#4794

Committed 14 Jul 2024 06:12PM UTC coverage: 58.983% (+0.01%) from 58.972%

Build # #4794

Build Type

push

travis-ci

Committed by

web-flow

Commit Message

update to k8s 1.30 libs and controller-runtime 0.18.4 (#3336)

* make deps-update

Signed-off-by: Michael Henriksen <mhenriks@redhat.com>

* ReourceRequirements -> VolumeResourceRequirements

Signed-off-by: Michael Henriksen <mhenriks@redhat.com>

* fix calls to controller.Watch()

controller-runtime changed the API!

Signed-off-by: Michael Henriksen <mhenriks@redhat.com>

* Fix errors with actual openshift/library-go lib

Signed-off-by: Michael Henriksen <mhenriks@redhat.com>

* make all works now and everything compiles

Signed-off-by: Michael Henriksen <mhenriks@redhat.com>

* fix "make update-codegen" because generate_groups.sh deprecated

Signed-off-by: Michael Henriksen <mhenriks@redhat.com>

* run "make generate"

Signed-off-by: Michael Henriksen <mhenriks@redhat.com>

* fix transfer unittest because of change to controller-runtime

Signed-off-by: Michael Henriksen <mhenriks@redhat.com>

---------

Signed-off-by: Michael Henriksen <mhenriks@redhat.com>

Run Details

6 of 238 new or added lines in 24 files covered. (2.52%)

10 existing lines in 4 files now uncovered.

16454 of 27896 relevant lines covered (58.98%)

0.65 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

69.7

/pkg/operator/controller/scc.go

/*
Copyright 2018 The CDI Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package controller

import (
        "context"
        "fmt"

        "github.com/go-logr/logr"
        secv1 "github.com/openshift/api/security/v1"

        corev1 "k8s.io/api/core/v1"
        apiequality "k8s.io/apimachinery/pkg/api/equality"
        "k8s.io/apimachinery/pkg/api/errors"
        "k8s.io/apimachinery/pkg/api/meta"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

        "sigs.k8s.io/controller-runtime/pkg/client"
        "sigs.k8s.io/controller-runtime/pkg/source"

        cc "kubevirt.io/containerized-data-importer/pkg/controller/common"
        "kubevirt.io/containerized-data-importer/pkg/operator"
        "kubevirt.io/containerized-data-importer/pkg/util"
        sdk "kubevirt.io/controller-lifecycle-operator-sdk/pkg/sdk"
)

const sccName = "containerized-data-importer"

func setSCC(scc *secv1.SecurityContextConstraints) {
        // Ensure we are just good citizens that don't want to compete against other prioritized SCCs
        scc.Priority = nil
        scc.RunAsUser = secv1.RunAsUserStrategyOptions{
                Type: secv1.RunAsUserStrategyMustRunAsNonRoot,
        }
        scc.SELinuxContext = secv1.SELinuxContextStrategyOptions{
                Type: secv1.SELinuxStrategyMustRunAs,
        }
        scc.SupplementalGroups = secv1.SupplementalGroupsStrategyOptions{
                Type: secv1.SupplementalGroupsStrategyMustRunAs,
        }
        scc.SeccompProfiles = []string{
                "runtime/default",
        }
        scc.DefaultAddCapabilities = nil
        scc.RequiredDropCapabilities = []corev1.Capability{
                "ALL",
        }
        scc.Volumes = []secv1.FSType{
                secv1.FSTypeConfigMap,
                secv1.FSTypeDownwardAPI,
                secv1.FSTypeEmptyDir,
                secv1.FSTypePersistentVolumeClaim,
                secv1.FSProjected,
                secv1.FSTypeSecret,
        }
}

func ensureSCCExists(ctx context.Context, logger logr.Logger, c client.Client, saNamespace, saName, cronSaName string) error {
        scc := &secv1.SecurityContextConstraints{}
        userName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, saName)
        cronUserName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, cronSaName)

