diff --git a/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml b/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml
index be74ec9f0..549bcd03a 100644
--- a/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml
+++ b/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: csiaddonsnodes.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
diff --git a/config/crd/bases/csiaddons.openshift.io_encryptionkeyrotationcronjobs.yaml b/config/crd/bases/csiaddons.openshift.io_encryptionkeyrotationcronjobs.yaml
index cf9dd2a7d..d8462f40e 100644
--- a/config/crd/bases/csiaddons.openshift.io_encryptionkeyrotationcronjobs.yaml
+++ b/config/crd/bases/csiaddons.openshift.io_encryptionkeyrotationcronjobs.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: encryptionkeyrotationcronjobs.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
diff --git a/config/crd/bases/csiaddons.openshift.io_encryptionkeyrotationjobs.yaml b/config/crd/bases/csiaddons.openshift.io_encryptionkeyrotationjobs.yaml
index 51ba46da9..43a5f6409 100644
--- a/config/crd/bases/csiaddons.openshift.io_encryptionkeyrotationjobs.yaml
+++ b/config/crd/bases/csiaddons.openshift.io_encryptionkeyrotationjobs.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: encryptionkeyrotationjobs.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
diff --git a/config/crd/bases/csiaddons.openshift.io_networkfences.yaml b/config/crd/bases/csiaddons.openshift.io_networkfences.yaml
index 6c2fad1bf..e98a3ac35 100644
--- a/config/crd/bases/csiaddons.openshift.io_networkfences.yaml
+++ b/config/crd/bases/csiaddons.openshift.io_networkfences.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: networkfences.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
diff --git a/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml b/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml
index c88787e7c..b1e0f8781 100644
--- a/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml
+++ b/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: reclaimspacecronjobs.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
diff --git a/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml b/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml
index 9ac181b36..054017012 100644
--- a/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml
+++ b/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: reclaimspacejobs.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
diff --git a/config/crd/bases/replication.storage.openshift.io_volumegroupreplicationclasses.yaml b/config/crd/bases/replication.storage.openshift.io_volumegroupreplicationclasses.yaml
index bcffea73f..ef414b074 100644
--- a/config/crd/bases/replication.storage.openshift.io_volumegroupreplicationclasses.yaml
+++ b/config/crd/bases/replication.storage.openshift.io_volumegroupreplicationclasses.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: volumegroupreplicationclasses.replication.storage.openshift.io
 spec:
 group: replication.storage.openshift.io
diff --git a/config/crd/bases/replication.storage.openshift.io_volumegroupreplicationcontents.yaml b/config/crd/bases/replication.storage.openshift.io_volumegroupreplicationcontents.yaml
index 16cd3847f..21398094b 100644
--- a/config/crd/bases/replication.storage.openshift.io_volumegroupreplicationcontents.yaml
+++ b/config/crd/bases/replication.storage.openshift.io_volumegroupreplicationcontents.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: volumegroupreplicationcontents.replication.storage.openshift.io
 spec:
 group: replication.storage.openshift.io
diff --git a/config/crd/bases/replication.storage.openshift.io_volumegroupreplications.yaml b/config/crd/bases/replication.storage.openshift.io_volumegroupreplications.yaml
index 92bf1ec0f..d93a58f4d 100644
--- a/config/crd/bases/replication.storage.openshift.io_volumegroupreplications.yaml
+++ b/config/crd/bases/replication.storage.openshift.io_volumegroupreplications.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: volumegroupreplications.replication.storage.openshift.io
 spec:
 group: replication.storage.openshift.io
diff --git a/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml b/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml
index 826a2cd7d..ceb1da021 100644
--- a/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml
+++ b/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: volumereplicationclasses.replication.storage.openshift.io
 spec:
 group: replication.storage.openshift.io
diff --git a/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml b/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml
index 0abbfbb1b..5335d7fb3 100644
--- a/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml
+++ b/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: volumereplications.replication.storage.openshift.io
 spec:
 group: replication.storage.openshift.io
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 6d9e2b9f6..232df6d5b 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -4,35 +4,11 @@ kind: ClusterRole
 metadata:
 name: manager-role
 rules:
-- apiGroups:
- - ""
- resources:
- - persistentvolumeclaims
- verbs:
- - get
- - list
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - persistentvolumes
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
 - apiGroups:
 - ""
 resources:
 - namespaces
+ - persistentvolumes
 - pods
 verbs:
 - get
@@ -46,6 +22,7 @@ rules:
 - get
 - list
 - patch
+ - update
 - watch
 - apiGroups:
 - ""
@@ -53,6 +30,14 @@ rules:
 - persistentvolumeclaims/finalizers
 verbs:
 - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - csiaddons.openshift.io
 resources:
diff --git a/deploy/controller/crds.yaml b/deploy/controller/crds.yaml
index 2c1ca436c..3d9ca85b4 100644
--- a/deploy/controller/crds.yaml
+++ b/deploy/controller/crds.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: csiaddonsnodes.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
@@ -127,7 +127,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: encryptionkeyrotationcronjobs.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
@@ -367,7 +367,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: encryptionkeyrotationjobs.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
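Review bot: The `update` verb added in the `@@ -46,6 +22,7 @@` hunk lands on a rule whose `resources:` list lies outside the hunk's context, so it cannot be confirmed from here that the merged rule covers only `persistentvolumeclaims`, the one resource for which the removed rule granted `update`. The same applies to `persistentvolumes` joining the `namespaces`/`pods` rule in the first hunk: only `get` of that rule's verbs is visible, while the removed rule allowed just `get`, `list` and `watch`. Because this ClusterRole appears to be regenerated by the controller-gen bump, expanding the old and new roles into resource/verb pairs and diffing them (or checking `kubectl auth can-i --list` for the manager service account on a test cluster) would show whether the regrouping is permission-neutral. The same merge appears in `deploy/controller/rbac.yaml` (`@@ -47,35 +47,11 @@` and `@@ -89,6 +65,7 @@`).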
@@ -554,7 +554,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: networkfences.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
@@ -748,7 +748,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: reclaimspacecronjobs.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
@@ -986,7 +986,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: reclaimspacejobs.csiaddons.openshift.io
 spec:
 group: csiaddons.openshift.io
@@ -1181,7 +1181,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: volumegroupreplicationclasses.replication.storage.openshift.io
 spec:
 group: replication.storage.openshift.io
@@ -1257,7 +1257,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: volumegroupreplicationcontents.replication.storage.openshift.io
 spec:
 group: replication.storage.openshift.io
@@ -1430,7 +1430,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: volumegroupreplications.replication.storage.openshift.io
 spec:
 group: replication.storage.openshift.io
@@ -1695,7 +1695,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: volumereplicationclasses.replication.storage.openshift.io
 spec:
 group: replication.storage.openshift.io
@@ -1779,7 +1779,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
+ controller-gen.kubebuilder.io/version: v0.16.2
 name: volumereplications.replication.storage.openshift.io
 spec:
 group: replication.storage.openshift.io
diff --git a/deploy/controller/rbac.yaml b/deploy/controller/rbac.yaml
index 851759802..539d6b928 100644
--- a/deploy/controller/rbac.yaml
+++ b/deploy/controller/rbac.yaml
@@ -47,35 +47,11 @@ kind: ClusterRole
 metadata:
 name: csi-addons-manager-role
 rules:
-- apiGroups:
- - ""
- resources:
- - persistentvolumeclaims
- verbs:
- - get
- - list
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - persistentvolumes
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
 - apiGroups:
 - ""
 resources:
 - namespaces
+ - persistentvolumes
 - pods
 verbs:
 - get
@@ -89,6 +65,7 @@ rules:
 - get
 - list
 - patch
+ - update
 - watch
 - apiGroups:
 - ""
@@ -96,6 +73,14 @@ rules:
 - persistentvolumeclaims/finalizers
 verbs:
 - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - csiaddons.openshift.io
 resources:
diff --git a/tools/go.mod b/tools/go.mod
index f85b9c687..bd17f59f3 100644
--- a/tools/go.mod
+++ b/tools/go.mod
@@ -7,7 +7,7 @@ require (
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1
 google.golang.org/protobuf v1.34.2
 sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240102165319-7f316f1309b1
- sigs.k8s.io/controller-tools v0.16.1
+ sigs.k8s.io/controller-tools v0.16.2
 sigs.k8s.io/kustomize/kustomize/v5 v5.4.3
 )
diff --git a/tools/go.sum b/tools/go.sum
index c00ead6aa..83598703c 100644
--- a/tools/go.sum
+++ b/tools/go.sum
@@ -814,8 +814,8 @@ sigs.k8s.io/controller-runtime v0.17.4 h1:AMf1E0+93/jLQ13fb76S6Atwqp24EQFCmNbG84
 sigs.k8s.io/controller-runtime v0.17.4/go.mod h1:N0jpP5Lo7lMTF9aL56Z/B2oWBJjey6StQM0jRbKQXtY=
 sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240102165319-7f316f1309b1 h1:1/GQWB9rabeYd3oANeTQH7OHrtShvVgH0FmqHWBpR6I=
 sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240102165319-7f316f1309b1/go.mod h1:TF/lVLWS+JNNaVqJuDDictY2hZSXSsIHCx4FClMvqFg=
-sigs.k8s.io/controller-tools v0.16.1 h1:gvIsZm+2aimFDIBiDKumR7EBkc+oLxljoUVfRbDI6RI=
-sigs.k8s.io/controller-tools v0.16.1/go.mod h1:0I0xqjR65YTfoO12iR+mZR6s6UAVcUARgXRlsu0ljB0=
+sigs.k8s.io/controller-tools v0.16.2 h1:uUFF/AW3phBWPiERvkSNOVct//L427bPS7xGfKi6Tz4=
+sigs.k8s.io/controller-tools v0.16.2/go.mod h1:0I0xqjR65YTfoO12iR+mZR6s6UAVcUARgXRlsu0ljB0=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/kubebuilder/v3 v3.14.2 h1:LMZW8Y5eItnP4kh9tpp4Gs2Gd5V3DgLgzbNnXfMAShY=
diff --git a/tools/vendor/modules.txt b/tools/vendor/modules.txt
index 83ec23c85..5b3a86312 100644
--- a/tools/vendor/modules.txt
+++ b/tools/vendor/modules.txt
@@ -1740,7 +1740,7 @@ sigs.k8s.io/controller-runtime/tools/setup-envtest/remote
 sigs.k8s.io/controller-runtime/tools/setup-envtest/store
 sigs.k8s.io/controller-runtime/tools/setup-envtest/versions
 sigs.k8s.io/controller-runtime/tools/setup-envtest/workflows
-# sigs.k8s.io/controller-tools v0.16.1
+# sigs.k8s.io/controller-tools v0.16.2
 ## explicit; go 1.22.0
 sigs.k8s.io/controller-tools/cmd/controller-gen
 sigs.k8s.io/controller-tools/pkg/crd
diff --git a/tools/vendor/sigs.k8s.io/controller-tools/pkg/rbac/parser.go b/tools/vendor/sigs.k8s.io/controller-tools/pkg/rbac/parser.go
index 51b4c043f..89729d436 100644
--- a/tools/vendor/sigs.k8s.io/controller-tools/pkg/rbac/parser.go
+++ b/tools/vendor/sigs.k8s.io/controller-tools/pkg/rbac/parser.go
@@ -105,6 +105,12 @@ func (r *Rule) keyWithResourcesResourceNamesURLsVerbs() string {
 return fmt.Sprintf("%s + %s + %s + %s", key.Resources, key.ResourceNames, key.URLs, verbs)
 }
+func (r *Rule) keyWitGroupResourcesResourceNamesVerbs() string {
+ key := r.key()
+ verbs := strings.Join(r.Verbs, "&")
+ return fmt.Sprintf("%s + %s + %s + %s", key.Groups, key.Resources, key.ResourceNames, verbs)
+}
+
 // addVerbs adds new verbs into a Rule.
 // The duplicates in `r.Verbs` will be removed, and then `r.Verbs` will be sorted.
 func (r *Rule) addVerbs(verbs []string) {
@@ -140,12 +146,6 @@ func removeDupAndSort(strs []string) []string {
 // ToRule converts this rule to its Kubernetes API form.
 func (r *Rule) ToRule() rbacv1.PolicyRule {
- // fix the group names first, since letting people type "core" is nice
- for i, group := range r.Groups {
- if group == "core" {
- r.Groups[i] = ""
- }
- }
 return rbacv1.PolicyRule{
 APIGroups: r.Groups,
 Verbs: r.Verbs,
@@ -190,6 +190,20 @@ func GenerateRoles(ctx *genall.GenerationContext, roleName string) ([]interface{
 // group RBAC markers by namespace and separate by resource
 for _, markerValue := range markerSet[RuleDefinition.Name] {
 rule := markerValue.(Rule)
+ if len(rule.Resources) == 0 {
+ // Add a rule without any resource if Resources is empty.
+ r := Rule{
+ Groups: rule.Groups,
+ Resources: []string{},
+ ResourceNames: rule.ResourceNames,
+ URLs: rule.URLs,
+ Namespace: rule.Namespace,
+ Verbs: rule.Verbs,
+ }
+ namespace := r.Namespace
+ rulesByNSResource[namespace] = append(rulesByNSResource[namespace], &r)
+ continue
+ }
 for _, resource := range rule.Resources {
 r := Rule{
 Groups: rule.Groups,
@@ -210,6 +224,13 @@ func GenerateRoles(ctx *genall.GenerationContext, roleName string) ([]interface{
 ruleMap := make(map[ruleKey]*Rule)
 // all the Rules having the same ruleKey will be merged into the first Rule
 for _, rule := range rules {
+ // fix the group name first, since letting people type "core" is nice
+ for i, name := range rule.Groups {
+ if name == "core" {
+ rule.Groups[i] = ""
+ }
+ }
+
 key := rule.key()
 if _, ok := ruleMap[key]; !ok {
 ruleMap[key] = rule
@@ -257,6 +278,25 @@ func GenerateRoles(ctx *genall.GenerationContext, roleName string) ([]interface{
 ruleMap[key] = rule
 }
+ // deduplicate URLs
+ // 1. create map based on key without URLs
+ ruleMapWithoutURLs := make(map[string][]*Rule)
+ for _, rule := range ruleMap {
+ // get key without Group
+ key := rule.keyWitGroupResourcesResourceNamesVerbs()
+ ruleMapWithoutURLs[key] = append(ruleMapWithoutURLs[key], rule)
+ }
+ // 2. merge to ruleMap
+ ruleMap = make(map[ruleKey]*Rule)
+ for _, rules := range ruleMapWithoutURLs {
+ rule := rules[0]
+ for _, mergeRule := range rules[1:] {
+ rule.URLs = append(rule.URLs, mergeRule.URLs...)
+ }
+ key := rule.key()
+ ruleMap[key] = rule
+ }
+
 // sort the Rules in rules according to their ruleKeys
 keys := make([]ruleKey, 0, len(ruleMap))
 for key := range ruleMap {