26148199291

Committed 20 May 2026 07:31AM UTC coverage: 72.073% (-0.6%) from 72.713%

Build # 26148199291

Build Type

Pull #534

github

Committed by

web-flow

Commit Message

Merge a20b5e3cb into 7e21d7039

Pull Request Pull Request #534: fix(deps): update k8s.io/kube-openapi digest to aa012df

Coverage Stats

2364 of 3280 relevant lines covered (72.07%)

32.36 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

74.42

/pkg/controller/profile_controller.go

// Copyright 2026 BWI GmbH and Solution Arsenal contributors
// SPDX-License-Identifier: Apache-2.0

package controller

import (
        "context"
        "fmt"

        corev1 "k8s.io/api/core/v1"
        apierrors "k8s.io/apimachinery/pkg/api/errors"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
        "k8s.io/apimachinery/pkg/labels"
        "k8s.io/apimachinery/pkg/runtime"
        "k8s.io/client-go/tools/events"
        ctrl "sigs.k8s.io/controller-runtime"
        "sigs.k8s.io/controller-runtime/pkg/client"
        "sigs.k8s.io/controller-runtime/pkg/handler"
        "sigs.k8s.io/controller-runtime/pkg/reconcile"

        solarv1alpha1 "go.opendefense.cloud/solar/api/solar/v1alpha1"
)

// bindingTargetKey returns a stable namespace/name key for a ReleaseBinding's target reference.
func bindingTargetKey(rb *solarv1alpha1.ReleaseBinding) string {
        ns := rb.Spec.TargetNamespace
        if ns == "" {
                ns = rb.Namespace
        }

        return ns + "/" + rb.Spec.TargetRef.Name
}

// targetKey returns the namespace/name key for a Target.
func targetKey(t *solarv1alpha1.Target) string {
        return t.Namespace + "/" + t.Name
}

// solarGroup is the API group for all solar resources.
const solarGroup = "solar.opendefense.cloud"

// grantPermits returns true if the ReferenceGrant allows a resource identified by
// (fromGroup, fromKind, fromNamespace) to reference a resource of (toGroup, toKind)
// in the grant's own namespace.
func grantPermits(grant *solarv1alpha1.ReferenceGrant, fromGroup, fromKind, fromNamespace, toGroup, toKind string) bool {
        hasFrom := false
        for _, f := range grant.Spec.From {
                if f.Namespace == fromNamespace && f.Kind == fromKind && f.Group == fromGroup {
                        hasFrom = true
                        break
                }
        }
        if !hasFrom {
                return false
        }
        for _, t := range grant.Spec.To {
                if t.Kind == toKind && t.Group == toGroup {
                        return true
                }
        }

        return false
}

// grantPermitsTargetAccess returns true if the ReferenceGrant allows a Profile in
// fromNamespace to reference Target resources in the grant's namespace.
func grantPermitsTargetAccess(grant *solarv1alpha1.ReferenceGrant, fromNamespace string) bool {
        return grantPermits(grant, solarGroup, "Profile", fromNamespace, solarGroup, "Target")
}

// grantsTargetResource returns true if the ReferenceGrant includes Target in its To list.
func grantsTargetResource(grant *solarv1alpha1.ReferenceGrant) bool {
        for _, t := range grant.Spec.To {
                if t.Kind == "Target" && t.Group == solarGroup {
                        return true
                }
        }

        return false
}

// grantPermitsComponentVersionAccess returns true if the ReferenceGrant allows a Release
// in fromNamespace to reference ComponentVersion resources in the grant's namespace.
func grantPermitsComponentVersionAccess(grant *solarv1alpha1.ReferenceGrant, fromNamespace string) bool {
        return grantPermits(grant, solarGroup, "Release", fromNamespace, solarGroup, "ComponentVersion")
}

// grantsComponentVersionResource returns true if the ReferenceGrant includes ComponentVersion in its To list.
func grantsComponentVersionResource(grant *solarv1alpha1.ReferenceGrant) bool {
        for _, t := range grant.Spec.To {
                if t.Kind == "ComponentVersion" && t.Group == solarGroup {
                        return true
                }
        }

        return false
}

// ProfileReconciler reconciles a Profile object.
// It evaluates the Profile's TargetSelector against all Targets in the namespace
// and creates/deletes ReleaseBindings accordingly.
// Cross-namespace Targets are included when a ReferenceGrant in the target's namespace
// grants the Profile's namespace access to "targets".
type ProfileReconciler struct {
        client.Client
        Scheme   *runtime.Scheme
        Recorder events.EventRecorder
        // WatchNamespace restricts reconciliation to this namespace.
        WatchNamespace string
}

