operator:
   tolerations: []
 
 rbac:
-  enabled: true
+  enabled: true
+  extensions:
+    monitoring: true
+    acs: true
+    at: true
diff --git a/go.mod b/go.mod
@@ -28,6 +28,7 @@ require (
 	github.com/arangodb/go-driver v1.2.1
 	github.com/arangodb/go-driver/v2 v2.0.0-20211021031401-d92dcd5a4c83
 	github.com/arangodb/go-upgrade-rules v0.0.0-20180809110947-031b4774ff21
+	github.com/arangodb/rebalancer v0.1.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9
 	github.com/ghodss/yaml v1.0.0
@@ -108,3 +109,5 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 	sigs.k8s.io/yaml v1.2.0 // indirect
 )
+
+require github.com/arangodb/rebalancer v0.1.1
diff --git a/pkg/deployment/context_impl.go b/pkg/deployment/context_impl.go
@@ -262,6 +262,10 @@ func (d *Deployment) getAuth() (driver.Authentication, error) {
 		return nil, nil
 	}
 
+	if !d.GetCachedStatus().Initialised() {
+		return nil, errors.Newf("Cache is not yet started")
+	}
+
 	var secret string
 	var found bool
 
diff --git a/pkg/deployment/deployment.go b/pkg/deployment/deployment.go
@@ -64,6 +64,7 @@ import (
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil/inspector/throttle"
 	"github.com/arangodb/kube-arangodb/pkg/util/kclient"
 	"github.com/arangodb/kube-arangodb/pkg/util/trigger"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 )
 
 // Config holds configuration settings for a Deployment
@@ -604,6 +605,9 @@ func (d *Deployment) lookForServiceMonitorCRD() {
 	var err error
 	if d.GetScope().IsNamespaced() {
 		_, err = d.currentState.ServiceMonitor().V1()
+		if apierrors.IsForbidden(err) {
+			return
+		}
 	} else {
 		_, err = d.deps.Client.KubernetesExtensions().ApiextensionsV1().CustomResourceDefinitions().Get(context.Background(), "servicemonitors.monitoring.coreos.com", meta.GetOptions{})
 	}
diff --git a/pkg/deployment/resources/annotations.go b/pkg/deployment/resources/annotations.go
@@ -37,6 +37,7 @@ import (
 	"github.com/rs/zerolog/log"
 	core "k8s.io/api/core/v1"
 	policy "k8s.io/api/policy/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -239,6 +240,9 @@ func ensurePvcsAnnotations(patch PatchFunc, cachedStatus inspectorInterface.Insp
 func ensureServiceMonitorsAnnotations(patch PatchFunc, cachedStatus inspectorInterface.Inspector, kind, name, namespace string, spec api.DeploymentSpec) error {
 	i, err := cachedStatus.ServiceMonitor().V1()
 	if err != nil {
+		if apierrors.IsForbidden(err) {
+			return nil
+		}
 		return err
 	}
 	if err := i.Iterate(func(serviceMonitor *monitoring.ServiceMonitor) error {
diff --git a/pkg/deployment/resources/inspector/acs.go b/pkg/deployment/resources/inspector/acs.go
@@ -163,10 +163,6 @@ func (p *arangoClusterSynchronizationsInspector) LastRefresh() time.Time {
 	return p.last
 }
 
-func (p *arangoClusterSynchronizationsInspector) IsStatic() bool {
-	return p.state.IsStatic()
-}
-
 func (p *arangoClusterSynchronizationsInspector) Refresh(ctx context.Context) error {
 	p.Throttle(p.state.throttles).Invalidate()
 	return p.state.refresh(ctx, arangoClusterSynchronizationsInspectorLoaderObj)
diff --git a/pkg/deployment/resources/inspector/am.go b/pkg/deployment/resources/inspector/am.go
@@ -167,10 +167,6 @@ func (p *arangoMembersInspector) LastRefresh() time.Time {
 	return p.last
 }
 
-func (p *arangoMembersInspector) IsStatic() bool {
-	return p.state.IsStatic()
-}
-
 func (p *arangoMembersInspector) Refresh(ctx context.Context) error {
 	p.Throttle(p.state.throttles).Invalidate()
 	return p.state.refresh(ctx, arangoMembersInspectorLoaderObj)
diff --git a/pkg/deployment/resources/inspector/at.go b/pkg/deployment/resources/inspector/at.go
@@ -163,10 +163,6 @@ func (p *arangoTasksInspector) LastRefresh() time.Time {
 	return p.last
 }
 
