diff --git a/pkg/common/scc.go b/pkg/common/scc.go index 0d96985532..c3f4ba61fc 100644 --- a/pkg/common/scc.go +++ b/pkg/common/scc.go @@ -41,12 +41,12 @@ func GetSecurityClient(ctx context.Context) *security.Clientset { return securityClient } -func VerifySCCExists(ctx context.Context, sccName string, securityClient security.Interface) error { +func VerifySCCExists(ctx context.Context, sccName string, securityClient *security.Clientset) error { _, err := securityClient.SecurityV1().SecurityContextConstraints().Get(ctx, sccName, metav1.GetOptions{}) return err } -func GetSCCRestrictiveList(ctx context.Context, securityClient security.Interface) ([]*securityv1.SecurityContextConstraints, error) { +func GetSCCRestrictiveList(ctx context.Context, securityClient *security.Clientset) ([]*securityv1.SecurityContextConstraints, error) { logger := logging.FromContext(ctx) sccList, err := securityClient.SecurityV1().SecurityContextConstraints().List(ctx, metav1.ListOptions{}) if err != nil { diff --git a/pkg/reconciler/common/common.go b/pkg/reconciler/common/common.go index 1f924e45ae..87e07417a4 100644 --- a/pkg/reconciler/common/common.go +++ b/pkg/reconciler/common/common.go @@ -32,7 +32,7 @@ const ( PipelineNotFound = "tekton-pipelines not installed" TriggerNotReady = "tekton-triggers not ready" TriggerNotFound = "tekton-triggers not installed" - NamespaceIgnorePattern = "^(openshift|kube|open-cluster-management|package-operator)-" + NamespaceIgnorePattern = "^(openshift|kube)-" ) func PipelineReady(informer informer.TektonPipelineInformer) (*v1alpha1.TektonPipeline, error) { diff --git a/pkg/reconciler/openshift/const.go b/pkg/reconciler/openshift/const.go index 4194a65226..62ec9ccda7 100644 --- a/pkg/reconciler/openshift/const.go +++ b/pkg/reconciler/openshift/const.go 
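Review bot: `VerifySCCExists` and `GetSCCRestrictiveList` in pkg/common/scc.go now take the concrete `*security.Clientset`, so a fake or wrapped client can no longer be passed in and these SCC lookups cannot be exercised without a live API server. In the visible lines both functions only call `SecurityV1()` on the argument, so the parameter could stay `securityClient security.Interface`, and callers holding a `*security.Clientset` would still compile. The same applies to the `securityClientSet` field of the `rbac` struct in pkg/reconciler/openshift/tektonconfig/rbac.go. The body of `GetSCCRestrictiveList` continues outside the hunk.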
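Review bot: Narrowing `NamespaceIgnorePattern` to `^(openshift|kube)-` in pkg/reconciler/common/common.go means namespaces prefixed `open-cluster-management-` and `package-operator-` no longer match the ignore pattern. rbac.go compiles this constant into `nsRegex`; assuming that regex is what filters the namespaces to reconcile (the filter is not in this diff), those namespaces would start receiving the service account, role bindings and SCC binding that `createResources` provisions. If that is not intended, keep the two prefixes. Either way a comment above the constant would make the intent reviewable, e.g. `// NamespaceIgnorePattern matches namespaces the RBAC reconciler must never provision into.`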
@@ -5,8 +5,4 @@ const ( OperandOpenShiftPipelineAsCode = "openshift-pipeline-as-code" // NamespaceSCCAnnotation is used to set SCC for a given namespace NamespaceSCCAnnotation = "operator.tekton.dev/scc" - - // RbacProvisioningMaxConcurrentCalls is used to set a go routine pool size when - // we reconcile namespaces and do rbac provisonning - RbacProvisioningMaxConcurrentCalls = "OCP_RBAC_MAX_CONCURRENT_CALLS" ) diff --git a/pkg/reconciler/openshift/tektonconfig/common.go b/pkg/reconciler/openshift/tektonconfig/common.go index 9f49077652..be24543501 100644 --- a/pkg/reconciler/openshift/tektonconfig/common.go +++ b/pkg/reconciler/openshift/tektonconfig/common.go @@ -97,7 +97,8 @@ func deleteInstallerSet(ctx context.Context, oc versioned.Interface, tc *v1alpha // checkIfInstallerSetExist checks if installer set exists for a component and return true/false based on it // and if installer set which already exist is of older version then it deletes and return false to create a new // installer set -func checkIfInstallerSetExist(ctx context.Context, oc versioned.Interface, relVersion string) (*v1alpha1.TektonInstallerSet, error) { +func checkIfInstallerSetExist(ctx context.Context, oc versioned.Interface, relVersion string, + tc *v1alpha1.TektonConfig) (*v1alpha1.TektonInstallerSet, error) { labelSelector, err := common.LabelSelector(rbacInstallerSetSelector) if err != nil { diff --git a/pkg/reconciler/openshift/tektonconfig/init.go b/pkg/reconciler/openshift/tektonconfig/init.go deleted file mode 100644 index ebdbfb4e38..0000000000 --- a/pkg/reconciler/openshift/tektonconfig/init.go +++ /dev/null 
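Review bot: The doc comment above `checkIfInstallerSetExist` in tektonconfig/common.go no longer matches the signature: it says the function returns true/false while the signature returns `(*v1alpha1.TektonInstallerSet, error)`, and it does not mention the new `tc` parameter. The hunk shows no use of `tc` and the body continues outside it, so whether the parameter is read at all cannot be confirmed here; if it is unused it should not be added. Going by the existing comment, a replacement could read `// checkIfInstallerSetExist returns the RBAC installer set for relVersion, or nil when none exists or an outdated one was deleted.`, with one more line saying what `tc` is used for.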
@@ -1,70 +0,0 @@
-/*
-Copyright 2024 The Tekton Authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package tektonconfig
-
-import (
- "context"
- "os"
- "strconv"
-
- "github.com/tektoncd/operator/pkg/reconciler/openshift"
- "knative.dev/pkg/logging"
-)
-
-const (
- defaultRbacMaxConcurrentCalls = 20
- minRbacMaxConcurrentCalls = 1
- maxRbacMaxConcurrentCalls = 50
-)
-
-var rbacMaxConcurrentCalls int
-
-func init() {
- rbacMaxConcurrentCalls = loadRbacMaxConcurrentCalls()
-}
-
-func loadRbacMaxConcurrentCalls() int {
- logger := logging.FromContext(context.TODO())
- envValue := os.Getenv(openshift.RbacProvisioningMaxConcurrentCalls)
- if envValue == "" {
- return defaultRbacMaxConcurrentCalls
- }
- parsedValue, err := strconv.Atoi(envValue)
- if err != nil {
- logger.Infof("Failed to parse %s, setting to default: %d", openshift.RbacProvisioningMaxConcurrentCalls, defaultRbacMaxConcurrentCalls)
- return defaultRbacMaxConcurrentCalls
- }
- if parsedValue < minRbacMaxConcurrentCalls || parsedValue > maxRbacMaxConcurrentCalls {
- logger.Infof("Invalid value %d for %s. Valid range is [%d, %d]. Setting to default: %d",
- parsedValue,
- openshift.RbacProvisioningMaxConcurrentCalls,
- minRbacMaxConcurrentCalls,
- maxRbacMaxConcurrentCalls,
- defaultRbacMaxConcurrentCalls)
- return defaultRbacMaxConcurrentCalls
- }
-
- return parsedValue
-}
-
-func init() {
- rbacMaxConcurrentCalls = loadRbacMaxConcurrentCalls()
-}
-
-func getRBACMaxCalls() int {
- return rbacMaxConcurrentCalls
-}
diff --git a/pkg/reconciler/openshift/tektonconfig/init_test.go b/pkg/reconciler/openshift/tektonconfig/init_test.go
deleted file mode 100644
index 272e1761b6..0000000000
--- a/pkg/reconciler/openshift/tektonconfig/init_test.go
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
-Copyright 2024 The Tekton Authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package tektonconfig
-
-import (
- "os"
- "testing"
-
- "github.com/stretchr/testify/require"
- "github.com/tektoncd/operator/pkg/reconciler/openshift"
-)
-
-func TestLoadRbacMaxConcurrentCalls(t *testing.T) {
- for _, tt := range []struct {
- desc string
- envValue string
- expectedValue int
- }{
- {"empty envValue", "", defaultRbacMaxConcurrentCalls},
- {"valid envValue", "10", 10},
- {"below min envValue", "-1", defaultRbacMaxConcurrentCalls},
- {"above max envValye", "60", defaultRbacMaxConcurrentCalls},
- {"invalid envValue", "xyz", defaultRbacMaxConcurrentCalls},
- } {
- t.Run(tt.desc, func(t *testing.T) {
- os.Setenv(openshift.RbacProvisioningMaxConcurrentCalls, tt.envValue)
- result := loadRbacMaxConcurrentCalls()
- require.Equal(t, result, tt.expectedValue)
- })
- }
-}
diff --git a/pkg/reconciler/openshift/tektonconfig/rbac.go b/pkg/reconciler/openshift/tektonconfig/rbac.go
index 1c772438ec..bae76a95b6 100644
--- a/pkg/reconciler/openshift/tektonconfig/rbac.go
+++ b/pkg/reconciler/openshift/tektonconfig/rbac.go
@@ -21,7 +21,6 @@ import ( "fmt" "math" "regexp" - "sync" "time" security "github.com/openshift/client-go/security/clientset/versioned" @@ -31,19 +30,16 @@ import ( reconcilerCommon "github.com/tektoncd/operator/pkg/reconciler/common" "github.com/tektoncd/operator/pkg/reconciler/openshift" - zap "go.uber.org/zap" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/selection" - "k8s.io/apimachinery/pkg/util/wait" nsV1 "k8s.io/client-go/informers/core/v1" rbacV1 "k8s.io/client-go/informers/rbac/v1" "k8s.io/client-go/kubernetes" v1 "k8s.io/client-go/kubernetes/typed/core/v1" - "k8s.io/client-go/util/retry" "knative.dev/pkg/logging" ) @@ -86,7 +82,7 @@ var nsRegex = regexp.MustCompile(reconcilerCommon.NamespaceIgnorePattern) type rbac struct { kubeClientSet kubernetes.Interface operatorClientSet clientset.Interface - securityClientSet security.Interface + securityClientSet *security.Clientset rbacInformer rbacV1.ClusterRoleBindingInformer nsInformer nsV1.NamespaceInformer ownerRef metav1.OwnerReference @@ -122,7 +118,7 @@ func (r *rbac) EnsureRBACInstallerSet(ctx context.Context) (*v1alpha1.TektonInst return nil, err } - rbacISet, err := checkIfInstallerSetExist(ctx, r.operatorClientSet, r.version) + rbacISet, err := checkIfInstallerSetExist(ctx, r.operatorClientSet, r.version, r.tektonConfig) if err != nil { return nil, err } 
@@ -391,142 +387,72 @@ func (r *rbac) createResources(ctx context.Context) error { } logger.Debugf("RBAC: found %d namespaces to be reconciled", len(namespacesToBeReconciled)) - // Check and create clusterrole clusterInterceptors if doesnt exist - if err := r.createClusterRole(ctx); err != nil { - logger.Error(err) - return err - } - // remove and update namespaces from Cluster Interceptors if err := r.removeAndUpdateNSFromCI(ctx); err != nil { logger.Error(err) return err } - if len(namespacesToBeReconciled) > 0 { - jobs := make(chan corev1.Namespace, len(namespacesToBeReconciled)) - errCh := make(chan error, len(namespacesToBeReconciled)) - var wg sync.WaitGroup - - nWorkers := getRBACMaxCalls() - if len(namespacesToBeReconciled) < getRBACMaxCalls() { - nWorkers = len(namespacesToBeReconciled) - } - - logger.Infof("Starting %d goroutines for namespace rbac reconcile", nWorkers) - - // Start worker pool - for i := 0; i < nWorkers; i++ { - wg.Add(1) - go r.nsWorker(ctx, &wg, jobs, errCh) - } - // Send namespaces to be processed - for _, ns := range namespacesToBeReconciled { - jobs <- ns - } - close(jobs) - - wg.Wait() - close(errCh) + for _, ns := range namespacesToBeReconciled { + var withError bool - // Collect errors from the channel - var errs []error - for err := range errCh { - if err != nil { - errs = append(errs, err) - } + logger.Infow("Inject CA bundle configmap in ", "Namespace", ns.GetName()) + if err := r.ensureCABundles(ctx, &ns); err != nil { + withError = true + logger.Errorf("failed to ensure ca bundles presence in namespace %s, %v", ns.Name, err) } - if len(errs) > 0 { - return fmt.Errorf("errors occurred in createResource during namespaces rbac reconcile") + logger.Infow("Ensures Default SA in ", "Namespace", ns.GetName()) + sa, err := r.ensureSA(ctx, &ns) + if err != nil { + withError = true + logger.Errorf("failed to ensure default SA in namespace %s, %v", ns.Name, err) } - } else { - logger.Info("No namespaces to be reconciled, skipping 
worker creation") - } - return nil -} -func (r *rbac) nsWorker(ctx context.Context, wg *sync.WaitGroup, jobs <-chan corev1.Namespace, errCh chan<- error) { - defer wg.Done() - for ns := range jobs { - logging.FromContext(ctx).Infof("Processing namespace %s", ns.Name) - if err := r.processResourcesForSingleNamespace(ctx, ns); err != nil { - errCh <- fmt.Errorf("error processing namespace %s: %w", ns.Name, err) + // If "operator.tekton.dev/scc" exists in the namespace, then bind + // that SCC to the SA + err = r.handleSCCInNamespace(ctx, &ns) + if err != nil { + withError = true + logger.Errorf("failed to bind scc to namespace %s, %v", ns.Name, err) } - logging.FromContext(ctx).Infof("Finished processing namespace %s", ns.Name) - } -} - -func (r *rbac) processResourcesForSingleNamespace(ctx context.Context, ns corev1.Namespace) error { - - baseLogger := logging.FromContext(ctx) - logger := baseLogger.Desugar().With(zap.String("namespace", ns.Name)).Sugar() - - var withError bool - - logger.Infof("ensure ca bundle configmap in namespace %s", ns.Name) - if err := r.ensureCABundles(ctx, &ns); err != nil { - withError = true - logger.Errorf("failed to ensure ca bundles presence namespace %s, %v", ns.Name, err) - } - logger.Infof("ensures default pipelines service account namespace %s", ns.Name) - sa, err := r.ensureSA(ctx, &ns) - if err != nil { - withError = true - logger.Errorf("failed to ensure serviceaccount pipeline namespace %s, %v", ns.Name, err) - } - - // If "operator.tekton.dev/scc" exists in the namespace, then bind - // that SCC to the SA - err = r.handleSCCInNamespace(ctx, &ns) - if err != nil { - withError = true - logger.Errorf("failed to bind scc to namespace %s, %v", ns.Name, err) - } - if sa != nil { - // We use a namespace scoped Role when SCC annotation is present, and - // a cluster scoped ClusterRole when the default SCC is used - roleRef := r.getSCCRoleInNamespace(&ns) - if roleRef != nil { - if err := r.ensurePipelinesSCCRoleBinding(ctx, sa, 
roleRef); err != nil { + if sa != nil { + // We use a namespace scoped Role when SCC annotation is present, and + // a cluster scoped ClusterRole when the default SCC is used + roleRef := r.getSCCRoleInNamespace(&ns) + if roleRef != nil { + if err := r.ensurePipelinesSCCRoleBinding(ctx, sa, roleRef); err != nil { + withError = true + logger.Errorf("failed to create Pipeline Scc Role Binding in namespace %s, %v", ns.Name, err) + } + } + if err := r.ensureRoleBindings(ctx, sa); err != nil { withError = true - logger.Errorf("failed to create Pipeline Scc Role Binding in namespace %s, %v", ns.Name, err) + logger.Errorf("failed to create rolebinding in namespace %s, %v", ns.Name, err) } - } - if err := r.ensureRoleBindings(ctx, sa); err != nil { - withError = true - logger.Errorf("failed to create rolebinding in namespace %s, %v", ns.Name, err) + if err := r.ensureClusterRoleBindings(ctx, sa); err != nil { + withError = true + logger.Errorf("failed to create clusterrolebinding in namespace %s, %v", ns.Name, err) + } } - - if err := r.ensureClusterRoleBindings(ctx, sa); err != nil { - withError = true - logger.Errorf("failed to create clusterrolebinding in namespace %s, %v", ns.Name, err) + if !withError { + logger.Infof("namespace %s sucessfully reconciled. 
Adding label namespace-reconcile-version to mark it as reconciled", ns.Name) + // Add `openshift-pipelines.tekton.dev/namespace-reconcile-version` label to namespace + // so that rbac won't loop on it again + nsLabels := ns.GetLabels() + if len(nsLabels) == 0 { + nsLabels = map[string]string{} + } + nsLabels[namespaceVersionLabel] = r.version + ns.SetLabels(nsLabels) + if _, err := r.kubeClientSet.CoreV1().Namespaces().Update(ctx, &ns, metav1.UpdateOptions{}); err != nil { + return fmt.Errorf("failed to update namespace %s with label %s, %v", ns.Name, namespaceVersionLabel, err) + } } - } else { - withError = true - logger.Errorf("Could not create servicaccount %s for namespace %s", "pipeline", ns.Name) } - // if No error add `openshift-pipelines.tekton.dev/namespace-reconcile-version` label to namespace - // so that rbac won't loop on it again - if !withError { - logger.Infof("namespace %s sucessfully reconciled. Adding label namespace-reconcile-version to mark it as reconciled", ns.Name) - nsLabels := ns.GetLabels() - if len(nsLabels) == 0 { - nsLabels = map[string]string{} - } - nsLabels[namespaceVersionLabel] = r.version - ns.SetLabels(nsLabels) - if _, err := r.kubeClientSet.CoreV1().Namespaces().Update(ctx, &ns, metav1.UpdateOptions{}); err != nil { - logger.Errorf("failed to update namespace %s with label %s, %v", ns.Name, namespaceVersionLabel, err) - return fmt.Errorf("failed to update namespace %s with label %s: %w", ns.Name, namespaceVersionLabel, err) - } - } else { - logger.Errorf("failed to reconcile namespace %s", ns.Name) - return fmt.Errorf("failed to reconcile namespace %s", ns.Name) - } return nil } @@ -676,7 +602,7 @@ func (r *rbac) ensureSA(ctx context.Context, ns *corev1.Namespace) (*corev1.Serv return nil, err } if err != nil && errors.IsNotFound(err) { - logger.Info("creating sa ", pipelineSA, " for ns:", ns.Name) + logger.Info("creating sa ", pipelineSA, " ns", ns.Name) return createSA(ctx, saInterface, ns.Name, *r.tektonConfig) } 
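Review bot: In the new loop in `createResources`, every failing step only sets `withError` and logs, and the function still ends in `return nil`, so a namespace whose CA bundle, service account, SCC binding or role bindings could not be set up is reported to the caller as a successful reconcile. Per the comment on the label step, the missing `namespaceVersionLabel` lets a later pass pick the namespace up again, but nothing here requests that pass. Recording the failure restores the signal, e.g. `failed = append(failed, ns.Name)` when `withError` is set and `if len(failed) > 0 { return fmt.Errorf("rbac reconcile failed for namespaces %v", failed) }` before the final `return nil`. The `else` branch that set `withError` when `sa` was nil is also gone, so if `ensureSA` can return a nil service account with a nil error (its body is outside this hunk) the namespace would be labelled as reconciled without any bindings. The function starts above the hunk.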
@@ -980,26 +906,20 @@ func (r *rbac) ensureClusterRoleBindings(ctx context.Context, sa *corev1.Service logger := logging.FromContext(ctx) rbacClient := r.kubeClientSet.RbacV1() + logger.Info("finding cluster-role ", clusterInterceptors) + if _, err := rbacClient.ClusterRoles().Get(ctx, clusterInterceptors, metav1.GetOptions{}); errors.IsNotFound(err) { + if e := r.createClusterRole(ctx); e != nil { + return e + } + } + logger.Info("finding cluster-role-binding ", clusterInterceptors) - // Fetch the ClusterRoleBinding viewCRB, err := rbacClient.ClusterRoleBindings().Get(ctx, clusterInterceptors, metav1.GetOptions{}) + if err == nil { logger.Infof("found clusterrolebinding %s", viewCRB.Name) - - // Retry the update operation on conflict - backoff := wait.Backoff{ - Steps: 10, // Number of retry attempts - Duration: 300 * time.Millisecond, // Initial backoff duration - Factor: 1.5, // Factor to increase backoff - Jitter: 0.2, // Jitter to avoid thundering herd - } - - err = retry.OnError(backoff, errors.IsConflict, func() error { - return r.updateClusterRoleBinding(ctx, viewCRB, sa) - }) - - return err + return r.updateClusterRoleBinding(ctx, viewCRB, sa) } if errors.IsNotFound(err) { 
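Review bot: The new `ClusterRoles().Get` check at the top of `ensureClusterRoleBindings` acts only on `errors.IsNotFound(err)`; any other failure (forbidden, timeout) is dropped and the function carries on to the binding lookup. Adding `else if err != nil { return err }` after the `IsNotFound` branch keeps that failure visible. The hunk also replaces the `retry.OnError(backoff, errors.IsConflict, ...)` wrapper with a direct `r.updateClusterRoleBinding(ctx, viewCRB, sa)` call, so a write conflict on this shared cluster-scoped binding now fails the namespace outright. If other writers can touch the binding, keep the retry or add a comment saying why it is not needed. The function continues past the end of the hunk.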
@@ -1131,28 +1051,25 @@ func (r *rbac) createClusterRoleBinding(ctx context.Context, sa *corev1.ServiceA func (r *rbac) createClusterRole(ctx context.Context) error { logger := logging.FromContext(ctx) - rbacClient := r.kubeClientSet.RbacV1() - logger.Info("finding cluster-role ", clusterInterceptors) - if _, err := rbacClient.ClusterRoles().Get(ctx, clusterInterceptors, metav1.GetOptions{}); errors.IsNotFound(err) { - logger.Info("cluser-role %s is not found, creating new clusterrole %s", clusterInterceptors, clusterInterceptors) - cr := &rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{ - Name: clusterInterceptors, - OwnerReferences: []metav1.OwnerReference{r.ownerRef}, - }, - Rules: []rbacv1.PolicyRule{{ - APIGroups: []string{"triggers.tekton.dev"}, - Resources: []string{"clusterinterceptors"}, - Verbs: []string{"get", "list", "watch"}, - }}, - } + logger.Info("create new clusterrole ", clusterInterceptors) + rbacClient := r.kubeClientSet.RbacV1() - if _, err := rbacClient.ClusterRoles().Create(ctx, cr, metav1.CreateOptions{}); err != nil { - logger.Error(err, "creation of "+clusterInterceptors+" clusterrole failed") - return err - } + cr := &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Name: clusterInterceptors, + OwnerReferences: []metav1.OwnerReference{r.ownerRef}, + }, + Rules: []rbacv1.PolicyRule{{ + APIGroups: []string{"triggers.tekton.dev"}, + Resources: []string{"clusterinterceptors"}, + Verbs: []string{"get", "list", "watch"}, + }}, + } + if _, err := rbacClient.ClusterRoles().Create(ctx, cr, metav1.CreateOptions{}); err != nil { + logger.Error(err, "creation of "+clusterInterceptors+" clusterrole failed") + return err } return nil } diff --git a/pkg/reconciler/openshift/tektonconfig/rbac_test.go b/pkg/reconciler/openshift/tektonconfig/rbac_test.go deleted file mode 100644 index cbe6e46575..0000000000 --- a/pkg/reconciler/openshift/tektonconfig/rbac_test.go +++ /dev/null 
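Review bot: `createClusterRole` now calls `ClusterRoles().Create` unconditionally, and the only caller visible in this diff decides to call it from a separate `Get`, so a role created in between surfaces as an AlreadyExists error and aborts the binding step. Treating that case as success closes the gap: `if _, err := rbacClient.ClusterRoles().Create(ctx, cr, metav1.CreateOptions{}); err != nil && !errors.IsAlreadyExists(err) {`. A doc comment would also help readers see the scope of the grant, e.g. `// createClusterRole creates the ClusterRole granting get/list/watch on clusterinterceptors, owned by r.ownerRef.`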
@@ -1,211 +0,0 @@ -/* -Copyright 2024 The Tekton Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package tektonconfig - -import ( - "context" - "fmt" - "os" - "testing" - - "github.com/google/go-cmp/cmp" - v1 "github.com/openshift/api/security/v1" - fakesecurity "github.com/openshift/client-go/security/clientset/versioned/fake" - "github.com/stretchr/testify/require" - "github.com/tektoncd/operator/pkg/apis/operator/v1alpha1" - - //fakeoperator "github.com/tektoncd/operator/pkg/client/injection/client/fake" - fakeoperator "github.com/tektoncd/operator/pkg/client/clientset/versioned/fake" - "github.com/tektoncd/operator/pkg/reconciler/common" - "github.com/tektoncd/pipeline/test/diff" - corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/client-go/informers" - fakek8s "k8s.io/client-go/kubernetes/fake" - duckv1 "knative.dev/pkg/apis/duck/v1" - ts "knative.dev/pkg/reconciler/testing" -) - -func TestGetNamespacesToBeReconciled(t *testing.T) { - var deletionTime = metav1.Now() - for _, c := range []struct { - desc string - wantNamespaces []corev1.Namespace - objs []runtime.Object - ctx context.Context - }{ - { - desc: "ignore system namespaces", - objs: []runtime.Object{ - &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "openshift-test"}}, - }, - wantNamespaces: nil, - ctx: context.Background(), - }, - { - desc: "ignore namespaces with deletion timestamp", - objs: 
[]runtime.Object{ - &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "openshift-test", DeletionTimestamp: &deletionTime}}, - }, - wantNamespaces: nil, - ctx: context.Background(), - }, - { - desc: "add namespace to reconcile list if it has openshift scc operator.tekton.dev/scc annotation set ", - objs: []runtime.Object{ - &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "test", Annotations: map[string]string{"operator.tekton.dev/scc": "restricted"}}}, - }, - wantNamespaces: []corev1.Namespace{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "test", - Annotations: map[string]string{"operator.tekton.dev/scc": "restricted"}, - }, - }, - }, - ctx: context.Background(), - }, - { - desc: "add namespace to reconcile list if it has bad label openshift-pipelines.tekton.dev/namespace-reconcile-version", - objs: []runtime.Object{ - &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "test", Labels: map[string]string{"openshift-pipelines.tekton.dev/namespace-reconcile-version": ""}}}, - }, - wantNamespaces: []corev1.Namespace{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "test", - Labels: map[string]string{"openshift-pipelines.tekton.dev/namespace-reconcile-version": ""}, - }, - }, - }, - ctx: context.Background(), - }, - } { - t.Run(c.desc, func(t *testing.T) { - kubeclient := fakek8s.NewSimpleClientset(c.objs...) 
- r := rbac{ - kubeClientSet: kubeclient, - version: "devel", - } - namespaces, err := r.getNamespacesToBeReconciled(c.ctx) - if err != nil { - t.Fatalf("getNamespacesToBeReconciled: %v", err) - } - if d := cmp.Diff(c.wantNamespaces, namespaces); d != "" { - t.Fatalf("Diff %s", diff.PrintWantGot(d)) - } - }) - } -} - -func TestCreateResources(t *testing.T) { - ctx, _, _ := ts.SetupFakeContextWithCancel(t) - os.Setenv(common.KoEnvKey, "testdata") - scc := &v1.SecurityContextConstraints{ObjectMeta: metav1.ObjectMeta{Name: "PipelinesSCC"}} - tc := &v1alpha1.TektonConfig{ - ObjectMeta: metav1.ObjectMeta{ - Name: v1alpha1.ConfigResourceName, - Labels: map[string]string{}, - }, - Spec: v1alpha1.TektonConfigSpec{ - CommonSpec: v1alpha1.CommonSpec{ - TargetNamespace: "foo", - }, - Platforms: v1alpha1.Platforms{ - OpenShift: v1alpha1.OpenShift{ - SCC: &v1alpha1.SCC{ - Default: scc.Name, - }, - }, - }, - }, - Status: v1alpha1.TektonConfigStatus{ - Status: duckv1.Status{}, - TektonInstallerSet: map[string]string{}, - }, - } - for _, c := range []struct { - desc string - objs []runtime.Object - iSet *v1alpha1.TektonInstallerSet - err error - }{ - { - desc: "No existing installer set", - objs: []runtime.Object{ - &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "test", Labels: map[string]string{"openshift-pipelines.tekton.dev/namespace-reconcile-version": ""}}}, - }, - err: v1alpha1.RECONCILE_AGAIN_ERR, - }, - { - desc: "existing installer set, missing cluster role edit", - objs: []runtime.Object{ - &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "test", Labels: map[string]string{"openshift-pipelines.tekton.dev/namespace-reconcile-version": ""}}}, - }, - iSet: &v1alpha1.TektonInstallerSet{ObjectMeta: metav1.ObjectMeta{Name: "rhosp-rbac-001", Labels: map[string]string{v1alpha1.CreatedByKey: createdByValue, v1alpha1.InstallerSetType: componentNameRBAC}, Annotations: map[string]string{ - v1alpha1.ReleaseVersionKey: "devel", v1alpha1.TargetNamespaceKey: 
tc.Spec.TargetNamespace}}, Spec: v1alpha1.TektonInstallerSetSpec{}}, - err: fmt.Errorf("errors occurred in createResource during namespaces rbac reconcile"), - }, - { - desc: "existing installer set, all ok", - objs: []runtime.Object{ - &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "test", Labels: map[string]string{"openshift-pipelines.tekton.dev/namespace-reconcile-version": ""}}}, - &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "edit"}}, - }, - iSet: &v1alpha1.TektonInstallerSet{ObjectMeta: metav1.ObjectMeta{Name: "rhosp-rbac-001", Labels: map[string]string{v1alpha1.CreatedByKey: createdByValue, v1alpha1.InstallerSetType: componentNameRBAC}, Annotations: map[string]string{ - v1alpha1.ReleaseVersionKey: "devel", v1alpha1.TargetNamespaceKey: tc.Spec.TargetNamespace}}, Spec: v1alpha1.TektonInstallerSetSpec{}}, - }, - } { - t.Run(c.desc, func(t *testing.T) { - kubeclient := fakek8s.NewSimpleClientset(c.objs...) - fakeoperatorclient := fakeoperator.NewSimpleClientset() - fakesecurityclient := fakesecurity.NewSimpleClientset() - _, err := fakesecurityclient.SecurityV1().SecurityContextConstraints().Create(ctx, scc, metav1.CreateOptions{}) - if err != nil { - t.Logf("Could not create fake scc %v", err) - } - if c.iSet != nil { - _, err := fakeoperatorclient.OperatorV1alpha1().TektonInstallerSets().Create(ctx, c.iSet, metav1.CreateOptions{}) - if err != nil { - t.Logf("Could not create fake installerSet %v", err) - } - } - informers := informers.NewSharedInformerFactory(kubeclient, 0) - nsInformer := informers.Core().V1().Namespaces() - rbacinformer := informers.Rbac().V1().ClusterRoleBindings() - - r := rbac{ - kubeClientSet: kubeclient, - operatorClientSet: fakeoperatorclient, - securityClientSet: fakesecurityclient, - rbacInformer: rbacinformer, - nsInformer: nsInformer, - version: "devel", - tektonConfig: tc, - } - err = r.createResources(ctx) - if c.err != nil { - require.Error(t, err) - require.Equal(t, c.err.Error(), err.Error(), "Expected error 
'%v', got '%v'", c.err, err) - } else { - require.NoError(t, err) - } - }) - } -} diff --git a/pkg/reconciler/openshift/tektonconfig/testdata/tekton-pipeline/00-prereconcile/openshift-pipelines-scc.yaml b/pkg/reconciler/openshift/tektonconfig/testdata/tekton-pipeline/00-prereconcile/openshift-pipelines-scc.yaml deleted file mode 100644 index 1f0d813419..0000000000 --- a/pkg/reconciler/openshift/tektonconfig/testdata/tekton-pipeline/00-prereconcile/openshift-pipelines-scc.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - include.release.openshift.io/single-node-developer: "true" - kubernetes.io/description: pipelines-scc is a close replica of anyuid scc. pipelines-scc has fsGroup - MustRunAs. - release.openshift.io/create-only: "true" - name: pipelines-scc -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: false -allowPrivilegedContainer: false -allowedCapabilities: -- SETFCAP -defaultAddCapabilities: null -fsGroup: - type: MustRunAs -groups: -- system:cluster-admins -priority: 10 -readOnlyRootFilesystem: false -requiredDropCapabilities: -- MKNOD -runAsUser: - type: RunAsAny -seLinuxContext: - type: MustRunAs -supplementalGroups: - type: RunAsAny -volumes: -- configMap -- downwardAPI -- emptyDir -- persistentVolumeClaim -- projected -- secret -- csi diff --git a/vendor/github.com/openshift/client-go/security/clientset/versioned/fake/clientset_generated.go b/vendor/github.com/openshift/client-go/security/clientset/versioned/fake/clientset_generated.go deleted file mode 100644 index 9bcd5d024a..0000000000 --- a/vendor/github.com/openshift/client-go/security/clientset/versioned/fake/clientset_generated.go +++ /dev/null 
@@ -1,69 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - clientset "github.com/openshift/client-go/security/clientset/versioned" - securityv1 "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1" - fakesecurityv1 "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/watch" - "k8s.io/client-go/discovery" - fakediscovery "k8s.io/client-go/discovery/fake" - "k8s.io/client-go/testing" -) - -// NewSimpleClientset returns a clientset that will respond with the provided objects. -// It's backed by a very simple object tracker that processes creates, updates and deletions as-is, -// without applying any validations and/or defaults. It shouldn't be considered a replacement -// for a real clientset and is mostly useful in simple unit tests. -func NewSimpleClientset(objects ...runtime.Object) *Clientset { - o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder()) - for _, obj := range objects { - if err := o.Add(obj); err != nil { - panic(err) - } - } - - cs := &Clientset{tracker: o} - cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} - cs.AddReactor("*", "*", testing.ObjectReaction(o)) - cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { - gvr := action.GetResource() - ns := action.GetNamespace() - watch, err := o.Watch(gvr, ns) - if err != nil { - return false, nil, err - } - return true, watch, nil - }) - - return cs -} - -// Clientset implements clientset.Interface. Meant to be embedded into a -// struct to get a default implementation. This makes faking out just the method -// you want to test easier. 
-type Clientset struct { - testing.Fake - discovery *fakediscovery.FakeDiscovery - tracker testing.ObjectTracker -} - -func (c *Clientset) Discovery() discovery.DiscoveryInterface { - return c.discovery -} - -func (c *Clientset) Tracker() testing.ObjectTracker { - return c.tracker -} - -var ( - _ clientset.Interface = &Clientset{} - _ testing.FakeClient = &Clientset{} -) - -// SecurityV1 retrieves the SecurityV1Client -func (c *Clientset) SecurityV1() securityv1.SecurityV1Interface { - return &fakesecurityv1.FakeSecurityV1{Fake: &c.Fake} -} diff --git a/vendor/github.com/openshift/client-go/security/clientset/versioned/fake/doc.go b/vendor/github.com/openshift/client-go/security/clientset/versioned/fake/doc.go deleted file mode 100644 index 3630ed1cd1..0000000000 --- a/vendor/github.com/openshift/client-go/security/clientset/versioned/fake/doc.go +++ /dev/null @@ -1,4 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated fake clientset. -package fake diff --git a/vendor/github.com/openshift/client-go/security/clientset/versioned/fake/register.go b/vendor/github.com/openshift/client-go/security/clientset/versioned/fake/register.go deleted file mode 100644 index ef2411341d..0000000000 --- a/vendor/github.com/openshift/client-go/security/clientset/versioned/fake/register.go +++ /dev/null 
@@ -1,40 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - securityv1 "github.com/openshift/api/security/v1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - schema "k8s.io/apimachinery/pkg/runtime/schema" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" -) - -var scheme = runtime.NewScheme() -var codecs = serializer.NewCodecFactory(scheme) - -var localSchemeBuilder = runtime.SchemeBuilder{ - securityv1.AddToScheme, -} - -// AddToScheme adds all types of this clientset into the given scheme. This allows composition -// of clientsets, like in: -// -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) -// -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) -// -// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types -// correctly. -var AddToScheme = localSchemeBuilder.AddToScheme - -func init() { - v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(scheme)) -} diff --git a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/doc.go b/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/doc.go deleted file mode 100644 index 2b5ba4c8e4..0000000000 --- a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/doc.go +++ /dev/null @@ -1,4 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -// Package fake has the automatically generated clients. -package fake 
diff --git a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_podsecuritypolicyreview.go b/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_podsecuritypolicyreview.go deleted file mode 100644 index 61c5f9902a..0000000000 --- a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_podsecuritypolicyreview.go +++ /dev/null @@ -1,32 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - - v1 "github.com/openshift/api/security/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - testing "k8s.io/client-go/testing" -) - -// FakePodSecurityPolicyReviews implements PodSecurityPolicyReviewInterface -type FakePodSecurityPolicyReviews struct { - Fake *FakeSecurityV1 - ns string -} - -var podsecuritypolicyreviewsResource = v1.SchemeGroupVersion.WithResource("podsecuritypolicyreviews") - -var podsecuritypolicyreviewsKind = v1.SchemeGroupVersion.WithKind("PodSecurityPolicyReview") - -// Create takes the representation of a podSecurityPolicyReview and creates it. Returns the server's representation of the podSecurityPolicyReview, and an error, if there is any. -func (c *FakePodSecurityPolicyReviews) Create(ctx context.Context, podSecurityPolicyReview *v1.PodSecurityPolicyReview, opts metav1.CreateOptions) (result *v1.PodSecurityPolicyReview, err error) { - obj, err := c.Fake. - Invokes(testing.NewCreateAction(podsecuritypolicyreviewsResource, c.ns, podSecurityPolicyReview), &v1.PodSecurityPolicyReview{}) - - if obj == nil { - return nil, err - } - return obj.(*v1.PodSecurityPolicyReview), err -} 
diff --git a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_podsecuritypolicyselfsubjectreview.go b/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_podsecuritypolicyselfsubjectreview.go deleted file mode 100644 index 80aa29043c..0000000000 --- a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_podsecuritypolicyselfsubjectreview.go +++ /dev/null @@ -1,32 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - - v1 "github.com/openshift/api/security/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - testing "k8s.io/client-go/testing" -) - -// FakePodSecurityPolicySelfSubjectReviews implements PodSecurityPolicySelfSubjectReviewInterface -type FakePodSecurityPolicySelfSubjectReviews struct { - Fake *FakeSecurityV1 - ns string -} - -var podsecuritypolicyselfsubjectreviewsResource = v1.SchemeGroupVersion.WithResource("podsecuritypolicyselfsubjectreviews") - -var podsecuritypolicyselfsubjectreviewsKind = v1.SchemeGroupVersion.WithKind("PodSecurityPolicySelfSubjectReview") - -// Create takes the representation of a podSecurityPolicySelfSubjectReview and creates it. Returns the server's representation of the podSecurityPolicySelfSubjectReview, and an error, if there is any. -func (c *FakePodSecurityPolicySelfSubjectReviews) Create(ctx context.Context, podSecurityPolicySelfSubjectReview *v1.PodSecurityPolicySelfSubjectReview, opts metav1.CreateOptions) (result *v1.PodSecurityPolicySelfSubjectReview, err error) { - obj, err := c.Fake. - Invokes(testing.NewCreateAction(podsecuritypolicyselfsubjectreviewsResource, c.ns, podSecurityPolicySelfSubjectReview), &v1.PodSecurityPolicySelfSubjectReview{}) - - if obj == nil { - return nil, err - } - return obj.(*v1.PodSecurityPolicySelfSubjectReview), err -} 
diff --git a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_podsecuritypolicysubjectreview.go b/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_podsecuritypolicysubjectreview.go deleted file mode 100644 index 9910db95de..0000000000 --- a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_podsecuritypolicysubjectreview.go +++ /dev/null @@ -1,32 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - - v1 "github.com/openshift/api/security/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - testing "k8s.io/client-go/testing" -) - -// FakePodSecurityPolicySubjectReviews implements PodSecurityPolicySubjectReviewInterface -type FakePodSecurityPolicySubjectReviews struct { - Fake *FakeSecurityV1 - ns string -} - -var podsecuritypolicysubjectreviewsResource = v1.SchemeGroupVersion.WithResource("podsecuritypolicysubjectreviews") - -var podsecuritypolicysubjectreviewsKind = v1.SchemeGroupVersion.WithKind("PodSecurityPolicySubjectReview") - -// Create takes the representation of a podSecurityPolicySubjectReview and creates it. Returns the server's representation of the podSecurityPolicySubjectReview, and an error, if there is any. -func (c *FakePodSecurityPolicySubjectReviews) Create(ctx context.Context, podSecurityPolicySubjectReview *v1.PodSecurityPolicySubjectReview, opts metav1.CreateOptions) (result *v1.PodSecurityPolicySubjectReview, err error) { - obj, err := c.Fake. - Invokes(testing.NewCreateAction(podsecuritypolicysubjectreviewsResource, c.ns, podSecurityPolicySubjectReview), &v1.PodSecurityPolicySubjectReview{}) - - if obj == nil { - return nil, err - } - return obj.(*v1.PodSecurityPolicySubjectReview), err -} 
diff --git a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_rangeallocation.go b/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_rangeallocation.go deleted file mode 100644 index 2692d3b982..0000000000 --- a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_rangeallocation.go +++ /dev/null 
@@ -1,129 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - json "encoding/json" - "fmt" - - v1 "github.com/openshift/api/security/v1" - securityv1 "github.com/openshift/client-go/security/applyconfigurations/security/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - labels "k8s.io/apimachinery/pkg/labels" - types "k8s.io/apimachinery/pkg/types" - watch "k8s.io/apimachinery/pkg/watch" - testing "k8s.io/client-go/testing" -) - -// FakeRangeAllocations implements RangeAllocationInterface -type FakeRangeAllocations struct { - Fake *FakeSecurityV1 -} - -var rangeallocationsResource = v1.SchemeGroupVersion.WithResource("rangeallocations") - -var rangeallocationsKind = v1.SchemeGroupVersion.WithKind("RangeAllocation") - -// Get takes name of the rangeAllocation, and returns the corresponding rangeAllocation object, and an error if there is any. -func (c *FakeRangeAllocations) Get(ctx context.Context, name string, options metav1.GetOptions) (result *v1.RangeAllocation, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootGetAction(rangeallocationsResource, name), &v1.RangeAllocation{}) - if obj == nil { - return nil, err - } - return obj.(*v1.RangeAllocation), err -} - -// List takes label and field selectors, and returns the list of RangeAllocations that match those selectors. -func (c *FakeRangeAllocations) List(ctx context.Context, opts metav1.ListOptions) (result *v1.RangeAllocationList, err error) { - obj, err := c.Fake. 
- Invokes(testing.NewRootListAction(rangeallocationsResource, rangeallocationsKind, opts), &v1.RangeAllocationList{}) - if obj == nil { - return nil, err - } - - label, _, _ := testing.ExtractFromListOptions(opts) - if label == nil { - label = labels.Everything() - } - list := &v1.RangeAllocationList{ListMeta: obj.(*v1.RangeAllocationList).ListMeta} - for _, item := range obj.(*v1.RangeAllocationList).Items { - if label.Matches(labels.Set(item.Labels)) { - list.Items = append(list.Items, item) - } - } - return list, err -} - -// Watch returns a watch.Interface that watches the requested rangeAllocations. -func (c *FakeRangeAllocations) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) { - return c.Fake. - InvokesWatch(testing.NewRootWatchAction(rangeallocationsResource, opts)) -} - -// Create takes the representation of a rangeAllocation and creates it. Returns the server's representation of the rangeAllocation, and an error, if there is any. -func (c *FakeRangeAllocations) Create(ctx context.Context, rangeAllocation *v1.RangeAllocation, opts metav1.CreateOptions) (result *v1.RangeAllocation, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootCreateAction(rangeallocationsResource, rangeAllocation), &v1.RangeAllocation{}) - if obj == nil { - return nil, err - } - return obj.(*v1.RangeAllocation), err -} - -// Update takes the representation of a rangeAllocation and updates it. Returns the server's representation of the rangeAllocation, and an error, if there is any. -func (c *FakeRangeAllocations) Update(ctx context.Context, rangeAllocation *v1.RangeAllocation, opts metav1.UpdateOptions) (result *v1.RangeAllocation, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootUpdateAction(rangeallocationsResource, rangeAllocation), &v1.RangeAllocation{}) - if obj == nil { - return nil, err - } - return obj.(*v1.RangeAllocation), err -} - -// Delete takes name of the rangeAllocation and deletes it. Returns an error if one occurs. 
-func (c *FakeRangeAllocations) Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error { - _, err := c.Fake. - Invokes(testing.NewRootDeleteActionWithOptions(rangeallocationsResource, name, opts), &v1.RangeAllocation{}) - return err -} - -// DeleteCollection deletes a collection of objects. -func (c *FakeRangeAllocations) DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error { - action := testing.NewRootDeleteCollectionAction(rangeallocationsResource, listOpts) - - _, err := c.Fake.Invokes(action, &v1.RangeAllocationList{}) - return err -} - -// Patch applies the patch and returns the patched rangeAllocation. -func (c *FakeRangeAllocations) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *v1.RangeAllocation, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootPatchSubresourceAction(rangeallocationsResource, name, pt, data, subresources...), &v1.RangeAllocation{}) - if obj == nil { - return nil, err - } - return obj.(*v1.RangeAllocation), err -} - -// Apply takes the given apply declarative configuration, applies it and returns the applied rangeAllocation. -func (c *FakeRangeAllocations) Apply(ctx context.Context, rangeAllocation *securityv1.RangeAllocationApplyConfiguration, opts metav1.ApplyOptions) (result *v1.RangeAllocation, err error) { - if rangeAllocation == nil { - return nil, fmt.Errorf("rangeAllocation provided to Apply must not be nil") - } - data, err := json.Marshal(rangeAllocation) - if err != nil { - return nil, err - } - name := rangeAllocation.Name - if name == nil { - return nil, fmt.Errorf("rangeAllocation.Name must be provided to Apply") - } - obj, err := c.Fake. - Invokes(testing.NewRootPatchSubresourceAction(rangeallocationsResource, *name, types.ApplyPatchType, data), &v1.RangeAllocation{}) - if obj == nil { - return nil, err - } - return obj.(*v1.RangeAllocation), err -} 
diff --git a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_security_client.go b/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_security_client.go deleted file mode 100644 index 33240c41c1..0000000000 --- a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_security_client.go +++ /dev/null @@ -1,40 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v1 "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1" - rest "k8s.io/client-go/rest" - testing "k8s.io/client-go/testing" -) - -type FakeSecurityV1 struct { - *testing.Fake -} - -func (c *FakeSecurityV1) PodSecurityPolicyReviews(namespace string) v1.PodSecurityPolicyReviewInterface { - return &FakePodSecurityPolicyReviews{c, namespace} -} - -func (c *FakeSecurityV1) PodSecurityPolicySelfSubjectReviews(namespace string) v1.PodSecurityPolicySelfSubjectReviewInterface { - return &FakePodSecurityPolicySelfSubjectReviews{c, namespace} -} - -func (c *FakeSecurityV1) PodSecurityPolicySubjectReviews(namespace string) v1.PodSecurityPolicySubjectReviewInterface { - return &FakePodSecurityPolicySubjectReviews{c, namespace} -} - -func (c *FakeSecurityV1) RangeAllocations() v1.RangeAllocationInterface { - return &FakeRangeAllocations{c} -} - -func (c *FakeSecurityV1) SecurityContextConstraints() v1.SecurityContextConstraintsInterface { - return &FakeSecurityContextConstraints{c} -} - -// RESTClient returns a RESTClient that is used to communicate -// with API server by this client implementation. -func (c *FakeSecurityV1) RESTClient() rest.Interface { - var ret *rest.RESTClient - return ret -} 
diff --git a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_securitycontextconstraints.go b/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_securitycontextconstraints.go deleted file mode 100644 index ee40b0dce0..0000000000 --- a/vendor/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake/fake_securitycontextconstraints.go +++ /dev/null 
@@ -1,129 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - json "encoding/json" - "fmt" - - v1 "github.com/openshift/api/security/v1" - securityv1 "github.com/openshift/client-go/security/applyconfigurations/security/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - labels "k8s.io/apimachinery/pkg/labels" - types "k8s.io/apimachinery/pkg/types" - watch "k8s.io/apimachinery/pkg/watch" - testing "k8s.io/client-go/testing" -) - -// FakeSecurityContextConstraints implements SecurityContextConstraintsInterface -type FakeSecurityContextConstraints struct { - Fake *FakeSecurityV1 -} - -var securitycontextconstraintsResource = v1.SchemeGroupVersion.WithResource("securitycontextconstraints") - -var securitycontextconstraintsKind = v1.SchemeGroupVersion.WithKind("SecurityContextConstraints") - -// Get takes name of the securityContextConstraints, and returns the corresponding securityContextConstraints object, and an error if there is any. -func (c *FakeSecurityContextConstraints) Get(ctx context.Context, name string, options metav1.GetOptions) (result *v1.SecurityContextConstraints, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootGetAction(securitycontextconstraintsResource, name), &v1.SecurityContextConstraints{}) - if obj == nil { - return nil, err - } - return obj.(*v1.SecurityContextConstraints), err -} - -// List takes label and field selectors, and returns the list of SecurityContextConstraints that match those selectors. -func (c *FakeSecurityContextConstraints) List(ctx context.Context, opts metav1.ListOptions) (result *v1.SecurityContextConstraintsList, err error) { - obj, err := c.Fake. 
- Invokes(testing.NewRootListAction(securitycontextconstraintsResource, securitycontextconstraintsKind, opts), &v1.SecurityContextConstraintsList{}) - if obj == nil { - return nil, err - } - - label, _, _ := testing.ExtractFromListOptions(opts) - if label == nil { - label = labels.Everything() - } - list := &v1.SecurityContextConstraintsList{ListMeta: obj.(*v1.SecurityContextConstraintsList).ListMeta} - for _, item := range obj.(*v1.SecurityContextConstraintsList).Items { - if label.Matches(labels.Set(item.Labels)) { - list.Items = append(list.Items, item) - } - } - return list, err -} - -// Watch returns a watch.Interface that watches the requested securityContextConstraints. -func (c *FakeSecurityContextConstraints) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) { - return c.Fake. - InvokesWatch(testing.NewRootWatchAction(securitycontextconstraintsResource, opts)) -} - -// Create takes the representation of a securityContextConstraints and creates it. Returns the server's representation of the securityContextConstraints, and an error, if there is any. -func (c *FakeSecurityContextConstraints) Create(ctx context.Context, securityContextConstraints *v1.SecurityContextConstraints, opts metav1.CreateOptions) (result *v1.SecurityContextConstraints, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootCreateAction(securitycontextconstraintsResource, securityContextConstraints), &v1.SecurityContextConstraints{}) - if obj == nil { - return nil, err - } - return obj.(*v1.SecurityContextConstraints), err -} - -// Update takes the representation of a securityContextConstraints and updates it. Returns the server's representation of the securityContextConstraints, and an error, if there is any. -func (c *FakeSecurityContextConstraints) Update(ctx context.Context, securityContextConstraints *v1.SecurityContextConstraints, opts metav1.UpdateOptions) (result *v1.SecurityContextConstraints, err error) { - obj, err := c.Fake. 
- Invokes(testing.NewRootUpdateAction(securitycontextconstraintsResource, securityContextConstraints), &v1.SecurityContextConstraints{}) - if obj == nil { - return nil, err - } - return obj.(*v1.SecurityContextConstraints), err -} - -// Delete takes name of the securityContextConstraints and deletes it. Returns an error if one occurs. -func (c *FakeSecurityContextConstraints) Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error { - _, err := c.Fake. - Invokes(testing.NewRootDeleteActionWithOptions(securitycontextconstraintsResource, name, opts), &v1.SecurityContextConstraints{}) - return err -} - -// DeleteCollection deletes a collection of objects. -func (c *FakeSecurityContextConstraints) DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error { - action := testing.NewRootDeleteCollectionAction(securitycontextconstraintsResource, listOpts) - - _, err := c.Fake.Invokes(action, &v1.SecurityContextConstraintsList{}) - return err -} - -// Patch applies the patch and returns the patched securityContextConstraints. -func (c *FakeSecurityContextConstraints) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *v1.SecurityContextConstraints, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootPatchSubresourceAction(securitycontextconstraintsResource, name, pt, data, subresources...), &v1.SecurityContextConstraints{}) - if obj == nil { - return nil, err - } - return obj.(*v1.SecurityContextConstraints), err -} - -// Apply takes the given apply declarative configuration, applies it and returns the applied securityContextConstraints. 
-func (c *FakeSecurityContextConstraints) Apply(ctx context.Context, securityContextConstraints *securityv1.SecurityContextConstraintsApplyConfiguration, opts metav1.ApplyOptions) (result *v1.SecurityContextConstraints, err error) { - if securityContextConstraints == nil { - return nil, fmt.Errorf("securityContextConstraints provided to Apply must not be nil") - } - data, err := json.Marshal(securityContextConstraints) - if err != nil { - return nil, err - } - name := securityContextConstraints.Name - if name == nil { - return nil, fmt.Errorf("securityContextConstraints.Name must be provided to Apply") - } - obj, err := c.Fake. - Invokes(testing.NewRootPatchSubresourceAction(securitycontextconstraintsResource, *name, types.ApplyPatchType, data), &v1.SecurityContextConstraints{}) - if obj == nil { - return nil, err - } - return obj.(*v1.SecurityContextConstraints), err -} diff --git a/vendor/modules.txt b/vendor/modules.txt index 56d7d321ac..e3779fbbb7 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1044,10 +1044,8 @@ github.com/openshift/client-go/route/clientset/versioned/scheme github.com/openshift/client-go/security/applyconfigurations/internal github.com/openshift/client-go/security/applyconfigurations/security/v1 github.com/openshift/client-go/security/clientset/versioned -github.com/openshift/client-go/security/clientset/versioned/fake github.com/openshift/client-go/security/clientset/versioned/scheme github.com/openshift/client-go/security/clientset/versioned/typed/security/v1 -github.com/openshift/client-go/security/clientset/versioned/typed/security/v1/fake # github.com/opentracing/opentracing-go v1.2.0 ## explicit; go 1.14 github.com/opentracing/opentracing-go