Merge pull request fluxcd#742 from fluxcd/refactor-impersonation

Refactor: Use impersonation from `fluxcd/pkg/runtime/client`
brexhq · Oct 7, 2022 · ce46ec8 · ce46ec8
2 parents 3086ae4 + 06e91e0
commit ce46ec8
Show file tree

Hide file tree

Showing 23 changed files with 66 additions and 318 deletions.
diff --git a/api/go.mod b/api/go.mod
@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	github.com/fluxcd/pkg/apis/kustomize v0.6.0
-	github.com/fluxcd/pkg/apis/meta v0.16.0
+	github.com/fluxcd/pkg/apis/meta v0.17.0
 	k8s.io/apiextensions-apiserver v0.25.2
 	k8s.io/apimachinery v0.25.2
 	sigs.k8s.io/controller-runtime v0.13.0

diff --git a/api/go.sum b/api/go.sum
@@ -3,8 +3,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fluxcd/pkg/apis/kustomize v0.6.0 h1:Afxv3Uv+xiuettzqm3sP0ceWikDZTfHdHtLv6u2nFM8=
 github.com/fluxcd/pkg/apis/kustomize v0.6.0/go.mod h1:iY0zSpK6eUiPfNt/yR6g0q/wQP+wH+Ax/L7KBOx5x2M=
-github.com/fluxcd/pkg/apis/meta v0.16.0 h1:6Mj9rB0TtvCeTe3IlQDc1i2DH75Oosea9yUqS7XafVg=
-github.com/fluxcd/pkg/apis/meta v0.16.0/go.mod h1:GrOVzWXiu22XjLNgLLe2EBYhQPqZetes5SIADb4bmHE=
+github.com/fluxcd/pkg/apis/meta v0.17.0 h1:Y2dfo1syHZDb9Mexjr2SWdcj1FnxnRXm015hEnhl6wU=
+github.com/fluxcd/pkg/apis/meta v0.17.0/go.mod h1:GrOVzWXiu22XjLNgLLe2EBYhQPqZetes5SIADb4bmHE=
 github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=

diff --git a/api/v1beta2/kustomization_types.go b/api/v1beta2/kustomization_types.go
@@ -68,7 +68,7 @@ type KustomizationSpec struct {
 	// a controller level fallback for when KustomizationSpec.ServiceAccountName
 	// is empty.
 	// +optional
-	KubeConfig *KubeConfig `json:"kubeConfig,omitempty"`
+	KubeConfig *meta.KubeConfigReference `json:"kubeConfig,omitempty"`
 
 	// Path to the directory containing the kustomization.yaml file, or the
 	// set of plain YAMLs a kustomization.yaml should be generated for.
@@ -168,21 +168,6 @@ type Decryption struct {
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 }
 
-// KubeConfig references a Kubernetes secret that contains a kubeconfig file.
-type KubeConfig struct {
-	// SecretRef holds the name of a secret that contains a key with
-	// the kubeconfig file as the value. If no key is set, the key will default
-	// to 'value'. The secret must be in the same namespace as
-	// the Kustomization.
-	// It is recommended that the kubeconfig is self-contained, and the secret
-	// is regularly updated if credentials such as a cloud-access-token expire.
-	// Cloud specific `cmd-path` auth helpers will not function without adding
-	// binaries and credentials to the Pod that is responsible for reconciling
-	// the Kustomization.
-	// +required
-	SecretRef meta.SecretKeyReference `json:"secretRef,omitempty"`
-}
-
 // PostBuild describes which actions to perform on the YAML manifest
 // generated by building the kustomize overlay.
 type PostBuild struct {

diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/config/crd/bases/kustomize.toolkit.fluxcd.io_kustomizations.yaml b/config/crd/bases/kustomize.toolkit.fluxcd.io_kustomizations.yaml
@@ -699,12 +699,12 @@ spec:
                   secretRef:
                     description: SecretRef holds the name of a secret that contains
                       a key with the kubeconfig file as the value. If no key is set,
-                      the key will default to 'value'. The secret must be in the same
-                      namespace as the Kustomization. It is recommended that the kubeconfig
-                      is self-contained, and the secret is regularly updated if credentials
-                      such as a cloud-access-token expire. Cloud specific `cmd-path`
-                      auth helpers will not function without adding binaries and credentials
-                      to the Pod that is responsible for reconciling the Kustomization.
+                      the key will default to 'value'. It is recommended that the
+                      kubeconfig is self-contained, and the secret is regularly updated
+                      if credentials such as a cloud-access-token expire. Cloud specific
+                      `cmd-path` auth helpers will not function without adding binaries
+                      and credentials to the Pod that is responsible for reconciling
+                      Kubernetes resources.
                     properties:
                       key:
                         description: Key in the Secret, when not specified an implementation-specific
@@ -716,6 +716,8 @@ spec:
                     required:
                     - name
                     type: object
+                required:
+                - secretRef
                 type: object
               patches:
                 description: Strategic merge and JSON patches, defined as inline YAML

diff --git a/controllers/kustomization_acl_test.go b/controllers/kustomization_acl_test.go
@@ -88,7 +88,7 @@ stringData:
 		Spec: kustomizev1.KustomizationSpec{
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
+			KubeConfig: &meta.KubeConfigReference{
 				SecretRef: meta.SecretKeyReference{
 					Name: "kubeconfig",
 				},

diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go
@@ -363,7 +363,16 @@ func (r *KustomizationReconciler) reconcile(
 	}
 
 	// setup the Kubernetes client for impersonation
-	impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.KubeConfigOpts, r.PollingOpts)
+	impersonation := runtimeClient.NewImpersonator(
+		r.Client,
+		r.StatusPoller,
+		r.PollingOpts,
+		kustomization.Spec.KubeConfig,
+		r.KubeConfigOpts,
+		r.DefaultServiceAccount,
+		kustomization.Spec.ServiceAccountName,
+		kustomization.GetNamespace(),
+	)
 	kubeClient, statusPoller, err := impersonation.GetClient(ctx)
 	if err != nil {
 		return kustomizev1.KustomizationNotReady(
@@ -923,8 +932,17 @@ func (r *KustomizationReconciler) finalize(ctx context.Context, kustomization ku
 		kustomization.Status.Inventory.Entries != nil {
 		objects, _ := ListObjectsInInventory(kustomization.Status.Inventory)
 
-		impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.KubeConfigOpts, r.PollingOpts)
-		if impersonation.CanFinalize(ctx) {
+		impersonation := runtimeClient.NewImpersonator(
+			r.Client,
+			r.StatusPoller,
+			r.PollingOpts,
+			kustomization.Spec.KubeConfig,
+			r.KubeConfigOpts,
+			r.DefaultServiceAccount,
+			kustomization.Spec.ServiceAccountName,
+			kustomization.GetNamespace(),
+		)
+		if impersonation.CanImpersonate(ctx) {
 			kubeClient, _, err := impersonation.GetClient(ctx)
 			if err != nil {
 				return ctrl.Result{}, err

diff --git a/controllers/kustomization_decryptor_test.go b/controllers/kustomization_decryptor_test.go
@@ -125,7 +125,7 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
 		Spec: kustomizev1.KustomizationSpec{
 			Interval: metav1.Duration{Duration: 2 * time.Minute},
 			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
+			KubeConfig: &meta.KubeConfigReference{
 				SecretRef: meta.SecretKeyReference{
 					Name: "kubeconfig",
 				},

diff --git a/controllers/kustomization_dependson_test.go b/controllers/kustomization_dependson_test.go
@@ -119,7 +119,7 @@ spec:
 		Spec: kustomizev1.KustomizationSpec{
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
+			KubeConfig: &meta.KubeConfigReference{
 				SecretRef: meta.SecretKeyReference{
 					Name: "kubeconfig",
 				},

diff --git a/controllers/kustomization_fetcher_test.go b/controllers/kustomization_fetcher_test.go
@@ -85,7 +85,7 @@ stringData:
 		Spec: kustomizev1.KustomizationSpec{
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
+			KubeConfig: &meta.KubeConfigReference{
 				SecretRef: meta.SecretKeyReference{
 					Name: "kubeconfig",
 				},

diff --git a/controllers/kustomization_force_test.go b/controllers/kustomization_force_test.go
@@ -85,7 +85,7 @@ stringData:
 		Spec: kustomizev1.KustomizationSpec{
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
+			KubeConfig: &meta.KubeConfigReference{
 				SecretRef: meta.SecretKeyReference{
 					Name: "kubeconfig",
 				},

diff --git a/controllers/kustomization_fuzzer_test.go b/controllers/kustomization_fuzzer_test.go
@@ -210,7 +210,7 @@ func Fuzz_Controllers(f *testing.F) {
 				},
 				Spec: kustomizev1.KustomizationSpec{
 					Path: "./",
-					KubeConfig: &kustomizev1.KubeConfig{
+					KubeConfig: &meta.KubeConfigReference{
 						SecretRef: meta.SecretKeyReference{
 							Name: "kubeconfig",
 						},