-func (p *arangoTasksInspector) IsStatic() bool {
-	return p.state.IsStatic()
-}
-
 func (p *arangoTasksInspector) Refresh(ctx context.Context) error {
 	p.Throttle(p.state.throttles).Invalidate()
 	return p.state.refresh(ctx, arangoTasksInspectorLoaderObj)
diff --git a/pkg/deployment/resources/inspector/inspector.go b/pkg/deployment/resources/inspector/inspector.go
@@ -139,7 +139,15 @@ type inspectorState struct {
 
 	versionInfo driver.Version
 
-	static bool
+	initialised bool
+}
+
+func (i *inspectorState) Initialised() bool {
+	if i == nil {
+		return false
+	}
+
+	return i.initialised
 }
 
 func (i *inspectorState) Client() kclient.Client {
@@ -210,15 +218,7 @@ func (i *inspectorState) Pod() pod.Definition {
 	return i.pods
 }
 
-func (i *inspectorState) IsStatic() bool {
-	return i.static
-}
-
 func (i *inspectorState) refresh(ctx context.Context, loaders ...inspectorLoader) error {
-	if i.IsStatic() {
-		return nil
-	}
-
 	return i.refreshInThreads(ctx, 15, loaders...)
 }
 
@@ -295,6 +295,7 @@ func (i *inspectorState) refreshInThreads(ctx context.Context, threads int, load
 	i.throttles = n.throttles
 
 	i.last = time.Now()
+	i.initialised = true
 
 	return nil
 }
@@ -364,7 +365,6 @@ func (i *inspectorState) copyCore() *inspectorState {
 		arangoClusterSynchronizations: i.arangoClusterSynchronizations,
 		throttles:                     i.throttles.Copy(),
 		versionInfo:                   i.versionInfo,
-		static:                        i.static,
 		logger:                        i.logger,
 	}
 }
diff --git a/pkg/deployment/resources/inspector/nodes.go b/pkg/deployment/resources/inspector/nodes.go
@@ -163,10 +163,6 @@ func (p *nodesInspector) LastRefresh() time.Time {
 	return p.last
 }
 
-func (p *nodesInspector) IsStatic() bool {
-	return p.state.IsStatic()
-}
-
 func (p *nodesInspector) Refresh(ctx context.Context) error {
 	p.Throttle(p.state.throttles).Invalidate()
 	return p.state.refresh(ctx, nodesInspectorLoaderObj)
diff --git a/pkg/deployment/resources/inspector/pdbs.go b/pkg/deployment/resources/inspector/pdbs.go
@@ -274,10 +274,6 @@ func (p *podDisruptionBudgetsInspector) LastRefresh() time.Time {
 	return p.last
 }
 
-func (p *podDisruptionBudgetsInspector) IsStatic() bool {
-	return p.state.IsStatic()
-}
-
 func (p *podDisruptionBudgetsInspector) Refresh(ctx context.Context) error {
 	p.Throttle(p.state.throttles).Invalidate()
 	return p.state.refresh(ctx, podDisruptionBudgetsInspectorLoaderObj)
diff --git a/pkg/deployment/resources/inspector/pods.go b/pkg/deployment/resources/inspector/pods.go
@@ -167,10 +167,6 @@ func (p *podsInspector) LastRefresh() time.Time {
 	return p.last
 }
 
-func (p *podsInspector) IsStatic() bool {
-	return p.state.IsStatic()
-}
-
 func (p *podsInspector) Refresh(ctx context.Context) error {
 	p.Throttle(p.state.throttles).Invalidate()
 	return p.state.refresh(ctx, podsInspectorLoaderObj)
diff --git a/pkg/deployment/resources/inspector/pvcs.go b/pkg/deployment/resources/inspector/pvcs.go
@@ -167,10 +167,6 @@ func (p *persistentVolumeClaimsInspector) LastRefresh() time.Time {
 	return p.last
 }
 
-func (p *persistentVolumeClaimsInspector) IsStatic() bool {
-	return p.state.IsStatic()
-}
-
 func (p *persistentVolumeClaimsInspector) Refresh(ctx context.Context) error {
 	p.Throttle(p.state.throttles).Invalidate()
 	return p.state.refresh(ctx, persistentVolumeClaimsInspectorLoaderObj)
diff --git a/pkg/deployment/resources/inspector/sa.go b/pkg/deployment/resources/inspector/sa.go
@@ -167,10 +167,6 @@ func (p *serviceAccountsInspector) LastRefresh() time.Time {
 	return p.last
 }
 