//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=profiles,verbs=get;list;watch
//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=profiles/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=releasebindings,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=targets,verbs=get;list;watch
//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=referencegrants,verbs=get;list;watch
//+kubebuilder:rbac:groups=events.k8s.io,resources=events,verbs=create;patch

// Reconcile evaluates the Profile's TargetSelector and ensures matching ReleaseBindings exist.
func (r *ProfileReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
        log := ctrl.LoggerFrom(ctx)

        log.V(1).Info("Profile is being reconciled", "req", req)

        if r.WatchNamespace != "" && req.Namespace != r.WatchNamespace {
                return ctrl.Result{}, nil
        }

        // Fetch Profile
        profile := &solarv1alpha1.Profile{}
        if err := r.Get(ctx, req.NamespacedName, profile); err != nil {
                if apierrors.IsNotFound(err) {
                        return ctrl.Result{}, nil
                }

                return ctrl.Result{}, errLogAndWrap(log, err, "failed to get Profile")
        }

        // Evaluate TargetSelector against all Targets
        selector, err := metav1.LabelSelectorAsSelector(&profile.Spec.TargetSelector)
        if err != nil {
                log.Error(err, "invalid targetSelector in Profile")

                return ctrl.Result{}, nil
        }

        // Collect matching targets from the profile's own namespace
        sameNsTargets := &solarv1alpha1.TargetList{}
        if err := r.List(ctx, sameNsTargets,
                client.InNamespace(profile.Namespace),
                client.MatchingLabelsSelector{Selector: selector},
        ); err != nil {
                return ctrl.Result{}, errLogAndWrap(log, err, "failed to list Targets")
        }

        allTargets := make([]solarv1alpha1.Target, 0, len(sameNsTargets.Items))
        allTargets = append(allTargets, sameNsTargets.Items...)

        // Collect cross-namespace targets via ReferenceGrants.
        // A ReferenceGrant in namespace B listing the profile's namespace in From and
        // "targets" in To allows this Profile to select Targets from namespace B.
        //
        // FIXME: listing all ReferenceGrants cluster-wide on every reconcile is a cache
        // scan only (no etcd round-trip, no host-cluster impact), but may become a
        // bottleneck at scale. Consider adding a field index on ReferenceGrants keyed by
        // the namespaces they grant access to so we can filter server-side.
        grantList := &solarv1alpha1.ReferenceGrantList{}
        if err := r.List(ctx, grantList); err != nil {
                return ctrl.Result{}, errLogAndWrap(log, err, "failed to list ReferenceGrants")
        }

        for i := range grantList.Items {
                grant := &grantList.Items[i]
                if grant.Namespace == profile.Namespace {
                        // same-namespace targets already covered above
                        continue
                }
                if !grantPermitsTargetAccess(grant, profile.Namespace) {
                        continue
                }
                crossNsTargets := &solarv1alpha1.TargetList{}
                if err := r.List(ctx, crossNsTargets,
                        client.InNamespace(grant.Namespace),
                        client.MatchingLabelsSelector{Selector: selector},
                ); err != nil {
                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to list cross-namespace Targets in "+grant.Namespace)
                }
                allTargets = append(allTargets, crossNsTargets.Items...)
        }

        // Build set of desired ReleaseBindings (one per matching target, keyed by namespace/name)
        desiredTargets := map[string]solarv1alpha1.Target{}
        for _, t := range allTargets {
                desiredTargets[targetKey(&t)] = t
        }

        // List existing ReleaseBindings owned by this Profile
        existingBindings := &solarv1alpha1.ReleaseBindingList{}
        if err := r.List(ctx, existingBindings,
                client.InNamespace(profile.Namespace),
                client.MatchingFields{"metadata.ownerReferences.name": profile.Name},
        ); err != nil {
                // Field index may not be available; fall back to listing all and filtering
                allBindings := &solarv1alpha1.ReleaseBindingList{}
                if err := r.List(ctx, allBindings, client.InNamespace(profile.Namespace)); err != nil {
                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to list ReleaseBindings")
                }

                existingBindings = &solarv1alpha1.ReleaseBindingList{}

                for i := range allBindings.Items {
                        if metav1.IsControlledBy(&allBindings.Items[i], profile) {
                                existingBindings.Items = append(existingBindings.Items, allBindings.Items[i])
                        }
                }
        }

