Unproject workloads no longer targeted by a ServiceBinding (#348)

When a previously bound workload is no longer targeted by a ServiceBinding it is now unprojected. Previously, the projection was orphaned as the controller only managed workload matching the reference on the ServiceBinding resource. This could happen for a few different reasons: - the name of the referenced workload was updated on the ServiceBinding - the label selector matching the workload was updated on the ServiceBinding - the labels on the workload were updated to no longer match the selector on the ServiceBinding. In order to find previously bound workloads, we now list all resources matching the workload refs GVK in the namespace. That list is filtered to resources that are currently projected, or match the new criteria. All matching workloads are unprojected, but only resources matching the current ref are re-projected. To avoid a much larger search area, the workloadRef apiVersion and kind fields are now immutable. Users who need to update either of these values will need to delete the ServiceBinding and create a new resource with the desired values. Signed-off-by: Scott Andrews <[email protected]>
servicebinding · Oct 14, 2023 · a964673 · a964673
1 parent d12e4ec
commit a964673
Show file tree

Hide file tree

Showing 15 changed files with 759 additions and 163 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -342,7 +342,7 @@ jobs:
       uses: actions/checkout@v4
       with:
         repository: servicebinding/conformance.git
-        ref: v0.3.1
+        ref: v0.3.2
         fetch-depth: 1
         path: conformance-tests
 

diff --git a/apis/v1beta1/servicebinding_test.go b/apis/v1beta1/servicebinding_test.go
@@ -20,7 +20,9 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
@@ -273,3 +275,166 @@ func TestServiceBindingValidate(t *testing.T) {
 		})
 	}
 }
+
+func TestServiceBindingValidate_Immutable(t *testing.T) {
+	tests := []struct {
+		name     string
+		seed     *ServiceBinding
+		old      runtime.Object
+		expected field.ErrorList
+	}{
+		{
+			name: "allow update workload name",
+			seed: &ServiceBinding{
+				Spec: ServiceBindingSpec{
+					Name: "my-binding",
+					Service: ServiceBindingServiceReference{
+						APIVersion: "v1",
+						Kind:       "Secret",
+						Name:       "my-service",
+					},
+					Workload: ServiceBindingWorkloadReference{
+						APIVersion: "apps/v1",
+						Kind:       "Deloyment",
+						Name:       "new-workload",
+					},
+				},
+			},
+			old: &ServiceBinding{
+				Spec: ServiceBindingSpec{
+					Name: "my-binding",
+					Service: ServiceBindingServiceReference{
+						APIVersion: "v1",
+						Kind:       "Secret",
+						Name:       "my-service",
+					},
+					Workload: ServiceBindingWorkloadReference{
+						APIVersion: "apps/v1",
+						Kind:       "Deloyment",
+						Name:       "old-workload",
+					},
+				},
+			},
+			expected: field.ErrorList{},
+		},
+		{
+			name: "reject update workload apiVersion",
+			seed: &ServiceBinding{
+				Spec: ServiceBindingSpec{
+					Name: "my-binding",
+					Service: ServiceBindingServiceReference{
+						APIVersion: "v1",
+						Kind:       "Secret",
+						Name:       "my-service",
+					},
+					Workload: ServiceBindingWorkloadReference{
+						APIVersion: "apps/v1",
+						Kind:       "Deloyment",
+						Name:       "my-workload",
+					},
+				},
+			},
+			old: &ServiceBinding{
+				Spec: ServiceBindingSpec{
+					Name: "my-binding",
+					Service: ServiceBindingServiceReference{
+						APIVersion: "v1",
+						Kind:       "Secret",
+						Name:       "my-service",
+					},
+					Workload: ServiceBindingWorkloadReference{
+						APIVersion: "extensions/v1beta1",
+						Kind:       "Deloyment",
+						Name:       "my-workload",
+					},
+				},
+			},
+			expected: field.ErrorList{
+				{
+					Type:     field.ErrorTypeForbidden,
+					Field:    "spec.workload.apiVersion",
+					Detail:   "Workload apiVersion is immutable. Delete and recreate the ServiceBinding to update.",
+					BadValue: "",
+				},
+			},
+		},
+		{
+			name: "reject update workload kind",
+			seed: &ServiceBinding{
+				Spec: ServiceBindingSpec{
+					Name: "my-binding",
+					Service: ServiceBindingServiceReference{
+						APIVersion: "v1",
+						Kind:       "Secret",
+						Name:       "my-service",
+					},
+					Workload: ServiceBindingWorkloadReference{
+						APIVersion: "apps/v1",
+						Kind:       "Deloyment",
+						Name:       "my-workload",
+					},
+				},
+			},
+			old: &ServiceBinding{
+				Spec: ServiceBindingSpec{
+					Name: "my-binding",
+					Service: ServiceBindingServiceReference{
+						APIVersion: "v1",
+						Kind:       "Secret",
+						Name:       "my-service",
+					},
+					Workload: ServiceBindingWorkloadReference{
+						APIVersion: "apps/v1",
+						Kind:       "StatefulSet",
+						Name:       "my-workload",
+					},
+				},
+			},
+			expected: field.ErrorList{
+				{
+					Type:     field.ErrorTypeForbidden,
+					Field:    "spec.workload.kind",
+					Detail:   "Workload kind is immutable. Delete and recreate the ServiceBinding to update.",
+					BadValue: "",
+				},
+			},
+		},
+		{
+			name: "unkonwn old object",
+			seed: &ServiceBinding{
+				Spec: ServiceBindingSpec{
+					Name: "my-binding",
+					Service: ServiceBindingServiceReference{
+						APIVersion: "v1",
+						Kind:       "Secret",
+						Name:       "my-service",
+					},
+					Workload: ServiceBindingWorkloadReference{
+						APIVersion: "apps/v1",
+						Kind:       "Deloyment",
+						Name:       "new-workload",
+					},
+				},
+			},
+			old: &corev1.Pod{},
+			expected: field.ErrorList{
+				{
+					Type:   field.ErrorTypeInternal,
+					Field:  "<nil>",
+					Detail: "old object must be of type v1beta1.ServiceBinding",
+				},
+			},
+		},
+	}
+
+	for _, c := range tests {
+		t.Run(c.name, func(t *testing.T) {
+			expectedErr := c.expected.ToAggregate()
+
+			_, actualUpdateErr := c.seed.ValidateUpdate(c.old)
+			if diff := cmp.Diff(expectedErr, actualUpdateErr); diff != "" {
+				t.Errorf("ValidateCreate (-expected, +actual): %s", diff)
+			}
+		})
+	}
+}
diff --git a/apis/v1beta1/servicebinding_webhook.go b/apis/v1beta1/servicebinding_webhook.go
@@ -17,10 +17,13 @@ limitations under the License.
 package v1beta1
 