        err := c.Get(ctx, client.ObjectKey{Name: sccName}, scc)
        if meta.IsNoMatchError(err) {
                // not in openshift
                logger.V(3).Info("No match error for SCC, must not be in openshift")
                return nil
        } else if errors.IsNotFound(err) {
                cr, err := cc.GetActiveCDI(ctx, c)
                if err != nil {
                        return err
                }
                if cr == nil {
                        return fmt.Errorf("no active CDI")
                }
                installerLabels := util.GetRecommendedInstallerLabelsFromCr(cr)

                scc = &secv1.SecurityContextConstraints{
                        ObjectMeta: metav1.ObjectMeta{
                                Name: sccName,
                                Labels: map[string]string{
                                        "cdi.kubevirt.io": "",
                                },
                        },
                        Users: []string{
                                userName,
                                cronUserName,
                        },
                }

                setSCC(scc)

                util.SetRecommendedLabels(scc, installerLabels, "cdi-operator")

                if err = operator.SetOwnerRuntime(c, scc); err != nil {
                        return err
                }

                return c.Create(ctx, scc)
        } else if err != nil {
                return err
        }

        origSCC := scc.DeepCopy()

        setSCC(scc)

        if !sdk.ContainsStringValue(scc.Users, userName) {
                scc.Users = append(scc.Users, userName)
        }
        if !sdk.ContainsStringValue(scc.Users, cronUserName) {
                scc.Users = append(scc.Users, cronUserName)
        }

        if !apiequality.Semantic.DeepEqual(origSCC, scc) {
                return c.Update(context.TODO(), scc)
        }

        return nil
}

func (r *ReconcileCDI) watchSecurityContextConstraints() error {
        err := r.uncachedClient.List(context.TODO(), &secv1.SecurityContextConstraintsList{}, &client.ListOptions{
                Limit: 1,
        })
        if err == nil {
                var scc client.Object = &secv1.SecurityContextConstraints{}
                return r.controller.Watch(source.Kind(r.getCache(), scc, enqueueCDI(r.client)))
        }
        if meta.IsNoMatchError(err) {
                log.Info("Not watching SecurityContextConstraints")
                return nil
        }