        // Delete ReleaseBindings for targets that no longer match
        existingByKey := map[string]*solarv1alpha1.ReleaseBinding{}
        for i := range existingBindings.Items {
                rb := &existingBindings.Items[i]
                key := bindingTargetKey(rb)
                existingByKey[key] = rb

                if _, desired := desiredTargets[key]; !desired {
                        log.V(1).Info("Deleting ReleaseBinding for unmatched target", "key", key)
                        if err := r.Delete(ctx, rb); err != nil && !apierrors.IsNotFound(err) {
                                return ctrl.Result{}, errLogAndWrap(log, err, "failed to delete ReleaseBinding")
                        }

                        r.Recorder.Eventf(profile, nil, corev1.EventTypeNormal, "Deleted", "Delete",
                                "Deleted ReleaseBinding for target %s", key)
                }
        }

        // Create ReleaseBindings for new matching targets
        for key, target := range desiredTargets {
                if _, exists := existingByKey[key]; exists {
                        continue
                }

                crossNs := ""
                if target.Namespace != profile.Namespace {
                        crossNs = target.Namespace
                }

                rb := &solarv1alpha1.ReleaseBinding{
                        ObjectMeta: metav1.ObjectMeta{
                                // We need to truncated the name: 57 (input) + 1 (-) + 5 (appended by generated) = 63 (max chars allowed)
                                GenerateName: truncateName(fmt.Sprintf("%s-%s", profile.Name, target.Name), 57) + "-",
                                Namespace:    profile.Namespace,
                        },
                        Spec: solarv1alpha1.ReleaseBindingSpec{
                                TargetRef:       corev1.LocalObjectReference{Name: target.Name},
                                TargetNamespace: crossNs,
                                ReleaseRef:      profile.Spec.ReleaseRef,
                        },
                }
                if err := ctrl.SetControllerReference(profile, rb, r.Scheme); err != nil {
                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to set controller reference on ReleaseBinding")
                }

                if err := r.Create(ctx, rb); err != nil {
                        if apierrors.IsAlreadyExists(err) {
                                continue
                        }

                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to create ReleaseBinding")
                }

                log.V(1).Info("Created ReleaseBinding for target", "key", key)
                r.Recorder.Eventf(profile, nil, corev1.EventTypeNormal, "Created", "Create",
                        "Created ReleaseBinding for target %s", key)
        }

        // Update status
        original := profile.DeepCopy()
        profile.Status.MatchedTargets = len(desiredTargets)
        if profile.Status.MatchedTargets != original.Status.MatchedTargets {
                if err := r.Status().Update(ctx, profile); err != nil {
                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to update Profile status")
                }
        }

        return ctrl.Result{}, nil
}

// SetupWithManager sets up the controller with the Manager.
func (r *ProfileReconciler) SetupWithManager(mgr ctrl.Manager) error {
        return ctrl.NewControllerManagedBy(mgr).
                For(&solarv1alpha1.Profile{}).
                Owns(&solarv1alpha1.ReleaseBinding{}).
                Watches(
                        &solarv1alpha1.Target{},
                        handler.EnqueueRequestsFromMapFunc(r.mapTargetToProfiles),
                ).
                Watches(
                        &solarv1alpha1.ReferenceGrant{},
                        handler.EnqueueRequestsFromMapFunc(r.mapReferenceGrantToProfiles),
                ).
                Complete(r)
}

// mapTargetToProfiles maps a Target to all Profiles that might match it,
// including Profiles in namespaces that have been granted access via ReferenceGrant.
func (r *ProfileReconciler) mapTargetToProfiles(ctx context.Context, obj client.Object) []reconcile.Request {
        log := ctrl.LoggerFrom(ctx)

        target, ok := obj.(*solarv1alpha1.Target)
        if !ok {
                return nil
        }

        targetLabels := labels.Set(target.Labels)
        var requests []reconcile.Request

        // Enqueue profiles in the target's own namespace
        profileList := &solarv1alpha1.ProfileList{}
        if err := r.List(ctx, profileList, client.InNamespace(target.Namespace)); err != nil {
                log.Error(err, "failed to list Profiles for Target mapping")

                return nil
        }

        for _, profile := range profileList.Items {
                selector, err := metav1.LabelSelectorAsSelector(&profile.Spec.TargetSelector)
                if err != nil {
                        continue
                }

                if selector.Matches(targetLabels) {
                        requests = append(requests, reconcile.Request{
                                NamespacedName: client.ObjectKeyFromObject(&profile),
                        })
                }
        }