-func (p *serviceAccountsInspector) IsStatic() bool {
-	return p.state.IsStatic()
-}
-
 func (p *serviceAccountsInspector) Refresh(ctx context.Context) error {
 	p.Throttle(p.state.throttles).Invalidate()
 	return p.state.refresh(ctx, serviceAccountsInspectorLoaderObj)
diff --git a/pkg/deployment/resources/inspector/secrets.go b/pkg/deployment/resources/inspector/secrets.go
@@ -167,10 +167,6 @@ func (p *secretsInspector) LastRefresh() time.Time {
 	return p.last
 }
 
-func (p *secretsInspector) IsStatic() bool {
-	return p.state.IsStatic()
-}
-
 func (p *secretsInspector) Refresh(ctx context.Context) error {
 	p.Throttle(p.state.throttles).Invalidate()
 	return p.state.refresh(ctx, secretsInspectorLoaderObj)
diff --git a/pkg/deployment/resources/inspector/services.go b/pkg/deployment/resources/inspector/services.go
@@ -167,10 +167,6 @@ func (p *servicesInspector) LastRefresh() time.Time {
 	return p.last
 }
 
-func (p *servicesInspector) IsStatic() bool {
-	return p.state.IsStatic()
-}
-
 func (p *servicesInspector) Refresh(ctx context.Context) error {
 	p.Throttle(p.state.throttles).Invalidate()
 	return p.state.refresh(ctx, servicesInspectorLoaderObj)
diff --git a/pkg/deployment/resources/inspector/sm.go b/pkg/deployment/resources/inspector/sm.go
@@ -163,10 +163,6 @@ func (p *serviceMonitorsInspector) LastRefresh() time.Time {
 	return p.last
 }
 
-func (p *serviceMonitorsInspector) IsStatic() bool {
-	return p.state.IsStatic()
-}
-
 func (p *serviceMonitorsInspector) Refresh(ctx context.Context) error {
 	p.Throttle(p.state.throttles).Invalidate()
 	return p.state.refresh(ctx, serviceMonitorsInspectorLoaderObj)
diff --git a/pkg/deployment/resources/labels.go b/pkg/deployment/resources/labels.go
@@ -30,6 +30,7 @@ import (
 	monitoring "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	core "k8s.io/api/core/v1"
 	policy "k8s.io/api/policy/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
@@ -151,6 +152,9 @@ func (r *Resources) EnsureServiceMonitorsLabels(ctx context.Context, cachedStatu
 	changed := false
 	i, err := cachedStatus.ServiceMonitor().V1()
 	if err != nil {
+		if apierrors.IsForbidden(err) {
+			return nil
+		}
 		return err
 	}
 	if err := i.Iterate(func(serviceMonitor *monitoring.ServiceMonitor) error {
diff --git a/pkg/util/k8sutil/inspector/inspector.go b/pkg/util/k8sutil/inspector/inspector.go
@@ -43,6 +43,8 @@ type Inspector interface {
 	Client() kclient.Client
 	Namespace() string
 
+	Initialised() bool
+
 	refresh.Inspector
 	throttle.Inspector
 
diff --git a/pkg/util/k8sutil/inspector/refresh/refresh.go b/pkg/util/k8sutil/inspector/refresh/refresh.go
@@ -26,7 +26,6 @@ import (
 )
 
 type Inspector interface {
-	IsStatic() bool
 	Refresh(ctx context.Context) error
 	LastRefresh() time.Time
 }
diff --git a/pkg/util/k8sutil/reconcile.go b/pkg/util/k8sutil/reconcile.go
@@ -119,10 +119,6 @@ func (r *reconcile) WithRefresh(ctx context.Context, err error) error {
 
 func (r *reconcile) Reconcile(ctx context.Context) error {
 	if r.required {
-		if r.refresh.IsStatic() {
-			return errors.Reconcile()
-		}
-
 		if err := r.refresh.Refresh(ctx); err != nil {
 			return err
 		}

Original file line number	Diff line number	Diff line change
`@@ -262,6 +262,10 @@ func (d *Deployment) getAuth() (driver.Authentication, error) {`
`262`	`262`	`return nil, nil`
`263`	`263`	`}`
`264`	`264`
	`265`	`+ if !d.GetCachedStatus().Initialised() {`
	`266`	`+ return nil, errors.Newf("Cache is not yet started")`
	`267`	`+ }`
	`268`	`+`
`265`	`269`	`var secret string`
`266`	`270`	`var found bool`
`267`	`271`