 import (
+	"fmt"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/conversion"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
@@ -52,9 +55,41 @@ func (r *ServiceBinding) ValidateCreate() (admission.Warnings, error) {
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (r *ServiceBinding) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
-	// TODO(user): check for immutable fields, if any
 	r.Default()
-	return nil, r.validate().ToAggregate()
+
+	errs := field.ErrorList{}
+
+	// check immutable fields
+	var ro *ServiceBinding
+	if o, ok := old.(*ServiceBinding); ok {
+		ro = o
+	} else if o, ok := old.(conversion.Convertible); ok {
+		ro = &ServiceBinding{}
+		if err := o.ConvertTo(ro); err != nil {
+			return nil, err
+		}
+	} else {
+		errs = append(errs,
+			field.InternalError(nil, fmt.Errorf("old object must be of type v1beta1.ServiceBinding")),
+		)
+	}
+	if len(errs) == 0 {
+		if r.Spec.Workload.APIVersion != ro.Spec.Workload.APIVersion {
+			errs = append(errs,
+				field.Forbidden(field.NewPath("spec", "workload", "apiVersion"), "Workload apiVersion is immutable. Delete and recreate the ServiceBinding to update."),
+			)
+		}
+		if r.Spec.Workload.Kind != ro.Spec.Workload.Kind {
+			errs = append(errs,
+				field.Forbidden(field.NewPath("spec", "workload", "kind"), "Workload kind is immutable. Delete and recreate the ServiceBinding to update."),
+			)
+		}
+	}
+
+	// validate new object
+	errs = append(errs, r.validate()...)
+
+	return nil, errs.ToAggregate()
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type

diff --git a/controllers/servicebinding_controller.go b/controllers/servicebinding_controller.go
@@ -22,10 +22,12 @@ import (
 
