wip

castai · Nov 5, 2024 · 02bdb6d · 02bdb6d
1 parent 4a3f219
commit 02bdb6d
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 15 deletions.
diff --git a/cmd/controller/run.go b/cmd/controller/run.go
@@ -190,7 +190,7 @@ func runController(
 
 		if isGKE {
 			log.Info("auto approve csr started as running on GKE")
-			csrMgr := csr.NewApprovalManager(log, clientset)
+			csrMgr := csr.NewApprovalManager(log, clientset, cfg.ServiceAccount)
 			csrMgr.Start(ctx)
 		}
 

diff --git a/internal/actions/csr/csr.go b/internal/actions/csr/csr.go
@@ -273,7 +273,7 @@ func getNodeCSRV1Beta1(ctx context.Context, client kubernetes.Interface, nodeNam
 	return nil, ErrNodeCertificateNotFound
 }
 
-func WatchCastAINodeCSRs(ctx context.Context, log logrus.FieldLogger, client kubernetes.Interface, c chan *Certificate) {
+func WatchCastAINodeCSRs(ctx context.Context, clusterControllerServiceAccount string, log logrus.FieldLogger, client kubernetes.Interface, c chan *Certificate) {
 	var w watch.Interface
 	var err error
 	b := waitext.DefaultExponentialBackoff()
@@ -313,11 +313,11 @@ func WatchCastAINodeCSRs(ctx context.Context, log logrus.FieldLogger, client kub
 		case event, ok := <-w.ResultChan():
 			if !ok {
 				log.Info("watcher closed")
-				go WatchCastAINodeCSRs(ctx, log, client, c) // start over in case of any error.
+				go WatchCastAINodeCSRs(ctx, clusterControllerServiceAccount, log, client, c) // start over in case of any error.
 				return
 			}
 
-			cert, err := toCertificate(event)
+			cert, err := toCertificate(event, clusterControllerServiceAccount, log)
 			if err != nil {
 				log.Warnf("toCertificate: skipping csr event: %v", err)
 				continue
@@ -354,18 +354,20 @@ var (
 	errNonCastAINode        = errors.New("not a castai node")
 )
 
-func toCertificate(event watch.Event) (cert *Certificate, err error) {
+func toCertificate(event watch.Event, clusterControllerServiceAccount string, log logrus.FieldLogger) (cert *Certificate, err error) {
 	var name string
 	var request []byte
 
 	isOutdated := false
 	switch e := event.Object.(type) {
 	case *certv1.CertificateSigningRequest:
+		log.Printf("certv1.CertificateSigningRequest: %s", e.Name)
 		name = e.Name
 		request = e.Spec.Request
 		cert = &Certificate{Name: name, v1: e, RequestingUser: e.Spec.Username}
 		isOutdated = e.CreationTimestamp.Add(csrTTL).Before(time.Now())
 	case *certv1beta1.CertificateSigningRequest:
+		log.Printf("certv1.CertificateSigningRequest: %s", e.Name)
 		name = e.Name
 		request = e.Spec.Request
 		cert = &Certificate{Name: name, v1Beta1: e, RequestingUser: e.Spec.Username}
@@ -381,7 +383,7 @@ func toCertificate(event watch.Event) (cert *Certificate, err error) {
 	// Since we only have one handler per CSR/certificate name,
 	// which is the node name, we can process the controller's certificates and kubelet-bootstrap`s.
 	// This covers the case when the controller restarts but the bootstrap certificate was deleted without our own certificate being approved.
-	if cert.RequestingUser != "kubelet-bootstrap" && cert.RequestingUser != "system:serviceaccount:castai-agent:castai-cluster-controller" {
+	if cert.RequestingUser != "kubelet-bootstrap" && cert.RequestingUser != clusterControllerServiceAccount {
 		return nil, fmt.Errorf("csr with certificate Name: %v RequestingUser: %v %w", cert.Name, cert.RequestingUser, errOwner)
 	}
 

diff --git a/internal/actions/csr/svc.go b/internal/actions/csr/svc.go
@@ -19,10 +19,11 @@ const (
 	approveCSRTimeout = 4 * time.Minute
 )
 
-func NewApprovalManager(log logrus.FieldLogger, clientset kubernetes.Interface) *ApprovalManager {
+func NewApprovalManager(log logrus.FieldLogger, clientset kubernetes.Interface, clusterControllerServiceAccount string) *ApprovalManager {
 	return &ApprovalManager{
-		log:       log,
-		clientset: clientset,
+		log:                             log,
+		clientset:                       clientset,
+		clusterControllerServiceAccount: clusterControllerServiceAccount,
 	}
 }
 
