Delete clusterRole *aggregate* when RolloutManager is deleted

argoproj-labs · Aug 27, 2024 · d2c28c7 · d2c28c7
1 parent a96aa79
commit d2c28c7
Show file tree

Hide file tree

Showing 3 changed files with 109 additions and 0 deletions.
diff --git a/controllers/resources.go b/controllers/resources.go
@@ -339,6 +339,37 @@ func (r *RolloutManagerReconciler) removeClusterScopedResourcesIfApplicable(ctx
 		}
 	}
 
+	// List of ClusterRoles '*aggregate*' to delete
+	clusterRoles := []string{
+		"argo-rollouts-aggregate-to-admin",
+		"argo-rollouts-aggregate-to-edit",
+		"argo-rollouts-aggregate-to-view",
+	}
+
+	// Iterate over each ClusterRole '*aggregate*' and delete if it exists
+	for _, roleName := range clusterRoles {
+		clusterRole := &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: roleName,
+			},
+		}
+		if err := r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole); err != nil {
+			if !apierrors.IsNotFound(err) {
+				log.Error(err, "error on retrieving ClusterRole", "name", roleName)
+				return err
+			}
+			// ClusterRole '*aggregate*' doesn't exist, which is the desired state.
+		} else {
+			// ClusterRole '*aggregate*' does exist, so delete it.
+			log.Info("deleting ClusterRole", "name", roleName)
+			if err := r.Client.Delete(ctx, clusterRole); err != nil {
+				if !apierrors.IsNotFound(err) {
+					return err
+				}
+			}
+		}
+	}
+
 	clusterRoleBinding := &rbacv1.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: DefaultArgoRolloutsResourceName,

diff --git a/controllers/resources_test.go b/controllers/resources_test.go
@@ -202,6 +202,28 @@ var _ = Describe("Resource creation and cleanup tests", func() {
 			}
 			Expect(r.Client.Create(ctx, clusterRoleBinding)).To(Succeed())
 
+			By("creating '*aggregate* clusterRoles")
+			clusterRoleAdmin := &rbacv1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "argo-rollouts-aggregate-to-admin",
+				},
+			}
+			Expect(r.Client.Create(ctx, clusterRoleAdmin)).To(Succeed())
+
+			clusterRoleEdit := &rbacv1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "argo-rollouts-aggregate-to-edit",
+				},
+			}
+			Expect(r.Client.Create(ctx, clusterRoleEdit)).To(Succeed())
+
+			clusterRoleView := &rbacv1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "argo-rollouts-aggregate-to-view",
+				},
+			}
+			Expect(r.Client.Create(ctx, clusterRoleView)).To(Succeed())
+
 			By("creating default cluster-scoped ClusterRole/ClusterRoleBinding with a different name. These should not be deleted")
 
 			unrelatedRole := &rbacv1.ClusterRole{
@@ -229,6 +251,13 @@ var _ = Describe("Resource creation and cleanup tests", func() {
 				"Unrelated ClusterRole should not have been deleted")
 			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(unrelatedRoleBinding), unrelatedRoleBinding)).To(Succeed(), "Unrelated ClusterRoleBinding should not have been deleted")
 
+			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRoleAdmin), clusterRoleAdmin)).ToNot(Succeed(),
+				"ClusterRole should have been deleted")
+			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRoleEdit), clusterRoleEdit)).ToNot(Succeed(),
+				"ClusterRole should have been deleted")
+			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRoleView), clusterRoleView)).ToNot(Succeed(),
+				"ClusterRole should have been deleted")
+
 			Expect(r.removeClusterScopedResourcesIfApplicable(ctx)).To(Succeed(), "calling the function again should not return an error")
 
 		})

diff --git a/tests/e2e/cluster-scoped/cluster_scoped_rollouts_test.go b/tests/e2e/cluster-scoped/cluster_scoped_rollouts_test.go
@@ -18,6 +18,7 @@ import (
 	controllers "github.com/argoproj-labs/argo-rollouts-manager/controllers"
 
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -324,5 +325,53 @@ var _ = Describe("Cluster-scoped RolloutManager tests", func() {
 			By("2nd RM: Verify that Status.Condition is having success condition.")
 			Eventually(rolloutsManagerCl2, "1m", "1s").Should(rmFixture.HaveSuccessCondition())
 		})
+
+		It("Verify that deleting the RolloutManager should delete the '*aggregate*' ", func() {
+			rolloutsManagerCl, err := utils.CreateRolloutManager(ctx, k8sClient, "test-rollouts-manager-1", fixture.TestE2ENamespace, false)
+			Expect(err).ToNot(HaveOccurred())
+
+			By("Verify that RolloutManager is successfully created.")
+			Eventually(rolloutsManagerCl, "1m", "1s").Should(rmFixture.HavePhase(rmv1alpha1.PhaseAvailable))
+
+			By("Verify clusterRole '*aggregate*' is created")
+			clusterRoleAdmin := &rbacv1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "argo-rollouts-aggregate-to-admin",
+				},
+			}
+
+			clusterRoleEdit := &rbacv1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "argo-rollouts-aggregate-to-edit",
+				},
+			}
+
+			clusterRoleView := &rbacv1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "argo-rollouts-aggregate-to-view",
+				},
+			}
+
+			Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(clusterRoleAdmin), clusterRoleView)).To(Succeed())
+			Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(clusterRoleEdit), clusterRoleView)).To(Succeed())
+			Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(clusterRoleView), clusterRoleView)).To(Succeed())
+
+			By("Delete RolloutManager")
+			Expect(k8sClient.Delete(ctx, &rolloutsManagerCl)).To(Succeed())
+
+			By("Verify clusterRole '*aggregate*' is deleted")
+			Eventually(func() error {
+				return k8sClient.Get(ctx, client.ObjectKeyFromObject(clusterRoleAdmin), clusterRoleView)
+			}, "1m", "1s").ShouldNot(Succeed())
+
+			Eventually(func() error {
+				return k8sClient.Get(ctx, client.ObjectKeyFromObject(clusterRoleView), clusterRoleView)
+			}, "1m", "1s").ShouldNot(Succeed())
+
+			Eventually(func() error {
+				return k8sClient.Get(ctx, client.ObjectKeyFromObject(clusterRoleEdit), clusterRoleView)
+			}, "1m", "1s").ShouldNot(Succeed())
+
+		})
 	})
 })