refactor: split tenant controller to separate files

Co-authored-by: Maksim Fedotov <[email protected]>

Author: MaxFedotov

controllers/tenant/limitranges.go

@@ -0,0 +1,80 @@
+package tenant
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+
+	"golang.org/x/sync/errgroup"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+// Ensuring all the LimitRange are applied to each Namespace handled by the Tenant.
+func (r *Manager) syncLimitRanges(tenant *capsulev1beta1.Tenant) error {
+	// getting requested LimitRange keys
+	keys := make([]string, 0, len(tenant.Spec.LimitRanges.Items))
+
+	for i := range tenant.Spec.LimitRanges.Items {
+		keys = append(keys, strconv.Itoa(i))
+	}
+
+	group := new(errgroup.Group)
+
+	for _, ns := range tenant.Status.Namespaces {
+		namespace := ns
+
+		group.Go(func() error {
+			return r.syncLimitRange(tenant, namespace, keys)
+		})
+	}
+
+	return group.Wait()
+}
+
+func (r *Manager) syncLimitRange(tenant *capsulev1beta1.Tenant, namespace string, keys []string) (err error) {
+	// getting LimitRange labels for the mutateFn
+	var tenantLabel, limitRangeLabel string
+
+	if tenantLabel, err = capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{}); err != nil {
+		return
+	}
+	if limitRangeLabel, err = capsulev1beta1.GetTypeLabel(&corev1.LimitRange{}); err != nil {
+		return
+	}
+
+	if err = r.pruningResources(namespace, keys, &corev1.LimitRange{}); err != nil {
+		return
+	}
+
+	for i, spec := range tenant.Spec.LimitRanges.Items {
+		target := &corev1.LimitRange{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      fmt.Sprintf("capsule-%s-%d", tenant.Name, i),
+				Namespace: namespace,
+			},
+		}
+
+		var res controllerutil.OperationResult
+		res, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, target, func() (err error) {
+			target.ObjectMeta.Labels = map[string]string{
+				tenantLabel:     tenant.Name,
+				limitRangeLabel: strconv.Itoa(i),
+			}
+			target.Spec = spec
+			return controllerutil.SetControllerReference(tenant, target, r.Scheme)
+		})
+
+		r.emitEvent(tenant, target.GetNamespace(), res, fmt.Sprintf("Ensuring LimitRange %s", target.GetName()), err)
+
+		r.Log.Info("LimitRange sync result: "+string(res), "name", target.Name, "namespace", target.Namespace)
+		if err != nil {
+			return
+		}
+	}
+
+	return
+}

