- Constants
- func GenerateServiceAccountMappings(scopeMap map[Scope]map[types.NamespacedName]WSAResource) (map[Scope]ServiceAccountName, ...)
- func IsOctopusManaged(labels map[string]string) bool
- type AgentName
- type DimensionIndex
- type Engine
- type GCTrackerInterface
- type GlobalVocabulary
- type GroupedDimensions
- type InMemoryEngine
- func (i *InMemoryEngine) ApplyBatchPlan(ctx context.Context, plan interface{}) error
- func (i *InMemoryEngine) CleanupServiceAccounts(ctx context.Context, deletingResource WSAResource) (ctrl.Result, error)
- func (i *InMemoryEngine) GetOrDiscoverTargetNamespaces(ctx context.Context) ([]string, error)
- func (i *InMemoryEngine) GetServiceAccountForScope(scope Scope) (ServiceAccountName, error)
- func (i *InMemoryEngine) GetTargetNamespaces() []string
- func (i *InMemoryEngine) IsWSAInMaps(wsaKey types.NamespacedName) bool
- func (i *InMemoryEngine) RebuildStateFromCluster(ctx context.Context) error
- func (i *InMemoryEngine) SetGCTracker(tracker GCTrackerInterface)
- type Namespace
- type NamespaceDiscovery
- type NamespaceDiscoveryService
- type ResourceManagement
- type ResourceManagementService
- func (r ResourceManagementService) EnsureRoleBindings(ctx context.Context, resources []WSAResource, ...) error
- func (r ResourceManagementService) EnsureRoles(ctx context.Context, resources []WSAResource) (map[types.NamespacedName]rbacv1.Role, error)
- func (r ResourceManagementService) EnsureServiceAccounts(ctx context.Context, serviceAccounts []*corev1.ServiceAccount, ...) error
- func (r ResourceManagementService) GarbageCollectClusterRoleBindings(ctx context.Context, resources []WSAResource) error
- func (r ResourceManagementService) GarbageCollectRoleBindings(ctx context.Context, resources []WSAResource, targetNamespaces []string) error
- func (r ResourceManagementService) GarbageCollectRoles(ctx context.Context, resources []WSAResource) error
- func (r ResourceManagementService) GarbageCollectServiceAccounts(ctx context.Context, expectedServiceAccounts *set.Set[string], ...) (ctrl.Result, error)
- func (r ResourceManagementService) GetClusterRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.ClusterRoleBinding], error)
- func (r ResourceManagementService) GetClusterRoles(ctx context.Context) (iter.Seq[*rbacv1.ClusterRole], error)
- func (r ResourceManagementService) GetClusterWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.ClusterWorkloadServiceAccount], error)
- func (r ResourceManagementService) GetRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.RoleBinding], error)
- func (r ResourceManagementService) GetRoles(ctx context.Context) (iter.Seq[*rbacv1.Role], error)
- func (r ResourceManagementService) GetServiceAccounts(ctx context.Context) (iter.Seq[*corev1.ServiceAccount], error)
- func (r ResourceManagementService) GetWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.WorkloadServiceAccount], error)
- func (r *ResourceManagementService) SetGCTracker(tracker GCTrackerInterface)
- type Scope
- type ScopeComputation
- type ScopeComputationService
- func (s ScopeComputationService) ComputeScopesForWSAs(wsaList []WSAResource) (map[Scope]map[types.NamespacedName]WSAResource, GlobalVocabulary)
- func (s ScopeComputationService) GenerateServiceAccountMappings(scopeMap map[Scope]map[types.NamespacedName]WSAResource) (map[Scope]ServiceAccountName, ...)
- func (s ScopeComputationService) GetScopeToSA() map[Scope]ServiceAccountName
- func (s ScopeComputationService) GetServiceAccountForScope(scope Scope) (ServiceAccountName, error)
- type ServiceAccountName
- type WSAResource
Constants ¶
// Metadata keys shared by labels and annotations on resources this
// controller creates. Every scope key hangs off the MetadataNamespace prefix.
const (
	MetadataNamespace = "agent.octopus.com"

	// One key per scope dimension, in the same order as the DimensionIndex
	// constants (Project, Environment, Tenant, Step, Space).
	ProjectKey     = MetadataNamespace + "/project"
	EnvironmentKey = MetadataNamespace + "/environment"
	TenantKey      = MetadataNamespace + "/tenant"
	StepKey        = MetadataNamespace + "/step"
	SpaceKey       = MetadataNamespace + "/space"

	// PermissionsKey carries the permissions metadata; its payload format is
	// not documented on this page.
	PermissionsKey = MetadataNamespace + "/permissions"

	// ManagedByLabel is the standard Kubernetes label for tracking resource ownership.
	ManagedByLabel = "app.kubernetes.io/managed-by"
	// ManagedByValue is the value set on the managed-by label for resources
	// created by this controller. It is the marker IsOctopusManaged looks for,
	// and therefore what keeps garbage collection away from objects the
	// controller did not create.
	ManagedByValue = "octopus-permissions-controller"
)
Constants for metadata keys (used in both labels and annotations)
// WildcardValue is the "*" sentinel used in scope metadata. Presumably it
// matches any value of a dimension during scope computation — the matching
// rules are not shown on this page, so confirm them in ComputeScopesForWSAs
// before relying on that reading.
const WildcardValue = "*"
Variables ¶
This section is empty.
Functions ¶
func GenerateServiceAccountMappings ¶
func GenerateServiceAccountMappings( scopeMap map[Scope]map[types.NamespacedName]WSAResource, ) ( map[Scope]ServiceAccountName, map[ServiceAccountName]map[types.NamespacedName]WSAResource, map[types.NamespacedName][]string, []*v1.ServiceAccount, )
GenerateServiceAccountMappings processes the scope map and generates the required mappings for service account creation and management.
func IsOctopusManaged ¶
IsOctopusManaged checks if a resource is managed by the Octopus controller
Types ¶
type DimensionIndex ¶
// DimensionIndex identifies one scope dimension. It is used as the position
// inside a GlobalVocabulary array, whose length is MaxDimensionIndex.
type DimensionIndex int

// Dimension indexes, in the same order as the ProjectKey..SpaceKey metadata
// constants.
const (
	ProjectIndex DimensionIndex = iota
	EnvironmentIndex
	TenantIndex
	StepIndex
	SpaceIndex
	MaxDimensionIndex // Must be last - used for various looping through dimensions
)
type Engine ¶
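// Engine is the contract the controller drives. It composes the resource
// management, namespace discovery and scope computation services and adds
// the two batch-level operations below.
type Engine interface {
	ResourceManagement
	NamespaceDiscovery
	ScopeComputation

	// ApplyBatchPlan applies a staged batch of changes. The plan is passed as
	// any, so its concrete type is only checked at runtime by the
	// implementation; NOTE(review): the expected plan type is not documented
	// here — confirm callers and implementers agree on it.
	ApplyBatchPlan(ctx context.Context, plan any) error
	// CleanupServiceAccounts is invoked when a WSA/cWSA is being deleted. In
	// the in-memory implementation it only records the request; the staging
	// batch performs the actual garbage collection once the resource is gone
	// from the API server.
	CleanupServiceAccounts(ctx context.Context, deletingResource WSAResource) (ctrl.Result, error)
}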
type GCTrackerInterface ¶ added in v1.0.0
GCTrackerInterface defines the interface for tracking resources being garbage collected.
type GlobalVocabulary ¶
// GlobalVocabulary holds the set of known values for each dimension.
// Indexes correspond to the DimensionIndex constants, e.g. ProjectIndex holds
// the set of known projects from all WSAs.
type GlobalVocabulary [MaxDimensionIndex]*set.Set[string]
GlobalVocabulary holds the set of known values for each dimension. Indexes correspond to the DimensionIndex constants, e.g. ProjectIndex holds the set of known projects from all WSAs.
func NewGlobalVocabulary ¶
func NewGlobalVocabulary() GlobalVocabulary
func (*GlobalVocabulary) GetKnownScopeCombination ¶
func (v *GlobalVocabulary) GetKnownScopeCombination(scope Scope) Scope
type GroupedDimensions ¶
// GroupedDimensions holds collected dimension values for a group of scopes.
// Each field corresponds to one DimensionIndex entry (Project, Environment,
// Tenant, Step, Space).
type GroupedDimensions struct {
	Projects     []string
	Environments []string
	Tenants      []string
	Steps        []string
	Spaces       []string
}
GroupedDimensions holds collected dimension values for a group of scopes
type InMemoryEngine ¶
// InMemoryEngine keeps the scope and service-account mappings in memory. It
// embeds the three service interfaces and, together with its own
// ApplyBatchPlan and CleanupServiceAccounts methods, appears to satisfy Engine.
//
// NOTE(review): GetServiceAccountForScope is re-declared on InMemoryEngine so
// that the in-memory maps are read under a lock. The other ScopeComputation
// methods (e.g. GetScopeToSA) are promoted from the embedded value as-is, so
// confirm they are only reached from one goroutine or also take the lock.
type InMemoryEngine struct {
	ScopeComputation
	ResourceManagement
	NamespaceDiscovery
	// contains filtered or unexported fields
}
func NewInMemoryEngine ¶
func (*InMemoryEngine) ApplyBatchPlan ¶ added in v1.0.0
func (i *InMemoryEngine) ApplyBatchPlan(ctx context.Context, plan interface{}) error
func (*InMemoryEngine) CleanupServiceAccounts ¶
func (i *InMemoryEngine) CleanupServiceAccounts( ctx context.Context, deletingResource WSAResource, ) (ctrl.Result, error)
CleanupServiceAccounts is called when a WSA/cWSA is being deleted. It no longer performs GC directly - staging handles all GC to avoid race conditions between concurrent cleanup and staging GC runs. This function just logs the cleanup request and returns immediately. The staging batch (which includes deleting resources) will handle eventual cleanup once the resource is fully removed from the API server.
func (*InMemoryEngine) GetOrDiscoverTargetNamespaces ¶ added in v1.0.0
func (i *InMemoryEngine) GetOrDiscoverTargetNamespaces(ctx context.Context) ([]string, error)
func (*InMemoryEngine) GetServiceAccountForScope ¶
func (i *InMemoryEngine) GetServiceAccountForScope(scope Scope) (ServiceAccountName, error)
GetServiceAccountForScope retrieves the service account for a given scope with proper locking. This method shadows the embedded ScopeComputation.GetServiceAccountForScope to ensure thread-safe access to the in-memory maps.
func (*InMemoryEngine) GetTargetNamespaces ¶
func (i *InMemoryEngine) GetTargetNamespaces() []string
func (*InMemoryEngine) IsWSAInMaps ¶ added in v1.0.0
func (i *InMemoryEngine) IsWSAInMaps(wsaKey types.NamespacedName) bool
IsWSAInMaps checks if a WSA is still present in the in-memory state. This is used to determine if staging has processed a deletion event.
func (*InMemoryEngine) RebuildStateFromCluster ¶ added in v1.0.0
func (i *InMemoryEngine) RebuildStateFromCluster(ctx context.Context) error
RebuildStateFromCluster reconstructs the in-memory state by querying all WSA/CWSA resources from the cluster and recomputing the complete scope mappings. This is useful for controller initialization/startup, recovery from state corruption, and debugging state inconsistencies.
func (*InMemoryEngine) SetGCTracker ¶ added in v1.0.0
func (i *InMemoryEngine) SetGCTracker(tracker GCTrackerInterface)
type NamespaceDiscovery ¶
type NamespaceDiscoveryService ¶
func (NamespaceDiscoveryService) DiscoverTargetNamespaces ¶
func (NamespaceDiscoveryService) GetTargetNamespaces ¶
func (nds NamespaceDiscoveryService) GetTargetNamespaces() []string
type ResourceManagement ¶
// ResourceManagement defines the interface for creating and managing the
// Kubernetes resources the controller derives from WSA/CWSA objects:
// ServiceAccounts, Roles, RoleBindings and their cluster-scoped
// counterparts. Get* methods list, Ensure* methods create what is needed,
// GarbageCollect* methods remove what is no longer needed.
type ResourceManagement interface {
	// GetWorkloadServiceAccounts returns an iterator over WorkloadServiceAccount resources.
	GetWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.WorkloadServiceAccount], error)
	// GetClusterWorkloadServiceAccounts returns an iterator over ClusterWorkloadServiceAccount resources.
	GetClusterWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.ClusterWorkloadServiceAccount], error)
	// GetServiceAccounts returns an iterator over ServiceAccounts.
	// NOTE(review): whether the Get* listings are pre-filtered to
	// controller-managed objects (ManagedByLabel) is not documented here — confirm.
	GetServiceAccounts(ctx context.Context) (iter.Seq[*corev1.ServiceAccount], error)
	// GetRoles returns an iterator over Roles.
	GetRoles(ctx context.Context) (iter.Seq[*rbacv1.Role], error)
	// GetClusterRoles returns an iterator over ClusterRoles.
	GetClusterRoles(ctx context.Context) (iter.Seq[*rbacv1.ClusterRole], error)
	// GetRoleBindings returns an iterator over RoleBindings.
	GetRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.RoleBinding], error)
	// GetClusterRoleBindings returns an iterator over ClusterRoleBindings.
	GetClusterRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.ClusterRoleBinding], error)
	// EnsureRoles creates the Roles required by resources and returns them
	// keyed by namespaced name; the map has the type EnsureRoleBindings takes
	// as createdRoles.
	EnsureRoles(ctx context.Context, resources []WSAResource) (map[types.NamespacedName]rbacv1.Role, error)
	// EnsureServiceAccounts creates service accounts for all scopes in all
	// target namespaces.
	EnsureServiceAccounts(
		ctx context.Context, serviceAccounts []*corev1.ServiceAccount, targetNamespaces []string,
	) error
	// EnsureRoleBindings creates role bindings to connect service accounts
	// with roles for all WSAs. createdRoles is the map returned by
	// EnsureRoles; wsaToServiceAccounts has the type of the third value
	// returned by GenerateServiceAccountMappings (WSA key -> service account
	// names) — presumably that is where callers get it.
	EnsureRoleBindings(
		ctx context.Context, resources []WSAResource, createdRoles map[types.NamespacedName]rbacv1.Role,
		wsaToServiceAccounts map[types.NamespacedName][]string, targetNamespaces []string,
	) error
	// GarbageCollectServiceAccounts deletes ServiceAccounts that are managed
	// by this controller but are no longer needed (not in
	// expectedServiceAccounts or in out-of-scope namespaces). The
	// ctrl.Result is presumably used to request a requeue — confirm.
	GarbageCollectServiceAccounts(
		ctx context.Context, expectedServiceAccounts *set.Set[string], targetNamespaces *set.Set[string],
	) (ctrl.Result, error)
	// GarbageCollectRoles removes Roles no longer required by resources.
	// NOTE(review): only the ServiceAccount collector is documented as
	// limited to controller-managed objects. Confirm the Role, RoleBinding
	// and ClusterRoleBinding collectors apply the same ManagedByLabel filter
	// (see IsOctopusManaged): deleting a binding the controller did not
	// create would silently change authorization elsewhere in the cluster.
	GarbageCollectRoles(ctx context.Context, resources []WSAResource) error
	// GarbageCollectRoleBindings removes RoleBindings no longer required by
	// resources in the target namespaces.
	GarbageCollectRoleBindings(ctx context.Context, resources []WSAResource, targetNamespaces []string) error
	// GarbageCollectClusterRoleBindings removes ClusterRoleBindings no longer
	// required by resources.
	GarbageCollectClusterRoleBindings(ctx context.Context, resources []WSAResource) error
}
ResourceManagement defines the interface for creating and managing Kubernetes resources
type ResourceManagementService ¶
// ResourceManagementService is the client-backed implementation of
// ResourceManagement. Construct it with NewResourceManagementService or
// NewResourceManagementServiceWithScheme; SetGCTracker (pointer receiver)
// installs the tracker used to filter delete events.
type ResourceManagementService struct {
	// contains filtered or unexported fields
}
func NewResourceManagementService ¶
func NewResourceManagementService(newClient client.Client) ResourceManagementService
func NewResourceManagementServiceWithScheme ¶
func NewResourceManagementServiceWithScheme(newClient client.Client, scheme *runtime.Scheme) ResourceManagementService
func (ResourceManagementService) EnsureRoleBindings ¶
func (r ResourceManagementService) EnsureRoleBindings( ctx context.Context, resources []WSAResource, createdRoles map[types.NamespacedName]rbacv1.Role, wsaToServiceAccounts map[types.NamespacedName][]string, targetNamespaces []string, ) error
EnsureRoleBindings creates role bindings to connect service accounts with roles for all WSAs
func (ResourceManagementService) EnsureRoles ¶
func (r ResourceManagementService) EnsureRoles( ctx context.Context, resources []WSAResource, ) (map[types.NamespacedName]rbacv1.Role, error)
func (ResourceManagementService) EnsureServiceAccounts ¶
func (r ResourceManagementService) EnsureServiceAccounts( ctx context.Context, serviceAccounts []*corev1.ServiceAccount, targetNamespaces []string, ) error
EnsureServiceAccounts creates service accounts for all scopes in all target namespaces
func (ResourceManagementService) GarbageCollectClusterRoleBindings ¶ added in v1.0.0
func (r ResourceManagementService) GarbageCollectClusterRoleBindings( ctx context.Context, resources []WSAResource, ) error
func (ResourceManagementService) GarbageCollectRoleBindings ¶ added in v1.0.0
func (r ResourceManagementService) GarbageCollectRoleBindings( ctx context.Context, resources []WSAResource, targetNamespaces []string, ) error
func (ResourceManagementService) GarbageCollectRoles ¶ added in v1.0.0
func (r ResourceManagementService) GarbageCollectRoles(ctx context.Context, resources []WSAResource) error
func (ResourceManagementService) GarbageCollectServiceAccounts ¶
func (r ResourceManagementService) GarbageCollectServiceAccounts( ctx context.Context, expectedServiceAccounts *set.Set[string], targetNamespaces *set.Set[string], ) (ctrl.Result, error)
GarbageCollectServiceAccounts deletes ServiceAccounts that are managed by this controller but are no longer needed (not in the expectedServiceAccounts set or in out-of-scope namespaces).
func (ResourceManagementService) GetClusterRoleBindings ¶
func (r ResourceManagementService) GetClusterRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.ClusterRoleBinding], error)
func (ResourceManagementService) GetClusterRoles ¶
func (r ResourceManagementService) GetClusterRoles(ctx context.Context) (iter.Seq[*rbacv1.ClusterRole], error)
func (ResourceManagementService) GetClusterWorkloadServiceAccounts ¶
func (r ResourceManagementService) GetClusterWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.ClusterWorkloadServiceAccount], error)
func (ResourceManagementService) GetRoleBindings ¶
func (r ResourceManagementService) GetRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.RoleBinding], error)
func (ResourceManagementService) GetServiceAccounts ¶
func (r ResourceManagementService) GetServiceAccounts(ctx context.Context) (iter.Seq[*corev1.ServiceAccount], error)
func (ResourceManagementService) GetWorkloadServiceAccounts ¶
func (r ResourceManagementService) GetWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.WorkloadServiceAccount], error)
func (*ResourceManagementService) SetGCTracker ¶ added in v1.0.0
func (r *ResourceManagementService) SetGCTracker(tracker GCTrackerInterface)
SetGCTracker sets the garbage collection tracker for filtering delete events.
type Scope ¶
// Scope is an alias for internaltypes.Scope, the key under which WSAs are
// grouped and service accounts are assigned.
type Scope = internaltypes.Scope
type ScopeComputation ¶
// ScopeComputation defines the interface for computing scopes and service
// account mappings from WSA resources.
type ScopeComputation interface {
	// GetServiceAccountForScope retrieves the service account name for a
	// given scope. The error case is not documented on this page —
	// presumably an unknown scope; confirm.
	GetServiceAccountForScope(scope Scope) (ServiceAccountName, error)
	// ComputeScopesForWSAs groups the given WSAs by Scope (keyed by their
	// namespaced name) and returns the grouping together with the
	// GlobalVocabulary of dimension values seen across all of them.
	ComputeScopesForWSAs(wsaList []WSAResource) (map[Scope]map[types.NamespacedName]WSAResource, GlobalVocabulary)
	// GenerateServiceAccountMappings processes the scope map and generates
	// the required mappings for service account creation and management:
	// scope -> service account name, service account name -> the WSAs it
	// serves, WSA key -> service account names (as plain strings), and the
	// ServiceAccount objects to create.
	GenerateServiceAccountMappings(scopeMap map[Scope]map[types.NamespacedName]WSAResource) (
		map[Scope]ServiceAccountName,
		map[ServiceAccountName]map[types.NamespacedName]WSAResource,
		map[types.NamespacedName][]string,
		[]*corev1.ServiceAccount,
	)
	// GetScopeToSA returns the current scope to service account mapping.
	// NOTE(review): a returned map is shared with the caller; confirm whether
	// implementations hand back a copy, since mutating it would alter which
	// service account a scope resolves to.
	GetScopeToSA() map[Scope]ServiceAccountName
}
ScopeComputation defines the interface for computing scopes and service account mappings
type ScopeComputationService ¶
// ScopeComputationService is the implementation of ScopeComputation.
// Construct it with NewScopeComputationService, which takes the
// GlobalVocabulary and the initial scope -> service account map.
type ScopeComputationService struct {
	// contains filtered or unexported fields
}
func NewScopeComputationService ¶
func NewScopeComputationService( vocabulary *GlobalVocabulary, scopeToSA map[Scope]ServiceAccountName, ) ScopeComputationService
func (ScopeComputationService) ComputeScopesForWSAs ¶
func (s ScopeComputationService) ComputeScopesForWSAs(wsaList []WSAResource) (map[Scope]map[types.NamespacedName]WSAResource, GlobalVocabulary)
func (ScopeComputationService) GenerateServiceAccountMappings ¶
func (s ScopeComputationService) GenerateServiceAccountMappings(scopeMap map[Scope]map[types.NamespacedName]WSAResource) (map[Scope]ServiceAccountName, map[ServiceAccountName]map[types.NamespacedName]WSAResource, map[types.NamespacedName][]string, []*corev1.ServiceAccount)
func (ScopeComputationService) GetScopeToSA ¶
func (s ScopeComputationService) GetScopeToSA() map[Scope]ServiceAccountName
GetScopeToSA returns the current scope to service account mapping
func (ScopeComputationService) GetServiceAccountForScope ¶
func (s ScopeComputationService) GetServiceAccountForScope(scope Scope) (ServiceAccountName, error)
type ServiceAccountName ¶
// ServiceAccountName is the name of a controller-managed ServiceAccount,
// as assigned to a Scope by GenerateServiceAccountMappings.
type ServiceAccountName string
type WSAResource ¶
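// WSAResource is an internal interface that abstracts over both
// WorkloadServiceAccount and ClusterWorkloadServiceAccount so the two can be
// processed uniformly. Construct values with NewWSAResource or
// NewClusterWSAResource.
type WSAResource interface {
	// GetName returns the resource name.
	GetName() string
	// GetNamespace returns the namespace (empty string for cluster-scoped resources).
	GetNamespace() string
	// GetNamespacedName returns the NamespacedName of the resource.
	GetNamespacedName() types.NamespacedName
	// GetScope returns the scope configuration.
	GetScope() v1beta1.WorkloadServiceAccountScope
	// GetPermissionRules returns inline permission rules.
	GetPermissionRules() []rbacv1.PolicyRule
	// GetRoles returns role references (only for namespace-scoped WSA).
	GetRoles() []rbacv1.RoleRef
	// GetClusterRoles returns cluster role references.
	GetClusterRoles() []rbacv1.RoleRef
	// IsClusterScoped returns true if this is a cluster-scoped resource.
	IsClusterScoped() bool
	// GetOwnerObject returns the underlying WSA or CWSA object for owner
	// references. It is typed any (the idiomatic spelling of interface{});
	// callers must type-assert to the concrete v1beta1 type they expect.
	GetOwnerObject() any
	// UpdateCondition applies a status condition using SSA and updates the
	// in-memory resource.
	UpdateCondition(
		ctx context.Context, c client.Client, conditionType string, status metav1.ConditionStatus,
		reason, message string,
	) error
}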
WSAResource is an internal interface that abstracts over both WorkloadServiceAccount and ClusterWorkloadServiceAccount so that both can be processed uniformly.
func NewClusterWSAResource ¶
func NewClusterWSAResource(cwsa *v1beta1.ClusterWorkloadServiceAccount) WSAResource
NewClusterWSAResource creates a WSAResource from a ClusterWorkloadServiceAccount
func NewWSAResource ¶
func NewWSAResource(wsa *v1beta1.WorkloadServiceAccount) WSAResource
NewWSAResource creates a WSAResource from a WorkloadServiceAccount