fix cluster upgrade ako role doesn't update issue (#159)

Signed-off-by: Xudong Liu <[email protected]>

Author: XudongLiuHarold

Makefile

@@ -13,7 +13,7 @@ PUBLISH?=publish
 BUILD_VERSION ?= $(shell git describe --always --match "v*" | sed 's/v//')
 
 # TKG Version
-TKG_VERSION ?= v1.10.0+vmware.1
+TKG_VERSION ?= v1.10.0+vmware.2
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))

controllers/akodeploymentconfig/akodeploymentconfig_controller_intg_test.go

@@ -260,7 +260,32 @@ func intgTestAkoDeploymentConfigController() {
 		})
 		ctx.AviClient.Role.SetCreateRoleFunc(func(obj *models.Role, options ...session.ApiOptionsParams) (*models.Role, error) {
 			userRoleCreateCalled = true
-			return &models.Role{}, nil
+			return &models.Role{
+				Privileges: []*models.Permission{
+					{
+						Type:     pointer.StringPtr("READ_ACCESS"),
+						Resource: pointer.StringPtr("PERMISSION_SYSTEMCONFIGURATION"),
+					},
+					{
+						Type:     pointer.StringPtr("READ_ACCESS"),
+						Resource: pointer.StringPtr("PERMISSION_CONTROLLER"),
+					},
+				},
+			}, nil
+		})
+		ctx.AviClient.Role.SetUpdateRoleFunc(func(obj *models.Role, options ...session.ApiOptionsParams) (*models.Role, error) {
+			return &models.Role{
+				Privileges: []*models.Permission{
+					{
+						Type:     pointer.StringPtr("READ_ACCESS"),
+						Resource: pointer.StringPtr("PERMISSION_SYSTEMCONFIGURATION"),
+					},
+					{
+						Type:     pointer.StringPtr("READ_ACCESS"),
+						Resource: pointer.StringPtr("PERMISSION_CONTROLLER"),
+					},
+				},
+			}, nil
 		})
 		ctx.AviClient.Tenant.SetGetTenantFunc(func(uuid string, options ...session.ApiOptionsParams) (*models.Tenant, error) {
 			return &models.Tenant{}, nil
@@ -525,6 +550,23 @@ func intgTestAkoDeploymentConfigController() {
 							})
 
 							When("AVI user exists", func() {
+								BeforeEach(func() {
+									ctx.AviClient.Role.SetGetByNameRoleFunc(func(name string, options ...session.ApiOptionsParams) (*models.Role, error) {
+										return &models.Role{
+											Privileges: []*models.Permission{
+												{
+													Type:     pointer.StringPtr("READ_ACCESS"),
+													Resource: pointer.StringPtr("PERMISSION_SYSTEMCONFIGURATION"),
+												},
+												{
+													Type:     pointer.StringPtr("READ_ACCESS"),
+													Resource: pointer.StringPtr("PERMISSION_CONTROLLER"),
+												},
+											},
+										}, nil
+									})
+								})
+
 								It("should update AVI user", func() {
 									Eventually(func() bool {
 										return userUpdateCalled

controllers/akodeploymentconfig/user/user_controller.go

@@ -288,10 +288,15 @@ func (r *AkoUserReconciler) createOrUpdateAviUser(aviUsername, aviPassword, tena
 		}
 		return r.aviClient.UserCreate(aviUser)
 	}
-	// Update the password when user found, this is needed when the AVI user was
-	// created before the mc Secret. And this operation will sync
-	// the User's password to be the same as mc Secret's
+
 	if err == nil {
+		// ensure user's role align with latest essential permission when user found
+		if _, err := r.ensureAkoUserRole(); err != nil {
+			return nil, err
+		}
+		// Update the password when user found, this is needed when the AVI user was
+		// created before the mc Secret. And this operation will sync
+		// the User's password to be the same as mc Secret's
 		aviUser.Password = &aviPassword
 		return r.aviClient.UserUpdate(aviUser)
 	}
@@ -310,10 +315,34 @@ func (r *AkoUserReconciler) getOrCreateAkoUserRole(roleTenantRef *string) (*mode
 		}
 		return r.aviClient.RoleCreate(role)
 	}
-	// else return role or error
+	if err == nil {
+		return r.ensureAkoUserRole()
+	}
 	return role, err
 }
 