controllers/tenant/manager.go

@@ -0,0 +1,127 @@
+package tenant
+
+import (
+	"context"
+
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/retry"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+type Manager struct {
+	client.Client
+	Log      logr.Logger
+	Scheme   *runtime.Scheme
+	Recorder record.EventRecorder
+}
+
+func (r *Manager) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&capsulev1beta1.Tenant{}).
+		Owns(&corev1.Namespace{}).
+		Owns(&networkingv1.NetworkPolicy{}).
+		Owns(&corev1.LimitRange{}).
+		Owns(&corev1.ResourceQuota{}).
+		Owns(&rbacv1.RoleBinding{}).
+		Complete(r)
+}
+
+func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ctrl.Result, err error) {
+	r.Log = r.Log.WithValues("Request.Name", request.Name)
+
+	// Fetch the Tenant instance
+	instance := &capsulev1beta1.Tenant{}
+	if err = r.Get(ctx, request.NamespacedName, instance); err != nil {
+		if errors.IsNotFound(err) {
+			r.Log.Info("Request object not found, could have been deleted after reconcile request")
+			return reconcile.Result{}, nil
+		}
+		r.Log.Error(err, "Error reading the object")
+		return
+	}
+	// Ensuring the Tenant Status
+	if err = r.updateTenantStatus(instance); err != nil {
+		r.Log.Error(err, "Cannot update Tenant status")
+		return
+	}
+
+	// Ensuring all namespaces are collected
+	r.Log.Info("Ensuring all Namespaces are collected")
+	if err = r.collectNamespaces(instance); err != nil {
+		r.Log.Error(err, "Cannot collect Namespace resources")
+		return
+	}
+
+	r.Log.Info("Starting processing of Namespaces", "items", len(instance.Status.Namespaces))
+	if err = r.syncNamespaces(instance); err != nil {
+		r.Log.Error(err, "Cannot sync Namespace items")
+		return
+	}
+
+	if instance.Spec.NetworkPolicies != nil {
+		r.Log.Info("Starting processing of Network Policies", "items", len(instance.Spec.NetworkPolicies.Items))
+		if err = r.syncNetworkPolicies(instance); err != nil {
+			r.Log.Error(err, "Cannot sync NetworkPolicy items")
+			return
+		}
+	}
+
+	if instance.Spec.LimitRanges != nil {
+		r.Log.Info("Starting processing of Limit Ranges", "items", len(instance.Spec.LimitRanges.Items))
+		if err = r.syncLimitRanges(instance); err != nil {
+			r.Log.Error(err, "Cannot sync LimitRange items")
+			return
+		}
+	}
+
+	if instance.Spec.ResourceQuota != nil {
+		r.Log.Info("Starting processing of Resource Quotas", "items", len(instance.Spec.ResourceQuota.Items))
+		if err = r.syncResourceQuotas(instance); err != nil {
+			r.Log.Error(err, "Cannot sync ResourceQuota items")
+			return
+		}
+	}
+
+	r.Log.Info("Ensuring additional RoleBindings for owner")
+	if err = r.syncAdditionalRoleBindings(instance); err != nil {
+		r.Log.Error(err, "Cannot sync additional RoleBindings items")
+		return
+	}
+
+	r.Log.Info("Ensuring RoleBinding for owner")
+	if err = r.ownerRoleBinding(instance); err != nil {
+		r.Log.Error(err, "Cannot sync owner RoleBinding")
+		return
+	}
+
+	r.Log.Info("Ensuring Namespace count")
+	if err = r.ensureNamespaceCount(instance); err != nil {
+		r.Log.Error(err, "Cannot sync Namespace count")
+		return
+	}
+
+	r.Log.Info("Tenant reconciling completed")
+	return ctrl.Result{}, err
+}
+
+func (r *Manager) updateTenantStatus(tnt *capsulev1beta1.Tenant) error {
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
+		if tnt.IsCordoned() {
+			tnt.Status.State = capsulev1beta1.TenantStateCordoned
+		} else {
+			tnt.Status.State = capsulev1beta1.TenantStateActive
+		}
+
+		return r.Client.Status().Update(context.Background(), tnt)
+	})
+}