        // Enqueue profiles in namespaces that have been granted access to targets in
        // this target's namespace via a ReferenceGrant.
        grantList := &solarv1alpha1.ReferenceGrantList{}
        if err := r.List(ctx, grantList, client.InNamespace(target.Namespace)); err != nil {
                log.Error(err, "failed to list ReferenceGrants for cross-namespace Target mapping")

                return requests
        }

        for i := range grantList.Items {
                grant := &grantList.Items[i]
                if !grantsTargetResource(grant) {
                        continue
                }
                for _, from := range grant.Spec.From {
                        if from.Namespace == target.Namespace || from.Kind != "Profile" {
                                continue
                        }
                        fromProfiles := &solarv1alpha1.ProfileList{}
                        if err := r.List(ctx, fromProfiles, client.InNamespace(from.Namespace)); err != nil {
                                log.Error(err, "failed to list Profiles in granted namespace", "namespace", from.Namespace)
                                continue
                        }
                        for _, p := range fromProfiles.Items {
                                selector, err := metav1.LabelSelectorAsSelector(&p.Spec.TargetSelector)
                                if err != nil {
                                        continue
                                }
                                if selector.Matches(targetLabels) {
                                        requests = append(requests, reconcile.Request{
                                                NamespacedName: client.ObjectKeyFromObject(&p),
                                        })
                                }
                        }
                }
        }

        return requests
}

// mapReferenceGrantToProfiles enqueues all Profiles in the namespaces listed in
// a ReferenceGrant's From field, allowing them to re-evaluate cross-namespace matches.
func (r *ProfileReconciler) mapReferenceGrantToProfiles(ctx context.Context, obj client.Object) []reconcile.Request {
        log := ctrl.LoggerFrom(ctx)

        grant, ok := obj.(*solarv1alpha1.ReferenceGrant)
        if !ok {
                return nil
        }

        if !grantsTargetResource(grant) {
                return nil
        }

        var requests []reconcile.Request
        for _, from := range grant.Spec.From {
                if from.Kind != "Profile" || from.Group != solarGroup {
                        continue
                }
                profiles := &solarv1alpha1.ProfileList{}
                if err := r.List(ctx, profiles, client.InNamespace(from.Namespace)); err != nil {
                        log.Error(err, "failed to list Profiles for ReferenceGrant mapping", "namespace", from.Namespace)
                        continue
                }
                for _, p := range profiles.Items {
                        requests = append(requests, reconcile.Request{
                                NamespacedName: client.ObjectKeyFromObject(&p),
                        })
                }
        }

