add default rbac rules for devbox runtime and runtime class. (#5012)

* add retry logic when get service, fix rbac. * fix license. * add RetryOnConflict when sync pod
labring · Aug 31, 2024 · e3c9b62 · e3c9b62
1 parent d2eb60c
commit e3c9b62
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 50 deletions.
diff --git a/controllers/devbox/config/manager/manager.yaml b/controllers/devbox/config/manager/manager.yaml
@@ -77,6 +77,10 @@ spec:
         args:
           - --leader-elect
           - --health-probe-bind-address=:8081
+          - --registry-addr={{ .registryAddr }}
+          - --registry-user={{ .registryUser }}
+          - --registry-password={{ .registryPassword }}
+          - --auth-addr={{ .authAddr }}
         image: controller:latest
         name: manager
         securityContext:

diff --git a/controllers/devbox/config/rbac/role.yaml b/controllers/devbox/config/rbac/role.yaml
@@ -21,15 +21,16 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods
+    - events
   verbs:
   - create
-  - delete
-  - get
-  - list
   - patch
-  - update
-  - watch
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  verbs:
+    - '*'
 - apiGroups:
   - ""
   resources:
@@ -43,25 +44,13 @@ rules:
   resources:
   - secrets
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+    - '*'
 - apiGroups:
   - ""
   resources:
   - services
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+    - '*'
 - apiGroups:
   - devbox.sealos.io
   resources:

diff --git a/controllers/devbox/deploy/manifests/deploy.yaml.tmpl b/controllers/devbox/deploy/manifests/deploy.yaml.tmpl
@@ -574,15 +574,19 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods
+  - events
   verbs:
   - create
   - delete
   - get
   - list
   - patch
-  - update
-  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - '*'
 - apiGroups:
   - ""
   resources:
@@ -596,25 +600,13 @@ rules:
   resources:
   - secrets
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+  - '*'
 - apiGroups:
   - ""
   resources:
   - services
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+  - '*'
 - apiGroups:
   - devbox.sealos.io
   resources:

diff --git a/controllers/devbox/internal/controller/devbox_controller.go b/controllers/devbox/internal/controller/devbox_controller.go
@@ -32,6 +32,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/retry"
 	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -58,10 +59,11 @@ type DevboxReconciler struct {
 // +kubebuilder:rbac:groups=devbox.sealos.io,resources=devboxes,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=devbox.sealos.io,resources=devboxes/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=devbox.sealos.io,resources=devboxes/finalizers,verbs=update
-// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=pods/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",resources=pods,verbs=*
+// +kubebuilder:rbac:groups="",resources=pods/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups="",resources=services,verbs=*
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=*
+// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 
 func (r *DevboxReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	logger := log.FromContext(ctx, "devbox", req.NamespacedName)
@@ -83,15 +85,12 @@ func (r *DevboxReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 			}
 		}
 	} else {
-		if devbox.Spec.State == devboxv1alpha1.DevboxStateRunning {
-			devbox.Spec.State = devboxv1alpha1.DevboxStateStopped
-			return ctrl.Result{}, r.Update(ctx, devbox)
-		}
-
+		logger.Info("devbox deleted, remove all resources")
 		if err := r.removeAll(ctx, devbox, recLabels); err != nil {
 			return ctrl.Result{}, err
 		}
 
+		logger.Info("devbox deleted, remove finalizer")
 		if controllerutil.RemoveFinalizer(devbox, FinalizerName) {
 			if err := r.Update(ctx, devbox); err != nil {
 				return ctrl.Result{}, err
@@ -103,26 +102,34 @@ func (r *DevboxReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 	_ = r.Status().Update(ctx, devbox)
 
 	// create or update secret
+	logger.Info("create or update secret", "devbox", devbox.Name)
 	if err := r.syncSecret(ctx, devbox, recLabels); err != nil {
 		logger.Error(err, "create or update secret failed")
 		r.Recorder.Eventf(devbox, corev1.EventTypeWarning, "Create secret failed", "%v", err)
 		return ctrl.Result{}, err
 	}
 
-	if err := r.syncPod(ctx, devbox, recLabels); err != nil {
+	// create or update pod
+	logger.Info("create or update pod", "devbox", devbox.Name)
+	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		return r.syncPod(ctx, devbox, recLabels)
+	})
+	if err != nil {
 		logger.Error(err, "sync pod failed")
 		r.Recorder.Eventf(devbox, corev1.EventTypeWarning, "Sync pod failed", "%v", err)
 		return ctrl.Result{}, err
 	}
 
 	// create service if network type is NodePort
 	if devbox.Spec.NetworkSpec.Type == devboxv1alpha1.NetworkTypeNodePort {
+		logger.Info("create service", "devbox", devbox.Name)
 		if err := r.syncService(ctx, devbox, recLabels); err != nil {
 			logger.Error(err, "Create service failed")
 			r.Recorder.Eventf(devbox, corev1.EventTypeWarning, "Create service failed", "%v", err)
 			return ctrl.Result{RequeueAfter: time.Second * 3}, err
 		}
 	}
+	logger.Info("create devbox success", "devbox", devbox.Name)
 	r.Recorder.Eventf(devbox, corev1.EventTypeNormal, "Created", "create devbox success: %v", devbox.ObjectMeta.Name)
 	return ctrl.Result{Requeue: false}, nil
 }
@@ -449,7 +456,7 @@ func (r *DevboxReconciler) getLastSuccessCommitImageName(ctx context.Context, de
 	if err := r.Get(ctx, client.ObjectKey{Namespace: devbox.Namespace, Name: devbox.Spec.RuntimeRef.Name}, rt); err != nil {
 		return "", err
 	}
-	if devbox.Status.CommitHistory == nil || len(devbox.Status.CommitHistory) == 0 {
+	if len(devbox.Status.CommitHistory) == 0 {
 		return rt.Spec.Image, nil
 	}
 	// get image name from commit history, ues the latest commit history
@@ -503,8 +510,14 @@ func (r *DevboxReconciler) syncService(ctx context.Context, devbox *devboxv1alph
 
 	// Retrieve the updated Service to get the NodePort
 	var updatedService corev1.Service
-	if err := r.Client.Get(ctx, client.ObjectKey{Namespace: service.Namespace, Name: service.Name}, &updatedService); err != nil {
-		return err
+	err := retry.OnError(
+		retry.DefaultRetry,
+		func(err error) bool { return client.IgnoreNotFound(err) == nil },
+		func() error {
+			return r.Client.Get(ctx, client.ObjectKey{Namespace: service.Namespace, Name: service.Name}, &updatedService)
+		})
+	if err != nil {
+		return fmt.Errorf("failed to get updated service: %w", err)
 	}
 
 	// Extract the NodePort