From 9387ab3fe7ffc2634b77a0bc6d5e92a4e3b6d0b5 Mon Sep 17 00:00:00 2001
From: changzhen <changzhen5@huawei.com>
Date: Thu, 15 Sep 2022 17:15:35 +0800
Subject: [PATCH] Use Cluster secret ref namespace in unified-auth-controller
 when generate ClusterRoleBinding

Signed-off-by: changzhen <changzhen5@huawei.com>
---
 .../unifiedauth/unified_auth_controller.go    | 45 ++++++++-----------
 pkg/util/rbac.go                              | 12 ++---
 2 files changed, 25 insertions(+), 32 deletions(-)

diff --git a/pkg/controllers/unifiedauth/unified_auth_controller.go b/pkg/controllers/unifiedauth/unified_auth_controller.go
index f5d72ee33..6be9e8f16 100644
--- a/pkg/controllers/unifiedauth/unified_auth_controller.go
+++ b/pkg/controllers/unifiedauth/unified_auth_controller.go
@@ -29,11 +29,12 @@ import (
 
 const (
 	// ControllerName is the controller name that will be used when reporting events.
-	ControllerName         = "unified-auth-controller"
-	rbacAPIVersion         = "rbac.authorization.k8s.io/v1"
-	clusterProxyResource   = "clusters/proxy"
-	clusterProxyAPIGroup   = "cluster.karmada.io"
-	karmadaImpersontorName = "karmada-impersonator"
+	ControllerName = "unified-auth-controller"
+
+	rbacAPIVersion          = "rbac.authorization.k8s.io/v1"
+	clusterProxyResource    = "clusters/proxy"
+	clusterProxyAPIGroup    = "cluster.karmada.io"
+	karmadaImpersonatorName = "karmada-impersonator"
 )
 
 // Controller is to sync impersonation config to member clusters for unified authentication.
@@ -87,6 +88,7 @@ func (c *Controller) syncImpersonationConfig(cluster *clusterv1alpha1.Cluster) e
 				util.PolicyRuleResourceMatches(&clusterRole.Rules[i], clusterProxyResource) &&
 				util.PolicyRuleResourceNameMatches(&clusterRole.Rules[i], cluster.Name) {
 				allMatchedClusterRoles.Insert(clusterRole.Name)
+				break
 			}
 		}
 	}
@@ -132,7 +134,7 @@ func (c *Controller) buildImpersonationClusterRole(cluster *clusterv1alpha1.Clus
 			Kind:       util.ClusterRoleKind,
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name: karmadaImpersontorName,
+			Name: karmadaImpersonatorName,
 		},
 		Rules: rules,
 	}
@@ -140,7 +142,7 @@ func (c *Controller) buildImpersonationClusterRole(cluster *clusterv1alpha1.Clus
 	clusterRoleObj, err := helper.ToUnstructured(impersonationClusterRole)
 	if err != nil {
 		klog.Errorf("Failed to transform clusterrole %s. Error: %v", impersonationClusterRole.GetName(), err)
-		return nil
+		return err
 	}
 
 	return c.buildWorks(cluster, clusterRoleObj)
@@ -153,26 +155,26 @@ func (c *Controller) buildImpersonationClusterRoleBinding(cluster *clusterv1alph
 			Kind:       util.ClusterRoleBindingKind,
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name: karmadaImpersontorName,
+			Name: karmadaImpersonatorName,
 		},
 		Subjects: []rbacv1.Subject{
 			{
 				Kind:      rbacv1.ServiceAccountKind,
-				Namespace: names.NamespaceKarmadaCluster,
+				Namespace: cluster.Spec.ImpersonatorSecretRef.Namespace,
 				Name:      names.GenerateServiceAccountName("impersonator"),
 			},
 		},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: rbacv1.GroupName,
 			Kind:     util.ClusterRoleKind,
-			Name:     karmadaImpersontorName,
+			Name:     karmadaImpersonatorName,
 		},
 	}
 
 	clusterRoleBindingObj, err := helper.ToUnstructured(impersonatorClusterRoleBinding)
 	if err != nil {
 		klog.Errorf("Failed to transform clusterrolebinding %s. Error: %v", impersonatorClusterRoleBinding.GetName(), err)
-		return nil
+		return err
 	}
 