        return requests
}

1	// Copyright 2026 BWI GmbH and Solution Arsenal contributors
2	// SPDX-License-Identifier: Apache-2.0
3
4	package controller
5
6	import (
7	"context"
8	"fmt"
9
10	corev1 "k8s.io/api/core/v1"
11	apierrors "k8s.io/apimachinery/pkg/api/errors"
12	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
13	"k8s.io/apimachinery/pkg/labels"
14	"k8s.io/apimachinery/pkg/runtime"
15	"k8s.io/client-go/tools/events"
16	ctrl "sigs.k8s.io/controller-runtime"
17	"sigs.k8s.io/controller-runtime/pkg/client"
18	"sigs.k8s.io/controller-runtime/pkg/handler"
19	"sigs.k8s.io/controller-runtime/pkg/reconcile"
20
21	solarv1alpha1 "go.opendefense.cloud/solar/api/solar/v1alpha1"
22	)
23
24	// bindingTargetKey returns a stable namespace/name key for a ReleaseBinding's target reference.
25	func bindingTargetKey(rb *solarv1alpha1.ReleaseBinding) string {	10✔
26	ns := rb.Spec.TargetNamespace	10✔
27	if ns == "" {	18✔
28	ns = rb.Namespace	8✔
29	}	8✔
30
31	return ns + "/" + rb.Spec.TargetRef.Name	10✔
32	}
33
34	// targetKey returns the namespace/name key for a Target.
35	func targetKey(t *solarv1alpha1.Target) string {	15✔
36	return t.Namespace + "/" + t.Name	15✔
37	}	15✔
38
39	// solarGroup is the API group for all solar resources.
40	const solarGroup = "solar.opendefense.cloud"
41
42	// grantPermits returns true if the ReferenceGrant allows a resource identified by
43	// (fromGroup, fromKind, fromNamespace) to reference a resource of (toGroup, toKind)
44	// in the grant's own namespace.
45	func grantPermits(grant *solarv1alpha1.ReferenceGrant, fromGroup, fromKind, fromNamespace, toGroup, toKind string) bool {	6✔
46	hasFrom := false	6✔
47	for _, f := range grant.Spec.From {	12✔
48	if f.Namespace == fromNamespace && f.Kind == fromKind && f.Group == fromGroup {	12✔
49	hasFrom = true	6✔
50	break	6✔
51	}
52	}
53	if !hasFrom {	6✔
54	return false	×
55	}	×
56	for _, t := range grant.Spec.To {	12✔
57	if t.Kind == toKind && t.Group == toGroup {	12✔
58	return true	6✔
59	}	6✔
60	}
61
62	return false	×
63	}
64
65	// grantPermitsTargetAccess returns true if the ReferenceGrant allows a Profile in
66	// fromNamespace to reference Target resources in the grant's namespace.
67	func grantPermitsTargetAccess(grant *solarv1alpha1.ReferenceGrant, fromNamespace string) bool {	2✔
68	return grantPermits(grant, solarGroup, "Profile", fromNamespace, solarGroup, "Target")	2✔
69	}	2✔
70
71	// grantsTargetResource returns true if the ReferenceGrant includes Target in its To list.
72	func grantsTargetResource(grant *solarv1alpha1.ReferenceGrant) bool {	8✔
73	for _, t := range grant.Spec.To {	16✔
74	if t.Kind == "Target" && t.Group == solarGroup {	12✔
75	return true	4✔
76	}	4✔
77	}
78
79	return false	4✔
80	}
81
82	// grantPermitsComponentVersionAccess returns true if the ReferenceGrant allows a Release
83	// in fromNamespace to reference ComponentVersion resources in the grant's namespace.
84	func grantPermitsComponentVersionAccess(grant *solarv1alpha1.ReferenceGrant, fromNamespace string) bool {	4✔
85	return grantPermits(grant, solarGroup, "Release", fromNamespace, solarGroup, "ComponentVersion")	4✔
86	}	4✔
87
88	// grantsComponentVersionResource returns true if the ReferenceGrant includes ComponentVersion in its To list.
89	func grantsComponentVersionResource(grant *solarv1alpha1.ReferenceGrant) bool {	16✔
90	for _, t := range grant.Spec.To {	32✔
91	if t.Kind == "ComponentVersion" && t.Group == solarGroup {	24✔
92	return true	8✔
93	}	8✔
94	}
95
96	return false	8✔
97	}
98
99	// ProfileReconciler reconciles a Profile object.
100	// It evaluates the Profile's TargetSelector against all Targets in the namespace
101	// and creates/deletes ReleaseBindings accordingly.
102	// Cross-namespace Targets are included when a ReferenceGrant in the target's namespace
103	// grants the Profile's namespace access to "targets".
104	type ProfileReconciler struct {
105	client.Client
106	Scheme *runtime.Scheme
107	Recorder events.EventRecorder
