This is an automated email from the ASF dual-hosted git repository. astefanutti pushed a commit to branch release-1.5.x in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit 07b52bd29689419e7ada129d144c1dcce1b8604a
Author: nicolaferraro <ni.ferr...@gmail.com>
AuthorDate: Thu Jul 29 12:58:58 2021 +0200
Fix #2530: revert direct creation of image puller and use platform as owner
---
 pkg/trait/owner.go | 4 +++-
 pkg/trait/pull_secret.go | 38 ++++++++++++++++++++++++++++++++++----
 2 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/pkg/trait/owner.go b/pkg/trait/owner.go
index e6abc6d..a95b67a 100644
--- a/pkg/trait/owner.go
+++ b/pkg/trait/owner.go
@@ -78,7 +78,9 @@ func (t *ownerTrait) Apply(e *Environment) error {
 }
 e.Resources.VisitMetaObject(func(res metav1.Object) {
- // Avoid setting owner references across namespaces (resources are asynchronously refused by the api server)
+ // Cross-namespace references are forbidden and also asynchronously refused
+ // by the api server (sometimes no error is thrown but the resource is not created).
+ // Ref: https://github.com/kubernetes/kubernetes/issues/65200
 if res.GetNamespace() == "" || res.GetNamespace() == e.Integration.Namespace {
 references := []metav1.OwnerReference{
 {
diff --git a/pkg/trait/pull_secret.go b/pkg/trait/pull_secret.go
index b1612ce..82b3c64 100644
--- a/pkg/trait/pull_secret.go
+++ b/pkg/trait/pull_secret.go
@@ -23,7 +23,9 @@ import (
 v1 "github.com/apache/camel-k/pkg/apis/camel/v1"
 "github.com/apache/camel-k/pkg/platform"
 "github.com/apache/camel-k/pkg/util"
+ "github.com/apache/camel-k/pkg/util/kubernetes"
 "github.com/apache/camel-k/pkg/util/openshift"
+ "github.com/pkg/errors"
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -109,14 +111,41 @@ func (t *pullSecretTrait) Apply(e *Environment) error {
 })
 }
 if util.IsTrue(t.ImagePullerDelegation) {
- rb := t.newImagePullerRoleBinding(e)
- e.Resources.Add(rb)
+ if err := t.delegateImagePuller(e); err != nil {
+ return err
+ }
 }
 return nil
 }
+func (t *pullSecretTrait) delegateImagePuller(e *Environment) error {
+ // Applying the rolebinding directly because it's a resource in the operator namespace
+ // (different from the integration namespace when delegation is enabled).
+ rb := t.newImagePullerRoleBinding(e)
+ if err := kubernetes.ReplaceResource(e.C, e.Client, rb); err != nil {
+ return errors.Wrap(err, "error during the creation of the system:image-puller delegating role binding")
+ }
+ return nil
+}
+
 func (t *pullSecretTrait) newImagePullerRoleBinding(e *Environment) *rbacv1.RoleBinding {
+ targetNamespace := e.Integration.GetIntegrationKitNamespace(e.Platform)
+ var references []metav1.OwnerReference
+ if e.Platform != nil && e.Platform.Namespace == targetNamespace {
+ controller := true
+ blockOwnerDeletion := true
+ references = []metav1.OwnerReference{
+ {
+ APIVersion: e.Platform.APIVersion,
+ Kind: e.Platform.Kind,
+ Name: e.Platform.Name,
+ UID: e.Platform.UID,
+ Controller: &controller,
+ BlockOwnerDeletion: &blockOwnerDeletion,
+ },
+ }
+ }
 serviceAccount := e.Integration.Spec.ServiceAccountName
 if serviceAccount == "" {
 serviceAccount = "default"
@@ -127,8 +156,9 @@ func (t *pullSecretTrait) newImagePullerRoleBinding(e *Environment) *rbacv1.Role
 APIVersion: rbacv1.SchemeGroupVersion.String(),
 },
 ObjectMeta: metav1.ObjectMeta{
- Namespace: e.Integration.GetIntegrationKitNamespace(e.Platform),
- Name: fmt.Sprintf("camel-k-puller-%s", e.Integration.Namespace),
+ Namespace: targetNamespace,
+ Name: fmt.Sprintf("camel-k-puller-%s-%s", e.Integration.Namespace, serviceAccount),
+ OwnerReferences: references,
 },
 RoleRef: rbacv1.RoleRef{
 Kind: "ClusterRole",
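Review bot: In `newImagePullerRoleBinding`, `references` stays nil whenever `e.Platform` is nil or lives outside `targetNamespace`, and `delegateImagePuller` now applies the binding with `kubernetes.ReplaceResource` instead of adding it to `e.Resources`, so in that case the role binding is created with no owner and nothing visible in this hunk ever removes it. Even when the platform is the owner, the grant named in the error message (`system:image-puller`) appears to outlive the integration that requested it, so the integration's service account would keep pull access in the target namespace after the integration is deleted. I would record that on the function, e.g. `// NOTE: owned by the platform (or unowned); not removed when the integration is deleted.`, and consider removing the binding when the integration goes away. `Apply` starts above the hunk and `newImagePullerRoleBinding` continues below it.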
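Review bot: The new name `camel-k-puller-%s-%s` joins the integration namespace and the service account with `-`, a character both values may contain, so two different pairs can yield the same name (constructed example: namespace `a-b` with account `c`, and namespace `a` with account `b-c`). Because the binding is applied with `kubernetes.ReplaceResource` in the previous hunk, a collision would presumably overwrite another integration's binding instead of failing; the subjects are outside the hunk, so this is inferred. The concatenation can also exceed the object-name length limit when the service account name is long. Using a short digest of `namespace + "/" + serviceAccount` as the suffix would address both; at minimum a comment such as `// name must be unique per (namespace, serviceAccount)` would state the requirement.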