 	return c.buildWorks(cluster, clusterRoleBindingObj)
@@ -213,19 +215,10 @@ func (c *Controller) SetupWithManager(mgr controllerruntime.Manager) error {
 			return true
 		},
 		UpdateFunc: func(e event.UpdateEvent) bool {
-			if _, ok := e.ObjectNew.(*clusterv1alpha1.Cluster); ok {
-				return false
-			}
-			if _, ok := e.ObjectOld.(*clusterv1alpha1.Cluster); ok {
-				return false
-			}
-			return true
+			return false
 		},
 		DeleteFunc: func(e event.DeleteEvent) bool {
-			if _, ok := e.Object.(*clusterv1alpha1.Cluster); ok {
-				return false
-			}
-			return true
+			return false
 		},
 		GenericFunc: func(event.GenericEvent) bool {
 			return false
@@ -264,14 +257,14 @@ func (c *Controller) newClusterRoleBindingMapFunc() handler.MapFunc {
 
 // found out which clusters need to sync impersonation config from rules like:
 //   resources: ["cluster/proxy"]
-//   resourceNmaes: ["cluster1", "cluster2"]
+//   resourceNames: ["cluster1", "cluster2"]
 func (c *Controller) generateRequestsFromClusterRole(clusterRole *rbacv1.ClusterRole) []reconcile.Request {
 	var requests []reconcile.Request
 	for i := range clusterRole.Rules {
 		if util.PolicyRuleAPIGroupMatches(&clusterRole.Rules[i], clusterProxyAPIGroup) &&
 			util.PolicyRuleResourceMatches(&clusterRole.Rules[i], clusterProxyResource) {
 			if len(clusterRole.Rules[i].ResourceNames) == 0 {
-				// if rule.ResourceNames == 0, means to match all clusters
+				// if the length of rule[i].ResourceNames is 0, means to match all clusters
 				clusterList := &clusterv1alpha1.ClusterList{}
 				if err := c.Client.List(context.TODO(), clusterList); err != nil {
 					klog.Errorf("Failed to list clusters, error: %v", err)
@@ -283,9 +276,9 @@ func (c *Controller) generateRequestsFromClusterRole(clusterRole *rbacv1.Cluster
 					}})
 				}
 			} else {
-				for _, ruleName := range clusterRole.Rules[i].ResourceNames {
+				for _, resourceName := range clusterRole.Rules[i].ResourceNames {
 					requests = append(requests, reconcile.Request{NamespacedName: types.NamespacedName{
-						Name: ruleName,
+						Name: resourceName,
 					}})
 				}
 			}
diff --git a/pkg/util/rbac.go b/pkg/util/rbac.go
index 162f2c4dc..e3549371c 100644
--- a/pkg/util/rbac.go
+++ b/pkg/util/rbac.go
@@ -86,8 +86,8 @@ func DeleteClusterRoleBinding(client kubeclient.Interface, name string) error {
 }
 
 // PolicyRuleAPIGroupMatches determines if the given policy rule is applied for requested group.
-func PolicyRuleAPIGroupMatches(rules *rbacv1.PolicyRule, requestedGroup string) bool {
-	for _, ruleGroup := range rules.APIGroups {
+func PolicyRuleAPIGroupMatches(rule *rbacv1.PolicyRule, requestedGroup string) bool {
+	for _, ruleGroup := range rule.APIGroups {
 		if ruleGroup == rbacv1.APIGroupAll {
 			return true
 		}
@@ -100,8 +100,8 @@ func PolicyRuleAPIGroupMatches(rules *rbacv1.PolicyRule, requestedGroup string)
 }
 
 // PolicyRuleResourceMatches determines if the given policy rule is applied for requested resource.
-func PolicyRuleResourceMatches(rules *rbacv1.PolicyRule, requestedResource string) bool {
-	for _, ruleResource := range rules.Resources {
+func PolicyRuleResourceMatches(rule *rbacv1.PolicyRule, requestedResource string) bool {
+	for _, ruleResource := range rule.Resources {
 		if ruleResource == rbacv1.ResourceAll {
 			return true
 		}
@@ -119,8 +119,8 @@ func PolicyRuleResourceNameMatches(rule *rbacv1.PolicyRule, requestedName string
 		return true
 	}
 
-	for _, ruleName := range rule.ResourceNames {
-		if ruleName == requestedName {
+	for _, resourceName := range rule.ResourceNames {
+		if resourceName == requestedName {
 			return true
 		}
 	}