remove finalizer removal code
Signed-off-by: Alex Pana <[email protected]>

keep comment, mark rbac for removal

Signed-off-by: Alex Pana <[email protected]>
acpana committed Oct 19, 2023
1 parent 780a66a commit b7d4275
Showing 9 changed files with 7 additions and 153 deletions.
9 changes: 0 additions & 9 deletions config/rbac/role.yaml
@@ -144,15 +144,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- templates.gatekeeper.sh
resources:
- constrainttemplates/finalizers
verbs:
- delete
- get
- patch
- update
- apiGroups:
- templates.gatekeeper.sh
resources:
1 change: 0 additions & 1 deletion main.go
@@ -345,7 +345,6 @@ blockingLoop:

// Manager stops controllers asynchronously.
// Instead, we use ControllerSwitch to synchronously prevent them from doing more work.
// This can be removed when finalizer and status teardown is removed.
setupLog.Info("disabling controllers...")
sw.Stop()

@@ -152,15 +152,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- templates.gatekeeper.sh
resources:
- constrainttemplates/finalizers
verbs:
- delete
- get
- patch
- update
- apiGroups:
- templates.gatekeeper.sh
resources:
9 changes: 0 additions & 9 deletions manifest_staging/deploy/gatekeeper.yaml
@@ -3551,15 +3551,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- templates.gatekeeper.sh
resources:
- constrainttemplates/finalizers
verbs:
- delete
- get
- patch
- update
- apiGroups:
- templates.gatekeeper.sh
resources:
43 changes: 2 additions & 41 deletions pkg/controller/config/config_controller.go
@@ -39,8 +39,7 @@ import (
)

const (
ctrlName = "config-controller"
finalizerName = "finalizers.gatekeeper.sh/config"
ctrlName = "config-controller"
)

var log = logf.Log.WithName("controller").WithValues("kind", "Config")
@@ -131,8 +130,7 @@ type ReconcileConfig struct {

// Reconcile reads that state of the cluster for a Config object and makes changes based on the state read
// and what is in the Config.Spec
// Automatically generate RBAC rules to allow the Controller to read all things (for sync)
// update is needed for finalizers.
// Automatically generate RBAC rules to allow the Controller to read all things (for sync).
func (r *ReconcileConfig) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
// Short-circuit if shutting down.
if r.cs != nil {
@@ -161,16 +159,6 @@ func (r *ReconcileConfig) Reconcile(ctx context.Context, request reconcile.Reque
}
}

// Actively remove config finalizer. This should automatically remove
// the finalizer over time even if state teardown didn't work correctly
// after a deprecation period, all finalizer code can be removed.
if exists && hasFinalizer(instance) {
removeFinalizer(instance)
if err := r.writer.Update(ctx, instance); err != nil {
return reconcile.Result{}, err
}
}

newExcluder := process.New()
var statsEnabled bool
// If the config is being deleted the user is saying they don't want to
@@ -203,30 +191,3 @@ func (r *ReconcileConfig) Reconcile(ctx context.Context, request reconcile.Reque

return reconcile.Result{}, nil
}

func containsString(s string, items []string) bool {
for _, item := range items {
if item == s {
return true
}
}
return false
}

func removeString(s string, items []string) []string {
var rval []string
for _, item := range items {
if item != s {
rval = append(rval, item)
}
}
return rval
}

func hasFinalizer(instance *configv1alpha1.Config) bool {
return containsString(finalizerName, instance.GetFinalizers())
}

func removeFinalizer(instance *configv1alpha1.Config) {
instance.SetFinalizers(removeString(finalizerName, instance.GetFinalizers()))
}
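Review bot: With the cleanup block gone from Reconcile, nothing strips a leftover `finalizers.gatekeeper.sh/config` finalizer any more, so a Config that still carries one (for example on a cluster upgraded straight from a release that set it) would presumably stay in Terminating on delete until someone patches it by hand. The same applies to the removal blocks deleted from constraint_controller.go and constrainttemplate_controller.go in this commit. I would record that near the top of Reconcile, e.g. `// Legacy finalizers are no longer removed here; objects that still carry one must be patched manually before deletion.`, and mention it in the upgrade notes. Reconcile's body starts and ends outside the hunks shown.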
7 changes: 2 additions & 5 deletions pkg/controller/config/config_controller_test.go
@@ -301,9 +301,8 @@ func TestConfig_DeleteSyncResources(t *testing.T) {
// create the Config object and expect the Reconcile to be created when controller starts
instance := &configv1alpha1.Config{
ObjectMeta: metav1.ObjectMeta{
Name: "config",
Namespace: "gatekeeper-system",
Finalizers: []string{finalizerName},
Name: "config",
Namespace: "gatekeeper-system",
},
Spec: configv1alpha1.ConfigSpec{
Sync: configv1alpha1.Sync{
@@ -418,8 +417,6 @@ func setupController(ctx context.Context, mgr manager.Manager, wm *watch.Manager
}
}

// ControllerSwitch will be used to disable controllers during our teardown process,
// avoiding conflicts in finalizer cleanup.
cs := watch.NewSwitch()
processExcluder := process.Get()
syncMetricsCache := syncutil.NewMetricsCache()
38 changes: 0 additions & 38 deletions pkg/controller/constraint/constraint_controller.go
@@ -52,10 +52,6 @@ import (

var log = logf.Log.WithName("controller").WithValues(logging.Process, "constraint_controller")

const (
finalizerName = "finalizers.gatekeeper.sh/constraint"
)

type Adder struct {
CFClient *constraintclient.Client
ConstraintsCache *ConstraintsCache
@@ -268,13 +264,6 @@ func (r *ReconcileConstraint) Reconcile(ctx context.Context, request reconcile.R
}
}()

if HasFinalizer(instance) {
RemoveFinalizer(instance)
if err := r.writer.Update(ctx, instance); err != nil {
return reconcile.Result{Requeue: true}, nil
}
}

if !deleted {
r.log.Info("handling constraint update", "instance", instance)
status, err := r.getOrCreatePodStatus(ctx, instance)
@@ -422,33 +411,6 @@ func (r *ReconcileConstraint) cacheConstraint(ctx context.Context, instance *uns
return nil
}

func RemoveFinalizer(instance *unstructured.Unstructured) {
instance.SetFinalizers(removeString(finalizerName, instance.GetFinalizers()))
}

func HasFinalizer(instance *unstructured.Unstructured) bool {
return containsString(finalizerName, instance.GetFinalizers())
}

func containsString(s string, items []string) bool {
for _, item := range items {
if item == s {
return true
}
}
return false
}

func removeString(s string, items []string) []string {
var rval []string
for _, item := range items {
if item != s {
rval = append(rval, item)
}
}
return rval
}

func NewConstraintsCache() *ConstraintsCache {
return &ConstraintsCache{
cache: make(map[string]tags),
42 changes: 3 additions & 39 deletions pkg/controller/constrainttemplate/constrainttemplate_controller.go
@@ -53,8 +53,7 @@ import (
)

const (
finalizerName = "constrainttemplate.finalizers.gatekeeper.sh"
ctrlName = "constrainttemplate-controller"
ctrlName = "constrainttemplate-controller"
)

var logger = log.Log.WithName("controller").WithValues("kind", "ConstraintTemplate", logging.Process, "constraint_template_controller")
@@ -242,9 +241,9 @@ type ReconcileConstraintTemplate struct {

// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=templates.gatekeeper.sh,resources=constrainttemplates,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=templates.gatekeeper.sh,resources=constrainttemplates/finalizers,verbs=get;update;patch;delete
// +kubebuilder:rbac:groups=templates.gatekeeper.sh,resources=constrainttemplates/status,verbs=get;update;patch

// TODO(acpana): remove in 3.16 as per https://github.com/open-policy-agent/gatekeeper/issues/3084
// +kubebuilder:rbac:groups=templates.gatekeeper.sh,resources=constrainttemplates/finalizers,verbs=get;update;patch;delete
// +kubebuilder:rbac:groups=externaldata.gatekeeper.sh,resources=providers,verbs=get;list;watch;create;update;patch;delete

// Reconcile reads that state of the cluster for a ConstraintTemplate object and makes changes based on the state read
@@ -271,21 +270,9 @@ func (r *ReconcileConstraintTemplate) Reconcile(ctx context.Context, request rec
return reconcile.Result{}, err
}
deleted = true
// be sure we are using a blank constraint template so that
// we know finalizer removal code won't break (can be removed once that
// code is removed)
ct = &v1beta1.ConstraintTemplate{}
}
deleted = deleted || !ct.GetDeletionTimestamp().IsZero()

if containsString(finalizerName, ct.GetFinalizers()) {
RemoveFinalizer(ct)
if err := r.Update(ctx, ct); err != nil && !errors.IsNotFound(err) {
logger.Error(err, "update error")
return reconcile.Result{Requeue: true}, nil
}
}

if deleted {
ctRef := &templates.ConstraintTemplate{}
ctRef.SetNamespace(request.Namespace)
@@ -601,33 +588,10 @@ func logError(name string) {
)
}

func RemoveFinalizer(instance *v1beta1.ConstraintTemplate) {
instance.SetFinalizers(removeString(finalizerName, instance.GetFinalizers()))
}

func makeGvk(kind string) schema.GroupVersionKind {
return schema.GroupVersionKind{
Group: "constraints.gatekeeper.sh",
Version: "v1beta1",
Kind: kind,
}
}

func containsString(s string, items []string) bool {
for _, item := range items {
if item == s {
return true
}
}
return false
}

func removeString(s string, items []string) []string {
var rval []string
for _, item := range items {
if item != s {
rval = append(rval, item)
}
}
return rval
}
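Review bot: The `constrainttemplates/finalizers` kubebuilder marker is kept under the new TODO above Reconcile, yet this commit deletes the matching rule from config/rbac/role.yaml and manifest_staging/deploy/gatekeeper.yaml, so the markers and the shipped role now disagree. If role.yaml is generated from these markers, the next regeneration would bring the `get;update;patch;delete` grant back; if the grant is still needed until 3.16, the manifests should keep it. Pick one side, and have the TODO say why the permission stays, e.g. `// TODO(acpana): kept until 3.16 because <reason>; see https://github.com/open-policy-agent/gatekeeper/issues/3084`. The TODO also sits directly above two markers, so a blank line before the `externaldata.gatekeeper.sh` marker would keep it from reading as covering that line as well.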
2 changes: 0 additions & 2 deletions pkg/readiness/ready_tracker_test.go
@@ -116,8 +116,6 @@ func setupController(
return fmt.Errorf("setting up tracker: %w", err)
}

// ControllerSwitch will be used to disable controllers during our teardown process,
// avoiding conflicts in finalizer cleanup.
sw := watch.NewSwitch()

pod := fakes.Pod(
