Merge pull request #915 from equinor/remove-machine-user

remove machine user related code

charts/radix-operator/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: radix-operator
-version: 1.21.5
-appVersion: 1.41.5
+version: 1.21.6
+appVersion: 1.41.6
 kubeVersion: ">=1.24.0"
 description: Radix Operator
 keywords:

docs/RBAC.md

@@ -236,10 +236,6 @@ charts/radix-operator/templates/radix-apps-rbac.yaml|clusterrole|radix-webhook
 charts/radix-operator/templates/radix-apps-rbac.yaml|clusterrole|radix-api
 pkg/apis/application/serviceaccount.go:applyPipelineServiceAccount|serviceaccount|radix-pipeline
 pkg/apis/application/serviceaccount.go:applyRadixTektonServiceAccount|serviceaccount|radix-tekton
-pkg/apis/application/serviceaccount.go:applyMachineUserServiceAccount|serviceaccount|`application`-machine-user
-pkg/apis/application/serviceaccount.go:applyMachineUserServiceAccount|clusterrolebinding|`application`-machine-user
-pkg/apis/application/serviceaccount.go:GrantAppAdminAccessToMachineUserToken|role|`application`-machine-user-token
-pkg/apis/application/serviceaccount.go:GrantAppAdminAccessToMachineUserToken|rolebinding|`application`-machine-user-token
 pkg/apis/application/roles.go:rrUserClusterRole|clusterrole|radix-platform-user-rr-`application`
 pkg/apis/application/roles.go:rrPipelineClusterRole|clusterrole|radix-pipeline-rr-`application`
 pkg/apis/application/roles.go:radixTektonRole|role|radix-tekton

pkg/apis/alert/alert_test.go

@@ -6,7 +6,6 @@ import (
 	"testing"
 
 	"github.com/equinor/radix-common/utils"
-	"github.com/equinor/radix-operator/pkg/apis/defaults"
 	"github.com/equinor/radix-operator/pkg/apis/kube"
 	radixv1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
 	"github.com/equinor/radix-operator/pkg/apis/test"
@@ -105,7 +104,7 @@ func (s *alertTestSuite) Test_OnSync_ResourcesCreated() {
 	appName, alertName, alertUID, namespace, adGroup := "any-app", "any-alert", types.UID("alert-uid"), "any-ns", "any-group"
 	rr := &radixv1.RadixRegistration{
 		ObjectMeta: metav1.ObjectMeta{Name: appName},
-		Spec:       radixv1.RadixRegistrationSpec{AdGroups: []string{adGroup}, MachineUser: true},
+		Spec:       radixv1.RadixRegistrationSpec{AdGroups: []string{adGroup}},
 	}
 	s.radixClient.RadixV1().RadixRegistrations().Create(context.Background(), rr, metav1.CreateOptions{})
 	radixalert := &radixv1.RadixAlert{
@@ -224,8 +223,8 @@ func (s *alertTestSuite) Test_OnSync_Rbac_ConfiguredCorrectly() {
 		Spec:       radixv1.RadixAlertSpec{},
 	}
 	radixalert, _ = s.radixClient.RadixV1().RadixAlerts(namespace).Create(context.Background(), radixalert, metav1.CreateOptions{})
-	rr := &radixv1.RadixRegistration{ObjectMeta: metav1.ObjectMeta{Name: appName}, Spec: radixv1.RadixRegistrationSpec{AdGroups: []string{adGroup1, adGroup2}, MachineUser: true}}
-	rr, _ = s.radixClient.RadixV1().RadixRegistrations().Create(context.Background(), rr, metav1.CreateOptions{})
+	rr := &radixv1.RadixRegistration{ObjectMeta: metav1.ObjectMeta{Name: appName}, Spec: radixv1.RadixRegistrationSpec{AdGroups: []string{adGroup1, adGroup2}}}
+	s.radixClient.RadixV1().RadixRegistrations().Create(context.Background(), rr, metav1.CreateOptions{})
 
 	sut := s.createAlertSyncer(radixalert)
 	err := sut.OnSync()
@@ -236,27 +235,14 @@ func (s *alertTestSuite) Test_OnSync_Rbac_ConfiguredCorrectly() {
 	actualRoleBinding, _ := s.kubeClient.RbacV1().RoleBindings(namespace).Get(context.Background(), getAlertConfigSecretRoleName(alertName), metav1.GetOptions{})
 	s.Equal(actualRole.Name, actualRoleBinding.RoleRef.Name, "rolebinding role reference not as expected")
 	s.Equal("Role", actualRoleBinding.RoleRef.Kind, "rolebinding role kind not as expected")
-	s.Len(actualRoleBinding.Subjects, 3, "rolebinding subject count not as expected")
+	s.Len(actualRoleBinding.Subjects, 2, "rolebinding subject count not as expected")
 	actualSubject, found := s.getSubjectByName(actualRoleBinding.Subjects, adGroup1)
 	s.True(found, "group1 not found in rolebinding")
 	s.Equal(rbacv1.GroupKind, actualSubject.Kind, "incorrect kind for group1")
 	actualSubject, found = s.getSubjectByName(actualRoleBinding.Subjects, adGroup2)
 	s.True(found, "group2 not found in rolebinding")
 	s.Equal(rbacv1.GroupKind, actualSubject.Kind, "incorrect kind for group2")
-	actualSubject, found = s.getSubjectByName(actualRoleBinding.Subjects, defaults.GetMachineUserRoleName(appName))
-	s.True(found, "machineuser not found in rolebinding")
-	s.Equal(rbacv1.ServiceAccountKind, actualSubject.Kind, "incorrect kind for machineuser")
-
-	// Disable machine user and remove group2 from RR
-	rr.Spec.MachineUser = false
-	rr.Spec.AdGroups = []string{adGroup1}
-	s.radixClient.RadixV1().RadixRegistrations().Update(context.Background(), rr, metav1.UpdateOptions{})
-	err = sut.OnSync()
-	s.Nil(err)
-	actualRoleBinding, _ = s.kubeClient.RbacV1().RoleBindings(namespace).Get(context.Background(), getAlertConfigSecretRoleName(alertName), metav1.GetOptions{})
-	s.Len(actualRoleBinding.Subjects, 1, "rolebinding subject count not as expected")
-	actualSubject, found = s.getSubjectByName(actualRoleBinding.Subjects, adGroup1)
-	s.True(found, "group1 not found in rolebinding after updating RR")
+
 }
 
