m

Author: steveb

controllers/funcs.go

@@ -22,21 +22,17 @@ import (
 	"errors"
 	"fmt"
 	"strings"
-	"time"
 
 	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
-	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
-	common_role "github.com/openstack-k8s-operators/lib-common/modules/common/role"
-	common_rolebinding "github.com/openstack-k8s-operators/lib-common/modules/common/rolebinding"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 )
 
@@ -207,34 +203,34 @@ func ensureConsoleNamespace(
 	ns := &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: consolesNamespace,
-			Labels: map[string]string{
-				"app": "ironic",
-			},
 		},
 	}
 
-	err := h.GetClient().Get(ctx, client.ObjectKey{Name: consolesNamespace}, ns)
-	if err != nil {
-		if k8s_errors.IsNotFound(err) {
-			// Namespace doesn't exist, create it
-			err = h.GetClient().Create(ctx, ns)
-			if err != nil {
-				return fmt.Errorf("failed to create console namespace %s: %w", consolesNamespace, err)
-			}
-			h.GetLogger().Info(fmt.Sprintf("Created console namespace: %s", consolesNamespace))
-			return nil
+	op, err := controllerutil.CreateOrPatch(ctx, h.GetClient(), ns, func() error {
+		// Set labels
+		if ns.Labels == nil {
+			ns.Labels = make(map[string]string)
 		}
-		return fmt.Errorf("failed to get console namespace %s: %w", consolesNamespace, err)
+		ns.Labels["app"] = "ironic"
+		return nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("failed to reconcile console namespace %s: %w", consolesNamespace, err)
+	}
+
+	if op != controllerutil.OperationResultNone {
+		h.GetLogger().Info(fmt.Sprintf("Namespace %s %s", consolesNamespace, op))
 	}
 
-	// Namespace already exists
 	return nil
 }
 
 // reconcileGraphicalConsoleRbac creates a Role and RoleBinding in the console namespace
 // that grants the ServiceAccount from the service namespace permissions to create console pods.
 // This enables cross-namespace RBAC where the ironic ServiceAccount in the 'openstack' namespace
 // can create pods and secrets in the 'openstack-ironic-consoles' namespace.
+// Note: These resources cannot have owner references since cross-namespace ownership is not allowed.
 func reconcileGraphicalConsoleRbac(
 	ctx context.Context,
 	h *helper.Helper,
@@ -244,81 +240,91 @@ func reconcileGraphicalConsoleRbac(
 	rules []rbacv1.PolicyRule,
 ) (ctrl.Result, error) {
 	serviceNamespace := instance.RbacNamespace()
-
-	// Create Role in the console namespace
 	roleName := serviceAccountName + "-console-role"
-	role := common_role.NewRole(
-		&rbacv1.Role{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      roleName,
-				Namespace: consoleNamespace,
-			},
-			Rules: rules,
+	roleBindingName := serviceAccountName + "-console-rolebinding"
+
+	labels := map[string]string{
+		"app":                          "ironic",
+		"ironic.openstack.org/service": serviceAccountName,
+	}
+
+	// Create or update Role in the console namespace without owner references
+	role := &rbacv1.Role{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      roleName,
+			Namespace: consoleNamespace,
 		},
-		time.Duration(10),
-	)
-	roleResult, err := role.CreateOrPatch(ctx, h)
+	}
+
+	op, err := controllerutil.CreateOrPatch(ctx, h.GetClient(), role, func() error {
+		// Set labels
+		role.Labels = labels
+		// Set rules
+		role.Rules = rules
+		return nil
+	})
+
 	if err != nil {
 		instance.RbacConditionsSet(condition.FalseCondition(
 			condition.RoleReadyCondition,
 			condition.ErrorReason,
 			condition.SeverityWarning,
 			condition.RoleReadyErrorMessage,
 			err.Error()))
-		return roleResult, err
-	} else if (roleResult != ctrl.Result{}) {
-		instance.RbacConditionsSet(condition.FalseCondition(
-			condition.RoleReadyCondition,
-			condition.RequestedReason,
-			condition.SeverityInfo,
-			condition.RoleCreatingMessage))
-		return roleResult, nil
+		return ctrl.Result{}, err
 	}
+
+	if op != controllerutil.OperationResultNone {
+		h.GetLogger().Info(fmt.Sprintf("Role %s %s in namespace %s", roleName, op, consoleNamespace))
+	}
+
 	instance.RbacConditionsSet(condition.TrueCondition(
 		condition.RoleReadyCondition,
 		condition.RoleReadyMessage))
 