108	// WatchNamespace restricts reconciliation to this namespace.
109	WatchNamespace string
110	}
111
112	//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=profiles,verbs=get;list;watch
113	//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=profiles/status,verbs=get;update;patch
114	//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=releasebindings,verbs=get;list;watch;create;update;patch;delete
115	//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=targets,verbs=get;list;watch
116	//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=referencegrants,verbs=get;list;watch
117	//+kubebuilder:rbac:groups=events.k8s.io,resources=events,verbs=create;patch
118
119	// Reconcile evaluates the Profile's TargetSelector and ensures matching ReleaseBindings exist.
120	func (r *ProfileReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {	31✔
121	log := ctrl.LoggerFrom(ctx)	31✔
122		31✔
123	log.V(1).Info("Profile is being reconciled", "req", req)	31✔
124		31✔
125	if r.WatchNamespace != "" && req.Namespace != r.WatchNamespace {	45✔
126	return ctrl.Result{}, nil	14✔
127	}	14✔
128
129	// Fetch Profile
130	profile := &solarv1alpha1.Profile{}	17✔
131	if err := r.Get(ctx, req.NamespacedName, profile); err != nil {	17✔
132	if apierrors.IsNotFound(err) {	×
133	return ctrl.Result{}, nil	×
134	}	×
135
136	return ctrl.Result{}, errLogAndWrap(log, err, "failed to get Profile")	×
137	}
138
139	// Evaluate TargetSelector against all Targets
140	selector, err := metav1.LabelSelectorAsSelector(&profile.Spec.TargetSelector)	17✔
141	if err != nil {	17✔
142	log.Error(err, "invalid targetSelector in Profile")	×
143		×
144	return ctrl.Result{}, nil	×
145	}	×
146
147	// Collect matching targets from the profile's own namespace
148	sameNsTargets := &solarv1alpha1.TargetList{}	17✔
149	if err := r.List(ctx, sameNsTargets,	17✔
150	client.InNamespace(profile.Namespace),	17✔
151	client.MatchingLabelsSelector{Selector: selector},	17✔
152	); err != nil {	17✔
153	return ctrl.Result{}, errLogAndWrap(log, err, "failed to list Targets")	×
154	}	×
155
156	allTargets := make([]solarv1alpha1.Target, 0, len(sameNsTargets.Items))	17✔
157	allTargets = append(allTargets, sameNsTargets.Items...)	17✔
158		17✔
159	// Collect cross-namespace targets via ReferenceGrants.	17✔
160	// A ReferenceGrant in namespace B listing the profile's namespace in From and	17✔
161	// "targets" in To allows this Profile to select Targets from namespace B.	17✔
162	//	17✔
163	// FIXME: listing all ReferenceGrants cluster-wide on every reconcile is a cache	17✔
164	// scan only (no etcd round-trip, no host-cluster impact), but may become a	17✔
165	// bottleneck at scale. Consider adding a field index on ReferenceGrants keyed by	17✔
166	// the namespaces they grant access to so we can filter server-side.	17✔
167	grantList := &solarv1alpha1.ReferenceGrantList{}	17✔
168	if err := r.List(ctx, grantList); err != nil {	17✔
169	return ctrl.Result{}, errLogAndWrap(log, err, "failed to list ReferenceGrants")	×
170	}	×
171
172	for i := range grantList.Items {	19✔
173	grant := &grantList.Items[i]	2✔
174	if grant.Namespace == profile.Namespace {	2✔
175	// same-namespace targets already covered above	×
176	continue	×
177	}
178	if !grantPermitsTargetAccess(grant, profile.Namespace) {	2✔
179	continue	×
180	}
181	crossNsTargets := &solarv1alpha1.TargetList{}	2✔
182	if err := r.List(ctx, crossNsTargets,	2✔
183	client.InNamespace(grant.Namespace),	2✔
184	client.MatchingLabelsSelector{Selector: selector},	2✔
185	); err != nil {	2✔
186	return ctrl.Result{}, errLogAndWrap(log, err, "failed to list cross-namespace Targets in "+grant.Namespace)	×
187	}	×
188	allTargets = append(allTargets, crossNsTargets.Items...)	2✔
189	}
190
191	// Build set of desired ReleaseBindings (one per matching target, keyed by namespace/name)
192	desiredTargets := map[string]solarv1alpha1.Target{}	17✔
193	for _, t := range allTargets {	32✔
194	desiredTargets[targetKey(&t)] = t	15✔
195	}	15✔
196
197	// List existing ReleaseBindings owned by this Profile
