
Copy the SA token of sub-spaces only for specific tiers
Signed-off-by: Kartikey Mamgain <kmamgain@redhat.com>
Kartikey-star committed Oct 23, 2023
1 parent ea61535 commit b83f02c
Showing 5 changed files with 66 additions and 30 deletions.
52 changes: 27 additions & 25 deletions controllers/spacerequest/spacerequest_controller.go
Expand Up @@ -104,18 +104,19 @@ func (r *Reconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.
return reconcile.Result{}, err
}

subSpace, createdOrUpdated, err := r.ensureSpace(ctx, memberClusterWithSpaceRequest, spaceRequest)
subSpace, tier, createdOrUpdated, err := r.ensureSpace(ctx, memberClusterWithSpaceRequest, spaceRequest)
// if there was an error or if subSpace was just created or updated,
// let's just return.
if err != nil || createdOrUpdated {
return ctrl.Result{}, err
}

// ensure there is a secret that provides admin access to each provisioned namespaces of the subSpace
if err := r.ensureSecretForProvisionedNamespaces(ctx, memberClusterWithSpaceRequest, spaceRequest, subSpace); err != nil {
return reconcile.Result{}, r.setStatusFailedToCreateSubSpace(ctx, memberClusterWithSpaceRequest, spaceRequest, err)
if tier.Spec.SpaceRequestConfig != nil {
// ensure there is a secret that provides admin access to each provisioned namespaces of the subSpace
if err := r.ensureSecretForProvisionedNamespaces(ctx, memberClusterWithSpaceRequest, spaceRequest, subSpace, tier.Spec.SpaceRequestConfig.ServiceAccountName); err != nil {
return reconcile.Result{}, r.setStatusFailedToCreateSubSpace(ctx, memberClusterWithSpaceRequest, spaceRequest, err)
}
}

// update spaceRequest conditions and target cluster url
err = r.updateSpaceRequest(ctx, memberClusterWithSpaceRequest, spaceRequest, subSpace)

Expand Down Expand Up @@ -160,25 +161,26 @@ func (r *Reconciler) addFinalizer(ctx context.Context, memberCluster cluster.Clu
return nil
}

func (r *Reconciler) ensureSpace(ctx context.Context, memberCluster cluster.Cluster, spaceRequest *toolchainv1alpha1.SpaceRequest) (*toolchainv1alpha1.Space, bool, error) {
func (r *Reconciler) ensureSpace(ctx context.Context, memberCluster cluster.Cluster, spaceRequest *toolchainv1alpha1.SpaceRequest) (*toolchainv1alpha1.Space, *toolchainv1alpha1.NSTemplateTier, bool, error) {
logger := log.FromContext(ctx)
logger.Info("ensuring subSpace")

// find parent space from namespace labels
parentSpace, err := r.getParentSpace(ctx, memberCluster, spaceRequest)
if err != nil {
return nil, false, err
return nil, nil, false, err
}
// parentSpace is being deleted
if util.IsBeingDeleted(parentSpace) {
return nil, false, errs.New("parentSpace is being deleted")
return nil, nil, false, errs.New("parentSpace is being deleted")
}

var tier toolchainv1alpha1.NSTemplateTier

// validate tierName
if err := r.validateNSTemplateTier(ctx, spaceRequest.Spec.TierName); err != nil {
return nil, false, err
if err, tier = r.validateNSTemplateTier(ctx, spaceRequest.Spec.TierName); err != nil {
return nil, nil, false, err
}

// create if not found on the expected target cluster
subSpace := &toolchainv1alpha1.Space{}
if err := r.Client.Get(ctx, types.NamespacedName{
Expand All @@ -189,21 +191,21 @@ func (r *Reconciler) ensureSpace(ctx context.Context, memberCluster cluster.Clus
// no spaces found, let's create it
logger.Info("creating subSpace")
if err := r.setStatusProvisioning(ctx, memberCluster, spaceRequest); err != nil {
return nil, false, errs.Wrap(err, "error updating status")
return nil, nil, false, errs.Wrap(err, "error updating status")
}
subSpace, err = r.createNewSubSpace(ctx, spaceRequest, parentSpace)
if err != nil {
// failed to create subSpace
return nil, false, r.setStatusFailedToCreateSubSpace(ctx, memberCluster, spaceRequest, err)
return nil, nil, false, r.setStatusFailedToCreateSubSpace(ctx, memberCluster, spaceRequest, err)
}
return subSpace, true, nil // a subSpace was created
return subSpace, &tier, true, nil // a subSpace was created
}
// failed to create subSpace
return nil, false, r.setStatusFailedToCreateSubSpace(ctx, memberCluster, spaceRequest, err)
return nil, nil, false, r.setStatusFailedToCreateSubSpace(ctx, memberCluster, spaceRequest, err)
}
logger.Info("subSpace already exists")
updated, err := r.updateExistingSubSpace(ctx, spaceRequest, subSpace)
return subSpace, updated, err
return subSpace, &tier, updated, err
}

func (r *Reconciler) createNewSubSpace(ctx context.Context, spaceRequest *toolchainv1alpha1.SpaceRequest, parentSpace *toolchainv1alpha1.Space) (*toolchainv1alpha1.Space, error) {
Expand Down Expand Up @@ -237,9 +239,9 @@ func (r *Reconciler) updateExistingSubSpace(ctx context.Context, spaceRequest *t
}

// validateNSTemplateTier checks if the provided tierName in the spaceRequest exists and is valid
func (r *Reconciler) validateNSTemplateTier(ctx context.Context, tierName string) error {
func (r *Reconciler) validateNSTemplateTier(ctx context.Context, tierName string) (error, toolchainv1alpha1.NSTemplateTier) {

Check warning on line 242 in controllers/spacerequest/spacerequest_controller.go


GitHub Actions / GolangCI Lint

error-return: error should be the last type when returning multiple items (revive)
if tierName == "" {
return fmt.Errorf("tierName cannot be blank")
return fmt.Errorf("tierName cannot be blank"), toolchainv1alpha1.NSTemplateTier{}
}
// check if requested tier exists
tier := &toolchainv1alpha1.NSTemplateTier{}
Expand All @@ -248,12 +250,12 @@ func (r *Reconciler) validateNSTemplateTier(ctx context.Context, tierName string
Name: tierName,
}, tier); err != nil {
if errors.IsNotFound(err) {
return err
return err, *tier
}
// Error reading the object - requeue the request.
return errs.Wrap(err, "unable to get the current NSTemplateTier")
return errs.Wrap(err, "unable to get the current NSTemplateTier"), *tier
}
return nil
return nil, *tier
}

// updateSubSpace updates the tierName and targetClusterRoles from the spaceRequest to the subSpace object
Expand Down Expand Up @@ -397,7 +399,7 @@ func (r *Reconciler) deleteExistingSubSpace(ctx context.Context, subSpace *toolc
return true, nil
}

func (r *Reconciler) ensureSecretForProvisionedNamespaces(ctx context.Context, memberClusterWithSpaceRequest cluster.Cluster, spaceRequest *toolchainv1alpha1.SpaceRequest, subSpace *toolchainv1alpha1.Space) error {
func (r *Reconciler) ensureSecretForProvisionedNamespaces(ctx context.Context, memberClusterWithSpaceRequest cluster.Cluster, spaceRequest *toolchainv1alpha1.SpaceRequest, subSpace *toolchainv1alpha1.Space, serviceAccountName string) error {
logger := log.FromContext(ctx)

if len(subSpace.Status.ProvisionedNamespaces) == 0 {
Expand Down Expand Up @@ -427,7 +429,7 @@ func (r *Reconciler) ensureSecretForProvisionedNamespaces(ctx context.Context, m
switch {
case len(secretList.Items) == 0:
// create the secret for this namespace
clientConfig, err := r.generateKubeConfig(subSpaceTargetCluster, namespace.Name)
clientConfig, err := r.generateKubeConfig(subSpaceTargetCluster, namespace.Name, serviceAccountName)
if err != nil {
return err
}
Expand Down Expand Up @@ -483,11 +485,11 @@ func (r *Reconciler) ensureSecretForProvisionedNamespaces(ctx context.Context, m
return nil
}

func (r *Reconciler) generateKubeConfig(subSpaceTargetCluster cluster.Cluster, namespace string) (*api.Config, error) {
func (r *Reconciler) generateKubeConfig(subSpaceTargetCluster cluster.Cluster, namespace, serviceAccountName string) (*api.Config, error) {
// create a token request for the admin service account
token, err := restclient.CreateTokenRequest(subSpaceTargetCluster.RESTClient, types.NamespacedName{
Namespace: namespace,
Name: toolchainv1alpha1.AdminServiceAccountName,
Name: serviceAccountName,
}, TokenRequestExpirationSeconds)
if err != nil {
return nil, err
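Review bot: In the Reconcile hunk, `tier.Spec.SpaceRequestConfig.ServiceAccountName` is handed to `ensureSecretForProvisionedNamespaces` with no check that it is non-empty, so a tier whose `spaceRequestConfig` block exists but carries a blank name reaches `restclient.CreateTokenRequest` in `generateKubeConfig` with an empty `Name` and fails the reconcile with an opaque API error instead of a clear validation failure. `validateNSTemplateTier` already rejects a blank tierName and is the consistent place for this, e.g. after the Get succeeds: `if tier.Spec.SpaceRequestConfig != nil && tier.Spec.SpaceRequestConfig.ServiceAccountName == "" { return fmt.Errorf("spaceRequestConfig.serviceAccountName cannot be blank for tier %q", tierName), *tier }`. Because the minted token now targets whichever account the tier names rather than a fixed admin account, the comment in the last hunk, `// create a token request for the admin service account`, is stale and should read `// create a token request for the service account named by the tier's spaceRequestConfig`. Note that `validateNSTemplateTier` returns the tier by value and `ensureSpace` then takes `&tier` of a local copy; returning `*toolchainv1alpha1.NSTemplateTier` directly (nil on error) would avoid the copy and keep nil/non-nil as the single signal the caller checks. Reconcile, ensureSecretForProvisionedNamespaces and generateKubeConfig all continue outside their hunks.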
2 changes: 1 addition & 1 deletion deploy/templates/nstemplatetiers/appstudio-env/ns_env.yaml
Expand Up @@ -25,7 +25,7 @@ objects:
kind: ServiceAccount
metadata:
namespace: ${SPACE_NAME}-env
name: namespace-manager
name: ${SERVICE_ACCOUNT_NAME}

- apiVersion: rbac.authorization.k8s.io/v1
kind: Role
3 changes: 3 additions & 0 deletions deploy/templates/nstemplatetiers/appstudio-env/tier.yaml
Expand Up @@ -20,10 +20,13 @@ objects:
templateRef: ${MAINTAINER_TEMPL_REF}
contributor:
templateRef: ${CONTRIBUTOR_TEMPL_REF}
spaceRequestConfig:
serviceAccountName: ${SERVICE_ACCOUNT_NAME}
parameters:
- name: NAMESPACE
- name: CLUSTER_TEMPL_REF
- name: ENV_TEMPL_REF
- name: ADMIN_TEMPL_REF
- name: MAINTAINER_TEMPL_REF
- name: CONTRIBUTOR_TEMPL_REF
- name: SERVICE_ACCOUNT_NAME
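Review bot: `SERVICE_ACCOUNT_NAME` is now consumed in two separate templates — here as `spaceRequestConfig.serviceAccountName` and in ns_env.yaml as the ServiceAccount's `metadata.name` — and nothing in these files ties the two substitutions together. If the tier template and the namespace template are processed with different parameter sets, the tier would advertise one account name while the namespace gets another, and the token request in the controller would be issued for an account that does not exist in the sub-space namespace; this is inferred from the templates alone, so confirm the same value is supplied to both. The parameter is declared without a `value:`, like the other parameters, so it is presumably required; if a default is wanted, `namespace-manager` (the literal ns_env.yaml used before this change) would keep existing deployments unchanged, and a comment above the `spaceRequestConfig` block naming the ns_env.yaml dependency would help the next person who edits one without the other.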
15 changes: 13 additions & 2 deletions go.mod
@@ -1,8 +1,8 @@
module github.com/codeready-toolchain/host-operator

require (
github.com/codeready-toolchain/api v0.0.0-20230918195153-739e8fb09a33
github.com/codeready-toolchain/toolchain-common v0.0.0-20231017151548-4fd4e48ab6b7
github.com/codeready-toolchain/api v0.0.0-20231017113033-acdc61b014c8
github.com/codeready-toolchain/toolchain-common v0.0.0-20231010071648-0735f55e8eb2
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/ghodss/yaml v1.0.0
github.com/go-bindata/go-bindata v3.1.2+incompatible
Expand Down Expand Up @@ -55,11 +55,13 @@ require (
github.com/emicklei/go-restful/v3 v3.8.0 // indirect
github.com/evanphx/json-patch v5.6.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
github.com/fatih/color v1.12.0 // indirect
github.com/fsnotify/fsnotify v1.5.4 // indirect
github.com/go-logr/zapr v1.2.3 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.19.5 // indirect
github.com/go-openapi/swag v0.19.14 // indirect
github.com/gobuffalo/flect v0.2.5 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
Expand All @@ -73,9 +75,12 @@ require (
github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 // indirect
github.com/huandu/xstrings v1.3.1 // indirect
github.com/imdario/mergo v0.3.12 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/mailru/easyjson v0.7.6 // indirect
github.com/mattn/go-colorable v0.1.8 // indirect
github.com/mattn/go-isatty v0.0.12 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
github.com/migueleliasweb/go-github-mock v0.0.18 // indirect
github.com/mitchellh/copystructure v1.0.0 // indirect
Expand All @@ -89,25 +94,31 @@ require (
github.com/prometheus/procfs v0.7.3 // indirect
github.com/segmentio/backo-go v1.0.0 // indirect
github.com/shopspring/decimal v1.2.0 // indirect
github.com/spf13/cobra v1.4.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
go.uber.org/atomic v1.7.0 // indirect
go.uber.org/multierr v1.6.0 // indirect
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/mod v0.8.0 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/oauth2 v0.7.0 // indirect
golang.org/x/sys v0.13.0 // indirect
golang.org/x/term v0.13.0 // indirect
golang.org/x/text v0.13.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.6.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.28.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/code-generator v0.25.0 // indirect
k8s.io/component-base v0.25.0 // indirect
k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 // indirect
k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
k8s.io/kubectl v0.24.0 // indirect
k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
sigs.k8s.io/controller-tools v0.10.0 // indirect
sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.3.0 // indirect
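Review bot: The `toolchain-common` requirement appears to move from `v0.0.0-20231017151548-4fd4e48ab6b7` to `v0.0.0-20231010071648-0735f55e8eb2`, an older pseudo-version, while `api` moves forward; if the old-then-new order on this page is as rendered, that is a downgrade rather than a bump and should be checked against the toolchain-common commit this change actually needs. The section also introduces a number of new indirect requirements (`github.com/spf13/cobra`, `sigs.k8s.io/controller-tools`, `k8s.io/kubectl`, `k8s.io/code-generator`, among others) for a change that edits one controller file, which suggests go.mod was regenerated from a different tooling state; running `go mod tidy` on a clean checkout would show which of them the module genuinely requires.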
