Merge pull request #13 from IBM/fix/ie-for-ie

yuji-watanabe-jp · web-flow · commit e620686f324c · 2020-07-13T10:49:03.000+09:00
fixes for rolling update for ie-server to enable ie-for-ie scenario
diff --git a/enforcer/pkg/policy/policy.go b/enforcer/pkg/policy/policy.go
@@ -95,22 +95,14 @@ func (self *Policy) Validate(reqc *common.ReqContext, enforcerNs, policyNs strin
 		return false, fmt.Sprintf("Policy in invalid format; %s", errMsg)
 	}
 	ns := reqc.Namespace
-	ieNs := enforcerNs
+
 	polNs := policyNs
 	pType := self.PolicyType
-	if ns != ieNs && ns != polNs {
-		return false, fmt.Sprintf("Policy must be created in namespace \"%s\" or \"%s\", but requested in \"%s\"", ieNs, polNs, ns)
-	}
-	if (pType == DefaultPolicy || pType == IEPolicy || pType == SignerPolicy) && ns != ieNs {
-		return false, fmt.Sprintf("%s must be created in namespace \"%s\", but requested in \"%s\"", pType, ieNs, ns)
-	}
+
 	if pType == CustomPolicy && ns != polNs {
 		return false, fmt.Sprintf("%s must be created in namespace \"%s\", but requested in \"%s\"", pType, polNs, ns)
 	}
-	// op := self.Operation
-	// if op == "UPDATE" && (pType == policy.DefaultPolicy || pType == policy.IEPolicy) {
-	// 	return false, fmt.Sprintf("%s cannot be updated", pType)
-	// }
+
 	return true, ""
 }
 
diff --git a/operator/deploy/crds/research.ibm.com_v1alpha1_integrityenforcer_cr.yaml b/operator/deploy/crds/research.ibm.com_v1alpha1_integrityenforcer_cr.yaml
@@ -65,6 +65,8 @@ spec:
       runAsUser: 1000
     stdOutput: true
   replicaCount: 1
+  maxSurge: 1
+  maxUnavailable: 0
   security:
     clusterRole: ie-cluster-role
     clusterRoleBinding: ie-cluster-role-binding
@@ -96,4 +98,4 @@ spec:
   policyNamespace: ie-policy
   webhookConfigName: ie-webhook-config
   webhookServerTlsSecretName: ie-server-tls
-  webhookServiceName: ie-server
+  webhookServiceName: ie-server
diff --git a/operator/pkg/apis/research/v1alpha1/integrityenforcer_types.go b/operator/pkg/apis/research/v1alpha1/integrityenforcer_types.go
@@ -21,6 +21,7 @@ import (
 	policy "github.com/IBM/integrity-enforcer/enforcer/pkg/policy"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
@@ -31,6 +32,8 @@ type IntegrityEnforcerSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
 	// Add custom validation using kubebuilder tags: https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html
+	MaxSurge         *intstr.IntOrString       `json:"maxSurge,omitempty"`
+	MaxUnavailable   *intstr.IntOrString       `json:"maxUnavailable,omitempty"`
 	ReplicaCount     *int32                    `json:"replicaCount,omitempty"`
 	MetaLabels       map[string]string         `json:"labels,omitempty"`
 	SelectorLabels   map[string]string         `json:"selector,omitempty"`
diff --git a/operator/pkg/apis/research/v1alpha1/zz_generated.deepcopy.go b/operator/pkg/apis/research/v1alpha1/zz_generated.deepcopy.go
diff --git a/operator/pkg/controller/integrityenforcer/integrityenforcer.go b/operator/pkg/controller/integrityenforcer/integrityenforcer.go
@@ -740,6 +740,18 @@ func (r *ReconcileIntegrityEnforcer) createOrUpdateDeployment(instance *research
 		return reconcile.Result{Requeue: true, RequeueAfter: time.Second * 1}, nil
 	} else if err != nil {
 		return reconcile.Result{}, err
+	} else if !res.EqualDeployments(expected, found) {
+		// If spec is incorrect, update it and requeue
+		found.ObjectMeta.Labels = expected.ObjectMeta.Labels
+		found.Spec = expected.Spec
+		err = r.client.Update(context.TODO(), found)
+		if err != nil {
+			reqLogger.Error(err, "Failed to update Deployment", "Namespace", instance.Namespace, "Name", found.Name)
+			return reconcile.Result{}, err
+		}
+		reqLogger.Info("Updating IntegrityEnforcer Controller Deployment", "Deployment.Name", found.Name)
+		// Spec updated - return and requeue
+		return reconcile.Result{Requeue: true}, nil
 	}
 