198	existingBindings := &solarv1alpha1.ReleaseBindingList{}	17✔
199	if err := r.List(ctx, existingBindings,	17✔
200	client.InNamespace(profile.Namespace),	17✔
201	client.MatchingFields{"metadata.ownerReferences.name": profile.Name},	17✔
202	); err != nil {	34✔
203	// Field index may not be available; fall back to listing all and filtering	17✔
204	allBindings := &solarv1alpha1.ReleaseBindingList{}	17✔
205	if err := r.List(ctx, allBindings, client.InNamespace(profile.Namespace)); err != nil {	17✔
206	return ctrl.Result{}, errLogAndWrap(log, err, "failed to list ReleaseBindings")	×
207	}	×
208
209	existingBindings = &solarv1alpha1.ReleaseBindingList{}	17✔
210		17✔
211	for i := range allBindings.Items {	27✔
212	if metav1.IsControlledBy(&allBindings.Items[i], profile) {	20✔
213	existingBindings.Items = append(existingBindings.Items, allBindings.Items[i])	10✔
214	}	10✔
215	}
216	}
217
218	// Delete ReleaseBindings for targets that no longer match
219	existingByKey := map[string]*solarv1alpha1.ReleaseBinding{}	17✔
220	for i := range existingBindings.Items {	27✔
221	rb := &existingBindings.Items[i]	10✔
222	key := bindingTargetKey(rb)	10✔
223	existingByKey[key] = rb	10✔
224		10✔
225	if _, desired := desiredTargets[key]; !desired {	13✔
226	log.V(1).Info("Deleting ReleaseBinding for unmatched target", "key", key)	3✔
227	if err := r.Delete(ctx, rb); err != nil && !apierrors.IsNotFound(err) {	3✔
228	return ctrl.Result{}, errLogAndWrap(log, err, "failed to delete ReleaseBinding")	×
229	}	×
230
231	r.Recorder.Eventf(profile, nil, corev1.EventTypeNormal, "Deleted", "Delete",	3✔
232	"Deleted ReleaseBinding for target %s", key)	3✔
233	}
234	}
235
236	// Create ReleaseBindings for new matching targets
237	for key, target := range desiredTargets {	32✔
238	if _, exists := existingByKey[key]; exists {	22✔
239	continue	7✔
240	}
241
242	crossNs := ""	8✔
243	if target.Namespace != profile.Namespace {	10✔
244	crossNs = target.Namespace	2✔
245	}	2✔
246
247	rb := &solarv1alpha1.ReleaseBinding{	8✔
248	ObjectMeta: metav1.ObjectMeta{	8✔
249	// We need to truncated the name: 57 (input) + 1 (-) + 5 (appended by generated) = 63 (max chars allowed)	8✔
250	GenerateName: truncateName(fmt.Sprintf("%s-%s", profile.Name, target.Name), 57) + "-",	8✔
251	Namespace: profile.Namespace,	8✔
252	},	8✔
253	Spec: solarv1alpha1.ReleaseBindingSpec{	8✔
254	TargetRef: corev1.LocalObjectReference{Name: target.Name},	8✔
255	TargetNamespace: crossNs,	8✔
256	ReleaseRef: profile.Spec.ReleaseRef,	8✔
257	},	8✔
258	}	8✔
259	if err := ctrl.SetControllerReference(profile, rb, r.Scheme); err != nil {	8✔
260	return ctrl.Result{}, errLogAndWrap(log, err, "failed to set controller reference on ReleaseBinding")	×
261	}	×
262
263	if err := r.Create(ctx, rb); err != nil {	8✔
264	if apierrors.IsAlreadyExists(err) {	×
265	continue	×
266	}
267
268	return ctrl.Result{}, errLogAndWrap(log, err, "failed to create ReleaseBinding")	×
269	}
270
271	log.V(1).Info("Created ReleaseBinding for target", "key", key)	8✔
272	r.Recorder.Eventf(profile, nil, corev1.EventTypeNormal, "Created", "Create",	8✔
273	"Created ReleaseBinding for target %s", key)	8✔
274	}
275
276	// Update status
277	original := profile.DeepCopy()	17✔
278	profile.Status.MatchedTargets = len(desiredTargets)	17✔
279	if profile.Status.MatchedTargets != original.Status.MatchedTargets {	27✔
280	if err := r.Status().Update(ctx, profile); err != nil {	10✔
281	return ctrl.Result{}, errLogAndWrap(log, err, "failed to update Profile status")	×
282	}	×
283	}
284
285	return ctrl.Result{}, nil	17✔
286	}
287
288	// SetupWithManager sets up the controller with the Manager.
289	func (r *ProfileReconciler) SetupWithManager(mgr ctrl.Manager) error {	1✔
290	return ctrl.NewControllerManagedBy(mgr).	1✔
291	For(&solarv1alpha1.Profile{}).	1✔
292	Owns(&solarv1alpha1.ReleaseBinding{}).	1✔
293	Watches(	1✔
294	&solarv1alpha1.Target{},	1✔
295	handler.EnqueueRequestsFromMapFunc(r.mapTargetToProfiles),	1✔
296	).	1✔
297	Watches(	1✔
