@@ -20,47 +20,83 @@ import (
2020 "github.com/devfile/devworkspace-operator/pkg/provision/sync"
2121 rbacv1 "k8s.io/api/rbac/v1"
2222 k8sErrors "k8s.io/apimachinery/pkg/api/errors"
23+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
2324 "k8s.io/apimachinery/pkg/types"
2425)
2526
2627// cleanupDeprecatedRBAC removes old Roles and RoleBindings created by an earlier version
2728// of the DevWorkspace Operator. These earlier roles and rolebindings are no longer used
2829// and need to be removed directly as there is no usual mechanism for their removal.
30+ //
31+ // Since the cache filters used for the operator are label-based and the old roles/bindings
32+ // do not have the appropriate labels, the old role/binding are "invisible" to the controller
33+ // This means we have to delete the object without reading it first. To avoid submitting many
34+ // delete requests to the API, we only do this if the new role/binding are not present.
2935// TODO: Remove this functionality for DevWorkspace Operator v0.19
3036func cleanupDeprecatedRBAC (namespace string , api sync.ClusterAPI ) error {
31- role := & rbacv1.Role {}
32- roleNN := types.NamespacedName {
33- Name : common .OldWorkspaceRoleName (),
37+ newRole := & rbacv1.Role {}
38+ newRoleNN := types.NamespacedName {
39+ Name : common .WorkspaceRoleName (),
3440 Namespace : namespace ,
3541 }
36- err := api .Client .Get (api .Ctx , roleNN , role )
42+ oldRole := & rbacv1.Role {
43+ ObjectMeta : metav1.ObjectMeta {
44+ Name : common .OldWorkspaceRoleName (),
45+ Namespace : namespace ,
46+ },
47+ }
48+ err := api .Client .Get (api .Ctx , newRoleNN , newRole )
3749 switch {
3850 case err == nil :
39- if err := api .Client .Delete (api .Ctx , role ); err != nil {
40- return err
41- }
42- return & RetryError {fmt .Errorf ("deleted deprecated DevWorkspace Role" )}
43- case k8sErrors .IsNotFound (err ):
51+ // New role exists, don't try to delete old role
4452 break
53+ case k8sErrors .IsNotFound (err ):
54+ // Try to delete old role
55+ deleteErr := api .Client .Delete (api .Ctx , oldRole )
56+ switch {
57+ case deleteErr == nil :
58+ return & RetryError {fmt .Errorf ("deleted deprecated DevWorkspace Role" )}
59+ case k8sErrors .IsNotFound (err ):
60+ // Already deleted
61+ break
62+ default :
63+ return deleteErr
64+ }
4565 default :
4666 return err
4767 }
48- rolebinding := & rbacv1.RoleBinding {}
49- rolebindingNN := types.NamespacedName {
50- Name : common .OldWorkspaceRolebindingName (),
68+
69+ newRolebinding := & rbacv1.RoleBinding {}
70+ newRolebindingNN := types.NamespacedName {
71+ Name : common .WorkspaceRolebindingName (),
5172 Namespace : namespace ,
5273 }
53- err = api .Client .Get (api .Ctx , rolebindingNN , rolebinding )
74+ oldRolebinding := & rbacv1.RoleBinding {
75+ ObjectMeta : metav1.ObjectMeta {
76+ Name : common .OldWorkspaceRolebindingName (),
77+ Namespace : namespace ,
78+ },
79+ }
80+ err = api .Client .Get (api .Ctx , newRolebindingNN , newRolebinding )
5481 switch {
5582 case err == nil :
56- if err := api .Client .Delete (api .Ctx , rolebinding ); err != nil {
57- return err
58- }
59- return & RetryError {fmt .Errorf ("deleted deprecated DevWorkspace RoleBinding" )}
60- case k8sErrors .IsNotFound (err ):
83+ // New role exists, don't try to delete old role
6184 break
85+ case k8sErrors .IsNotFound (err ):
86+ // Try to delete old role
87+ deleteErr := api .Client .Delete (api .Ctx , oldRolebinding )
88+ switch {
89+ case deleteErr == nil :
90+ return & RetryError {fmt .Errorf ("deleted deprecated DevWorkspace RoleBinding" )}
91+ case k8sErrors .IsNotFound (err ):
92+ // Already deleted
93+ break
94+ default :
95+ return deleteErr
96+ }
6297 default :
6398 return err
6499 }
100+
65101 return nil
66102}
0 commit comments