
Commit 83cc83c

authored
Drop support for K8s versions < 1.24 (fix for GKE version). (#68)
1 parent 91feb1f commit 83cc83c


5 files changed

+190
-268
lines changed


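--- a/Dockerfile
+++ b/Dockerfile
@@ -5,7 +5,6 @@ WORKDIR /work
 COPY . .
 RUN make
 
-FROM alpine:3.20
+FROM gcr.io/distroless/static-debian12:nonroot
 COPY --from=builder /work/bin/firewall-controller-manager .
-USER 65534
 ENTRYPOINT ["/firewall-controller-manager"]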
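Review bot: With `USER 65534` removed, the container's non-root identity now rests entirely on the `:nonroot` tag of the distroless base, so a later edit that switches the tag (for a debug variant, say) would silently run the binary as root; keeping the user explicit, `USER nonroot:nonroot` (uid 65532 in the distroless images, to be confirmed against the image's passwd), makes the intent survive such a change. The tag is also mutable, so pinning it, `FROM gcr.io/distroless/static-debian12:nonroot@sha256:<digest-placeholder>`, makes the runtime image reproducible and auditable. `static-debian12` ships no libc, so this only works if `make` in the builder stage produces a statically linked binary (CGO disabled); the Makefile is not in this diff, so that is worth confirming.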

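--- a/api/v2/helper/seed_access.go
+++ b/api/v2/helper/seed_access.go
@@ -4,14 +4,12 @@ import (
 "context"
 "fmt"
 
-"github.com/Masterminds/semver/v3"
 v2 "github.com/metal-stack/firewall-controller-manager/api/v2"
 controllerclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-"k8s.io/client-go/discovery"
 "k8s.io/client-go/rest"
 configlatest "k8s.io/client-go/tools/clientcmd/api/latest"
 configv1 "k8s.io/client-go/tools/clientcmd/api/v1"
@@ -58,11 +56,6 @@ func ensureSeedRBAC(ctx context.Context, seedConfig *rest.Config, deploy *v2.Fir
 }
 )
 
-k8sVersion, err := determineK8sVersion(seedConfig)
-if err != nil {
-return fmt.Errorf("unable to determine seed k8s version: %w", err)
-}
-
 seed, err := controllerclient.New(seedConfig, controllerclient.Options{
 Scheme: scheme,
 })
@@ -80,24 +73,22 @@ func ensureSeedRBAC(ctx context.Context, seedConfig *rest.Config, deploy *v2.Fir
 return fmt.Errorf("error ensuring service account: %w", err)
 }
 
-if versionGreaterOrEqual124(k8sVersion) {
-serviceAccountSecret := &corev1.Secret{
-ObjectMeta: metav1.ObjectMeta{
-Name: name,
-Namespace: deploy.Namespace,
-},
-}
+serviceAccountSecret := &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: name,
+Namespace: deploy.Namespace,
+},
+}
 
-_, err := controllerutil.CreateOrUpdate(ctx, seed, serviceAccountSecret, func() error {
-serviceAccountSecret.Annotations = map[string]string{
-"kubernetes.io/service-account.name": serviceAccount.Name,
-}
-serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
-return nil
-})
-if err != nil {
-return fmt.Errorf("error ensuring service account token secret: %w", err)
+_, err = controllerutil.CreateOrUpdate(ctx, seed, serviceAccountSecret, func() error {
+serviceAccountSecret.Annotations = map[string]string{
+"kubernetes.io/service-account.name": serviceAccount.Name,
 }
+serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
+return nil
+})
+if err != nil {
+return fmt.Errorf("error ensuring service account token secret: %w", err)
 }
 
 var shootAccessSecretNames []string
@@ -176,11 +167,6 @@ func ensureShootRBAC(ctx context.Context, shootConfig *rest.Config, shootNamespa
 }
 )
 
-k8sVersion, err := determineK8sVersion(shootConfig)
-if err != nil {
-return fmt.Errorf("unable to determine shoot k8s version: %w", err)
-}
-
 shoot, err := controllerclient.New(shootConfig, controllerclient.Options{
 Scheme: scheme,
 })
@@ -195,24 +181,22 @@ func ensureShootRBAC(ctx context.Context, shootConfig *rest.Config, shootNamespa
 return fmt.Errorf("error ensuring service account: %w", err)
 }
 
-if versionGreaterOrEqual124(k8sVersion) {
-serviceAccountSecret := &corev1.Secret{
-ObjectMeta: metav1.ObjectMeta{
-Name: name,
-Namespace: shootNamespace,
-},
-}
+serviceAccountSecret := &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: name,
+Namespace: shootNamespace,
+},
+}
 
-_, err := controllerutil.CreateOrUpdate(ctx, shoot, serviceAccountSecret, func() error {
-serviceAccountSecret.Annotations = map[string]string{
-"kubernetes.io/service-account.name": serviceAccount.Name,
-}
-serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
-return nil
-})
-if err != nil {
-return fmt.Errorf("error ensuring service account token secret: %w", err)
+_, err = controllerutil.CreateOrUpdate(ctx, shoot, serviceAccountSecret, func() error {
+serviceAccountSecret.Annotations = map[string]string{
+"kubernetes.io/service-account.name": serviceAccount.Name,
 }
+serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
+return nil
+})
+if err != nil {
+return fmt.Errorf("error ensuring service account token secret: %w", err)
 }
 
 _, err = controllerutil.CreateOrUpdate(ctx, shoot, clusterRole, func() error {
@@ -271,34 +255,6 @@ func ensureShootRBAC(ctx context.Context, shootConfig *rest.Config, shootNamespa
 return nil
 }
 
-func determineK8sVersion(config *rest.Config) (*semver.Version, error) {
-discoveryClient, err := discovery.NewDiscoveryClientForConfig(config)
-if err != nil {
-return nil, fmt.Errorf("unable to create discovery client: %w", err)
-}
-
-version, err := discoveryClient.ServerVersion()
-if err != nil {
-return nil, fmt.Errorf("unable to discover server version: %w", err)
-}
-
-k8sVersion, err := semver.NewVersion(version.GitVersion)
-if err != nil {
-return nil, fmt.Errorf("unable to parse kubernetes version version: %w", err)
-}
-
-return k8sVersion, nil
-}
-
-func versionGreaterOrEqual124(v *semver.Version) bool {
-constraint, err := semver.NewConstraint(">=v1.24.0")
-if err != nil {
-return false
-}
-
-return constraint.Check(v)
-}
-
 type AccessConfig struct {
 Ctx context.Context
 Config *rest.Config
@@ -344,62 +300,26 @@ func GetAccessKubeconfig(c *AccessConfig) ([]byte, error) {
 return nil, err
 }
 
-k8sVersion, err := determineK8sVersion(c.Config)
-if err != nil {
-return nil, fmt.Errorf("unable to determine k8s version: %w", err)
-}
-
 cl, err := controllerclient.New(c.Config, controllerclient.Options{
 Scheme: scheme,
 })
 if err != nil {
 return nil, fmt.Errorf("unable to create client: %w", err)
 }
 
-if versionGreaterOrEqual124(k8sVersion) {
-saSecret := &corev1.Secret{
-ObjectMeta: metav1.ObjectMeta{
-Name: name,
-Namespace: c.Namespace,
-},
-}
-err := cl.Get(c.Ctx, client.ObjectKeyFromObject(saSecret), saSecret, &client.GetOptions{})
-if err != nil {
-return nil, err
-}
-
-token = string(saSecret.Data["token"])
-ca = saSecret.Data["ca.crt"]
-} else {
-sa := &corev1.ServiceAccount{
-ObjectMeta: metav1.ObjectMeta{
-Name: name,
-Namespace: c.Namespace,
-},
-}
-err := cl.Get(c.Ctx, client.ObjectKeyFromObject(sa), sa, &client.GetOptions{})
-if err != nil {
-return nil, err
-}
-
-if len(sa.Secrets) == 0 {
-return nil, fmt.Errorf("service account %q contains no valid token secret", sa.Name)
-}
-
-saSecret := &corev1.Secret{
-ObjectMeta: metav1.ObjectMeta{
-Name: sa.Secrets[0].Name,
-Namespace: c.Namespace,
-},
-}
-err = cl.Get(c.Ctx, client.ObjectKeyFromObject(saSecret), saSecret, &client.GetOptions{})
-if err != nil {
-return nil, err
-}
-
-token = string(saSecret.Data["token"])
-ca = saSecret.Data["ca.crt"]
+saSecret := &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: name,
+Namespace: c.Namespace,
+},
 }
+err = cl.Get(c.Ctx, client.ObjectKeyFromObject(saSecret), saSecret, &client.GetOptions{})
+if err != nil {
+return nil, err
+}
+
+token = string(saSecret.Data["token"])
+ca = saSecret.Data["ca.crt"]
 
 if token == "" {
 return nil, fmt.Errorf("no token was created")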
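Review bot: GetAccessKubeconfig now reads `saSecret.Data["token"]` from a `kubernetes.io/service-account-token` Secret that ensureSeedRBAC and ensureShootRBAC create unconditionally, and nothing in the code records the >= 1.24 requirement that replaced the removed determineK8sVersion check; a doc comment on all three functions, such as `// Requires a Kubernetes API server >= 1.24: the token is read from an explicitly created service-account-token Secret rather than an auto-generated one.`, keeps the minimum visible where it matters. The token obtained this way is a long-lived, non-expiring Secret-backed credential embedded in the returned kubeconfig, which is worth stating in the same comment so operators know that revocation or rotation means deleting the Secret and letting the reconcile recreate it. The `Get` can presumably observe the Secret before the token controller has populated `Data`, which is what the existing `token == ""` check guards; returning a distinguishable, retriable error there would let callers tell "not yet populated" from a real failure, though that is beyond this diff. GetAccessKubeconfig and the two ensure functions all start and end outside the hunks.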

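--- a/api/v2/types_utils.go
+++ b/api/v2/types_utils.go
@@ -40,7 +40,7 @@ const (
 ConditionUnknown ConditionStatus = "Unknown"
 )
 
-type Conditions []Condition
+type Conditions []Condition // nolint:recvcheck
 
 // NewCondition creates a new condition.
 func NewCondition(t ConditionType, status ConditionStatus, reason, message string) Condition {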