-	// Create RoleBinding in the console namespace that references the ServiceAccount
-	// from the service namespace
-	roleBindingName := serviceAccountName + "-console-rolebinding"
-	rolebinding := common_rolebinding.NewRoleBinding(
-		&rbacv1.RoleBinding{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      roleBindingName,
-				Namespace: consoleNamespace,
-			},
-			RoleRef: rbacv1.RoleRef{
-				APIGroup: "rbac.authorization.k8s.io",
-				Kind:     "Role",
-				Name:     roleName,
-			},
-			Subjects: []rbacv1.Subject{
-				{
-					Kind:      "ServiceAccount",
-					Name:      serviceAccountName,
-					Namespace: serviceNamespace, // Cross-namespace reference
-				},
-			},
+	// Create or update RoleBinding in the console namespace that references the ServiceAccount
+	// from the service namespace (cross-namespace reference)
+	roleBinding := &rbacv1.RoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      roleBindingName,
+			Namespace: consoleNamespace,
 		},
-		time.Duration(10),
-	)
-	roleBindingResult, err := rolebinding.CreateOrPatch(ctx, h)
+	}
+
+	op, err = controllerutil.CreateOrPatch(ctx, h.GetClient(), roleBinding, func() error {
+		// Set labels
+		roleBinding.Labels = labels
+		// Set RoleRef (immutable, but safe to set on create)
+		roleBinding.RoleRef = rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "Role",
+			Name:     roleName,
+		}
+		// Set Subjects
+		roleBinding.Subjects = []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      serviceAccountName,
+				Namespace: serviceNamespace,
+			},
+		}
+		return nil
+	})
+
 	if err != nil {
 		instance.RbacConditionsSet(condition.FalseCondition(
 			condition.RoleBindingReadyCondition,
 			condition.ErrorReason,
 			condition.SeverityWarning,
 			condition.RoleBindingReadyErrorMessage,
 			err.Error()))
-		return roleBindingResult, err
-	} else if (roleBindingResult != ctrl.Result{}) {
-		instance.RbacConditionsSet(condition.FalseCondition(
-			condition.RoleBindingReadyCondition,
-			condition.RequestedReason,
-			condition.SeverityInfo,
-			condition.RoleBindingCreatingMessage))
-		return roleBindingResult, nil
+		return ctrl.Result{}, err
+	}
+
+	if op != controllerutil.OperationResultNone {
+		h.GetLogger().Info(fmt.Sprintf("RoleBinding %s %s in namespace %s", roleBindingName, op, consoleNamespace))
 	}
+
 	instance.RbacConditionsSet(condition.TrueCondition(
 		condition.RoleBindingReadyCondition,
 		condition.RoleBindingReadyMessage))

controllers/ironic_controller.go

@@ -305,8 +305,6 @@ func (r *IronicReconciler) reconcileNormal(ctx context.Context, instance *ironic
 		return rbacResult, nil
 	}
 
-	
-
 	// ConfigMap
 	configMapVars := make(map[string]env.Setter)
 

controllers/ironicconductor_controller.go

@@ -464,13 +464,6 @@ func (r *IronicConductorReconciler) reconcileServices(
 			}
 		}
 		if instance.Spec.GraphicalConsoles == "Enabled" {
-			//
-			// Create the console namespace for graphical console pods
-			//
-			err = ensureConsoleNamespace(ctx, helper, instance.Namespace)
-			if err != nil {
-				return ctrl.Result{}, err
-			}
 
 			//
 			// Create the conductor pod route to enable traffic to the
@@ -550,6 +543,17 @@ func (r *IronicConductorReconciler) reconcileNormal(ctx context.Context, instanc
 
 	// Roles and binding for existing service account for graphical consoles
 	if instance.Spec.GraphicalConsoles == "Enabled" {
+		// TODO: (stevebaker) Uncomment this when the role.yaml
+		// rule which allows namespace operations is applied.
+		// Until then, proceed as if the namespace has been created.
+		// //
+		// // Create the console namespace for graphical console pods
+		// //
+		// err := ensureConsoleNamespace(ctx, helper, instance.Namespace)
+		// if err != nil {
+		// 	return ctrl.Result{}, err
+		// }
+
 		consoleNamespace := getConsoleNamespaceName(instance.Namespace)
 		serviceAccountName := instance.RbacResourceName()
 		gcRbacResult, err := reconcileGraphicalConsoleRbac(
@@ -993,9 +997,9 @@ func (r *IronicConductorReconciler) generateServiceConfigMaps(
 	templateParameters["LogPath"] = ironicconductor.LogPath
 	graphicalConsolesEnabled := instance.Spec.GraphicalConsoles == "Enabled"
 	templateParameters["GraphicalConsolesEnabled"] = graphicalConsolesEnabled
+	templateParameters["ConsoleNamespace"] = getConsoleNamespaceName(instance.Namespace)
 	if graphicalConsolesEnabled {
 		templateParameters["ConsoleImage"] = instance.Spec.ConsoleImage
-		templateParameters["ConsoleNamespace"] = getConsoleNamespaceName(instance.Namespace)
 	}
 
 	databaseAccount := db.GetAccount()