+// ensureAkoUserRole ensure ako-essential-role has the latest permission
+func (r *AkoUserReconciler) ensureAkoUserRole() (*models.Role, error) {
+	role, err := r.aviClient.RoleGetByName(akoov1alpha1.AkoUserRoleName)
+	if err != nil {
+		return role, err
+	}
+	// check if role needs to be sync
+	needSync := false
+	for i, permission := range role.Privileges {
+		if *permission.Resource == "PERMISSION_CONTROLLER" || *permission.Resource == "PERMISSION_SYSTEMCONFIGURATION" {
+			if *permission.Type != "READ_ACCESS" {
+				needSync = true
+				role.Privileges[i].Type = pointer.StringPtr("READ_ACCESS")
+			}
+		}
+	}
+	if needSync {
+		return r.aviClient.RoleUpdate(role)
+	}
+	return role, nil
+}
+
 // mcAVISecretNameNameSpace get avi user secret name/namespace in management cluster. There is no need to
 // encode the cluster namespace as the secret is deployed in the same namespace as
 // the cluster

pkg/aviclient/client.go

@@ -276,6 +276,10 @@ func (r *realAviClient) RoleCreate(obj *models.Role, options ...session.ApiOptio
 	return r.Role.Create(obj)
 }
 
+func (r *realAviClient) RoleUpdate(obj *models.Role, options ...session.ApiOptionsParams) (*models.Role, error) {
+	return r.Role.Update(obj)
+}
+
 func (r *realAviClient) VirtualServiceGetByName(name string, options ...session.ApiOptionsParams) (*models.VirtualService, error) {
 	return r.VirtualService.GetByName(name)
 }

pkg/aviclient/fake_avi_client.go

@@ -116,6 +116,10 @@ func (r *FakeAviClient) RoleCreate(obj *models.Role, options ...session.ApiOptio
 	return r.Role.Create(obj)
 }
 
+func (r *FakeAviClient) RoleUpdate(obj *models.Role, options ...session.ApiOptionsParams) (*models.Role, error) {
+	return r.Role.Update(obj)
+}
+
 func (r *FakeAviClient) VirtualServiceGetByName(name string, options ...session.ApiOptionsParams) (*models.VirtualService, error) {
 	return r.VirtualService.GetByName(name)
 }
@@ -276,10 +280,12 @@ func (client *TenantClient) Get(uuid string, options ...session.ApiOptionsParams
 type RoleClient struct {
 	getByNameRoleFn GetByNameRoleFunc
 	createRoleFunc  CreateRoleFunc
+	updateRoleFunc  UpdateRoleFunc
 }
 
 type GetByNameRoleFunc func(name string, options ...session.ApiOptionsParams) (*models.Role, error)
 type CreateRoleFunc func(obj *models.Role, options ...session.ApiOptionsParams) (*models.Role, error)
+type UpdateRoleFunc func(obj *models.Role, options ...session.ApiOptionsParams) (*models.Role, error)
 
 func (client *RoleClient) SetGetByNameRoleFunc(fn GetByNameRoleFunc) {
 	client.getByNameRoleFn = fn
@@ -289,6 +295,10 @@ func (client *RoleClient) SetCreateRoleFunc(fn CreateRoleFunc) {
 	client.createRoleFunc = fn
 }
 
+func (client *RoleClient) SetUpdateRoleFunc(fn UpdateRoleFunc) {
+	client.updateRoleFunc = fn
+}
+
 func (client *RoleClient) GetByName(name string, options ...session.ApiOptionsParams) (*models.Role, error) {
 	return client.getByNameRoleFn(name)
 }
@@ -297,6 +307,10 @@ func (client *RoleClient) Create(obj *models.Role, options ...session.ApiOptions
 	return client.createRoleFunc(obj)
 }
 
+func (client *RoleClient) Update(obj *models.Role, options ...session.ApiOptionsParams) (*models.Role, error) {
+	return client.updateRoleFunc(obj)
+}
+
 // Pool Client
 type PoolClient struct {
 	getByNameFn GetByNamePoolFunc

pkg/aviclient/interface.go

@@ -27,6 +27,7 @@ type Client interface {
 
 	RoleGetByName(name string, options ...session.ApiOptionsParams) (*models.Role, error)
 	RoleCreate(obj *models.Role, options ...session.ApiOptionsParams) (*models.Role, error)
+	RoleUpdate(obj *models.Role, options ...session.ApiOptionsParams) (*models.Role, error)
 
 	IPAMDNSProviderProfileGet(uuid string, options ...session.ApiOptionsParams) (*models.IPAMDNSProviderProfile, error)
 	IPAMDNSProviderProfileUpdate(obj *models.IPAMDNSProviderProfile, options ...session.ApiOptionsParams) (*models.IPAMDNSProviderProfile, error)