298	&solarv1alpha1.ReferenceGrant{},	1✔
299	handler.EnqueueRequestsFromMapFunc(r.mapReferenceGrantToProfiles),	1✔
300	).	1✔
301	Complete(r)	1✔
302	}	1✔
303
304	// mapTargetToProfiles maps a Target to all Profiles that might match it,
305	// including Profiles in namespaces that have been granted access via ReferenceGrant.
306	func (r *ProfileReconciler) mapTargetToProfiles(ctx context.Context, obj client.Object) []reconcile.Request {	200✔
307	log := ctrl.LoggerFrom(ctx)	200✔
308		200✔
309	target, ok := obj.(*solarv1alpha1.Target)	200✔
310	if !ok {	200✔
311	return nil	×
312	}	×
313
314	targetLabels := labels.Set(target.Labels)	200✔
315	var requests []reconcile.Request	200✔
316		200✔
317	// Enqueue profiles in the target's own namespace	200✔
318	profileList := &solarv1alpha1.ProfileList{}	200✔
319	if err := r.List(ctx, profileList, client.InNamespace(target.Namespace)); err != nil {	200✔
320	log.Error(err, "failed to list Profiles for Target mapping")	×
321		×
322	return nil	×
323	}	×
324
325	for _, profile := range profileList.Items {	243✔
326	selector, err := metav1.LabelSelectorAsSelector(&profile.Spec.TargetSelector)	43✔
327	if err != nil {	43✔
328	continue	×
329	}
330
331	if selector.Matches(targetLabels) {	75✔
332	requests = append(requests, reconcile.Request{	32✔
333	NamespacedName: client.ObjectKeyFromObject(&profile),	32✔
334	})	32✔
335	}	32✔
336	}
337
338	// Enqueue profiles in namespaces that have been granted access to targets in
339	// this target's namespace via a ReferenceGrant.
340	grantList := &solarv1alpha1.ReferenceGrantList{}	200✔
341	if err := r.List(ctx, grantList, client.InNamespace(target.Namespace)); err != nil {	200✔
342	log.Error(err, "failed to list ReferenceGrants for cross-namespace Target mapping")	×
343		×
344	return requests	×
345	}	×
346
347	for i := range grantList.Items {	200✔
348	grant := &grantList.Items[i]	×
349	if !grantsTargetResource(grant) {	×
350	continue	×
351	}
352	for _, from := range grant.Spec.From {	×
353	if from.Namespace == target.Namespace \|\| from.Kind != "Profile" {	×
354	continue	×
355	}
356	fromProfiles := &solarv1alpha1.ProfileList{}	×
357	if err := r.List(ctx, fromProfiles, client.InNamespace(from.Namespace)); err != nil {	×
358	log.Error(err, "failed to list Profiles in granted namespace", "namespace", from.Namespace)	×
359	continue	×
360	}
361	for _, p := range fromProfiles.Items {	×
362	selector, err := metav1.LabelSelectorAsSelector(&p.Spec.TargetSelector)	×
363	if err != nil {	×
364	continue	×
365	}
366	if selector.Matches(targetLabels) {	×
367	requests = append(requests, reconcile.Request{	×
368	NamespacedName: client.ObjectKeyFromObject(&p),	×
369	})	×
370	}	×
371	}
372	}
373	}
374
375	return requests	200✔
376	}
377
378	// mapReferenceGrantToProfiles enqueues all Profiles in the namespaces listed in
379	// a ReferenceGrant's From field, allowing them to re-evaluate cross-namespace matches.
380	func (r *ProfileReconciler) mapReferenceGrantToProfiles(ctx context.Context, obj client.Object) []reconcile.Request {	8✔
381	log := ctrl.LoggerFrom(ctx)	8✔
382		8✔
383	grant, ok := obj.(*solarv1alpha1.ReferenceGrant)	8✔
384	if !ok {	8✔
385	return nil	×
386	}	×
387
388	if !grantsTargetResource(grant) {	12✔
389	return nil	4✔
390	}	4✔
391
392	var requests []reconcile.Request	4✔
393	for _, from := range grant.Spec.From {	8✔
394	if from.Kind != "Profile" \|\| from.Group != solarGroup {	4✔
395	continue	×
396	}
397	profiles := &solarv1alpha1.ProfileList{}	4✔
398	if err := r.List(ctx, profiles, client.InNamespace(from.Namespace)); err != nil {	4✔
399	log.Error(err, "failed to list Profiles for ReferenceGrant mapping", "namespace", from.Namespace)	×
400	continue	×
401	}
402	for _, p := range profiles.Items {	6✔
403	requests = append(requests, reconcile.Request{	2✔
404	NamespacedName: client.ObjectKeyFromObject(&p),	2✔
405	})	2✔
406	}	2✔
407	}
408
409	return requests	4✔
410	}

opendefensecloud / solution-arsenal / 26148199291

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous