
Commit c2e3a81

apply review comment, split konnector resources
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> On-behalf-of: @SAP karol.szwaj@sap.com
1 parent 241ab0c commit c2e3a81

3 files changed

Lines changed: 209 additions & 175 deletions


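--- a/backend/http/handler.go
+++ b/backend/http/handler.go
@@ -30,12 +30,15 @@ import (
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
+"k8s.io/apimachinery/pkg/runtime/serializer"
+kjson "k8s.io/apimachinery/pkg/runtime/serializer/json"
 componentbaseversion "k8s.io/component-base/version"
 "k8s.io/klog/v2"
 
 "github.com/kube-bind/kube-bind/backend/auth"
 "github.com/kube-bind/kube-bind/backend/client"
 "github.com/kube-bind/kube-bind/backend/kubernetes"
+kuberesources "github.com/kube-bind/kube-bind/backend/kubernetes/resources"
 "github.com/kube-bind/kube-bind/backend/oidc"
 "github.com/kube-bind/kube-bind/backend/session"
 "github.com/kube-bind/kube-bind/backend/spaserver"
@@ -150,6 +153,9 @@ func (h *handler) AddRoutes(mux *mux.Router) error {
 // Public API routes (no authentication required)
 mux.HandleFunc("/api/healthz", h.handleHealthz).Methods(http.MethodGet)
 mux.HandleFunc("/api/bindable-resources", h.handleBindableResources).Methods(http.MethodGet)
+// Intentionally unauthenticated: serves static, deterministic deployment YAML
+// (konnector image tag is the only variable, derived from the server's own version).
+// No secrets or cluster-specific data are included.
 mux.HandleFunc("/api/konnector-manifests", h.handleKonnectorManifests).Methods(http.MethodGet)
 
 // Generic authentication routes (support both UI and CLI)
@@ -203,6 +209,8 @@ func (h *handler) handlePing(w http.ResponseWriter, r *http.Request) {
 
 // handleKonnectorManifests returns the pre-rendered konnector YAML manifests
 // that a consumer cluster needs to apply to deploy the konnector agent.
+// The manifests are generated from the same Go structs used by the one-click
+// apply flow (ensureKonnector) to avoid definition drift.
 func (h *handler) handleKonnectorManifests(w http.ResponseWriter, r *http.Request) {
 prepareNoCache(w)
 
@@ -212,79 +220,34 @@ func (h *handler) handleKonnectorManifests(w http.ResponseWriter, r *http.Reques
 }
 konnectorImage := fmt.Sprintf("ghcr.io/kube-bind/konnector:%s", konnectorVersion)
 
-manifests := fmt.Sprintf(`apiVersion: v1
-kind: Namespace
-metadata:
-name: kube-bind
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-name: konnector
-namespace: kube-bind
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-name: kube-bind-konnector
-rules:
-- apiGroups: ["*"]
-resources: ["*"]
-verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-name: kube-bind-konnector
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: ClusterRole
-name: kube-bind-konnector
-subjects:
-- kind: ServiceAccount
-name: konnector
-namespace: kube-bind
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-name: konnector
-namespace: kube-bind
-labels:
-app: konnector
-spec:
-replicas: 2
-selector:
-matchLabels:
-app: konnector
-template:
-metadata:
-labels:
-app: konnector
-spec:
-restartPolicy: Always
-serviceAccountName: konnector
-containers:
-- name: konnector
-image: %s
-env:
-- name: POD_NAME
-valueFrom:
-fieldRef:
-fieldPath: metadata.name
-- name: POD_NAMESPACE
-valueFrom:
-fieldRef:
-fieldPath: metadata.namespace
-readinessProbe:
-httpGet:
-path: /healthz
-port: 8090
-`, konnectorImage)
+manifests := kuberesources.NewKonnectorManifests(konnectorImage)
+
+// Serialize each object to YAML and join with document separators
+s := runtime.NewScheme()
+kuberesources.AddKonnectorSchemes(s)
+encoder := kjson.NewSerializerWithOptions(
+kjson.DefaultMetaFactory,
+s,
+s,
+kjson.SerializerOptions{Yaml: true, Pretty: true, Strict: false},
+)
+codec := serializer.NewCodecFactory(s).EncoderForVersion(encoder, nil)
+
+var buf strings.Builder
+objects := manifests.Objects()
+for i, obj := range objects {
+if i > 0 {
+buf.WriteString("---\n")
+}
+if err := codec.Encode(obj, &buf); err != nil {
+writeErrorResponse(w, http.StatusInternalServerError, kubebindv1alpha2.ErrorCodeInternalError, "Failed to serialize konnector manifests", err.Error())
+return
+}
+}
 
 w.Header().Set("Content-Type", "text/yaml")
 w.Header().Set("Content-Disposition", "attachment; filename=konnector.yaml")
-w.Write([]byte(manifests)) //nolint:errcheck
+w.Write([]byte(buf.String())) //nolint:errcheck
 }
 
 func (h *handler) handleLogout(w http.ResponseWriter, r *http.Request) {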
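Review bot: The scheme, YAML serializer and versioning codec in handleKonnectorManifests (new lines 226-234) depend on nothing request-specific yet are rebuilt on every request; build them once, as a package-level `var konnectorCodec = …` or a field set in the handler constructor, and leave only the encode loop in the handler (sketched below). EncoderForVersion with a nil target version stamps apiVersion/kind from the scheme onto each object and then restores the old value, so the output is only valid if AddKonnectorSchemes registers core/v1, rbac/v1 and apps/v1, and the objects must not be shared across requests because that set/reset is an in-place write. NewKonnectorManifests(konnectorImage) presumably builds fresh objects per call, but the resources package is not in this diff, so I could not confirm either point. Typed objects also serialize with `creationTimestamp: null` and an empty `status` for the Deployment, which the hand-written template did not emit; kubectl apply ignores both, but a one-line comment at the encode loop would stop the next reader from treating it as a regression.
```go
// konnectorCodec renders the konnector manifests as YAML. It is
// request-independent, so it is built once rather than per request.
var konnectorCodec = func() runtime.Encoder {
	s := runtime.NewScheme()
	kuberesources.AddKonnectorSchemes(s)
	enc := kjson.NewSerializerWithOptions(
		kjson.DefaultMetaFactory, s, s,
		kjson.SerializerOptions{Yaml: true, Pretty: true, Strict: false},
	)
	return serializer.NewCodecFactory(s).EncoderForVersion(enc, nil)
}()

func (h *handler) handleKonnectorManifests(w http.ResponseWriter, r *http.Request) {
	// … unchanged: prepareNoCache, version lookup, konnectorImage, NewKonnectorManifests …
	// Typed objects carry creationTimestamp: null and an empty status; kubectl apply ignores both.
	var buf strings.Builder
	for i, obj := range manifests.Objects() {
		if i > 0 {
			buf.WriteString("---\n")
		}
		if err := konnectorCodec.Encode(obj, &buf); err != nil {
			writeErrorResponse(w, http.StatusInternalServerError, kubebindv1alpha2.ErrorCodeInternalError, "Failed to serialize konnector manifests", err.Error())
			return
		}
	}
	// … unchanged: response headers and w.Write …
}
```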

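--- a/backend/kubernetes/manager.go
+++ b/backend/kubernetes/manager.go
@@ -25,15 +25,13 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 authzv1 "k8s.io/api/authorization/v1"
 corev1 "k8s.io/api/core/v1"
-rbacv1 "k8s.io/api/rbac/v1"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/types"
-"k8s.io/apimachinery/pkg/util/intstr"
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/client-go/kubernetes/scheme"
 authorizationv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
@@ -569,122 +567,26 @@ func (m *Manager) ApplyToConsumer(
 func (m *Manager) ensureKonnector(ctx context.Context, c client.Client, konnectorImage string) (bool, error) {
 // Check if konnector deployment already exists
 existing := &appsv1.Deployment{}
-err := c.Get(ctx, types.NamespacedName{Name: "konnector", Namespace: "kube-bind"}, existing)
+err := c.Get(ctx, types.NamespacedName{Name: kuberesources.KonnectorDeploymentName, Namespace: kuberesources.KonnectorNamespace}, existing)
 if err == nil {
 return false, nil // already deployed
 }
 if !errors.IsNotFound(err) {
 return false, fmt.Errorf("failed to check for existing konnector: %w", err)
 }
 
-// ServiceAccount
-sa := &corev1.ServiceAccount{
-ObjectMeta: metav1.ObjectMeta{
-Name: "konnector",
-Namespace: "kube-bind",
-},
-}
-if err := c.Create(ctx, sa); err != nil && !errors.IsAlreadyExists(err) {
-return false, fmt.Errorf("failed to create konnector service account: %w", err)
-}
+manifests := kuberesources.NewKonnectorManifests(konnectorImage)
 
-// ClusterRole
-cr := &rbacv1.ClusterRole{
-ObjectMeta: metav1.ObjectMeta{
-Name: "kube-bind-konnector",
-},
-Rules: []rbacv1.PolicyRule{
-{
-APIGroups: []string{"*"},
-Resources: []string{"*"},
-Verbs: []string{"*"},
-},
-},
+if err := c.Create(ctx, manifests.ServiceAccount); err != nil && !errors.IsAlreadyExists(err) {
+return false, fmt.Errorf("failed to create konnector service account: %w", err)
 }
-if err := c.Create(ctx, cr); err != nil && !errors.IsAlreadyExists(err) {
+if err := c.Create(ctx, manifests.ClusterRole); err != nil && !errors.IsAlreadyExists(err) {
 return false, fmt.Errorf("failed to create konnector cluster role: %w", err)
 }
-
-// ClusterRoleBinding
-crb := &rbacv1.ClusterRoleBinding{
-ObjectMeta: metav1.ObjectMeta{
-Name: "kube-bind-konnector",
-},
-RoleRef: rbacv1.RoleRef{
-APIGroup: "rbac.authorization.k8s.io",
-Kind: "ClusterRole",
-Name: "kube-bind-konnector",
-},
-Subjects: []rbacv1.Subject{
-{
-Kind: "ServiceAccount",
-Name: "konnector",
-Namespace: "kube-bind",
-},
-},
-}
-if err := c.Create(ctx, crb); err != nil && !errors.IsAlreadyExists(err) {
+if err := c.Create(ctx, manifests.ClusterRoleBinding); err != nil && !errors.IsAlreadyExists(err) {
 return false, fmt.Errorf("failed to create konnector cluster role binding: %w", err)
 }
-
-// Deployment
-replicas := int32(2)
-httpPort := intstr.FromInt(8090)
-deploy := &appsv1.Deployment{
-ObjectMeta: metav1.ObjectMeta{
-Name: "konnector",
-Namespace: "kube-bind",
-Labels: map[string]string{"app": "konnector"},
-},
-Spec: appsv1.DeploymentSpec{
-Replicas: &replicas,
-Selector: &metav1.LabelSelector{
-MatchLabels: map[string]string{"app": "konnector"},
-},
-Template: corev1.PodTemplateSpec{
-ObjectMeta: metav1.ObjectMeta{
-Labels: map[string]string{"app": "konnector"},
-},
-Spec: corev1.PodSpec{
-RestartPolicy: corev1.RestartPolicyAlways,
-ServiceAccountName: "konnector",
-Containers: []corev1.Container{
-{
-Name: "konnector",
-Image: konnectorImage,
-Env: []corev1.EnvVar{
-{
-Name: "POD_NAME",
-ValueFrom: &corev1.EnvVarSource{
-FieldRef: &corev1.ObjectFieldSelector{
-FieldPath: "metadata.name",
-},
-},
-},
-{
-Name: "POD_NAMESPACE",
-ValueFrom: &corev1.EnvVarSource{
-FieldRef: &corev1.ObjectFieldSelector{
-FieldPath: "metadata.namespace",
-},
-},
-},
-},
-ReadinessProbe: &corev1.Probe{
-ProbeHandler: corev1.ProbeHandler{
-HTTPGet: &corev1.HTTPGetAction{
-Path: "/healthz",
-Port: httpPort,
-},
-},
-},
-},
-},
-},
-},
-},
-}
-if err := c.Create(ctx, deploy); err != nil {
+if err := c.Create(ctx, manifests.Deployment); err != nil {
 return false, fmt.Errorf("failed to create konnector deployment: %w", err)
 }
 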
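Review bot: ensureKonnector (new lines 578-589) creates the ServiceAccount, ClusterRole, ClusterRoleBinding and Deployment from `manifests` but no Namespace, while the served YAML in handler.go walks `manifests.Objects()`, and the template it replaced started with the `kube-bind` Namespace; if `Objects()` still includes it, the two flows diverge in exactly the way the new handler comment says this refactor is meant to prevent. Either state the gap in place, e.g. `// The kube-bind Namespace is not created here; <creator> owns it.` with the real owner filled in, or apply every object from `Objects()` and keep the per-kind error messages by switching on the object's type. The import hunk (old lines 28 and 36) only removes rbacv1 and intstr, and all seven of this file's additions sit in the ensureKonnector hunk, so `kuberesources` must already be imported further down the block for the file to compile — worth confirming, since that package is not in this diff. ensureKonnector continues past the end of the hunk.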