        return err
}

1	/*
2	Copyright 2018 The CDI Authors.
3
4	Licensed under the Apache License, Version 2.0 (the "License");
5	you may not use this file except in compliance with the License.
6	You may obtain a copy of the License at
7
8	http://www.apache.org/licenses/LICENSE-2.0
9
10	Unless required by applicable law or agreed to in writing, software
11	distributed under the License is distributed on an "AS IS" BASIS,
12	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	See the License for the specific language governing permissions and
14	limitations under the License.
15	*/
16
17	package controller
18
19	import (
20	"context"
21	"fmt"
22
23	"github.com/go-logr/logr"
24	secv1 "github.com/openshift/api/security/v1"
25
26	corev1 "k8s.io/api/core/v1"
27	apiequality "k8s.io/apimachinery/pkg/api/equality"
28	"k8s.io/apimachinery/pkg/api/errors"
29	"k8s.io/apimachinery/pkg/api/meta"
30	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
31
32	"sigs.k8s.io/controller-runtime/pkg/client"
33	"sigs.k8s.io/controller-runtime/pkg/source"
34
35	cc "kubevirt.io/containerized-data-importer/pkg/controller/common"
36	"kubevirt.io/containerized-data-importer/pkg/operator"
37	"kubevirt.io/containerized-data-importer/pkg/util"
38	sdk "kubevirt.io/controller-lifecycle-operator-sdk/pkg/sdk"
39	)
40
41	const sccName = "containerized-data-importer"
42
43	func setSCC(scc *secv1.SecurityContextConstraints) {	1✔
44	// Ensure we are just good citizens that don't want to compete against other prioritized SCCs	1✔
45	scc.Priority = nil	1✔
46	scc.RunAsUser = secv1.RunAsUserStrategyOptions{	1✔
47	Type: secv1.RunAsUserStrategyMustRunAsNonRoot,	1✔
48	}	1✔
49	scc.SELinuxContext = secv1.SELinuxContextStrategyOptions{	1✔
50	Type: secv1.SELinuxStrategyMustRunAs,	1✔
51	}	1✔
52	scc.SupplementalGroups = secv1.SupplementalGroupsStrategyOptions{	1✔
53	Type: secv1.SupplementalGroupsStrategyMustRunAs,	1✔
54	}	1✔
55	scc.SeccompProfiles = []string{	1✔
56	"runtime/default",	1✔
57	}	1✔
58	scc.DefaultAddCapabilities = nil	1✔
59	scc.RequiredDropCapabilities = []corev1.Capability{	1✔
60	"ALL",	1✔
61	}	1✔
62	scc.Volumes = []secv1.FSType{	1✔
63	secv1.FSTypeConfigMap,	1✔
64	secv1.FSTypeDownwardAPI,	1✔
65	secv1.FSTypeEmptyDir,	1✔
66	secv1.FSTypePersistentVolumeClaim,	1✔
67	secv1.FSProjected,	1✔
68	secv1.FSTypeSecret,	1✔
69	}	1✔
70	}	1✔
71
72	func ensureSCCExists(ctx context.Context, logger logr.Logger, c client.Client, saNamespace, saName, cronSaName string) error {	1✔
73	scc := &secv1.SecurityContextConstraints{}	1✔
74	userName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, saName)	1✔
75	cronUserName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, cronSaName)	1✔
76		1✔
77	err := c.Get(ctx, client.ObjectKey{Name: sccName}, scc)	1✔
78	if meta.IsNoMatchError(err) {	1✔
79	// not in openshift	×
80	logger.V(3).Info("No match error for SCC, must not be in openshift")	×
81	return nil	×
82	} else if errors.IsNotFound(err) {	2✔
83	cr, err := cc.GetActiveCDI(ctx, c)	1✔
84	if err != nil {	1✔
85	return err	×
86	}	×
87	if cr == nil {	1✔
88	return fmt.Errorf("no active CDI")	×
89	}	×
90	installerLabels := util.GetRecommendedInstallerLabelsFromCr(cr)	1✔
91		1✔
92	scc = &secv1.SecurityContextConstraints{	1✔
93	ObjectMeta: metav1.ObjectMeta{	1✔
94	Name: sccName,	1✔
95	Labels: map[string]string{	1✔
96	"cdi.kubevirt.io": "",	1✔
97	},	1✔
98	},	1✔
99	Users: []string{	1✔
100	userName,	1✔
101	cronUserName,	1✔
102	},	1✔
103	}	1✔
104		1✔
105	setSCC(scc)	1✔
106		1✔
107	util.SetRecommendedLabels(scc, installerLabels, "cdi-operator")	1✔
108		1✔
109	if err = operator.SetOwnerRuntime(c, scc); err != nil {	1✔
110	return err	×
111	}	×
112
113	return c.Create(ctx, scc)	1✔
114	} else if err != nil {	1✔
115	return err	×
116	}	×
117
118	origSCC := scc.DeepCopy()	1✔
119		1✔
120	setSCC(scc)	1✔
121		1✔
122	if !sdk.ContainsStringValue(scc.Users, userName) {	1✔
123	scc.Users = append(scc.Users, userName)	×
124	}	×
125	if !sdk.ContainsStringValue(scc.Users, cronUserName) {	1✔
126	scc.Users = append(scc.Users, cronUserName)	×
127	}	×
128
129	if !apiequality.Semantic.DeepEqual(origSCC, scc) {	1✔
130	return c.Update(context.TODO(), scc)	×
131	}	×
132
133	return nil	1✔
134	}
135
136	func (r *ReconcileCDI) watchSecurityContextConstraints() error {	×
137	err := r.uncachedClient.List(context.TODO(), &secv1.SecurityContextConstraintsList{}, &client.ListOptions{	×
138	Limit: 1,	×
139	})	×
140	if err == nil {	×
NEW 141	var scc client.Object = &secv1.SecurityContextConstraints{}	×
NEW 142	return r.controller.Watch(source.Kind(r.getCache(), scc, enqueueCDI(r.client)))	×
143	}	×
144	if meta.IsNoMatchError(err) {	×
145	log.Info("Not watching SecurityContextConstraints")	×
146	return nil	×
147	}	×
148
149	return err	×
150	}

kubevirt / containerized-data-importer / #4794

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous