Apply changes requested in code review

Israel Blancas · Israel Blancas · commit ab3b9384b20f · 2024-11-20T14:16:15.000+01:00
Signed-off-by: Israel Blancas &lt;iblancas@redhat.com&gt;
diff --git a/internal/manifests/collector/collector.go b/internal/manifests/collector/collector.go
@@ -84,18 +84,10 @@ func Build(params manifests.Params) ([]client.Object, error) {
 		}
 	}
 
-	if params.ErrorAsWarning && params.Config.CreateRBACPermissions() == rbac.NotAvailable && params.Reviewer != nil {
-		saName := params.OtelCol.Spec.ServiceAccount
-		if saName == "" {
-			sa, err := manifests.Factory(ServiceAccount)(params)
-			if err != nil {
-				return nil, err
-			}
-			saName = sa.GetName()
-		}
-		warnings, err := CheckRbacRules(params, saName)
+	if needsCheckSaPermissions(params) {
+		warnings, err := CheckRbacRules(params, params.OtelCol.Spec.ServiceAccount)
 		if err != nil {
-			return nil, fmt.Errorf("error checking RBAC rules for serviceAccount %s: %w", saName, err)
+			return nil, fmt.Errorf("error checking RBAC rules for serviceAccount %s: %w", params.OtelCol.Spec.ServiceAccount, err)
 		}
 
 		var w []error
@@ -115,3 +107,10 @@ func Build(params manifests.Params) ([]client.Object, error) {
 	}
 	return resourceManifests, nil
 }
+
+func needsCheckSaPermissions(params manifests.Params) bool {
+	return params.ErrorAsWarning &&
+		params.Config.CreateRBACPermissions() == rbac.NotAvailable &&
+		params.Reviewer != nil &&
+		params.OtelCol.Spec.ServiceAccount != ""
+}
diff --git a/internal/manifests/collector/collector_test.go b/internal/manifests/collector/collector_test.go
@@ -0,0 +1,343 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package collector
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/go-logr/logr"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	otelColFeatureGate "go.opentelemetry.io/collector/featuregate"
+	v1 "k8s.io/api/authorization/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+
+	"github.com/open-telemetry/opentelemetry-operator/apis/v1beta1"
+	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/prometheus"
+	autoRbac "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/rbac"
+	"github.com/open-telemetry/opentelemetry-operator/internal/config"
+	"github.com/open-telemetry/opentelemetry-operator/internal/manifests"
+	irbac "github.com/open-telemetry/opentelemetry-operator/internal/rbac"
+	"github.com/open-telemetry/opentelemetry-operator/pkg/featuregate"
+)
+
+func TestNeedsCheckSaPermissions(t *testing.T) {
+	tests := []struct {
+		name     string
+		params   manifests.Params
+		expected bool
+	}{
+		{
+			name: "should return true when all conditions are met",
+			params: manifests.Params{
+				ErrorAsWarning: true,
+				Config:         config.New(config.WithRBACPermissions(autoRbac.NotAvailable)),
+				Reviewer:       &mockReviewer{},
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						OpenTelemetryCommonFields: v1beta1.OpenTelemetryCommonFields{
+							ServiceAccount: "test-sa",
+						},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "should return false when ErrorAsWarning is false",
+			params: manifests.Params{
+				ErrorAsWarning: false,
+				Config:         config.New(config.WithRBACPermissions(autoRbac.NotAvailable)),
+				Reviewer:       &mockReviewer{},
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						OpenTelemetryCommonFields: v1beta1.OpenTelemetryCommonFields{
+							ServiceAccount: "test-sa",
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "should return false when RBAC is available",
+			params: manifests.Params{
+				ErrorAsWarning: true,
+				Config:         config.New(config.WithRBACPermissions(autoRbac.Available)),
+				Reviewer:       &mockReviewer{},
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						OpenTelemetryCommonFields: v1beta1.OpenTelemetryCommonFields{
+							ServiceAccount: "test-sa",
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "should return false when Reviewer is nil",
+			params: manifests.Params{
+				ErrorAsWarning: true,
+				Config:         config.New(config.WithRBACPermissions(autoRbac.NotAvailable)),
+				Reviewer:       nil,
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						OpenTelemetryCommonFields: v1beta1.OpenTelemetryCommonFields{
+							ServiceAccount: "test-sa",
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "should return false when ServiceAccount is empty",
+			params: manifests.Params{
+				ErrorAsWarning: true,
+				Config:         config.New(config.WithRBACPermissions(autoRbac.NotAvailable)),
+				Reviewer:       &mockReviewer{},
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						OpenTelemetryCommonFields: v1beta1.OpenTelemetryCommonFields{
+							ServiceAccount: "",
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := needsCheckSaPermissions(tt.params)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+type mockReviewer struct{}
+
+var _ irbac.SAReviewer = &mockReviewer{}
+
+func (m *mockReviewer) CheckPolicyRules(ctx context.Context, serviceAccount, serviceAccountNamespace string, rules ...*rbacv1.PolicyRule) ([]*v1.SubjectAccessReview, error) {
+	return nil, fmt.Errorf("error checking policy rules")
+}
+
+func (m *mockReviewer) CanAccess(ctx context.Context, serviceAccount, serviceAccountNamespace string, res *v1.ResourceAttributes, nonResourceAttributes *v1.NonResourceAttributes) (*v1.SubjectAccessReview, error) {
+	return nil, nil
+}
+
+func TestBuild(t *testing.T) {
+	logger := logr.Discard()
+	tests := []struct {
+		name            string
+		params          manifests.Params
+		expectedObjects int
+		wantErr         bool
+		featureGate     *otelColFeatureGate.Gate
+	}{
+		{
+			name: "deployment mode builds expected manifests",
+			params: manifests.Params{
+				Log: logger,
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						Mode: v1beta1.ModeDeployment,
+					},
+				},
+				Config: config.New(),
+			},
+			expectedObjects: 5,
+			wantErr:         false,
+		},
+		{
+			name: "statefulset mode builds expected manifests",
+			params: manifests.Params{
+				Log: logger,
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						Mode: v1beta1.ModeStatefulSet,
+					},
+				},
+				Config: config.New(),
+			},
+			expectedObjects: 5,
+			wantErr:         false,
+		},
+		{
+			name: "sidecar mode skips deployment manifests",
+			params: manifests.Params{
+				Log: logger,
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						Mode: v1beta1.ModeSidecar,
+					},
+				},
+				Config: config.New(),
+			},
+			expectedObjects: 3,
+			wantErr:         false,
+		},
+		{
+			name: "rbac available adds cluster role manifests",
+			params: manifests.Params{
+				Log: logger,
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						Mode: v1beta1.ModeDeployment,
+						Config: v1beta1.Config{
+							Processors: &v1beta1.AnyConfig{
+								Object: map[string]any{
+									"k8sattributes": map[string]any{},
+								},
+							},
+							Service: v1beta1.Service{
+								Pipelines: map[string]*v1beta1.Pipeline{
+									"traces": {
+										Processors: []string{"k8sattributes"},
+									},
+								},
+							},
+						},
+					},
+				},
+				Config: config.New(config.WithRBACPermissions(autoRbac.Available)),
+			},
+			expectedObjects: 7,
+			wantErr:         false,
+		},
+		{
+			name: "metrics enabled adds monitoring service monitor",
+			params: manifests.Params{
+				Log: logger,
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						Mode: v1beta1.ModeDeployment,
+						Observability: v1beta1.ObservabilitySpec{
+							Metrics: v1beta1.MetricsConfigSpec{
+								EnableMetrics: true,
+							},
+						},
+					},
+				},
+				Config: config.New(config.WithPrometheusCRAvailability(prometheus.Available)),
+			},
+			expectedObjects: 6,
+			wantErr:         false,
+			featureGate:     featuregate.PrometheusOperatorIsAvailable,
+		},
+		{
+			name: "metrics enabled adds service monitors",
+			params: manifests.Params{
+				Log: logger,
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						Mode: v1beta1.ModeDeployment,
+						Observability: v1beta1.ObservabilitySpec{
+							Metrics: v1beta1.MetricsConfigSpec{
+								EnableMetrics: true,
+							},
+						},
+						Config: v1beta1.Config{
+							Exporters: v1beta1.AnyConfig{
+								Object: map[string]any{
+									"prometheus": map[string]any{
+										"endpoint": "1.2.3.4:1234",
+									},
+								},
+							},
+							Service: v1beta1.Service{
+								Pipelines: map[string]*v1beta1.Pipeline{
+									"metrics": {
+										Exporters: []string{"prometheus"},
+									},
+								},
+							},
+						},
+					},
+				},
+				Config: config.New(config.WithPrometheusCRAvailability(prometheus.Available)),
+			},
+			expectedObjects: 9,
+			wantErr:         false,
+			featureGate:     featuregate.PrometheusOperatorIsAvailable,
+		},
+		{
+			name: "check sa permissions",
+			params: manifests.Params{
+				ErrorAsWarning: true,
+				Reviewer:       &mockReviewer{},
+				Log:            logger,
+				OtelCol: v1beta1.OpenTelemetryCollector{
+					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						OpenTelemetryCommonFields: v1beta1.OpenTelemetryCommonFields{
+							ServiceAccount: "test-sa",
+						},
+						Mode: v1beta1.ModeDeployment,
+						Observability: v1beta1.ObservabilitySpec{
+							Metrics: v1beta1.MetricsConfigSpec{
+								EnableMetrics: true,
+							},
+						},
+						Config: v1beta1.Config{
+							Processors: &v1beta1.AnyConfig{
+								Object: map[string]any{
+									"k8sattributes": map[string]any{},
+								},
+							},
+							Service: v1beta1.Service{
+								Pipelines: map[string]*v1beta1.Pipeline{
+									"metrics": {
+										Processors: []string{"k8sattributes"},
+									},
+								},
+							},
+						},
+					},
+				},
+				Config: config.New(config.WithPrometheusCRAvailability(prometheus.Available)),
+			},
+			expectedObjects: 9,
+			wantErr:         true,
+			featureGate:     featuregate.PrometheusOperatorIsAvailable,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.featureGate != nil {
+				err := otelColFeatureGate.GlobalRegistry().Set(tt.featureGate.ID(), true)
+				require.NoError(t, err)
+				defer func() {
+					err := otelColFeatureGate.GlobalRegistry().Set(tt.featureGate.ID(), false)
+					require.NoError(t, err)
+				}()
+			}
+
+			objects, err := Build(tt.params)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+			assert.Len(t, objects, tt.expectedObjects)
+		})
+	}
+}
diff --git a/internal/manifests/params.go b/internal/manifests/params.go
@@ -36,6 +36,6 @@ type Params struct {
 	TargetAllocator *v1alpha1.TargetAllocator
 	OpAMPBridge     v1alpha1.OpAMPBridge
 	Config          config.Config
-	Reviewer        *rbac.Reviewer
+	Reviewer        rbac.SAReviewer
 	ErrorAsWarning  bool
 }
diff --git a/internal/rbac/access.go b/internal/rbac/access.go
@@ -29,6 +29,13 @@ const (
 	serviceAccountFmtStr = "system:serviceaccount:%s:%s"
 )
 
+type SAReviewer interface {
+	CheckPolicyRules(ctx context.Context, serviceAccount, serviceAccountNamespace string, rules ...*rbacv1.PolicyRule) ([]*v1.SubjectAccessReview, error)
+	CanAccess(ctx context.Context, serviceAccount, serviceAccountNamespace string, res *v1.ResourceAttributes, nonResourceAttributes *v1.NonResourceAttributes) (*v1.SubjectAccessReview, error)
+}
+
+var _ SAReviewer = &Reviewer{}
+
 type Reviewer struct {
 	client kubernetes.Interface
 }

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,6 @@ type Params struct {`
`36`	`36`	`TargetAllocator *v1alpha1.TargetAllocator`
`37`	`37`	`OpAMPBridge v1alpha1.OpAMPBridge`
`38`	`38`	`Config config.Config`
`39`		`- Reviewer *rbac.Reviewer`
	`39`	`+ Reviewer rbac.SAReviewer`
`40`	`40`	`ErrorAsWarning bool`
`41`	`41`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,13 @@ const (`
`29`	`29`	`serviceAccountFmtStr = "system:serviceaccount:%s:%s"`
`30`	`30`	`)`
`31`	`31`
	`32`	`+type SAReviewer interface {`
	`33`	`+ CheckPolicyRules(ctx context.Context, serviceAccount, serviceAccountNamespace string, rules ...rbacv1.PolicyRule) ([]v1.SubjectAccessReview, error)`
	`34`	`+ CanAccess(ctx context.Context, serviceAccount, serviceAccountNamespace string, res v1.ResourceAttributes, nonResourceAttributes v1.NonResourceAttributes) (*v1.SubjectAccessReview, error)`
	`35`	`+}`
	`36`	`+`
	`37`	`+var _ SAReviewer = &Reviewer{}`
	`38`	`+`
`32`	`39`	`type Reviewer struct {`
`33`	`40`	`client kubernetes.Interface`
`34`	`41`	`}`