
Commit 381a2dc

committed
Per workspace backup SA
A SA is created for every backup workspace to avoid ownership conflict. Signed-off-by: Ales Raszka <[email protected]>
1 parent 319f706 commit 381a2dc


2 files changed

+14
-5
lines changed


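--- a/controllers/backupcronjob/backupcronjob_controller.go
+++ b/controllers/backupcronjob/backupcronjob_controller.go
@@ -347,7 +347,7 @@ func (r *BackupCronJobReconciler) createBackupJob(
 Spec: batchv1.JobSpec{
 Template: corev1.PodTemplateSpec{
 Spec: corev1.PodSpec{
-ServiceAccountName: JobRunnerSAName,
+ServiceAccountName: JobRunnerSAName + "-" + workspace.Status.DevWorkspaceId,
 RestartPolicy: corev1.RestartPolicyNever,
 SecurityContext: &corev1.PodSecurityContext{
 FSGroup: ptr.To[int64](0),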
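Review bot: The account name on the new `ServiceAccountName` line is assembled inline as `JobRunnerSAName + "-" + workspace.Status.DevWorkspaceId`, and the same expression is repeated in rbac.go where the account is created; if the two ever diverge, the Job's pod will reference a ServiceAccount that does not exist and cannot be created. A single helper that takes the workspace and returns the name, used as `ServiceAccountName: jobRunnerSAName(workspace),` here and in the `ObjectMeta` in rbac.go, would remove that risk. The helper would also be the place to reject an empty `DevWorkspaceId`, which would otherwise produce a name ending in "-" that the API server refuses; whether that state can reach createBackupJob is not visible here. createBackupJob starts and ends outside the hunk.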

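--- a/controllers/backupcronjob/rbac.go
+++ b/controllers/backupcronjob/rbac.go
@@ -17,10 +17,11 @@ package controllers
 
 import (
 "context"
-"fmt"
 
 dw "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
 "github.com/devfile/devworkspace-operator/pkg/constants"
+"github.com/devfile/devworkspace-operator/pkg/dwerrors"
+"github.com/devfile/devworkspace-operator/pkg/provision/sync"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -35,9 +36,16 @@ func (r *BackupCronJobReconciler) ensureJobRunnerRBAC(ctx context.Context, works
 roleName = "devworkspace-job-runner-role"
 rbName = "devworkspace-job-runner-rolebinding"
 )
+clusterAPI := sync.ClusterAPI{
+Client: r.Client,
+NonCachingClient: r.NonCachingClient,
+Scheme: r.Scheme,
+Logger: r.Log,
+Ctx: ctx,
+}
 
 sa := &corev1.ServiceAccount{
-ObjectMeta: metav1.ObjectMeta{Name: JobRunnerSAName, Namespace: workspace.Namespace, Labels: map[string]string{
+ObjectMeta: metav1.ObjectMeta{Name: JobRunnerSAName + "-" + workspace.Status.DevWorkspaceId, Namespace: workspace.Namespace, Labels: map[string]string{
 constants.DevWorkspaceIDLabel: workspace.Status.DevWorkspaceId,
 constants.DevWorkspaceWatchSecretLabel: "true",
 }},
@@ -47,8 +55,9 @@ func (r *BackupCronJobReconciler) ensureJobRunnerRBAC(ctx context.Context, works
 if err := controllerutil.SetControllerReference(workspace, sa, r.Scheme); err != nil {
 return err
 }
-if _, err := controllerutil.CreateOrUpdate(ctx, r.Client, sa, func() error { return nil }); err != nil {
-return fmt.Errorf("ensuring ServiceAccount: %w", err)
+
+if _, err := sync.SyncObjectWithCluster(sa, clusterAPI); err != nil {
+return dwerrors.WrapSyncError(err)
 }
 
 return nil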
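Review bot: The ServiceAccount created in ensureJobRunnerRBAC is now named per workspace, but the `roleName` and `rbName` constants in the same function are still single fixed names per namespace, and the code that uses them is outside these hunks. It is worth confirming that whatever grants the backup Job its permissions names the new `JobRunnerSAName + "-" + workspace.Status.DevWorkspaceId` account as its subject, and that a shared Role or RoleBinding neither reintroduces the ownership conflict this commit removes nor gives every workspace's runner the same access. A short comment above `sa := &corev1.ServiceAccount{` would record the intent, for example `// One ServiceAccount per workspace, so each can be controller-owned by its own DevWorkspace.` Separately, the switch to `sync.SyncObjectWithCluster` with `dwerrors.WrapSyncError(err)` may return a non-nil error on the pass that first creates the account, so the caller should treat that result as a requeue rather than a failure; that behaviour is inferred from the helper names and should be checked.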
