From f556d864d1e74d7f15afbdf4c90dd569f26b8367 Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Fri, 10 Jan 2025 16:15:55 +0000
Subject: [PATCH] Add rbac to delete collection as well.
---
 chart/Chart.yaml | 4 +-
 chart/values.yaml | 2 +-
 config/rbac/role.yaml | 135 +++++++++---------
 .../raczylo.com/clusterimage_controller.go | 17 ++-
 .../clusterimageexport_controller.go | 8 +-
 5 files changed, 94 insertions(+), 72 deletions(-)
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index cc090d8..ba66fea 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -10,9 +10,9 @@ description: |
 type: application
-version: 0.2.43
+version: 0.2.44
-appVersion: "0.2.43"
+appVersion: "0.2.44"
 home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator
diff --git a/chart/values.yaml b/chart/values.yaml
index fe6cead..8142d7b 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -12,7 +12,7 @@ sa:
 - ALL
 image:
 repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator
- tag: 0.2.43
+ tag: 0.2.44
 resources:
 limits:
 cpu: 500m
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index e399ae8..4524309 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -4,70 +4,71 @@ kind: ClusterRole
 metadata:
 name: impex-mgr
 rules:
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - apps
- resources:
- - daemonsets
- - deployments
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - batch
- resources:
- - cronjobs
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - batch
- resources:
- - jobs
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - raczylo.com
- resources:
- - '*'
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - raczylo.com
- resources:
- - '*/finalizers'
- verbs:
- - update
-- apiGroups:
- - raczylo.com
- resources:
- - '*/status'
- verbs:
- - get
- - patch
- - update
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - raczylo.com
+ resources:
+ - "*"
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - raczylo.com
+ resources:
+ - "*/finalizers"
+ verbs:
+ - update
+ - apiGroups:
+ - raczylo.com
+ resources:
+ - "*/status"
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/internal/controller/raczylo.com/clusterimage_controller.go b/internal/controller/raczylo.com/clusterimage_controller.go
index 06e614f..b0b8b10 100644
--- a/internal/controller/raczylo.com/clusterimage_controller.go
+++ b/internal/controller/raczylo.com/clusterimage_controller.go
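Review bot: The added `deletecollection` verb on core `pods` sits in a ClusterRole, so if `impex-mgr` is bound through a ClusterRoleBinding the controller's service account can bulk-delete pods in every namespace with a single request, which is a wider grant than the per-object `delete` it already had. The hunk does not show which call needs it; if it only cleans up the operator's own job pods, a namespaced Role in the namespaces the operator manages would keep the grant to least privilege. The one-line permission change is also buried in a re-indentation of the whole rules list, which makes the RBAC delta hard to audit; a separate formatting commit would help. If this file is generated from `+kubebuilder:rbac` markers, the marker in the controller source should carry the new verb too, otherwise regeneration would presumably drop it.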
@@ -345,11 +345,26 @@ func (r *ClusterImageReconciler) createBackupJob(ctx context.Context, clusterIma
 }
 defaultCommands = append(defaultCommands, "rm -f /tmp/"+normalisedImageName+".tar")
+ // Merge annotations from different sources
+ mergedAnnotations := make(map[string]string)
+ // 1. Add ClusterImageExport metadata annotations
+ for k, v := range clusterImageExport.Annotations {
+ mergedAnnotations[k] = v
+ }
+ // 2. Add ClusterImage metadata annotations
+ for k, v := range clusterImage.Annotations {
+ mergedAnnotations[k] = v
+ }
+ // 3. Add job-specific annotations from spec (these take precedence)
+ for k, v := range clusterImage.Spec.JobAnnotations {
+ mergedAnnotations[k] = v
+ }
+
 jobParams := shared.JobParams{
 Name: fmt.Sprintf("img-export-%s", clusterImage.Name),
 Namespace: clusterImage.Namespace,
 Image: shared.BACKUP_JOB_IMAGE,
- Annotations: clusterImage.Spec.JobAnnotations,
+ Annotations: mergedAnnotations,
 Commands: defaultCommands,
 ServiceAccount: "",
 ImagePullSecrets: clusterImage.Spec.ImagePullSecrets,
diff --git a/internal/controller/raczylo.com/clusterimageexport_controller.go b/internal/controller/raczylo.com/clusterimageexport_controller.go
index 47ad5f2..7b1d508 100644
--- a/internal/controller/raczylo.com/clusterimageexport_controller.go
+++ b/internal/controller/raczylo.com/clusterimageexport_controller.go
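Review bot: The first two loops copy every metadata annotation from the ClusterImageExport and the ClusterImage onto the job, including tool-managed keys such as `kubectl.kubernetes.io/last-applied-configuration`, which holds a full copy of the applied object. That exposes the CR's spec to anyone who can read the resulting Job (and its pods, if `JobParams.Annotations` reaches the pod template, which this hunk does not show), and it lets whoever can annotate either CR set annotations that admission webhooks or sidecar injectors may act on. Filtering to an allow-list, or at least skipping tool-managed prefixes with `if strings.HasPrefix(k, "kubectl.kubernetes.io/") { continue }`, would keep the inheritance intentional. The same unfiltered copy of `clusterImageExport.Annotations` is added in runCleanupJob in clusterimageexport_controller.go; createBackupJob's body continues outside this hunk.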
@@ -400,11 +400,17 @@ func (r *ClusterImageExportReconciler) runCleanupJob(ctx context.Context, cluste
 backoffLimit := int32(2) // 3 total attempts (initial + 2 retries)
 ttlSecondsAfterFinished := int32(30) // Delete job 30 seconds after completion
- // Merge controller pod annotations with job annotations
+ // Merge annotations from different sources
 mergedAnnotations := make(map[string]string)
+ // 1. Add CRD metadata annotations
+ for k, v := range clusterImageExport.Annotations {
+ mergedAnnotations[k] = v
+ }
+ // 2. Add controller pod annotations
 for k, v := range r.podAnnotations {
 mergedAnnotations[k] = v
 }
+ // 3. Add job-specific annotations from spec (these take precedence)
 for k, v := range clusterImageExport.Spec.JobAnnotations {
 mergedAnnotations[k] = v
 }
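Review bot: The annotation merge in runCleanupJob is now three hand-written copy loops, and the same pattern is added to createBackupJob in clusterimage_controller.go with a different set of layers: this site places `r.podAnnotations` between the CR metadata and the spec annotations, while the other omits them. If that difference is intended it deserves a comment; either way a single helper taking the layers in precedence order would make the order explicit at each call site and give one place to filter keys before they reach a job. The sketch below shows the helper and the call that would replace the loops; runCleanupJob's body starts and ends outside this hunk.

```go
// mergeAnnotations copies the given maps, in order, into a new map;
// later layers win on key conflicts. Nil layers are skipped naturally.
func mergeAnnotations(layers ...map[string]string) map[string]string {
	merged := make(map[string]string)
	for _, layer := range layers {
		for k, v := range layer {
			merged[k] = v
		}
	}
	return merged
}

// … unchanged: backoffLimit and ttlSecondsAfterFinished setup …
mergedAnnotations := mergeAnnotations(
	clusterImageExport.Annotations,         // CR metadata (lowest precedence)
	r.podAnnotations,                       // controller pod annotations
	clusterImageExport.Spec.JobAnnotations, // job-specific, wins on conflict
)
```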