 	// No extra validation
diff --git a/operator/pkg/resources/deploy.go b/operator/pkg/resources/deploy.go
@@ -19,7 +19,7 @@ package resources
 import (
 	"fmt"
 	"strconv"
-
+	"reflect"
 	appsv1 "k8s.io/api/apps/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -62,6 +62,17 @@ func BuildDeploymentForCR(cr *researchv1alpha1.IntegrityEnforcer) *appsv1.Deploy
 		SecurityContext: cr.Spec.Server.SecurityContext,
 		Image:           cr.Spec.Server.Image,
 		ImagePullPolicy: cr.Spec.Server.ImagePullPolicy,
+		ReadinessProbe: &v1.Probe{
+			InitialDelaySeconds: 30,
+			PeriodSeconds:       30,
+			Handler: v1.Handler{
+				Exec: &v1.ExecAction{
+					Command: []string{
+						"ls",
+					},
+				},
+			},
+		},
 		Ports: []v1.ContainerPort{
 			{
 				Name:          "ac-api",
@@ -203,7 +214,12 @@ func BuildDeploymentForCR(cr *researchv1alpha1.IntegrityEnforcer) *appsv1.Deploy
 			Labels:    labels,
 		},
 		Spec: appsv1.DeploymentSpec{
-
+			Strategy: appsv1.DeploymentStrategy{
+				RollingUpdate: &appsv1.RollingUpdateDeployment{
+					MaxSurge: cr.Spec.MaxSurge,
+					MaxUnavailable: cr.Spec.MaxUnavailable,
+				},
+			},
 			Replicas: cr.Spec.ReplicaCount,
 			Selector: &metav1.LabelSelector{
 				MatchLabels: cr.Spec.SelectorLabels,
@@ -227,3 +243,76 @@ func BuildDeploymentForCR(cr *researchv1alpha1.IntegrityEnforcer) *appsv1.Deploy
 		},
 	}
 }
+
+// EqualDeployments returns a Boolean
+func EqualDeployments(expected *appsv1.Deployment, found *appsv1.Deployment) bool {
+	if !EqualLabels(found.ObjectMeta.Labels, expected.ObjectMeta.Labels) {
+		return false
+	}
+	if !EqualPods(expected.Spec.Template, found.Spec.Template) {
+		return false
+	}
+	return true
+}
+
+// EqualPods returns a Boolean
+func EqualPods(expected v1.PodTemplateSpec, found v1.PodTemplateSpec) bool {
+	if !EqualLabels(found.ObjectMeta.Labels, expected.ObjectMeta.Labels) {
+		return false
+	}
+	if !EqualAnnotations(found.ObjectMeta.Annotations, expected.ObjectMeta.Annotations) {
+		return false
+	}
+	if !reflect.DeepEqual(found.Spec.ServiceAccountName, expected.Spec.ServiceAccountName) {
+		return false
+	}
+	if len(found.Spec.Containers) != len(expected.Spec.Containers) {
+		return false
+	}
+	if !EqualContainers(expected.Spec.Containers[0], found.Spec.Containers[0]) {
+		return false
+	}
+	return true
+}
+// EqualContainers returns a Boolean
+func EqualContainers(expected v1.Container, found v1.Container) bool {
+	if !reflect.DeepEqual(found.Name, expected.Name) {
+		return false
+	}
+	if !reflect.DeepEqual(found.Image, expected.Image) {
+		return false
+	}
+	if !reflect.DeepEqual(found.ImagePullPolicy, expected.ImagePullPolicy) {
+		return false
+	}
+	if !reflect.DeepEqual(found.VolumeMounts, expected.VolumeMounts) {
+		return false
+	}
+	if !reflect.DeepEqual(found.SecurityContext, expected.SecurityContext) {
+		return false
+	}
+	if !reflect.DeepEqual(found.Ports, expected.Ports) {
+		return false
+	}
+	if !reflect.DeepEqual(found.Args, expected.Args) {
+		return false
+	}
+	if !reflect.DeepEqual(found.Env, expected.Env) {
+		return false
+	}
+	return true
+}
+
+func EqualLabels(found map[string]string, expected map[string]string) bool {
+	if !reflect.DeepEqual(found, expected) {
+		return false
+	}
+	return true
+}
+
+func EqualAnnotations(found map[string]string, expected map[string]string) bool {
+	if !reflect.DeepEqual(found, expected) {
+		return false
+	}
+	return true
+}
diff --git a/operator/resources/default-policy.yaml b/operator/resources/default-policy.yaml
@@ -17,6 +17,7 @@ spec:
       request: {}
     allowedForInternalRequest:
     - username: system:admin
+    - username: system:serviceaccount:integrity-enforcer-ns:integrity-enforcer-operator
     - username: system:serviceaccount:openshift-marketplace:marketplace-operator
     - username: system:serviceaccount:openshift-monitoring:cluster-monitoring-operator
     - username: system:serviceaccount:openshift-network-operator:default