@@ -31,6 +32,8 @@ type ApprovalManager struct {
 	clientset         kubernetes.Interface
 	cancelAutoApprove context.CancelFunc
 
+	clusterControllerServiceAccount string
+
 	inProgress map[string]struct{} // one handler per csr/certificate Name.
 	m          sync.Mutex          // Used to make sure there is just one watcher running.
 }
@@ -110,7 +113,7 @@ func (h *ApprovalManager) runAutoApproveForCastAINodes(ctx context.Context) {
 
 	log := h.log.WithField("RunAutoApprove", "auto-approve-csr")
 	c := make(chan *Certificate, 1)
-	go WatchCastAINodeCSRs(ctx, log, h.clientset, c)
+	go WatchCastAINodeCSRs(ctx, h.clusterControllerServiceAccount, log, h.clientset, c)
 
 	for {
 		select {

diff --git a/internal/actions/csr/svc_test.go b/internal/actions/csr/svc_test.go
@@ -76,7 +76,7 @@ func TestCSRApprove(t *testing.T) {
 		csrName := "node-csr-123"
 		userName := "kubelet-bootstrap"
 		client := fake.NewClientset(getCSRv1(csrName, userName))
-		s := NewApprovalManager(log, client)
+		s := NewApprovalManager(log, client, "system:serviceaccount:castai-agent:castai-cluster-controller")
 		watcher := watch.NewFake()
 		client.PrependWatchReactor("certificatesigningrequests", ktest.DefaultWatchReactor(watcher, nil))
 
@@ -109,7 +109,7 @@ func TestCSRApprove(t *testing.T) {
 		csrName := "123"
 		userName := "kubelet-bootstrap"
 		client := fake.NewClientset(getCSRv1(csrName, userName))
-		s := NewApprovalManager(log, client)
+		s := NewApprovalManager(log, client, "system:serviceaccount:castai-agent:castai-cluster-controller")
 		watcher := watch.NewFake()
 		client.PrependWatchReactor("certificatesigningrequests", ktest.DefaultWatchReactor(watcher, nil))
 

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/sirupsen/logrus"
@@ -28,6 +29,7 @@ type Config struct {
 
 	MonitorMetadataPath string `mapstructure:"monitor_metadata"`
 	SelfPod             Pod    `mapstructure:"self_pod"`
+	ServiceAccount      string `mapstructure:"service_account_name"`
 }
 
 type Pod struct {
@@ -90,6 +92,8 @@ func Get() Config {
 	_ = viper.BindEnv("self_pod.node", "KUBERNETES_NODE_NAME")
 	_ = viper.BindEnv("self_pod.name", "KUBERNETES_POD")
 	_ = viper.BindEnv("self_pod.namespace", "LEADER_ELECTION_NAMESPACE")
+	// TODO([email protected]): update helm charts
+	_ = viper.BindEnv("service_account_name", "SERVICE_ACCOUNT")
 
 	cfg = &Config{}
 	if err := viper.Unmarshal(&cfg); err != nil {
@@ -115,6 +119,12 @@ func Get() Config {
 		required("LEADER_ELECTION_NAMESPACE")
 	}
 
+	if !strings.HasPrefix(cfg.ServiceAccount, "system:serviceaccount:") {
+		cfg.ServiceAccount = "system:serviceaccount:" + cfg.SelfPod.Namespace + ":" + cfg.ServiceAccount
+	} else if cfg.ServiceAccount == "" {
+		cfg.ServiceAccount = "system:serviceaccount:castai-agent:castai-cluster-controller"
+	}
+
 	if cfg.LeaderElection.Enabled {
 		if cfg.LeaderElection.LockName == "" {
 			required("LEADER_ELECTION_LOCK_NAME")

diff --git a/internal/config/config_test.go b/internal/config/config_test.go
@@ -35,7 +35,8 @@ func TestConfig(t *testing.T) {
 		SelfPod: Pod{
 			Namespace: "castai-agent",
 		},
-		ClusterID: "c1",
+		ServiceAccount: "system:serviceaccount:castai-agent:castai-cluster-controller",
+		ClusterID:      "c1",
 		LeaderElection: LeaderElection{
 			Enabled:            true,
 			LockName:           "castai-cluster-controller",

diff --git a/main.go b/main.go
@@ -12,9 +12,9 @@ import (
 
 // These should be set via `go build` during a release.
 var (
-	GitCommit = "undefined"
+	GitCommit = "4a3f219"
 	GitRef    = "no-ref"
-	Version   = "local"
+	Version   = "v0.54.6"
 )
 
 func main() {