 	"github.com/vmware-labs/reconciler-runtime/apis"
 	"github.com/vmware-labs/reconciler-runtime/reconcilers"
-	corev1 "k8s.io/api/core/v1"
+	"github.com/vmware-labs/reconciler-runtime/tracker"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	ctlr "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
@@ -63,13 +65,7 @@ func ResolveBindingSecret(hooks lifecycle.ServiceBindingHooks) reconcilers.SubRe
 		Sync: func(ctx context.Context, resource *servicebindingv1beta1.ServiceBinding) error {
 			c := reconcilers.RetrieveConfigOrDie(ctx)
 
-			ref := corev1.ObjectReference{
-				APIVersion: resource.Spec.Service.APIVersion,
-				Kind:       resource.Spec.Service.Kind,
-				Namespace:  resource.Namespace,
-				Name:       resource.Spec.Service.Name,
-			}
-			secretName, err := hooks.GetResolver(TrackingClient(c)).LookupBindingSecret(ctx, ref)
+			secretName, err := hooks.GetResolver(TrackingClient(c)).LookupBindingSecret(ctx, resource)
 			if err != nil {
 				if apierrs.IsNotFound(err) {
 					// leave Unknown, the provisioned service may be created shortly
@@ -122,20 +118,26 @@ func ResolveWorkloads(hooks lifecycle.ServiceBindingHooks) reconcilers.SubReconc
 		SyncWithResult: func(ctx context.Context, resource *servicebindingv1beta1.ServiceBinding) (reconcile.Result, error) {
 			c := reconcilers.RetrieveConfigOrDie(ctx)
 
-			ref := corev1.ObjectReference{
-				APIVersion: resource.Spec.Workload.APIVersion,
-				Kind:       resource.Spec.Workload.Kind,
-				Namespace:  resource.Namespace,
-				Name:       resource.Spec.Workload.Name,
+			trackingRef := tracker.Reference{
+				APIGroup:  schema.FromAPIVersionAndKind(resource.Spec.Workload.APIVersion, "").Group,
+				Kind:      resource.Spec.Workload.Kind,
+				Namespace: resource.Namespace,
 			}
-			workloads, err := hooks.GetResolver(TrackingClient(c)).LookupWorkloads(ctx, ref, resource.Spec.Workload.Selector)
-			if err != nil {
-				if apierrs.IsNotFound(err) {
-					// leave Unknown, the workload may be created shortly
-					resource.GetConditionManager().MarkUnknown(servicebindingv1beta1.ServiceBindingConditionWorkloadProjected, "WorkloadNotFound", "the workload was not found")
-					// TODO use track rather than requeue
-					return reconcile.Result{Requeue: true}, nil
+			if resource.Spec.Workload.Name != "" {
+				trackingRef.Name = resource.Spec.Workload.Name
+			}
+			if resource.Spec.Workload.Selector != nil {
+				selector, err := metav1.LabelSelectorAsSelector(resource.Spec.Workload.Selector)
+				if err != nil {
+					// should never get here
+					return reconcile.Result{}, err
 				}
+				trackingRef.Selector = selector
+			}
+			c.Tracker.TrackReference(trackingRef, resource)
+
+			workloads, err := hooks.GetResolver(c).LookupWorkloads(ctx, resource)
+			if err != nil {
 				if apierrs.IsForbidden(err) {
 					// set False, the operator needs to give access to the resource
 					// see https://servicebinding.io/spec/core/1.0.0/#considerations-for-role-based-access-control-rbac-1
@@ -144,12 +146,24 @@ func ResolveWorkloads(hooks lifecycle.ServiceBindingHooks) reconcilers.SubReconc
 					} else {
 						resource.GetConditionManager().MarkFalse(servicebindingv1beta1.ServiceBindingConditionWorkloadProjected, "WorkloadForbidden", "the controller does not have permission to get the workload")
 					}
-					// TODO use track rather than requeue
-					return reconcile.Result{Requeue: true}, nil
+					return reconcile.Result{}, nil
 				}
 				// TODO handle other err cases
 				return reconcile.Result{}, err
 			}
+			if resource.Spec.Workload.Name != "" {
+				found := false
+				for _, workload := range workloads {
+					if workload.(metav1.Object).GetName() == resource.Spec.Workload.Name {
+						found = true
+						break
+					}
+				}
+				if !found {
+					// leave Unknown, the workload may be created shortly
+					resource.GetConditionManager().MarkUnknown(servicebindingv1beta1.ServiceBindingConditionWorkloadProjected, "WorkloadNotFound", "the workload was not found")
+				}
+			}
 
 			StashWorkloads(ctx, workloads)