controllers/tenant/namespaces.go

@@ -0,0 +1,153 @@
+package tenant
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"golang.org/x/sync/errgroup"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/retry"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+// Ensuring all annotations are applied to each Namespace handled by the Tenant.
+func (r *Manager) syncNamespaces(tenant *capsulev1beta1.Tenant) (err error) {
+	group := new(errgroup.Group)
+
+	for _, item := range tenant.Status.Namespaces {
+		namespace := item
+
+		group.Go(func() error {
+			return r.syncNamespaceMetadata(namespace, tenant)
+		})
+	}
+
+	if err = group.Wait(); err != nil {
+		r.Log.Error(err, "Cannot sync Namespaces")
+
+		err = fmt.Errorf("cannot sync Namespaces: %s", err.Error())
+	}
+	return
+}
+
+func (r *Manager) syncNamespaceMetadata(namespace string, tnt *capsulev1beta1.Tenant) (err error) {
+	var res controllerutil.OperationResult
+
+	err = retry.RetryOnConflict(retry.DefaultBackoff, func() (conflictErr error) {
+		ns := &corev1.Namespace{}
+		if conflictErr = r.Client.Get(context.TODO(), types.NamespacedName{Name: namespace}, ns); err != nil {
+			return
+		}
+
+		capsuleLabel, _ := capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{})
+
+		res, conflictErr = controllerutil.CreateOrUpdate(context.TODO(), r.Client, ns, func() error {
+			annotations := make(map[string]string)
+
+			if tnt.Spec.NamespacesMetadata != nil {
+				for k, v := range tnt.Spec.NamespacesMetadata.AdditionalAnnotations {
+					annotations[k] = v
+				}
+			}
+
+			if tnt.Spec.NodeSelector != nil {
+				var selector []string
+				for k, v := range tnt.Spec.NodeSelector {
+					selector = append(selector, fmt.Sprintf("%s=%s", k, v))
+				}
+				annotations["scheduler.alpha.kubernetes.io/node-selector"] = strings.Join(selector, ",")
+			}
+
+			if tnt.Spec.IngressClasses != nil {
+				if len(tnt.Spec.IngressClasses.Exact) > 0 {
+					annotations[capsulev1beta1.AvailableIngressClassesAnnotation] = strings.Join(tnt.Spec.IngressClasses.Exact, ",")
+				}
+				if len(tnt.Spec.IngressClasses.Regex) > 0 {
+					annotations[capsulev1beta1.AvailableIngressClassesRegexpAnnotation] = tnt.Spec.IngressClasses.Regex
+				}
+			}
+
+			if tnt.Spec.StorageClasses != nil {
+				if len(tnt.Spec.StorageClasses.Exact) > 0 {
+					annotations[capsulev1beta1.AvailableStorageClassesAnnotation] = strings.Join(tnt.Spec.StorageClasses.Exact, ",")
+				}
+				if len(tnt.Spec.StorageClasses.Regex) > 0 {
+					annotations[capsulev1beta1.AvailableStorageClassesRegexpAnnotation] = tnt.Spec.StorageClasses.Regex
+				}
+			}
+
+			if tnt.Spec.ContainerRegistries != nil {
+				if len(tnt.Spec.ContainerRegistries.Exact) > 0 {
+					annotations[capsulev1beta1.AllowedRegistriesAnnotation] = strings.Join(tnt.Spec.ContainerRegistries.Exact, ",")
+				}
+				if len(tnt.Spec.ContainerRegistries.Regex) > 0 {
+					annotations[capsulev1beta1.AllowedRegistriesRegexpAnnotation] = tnt.Spec.ContainerRegistries.Regex
+				}
+			}
+
+			ns.SetAnnotations(annotations)
+
+			newLabels := map[string]string{
+				"name":       namespace,
+				capsuleLabel: tnt.GetName(),
+			}
+
+			if tnt.Spec.NamespacesMetadata != nil {
+				for k, v := range tnt.Spec.NamespacesMetadata.AdditionalLabels {
+					newLabels[k] = v
+				}
+			}
+
+			ns.SetLabels(newLabels)
+
+			return nil
+		})
+
+		return
+	})
+
+	r.emitEvent(tnt, namespace, res, "Ensuring Namespace metadata", err)
+
+	return
+}
+
+func (r *Manager) ensureNamespaceCount(tenant *capsulev1beta1.Tenant) error {
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+		tenant.Status.Size = uint(len(tenant.Status.Namespaces))
+
+		found := &capsulev1beta1.Tenant{}
+		if err := r.Client.Get(context.TODO(), types.NamespacedName{Name: tenant.GetName()}, found); err != nil {
+			return err
+		}
+
+		found.Status.Size = tenant.Status.Size
+
+		return r.Client.Status().Update(context.TODO(), found, &client.UpdateOptions{})
+	})
+}
+
+func (r *Manager) collectNamespaces(tenant *capsulev1beta1.Tenant) error {
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
+		list := &corev1.NamespaceList{}
+		err = r.Client.List(context.TODO(), list, client.MatchingFieldsSelector{
+			Selector: fields.OneTermEqualSelector(".metadata.ownerReferences[*].capsule", tenant.GetName()),
+		})
+
+		if err != nil {
+			return
+		}
+
+		_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, tenant.DeepCopy(), func() error {
+			tenant.AssignNamespaces(list.Items)
+
+			return r.Client.Status().Update(context.TODO(), tenant, &client.UpdateOptions{})
+		})
+		return
+	})
+}