2 changes: 1 addition & 1 deletion cmd/main.go
@@ -206,7 +206,7 @@ func main() {
}

// Create the rules engine instance
engine := rules.NewInMemoryEngine()
engine := rules.NewInMemoryEngine(mgr.GetClient())

if err := (&controller.WorkloadServiceAccountReconciler{
Client: mgr.GetClient(),
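--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -4,6 +4,15 @@ kind: ClusterRole
 metadata:
 name: manager-role
 rules:
+- apiGroups:
+- ""
+resources:
+- serviceaccounts
+verbs:
+- create
+- get
+- list
+- watch
 - apiGroups:
 - agent.octopus.com
 resources:
@@ -30,3 +39,21 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+- rbac.authorization.k8s.io
+resources:
+- clusterroles
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- rbac.authorization.k8s.io
+resources:
+- rolebindings
+- roles
+verbs:
+- create
+- get
+- list
+- watch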
29 changes: 6 additions & 23 deletions internal/controller/workloadserviceaccount_controller.go
@@ -38,6 +38,10 @@ type WorkloadServiceAccountReconciler struct {
// +kubebuilder:rbac:groups=agent.octopus.com,resources=workloadserviceaccounts,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=agent.octopus.com,resources=workloadserviceaccounts/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=agent.octopus.com,resources=workloadserviceaccounts/finalizers,verbs=update
// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch

// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
@@ -46,32 +50,11 @@ func (r *WorkloadServiceAccountReconciler) Reconcile(ctx context.Context, req ct

log.Info("WorkloadServiceAccount reconciliation triggered")

wsaList := &agentoctopuscomv1beta1.WorkloadServiceAccountList{}
if err := r.List(ctx, wsaList, client.InNamespace(req.Namespace)); err != nil {
log.Error(err, "failed to list WorkloadServiceAccounts")
if err := r.Engine.Reconcile(ctx, req.Namespace); err != nil {
log.Error(err, "failed to reconcile ServiceAccounts from WorkloadServiceAccounts")
return ctrl.Result{}, err
}

log.Info("Found WSAs in namespace", "count", len(wsaList.Items))

for _, currentWSA := range wsaList.Items {
for _, project := range currentWSA.Spec.Scope.Projects {
log.Info("WSA has project scope", "wsa", currentWSA.Name, "project", project)
}
for _, environment := range currentWSA.Spec.Scope.Environments {
log.Info("WSA has environment scope", "wsa", currentWSA.Name, "environment", environment)
}
for _, tenant := range currentWSA.Spec.Scope.Tenants {
log.Info("WSA has tenant scope", "wsa", currentWSA.Name, "tenant", tenant)
}
for _, step := range currentWSA.Spec.Scope.Steps {
log.Info("WSA has step scope", "wsa", currentWSA.Name, "step", step)
}
for _, space := range currentWSA.Spec.Scope.Spaces {
log.Info("WSA has space scope", "wsa", currentWSA.Name, "space", space)
}
}

log.Info("Successfully reconciled WorkloadServiceAccounts")
return ctrl.Result{}, nil
}
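Review bot: The new `+kubebuilder:rbac` markers above `Reconcile` grant `create` on serviceaccounts, roles and rolebindings but no `update`, `patch` or `delete`, so the controller cannot narrow or remove a Role or RoleBinding it created once the WorkloadServiceAccount behind it is edited or deleted; `config/rbac/role.yaml` carries the same verbs. Unless the engine attaches owner references so that garbage collection does the cleanup (the engine code is not in this diff), access granted through a WSA outlives it, so I would either add the verbs the engine needs or record the intended lifecycle above the markers, for example `// Created RBAC objects are never updated here; cleanup relies on owner references set by the rules engine.` Separately, the API server's escalation check rejects creating a Role, or a binding to a ClusterRole, that carries permissions the manager does not hold itself, and no marker grants `escalate` or `bind`. If those verbs are added later, scope `bind` with `resourceNames`, because every principal allowed to create a WSA would then inherit that ability.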
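--- a/internal/controller/workloadserviceaccount_controller_test.go
+++ b/internal/controller/workloadserviceaccount_controller_test.go
@@ -28,6 +28,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 agentoctopuscomv1beta1 "github.com/octopusdeploy/octopus-permissions-controller/api/v1beta1"
+"github.com/octopusdeploy/octopus-permissions-controller/internal/rules"
 )
 
 var _ = Describe("WorkloadServiceAccount Controller", func() {
@@ -68,9 +69,11 @@ var _ = Describe("WorkloadServiceAccount Controller", func() {
 })
 It("should successfully reconcile the resource", func() {
 By("Reconciling the created resource")
+engine := rules.NewInMemoryEngine(k8sClient)
 controllerReconciler := &WorkloadServiceAccountReconciler{
 Client: k8sClient,
 Scheme: k8sClient.Scheme(),
+Engine: &engine,
 }
 
 _, err := controllerReconciler.Reconcile(ctx, reconcile.Request{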
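Review bot: Nothing visible in this spec checks what the engine writes to the cluster: the added lines only build `rules.NewInMemoryEngine(k8sClient)` and set `Engine: &engine` before calling `Reconcile`, and the rest of the `It` block lies outside the hunk. If the remainder still asserts only that `err` is nil, a regression that creates a broader Role or binds the wrong ServiceAccount would pass. I would add assertions after the reconcile that list the Roles and RoleBindings in the test namespace and compare their rules and subjects with the WorkloadServiceAccount under test, plus a check that a second namespace stays empty.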