 func (s *alertTestSuite) Test_OnSync_Secret_RemoveOrphanedKeys() {

pkg/apis/alert/rbac.go

@@ -4,11 +4,9 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/equinor/radix-operator/pkg/apis/defaults"
 	"github.com/equinor/radix-operator/pkg/apis/kube"
 	radixv1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
 	"github.com/equinor/radix-operator/pkg/apis/utils"
-	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -83,16 +81,6 @@ func (syncer *alertSyncer) grantAccessToAlertConfigSecret(rr *radixv1.RadixRegis
 	}
 
 	subjects := kube.GetRoleBindingGroups(adGroups)
-
-	// Add machine user to subjects
-	if rr.Spec.MachineUser {
-		subjects = append(subjects, rbacv1.Subject{
-			Kind:      "ServiceAccount",
-			Name:      defaults.GetMachineUserRoleName(rr.Name),
-			Namespace: utils.GetAppNamespace(rr.Name),
-		})
-	}
-
 	rolebinding := kube.GetRolebindingToRoleWithLabelsForSubjects(roleName, subjects, role.Labels)
 	rolebinding.OwnerReferences = syncer.getOwnerReference()
 	return syncer.kubeUtil.ApplyRoleBinding(namespace, rolebinding)

pkg/apis/application/application.go

@@ -12,16 +12,12 @@ import (
 	"github.com/equinor/radix-operator/pkg/apis/utils"
 	radixclient "github.com/equinor/radix-operator/pkg/client/clientset/versioned"
 	log "github.com/sirupsen/logrus"
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 )
 
 var logger *log.Entry
 
-// GranterFunction Handle to granter function for granting access to service account token
-type GranterFunction func(kubeutil *kube.Kube, app *v1.RadixRegistration, namespace string, serviceAccount *corev1.ServiceAccount) error
-
 // Application Instance variables
 type Application struct {
 	kubeclient   kubernetes.Interface
@@ -47,13 +43,6 @@ func NewApplication(
 // OnSync compares the actual state with the desired, and attempts to
 // converge the two
 func (app Application) OnSync() error {
-	// The grantAppAdminAccessToMachineUserToken cannot be a part of out automated tests as it assues the
-	// secret for the token is automatically created
-	return app.OnSyncWithGranterToMachineUserToken(GrantAppAdminAccessToMachineUserToken)
-}
-
-// OnSyncWithGranterToMachineUserToken OnSync where handler is passed in, as the granter function cannot be tested and has to be mocked
-func (app Application) OnSyncWithGranterToMachineUserToken(machineUserTokenGranter GranterFunction) error {
 	radixRegistration := app.registration
 	logger = log.WithFields(log.Fields{"registrationName": radixRegistration.GetName()})
 
@@ -62,21 +51,6 @@ func (app Application) OnSyncWithGranterToMachineUserToken(machineUserTokenGrant
 		logger.Errorf("Failed to create app namespace. %v", err)
 		return err
 	}
-
-	if app.registration.Spec.MachineUser {
-		_, err = app.applyMachineUserServiceAccount(machineUserTokenGranter)
-		if err != nil {
-			logger.Errorf("Failed to create machine user. %v", err)
-			return err
-		}
-	} else {
-		err := app.garbageCollectMachineUserNoLongerInSpec()
-		if err != nil {
-			logger.Errorf("Failed to perform garbage collection of machine user resources: %v", err)
-			return err
-		}
-	}
-
 	logger.Debugf("App namespace created")
 
 	err = app.createLimitRangeOnAppNamespace(utils.GetAppNamespace(radixRegistration.Name))
@@ -158,23 +132,3 @@ func (app *Application) updateRadixRegistrationStatus(rr *v1.RadixRegistration,
 		return err
 	})
 }
-
-// Garbage collect machine user resources
-func (app Application) garbageCollectMachineUserNoLongerInSpec() error {
-	err := app.garbageCollectMachineUserServiceAccount()
-	if err != nil {
-		logger.Errorf("Failed to perform garbage collection of service account: %v", err)
-		return err
-	}
-	err = app.removeMachineUserFromPlatformUserRole()
-	if err != nil {
-		logger.Errorf("Failed to remove machine user from platform user role: %v", err)
-		return err
-	}
-	err = app.removeAppAdminAccessToMachineUserToken()
-	if err != nil {
-		logger.Errorf("Failed to remove app admin access to machine user: %v", err)
-		return err
-	}
-	return nil
-}