Handle reconciliation annotation during conversion

simo5 · enj · commit 33c4fc3243a8 · 2017-08-16T22:38:18.000-04:00
Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/pkg/authorization/apis/authorization/conversion.go b/pkg/authorization/apis/authorization/conversion.go
@@ -12,6 +12,10 @@ import (
 	"github.com/openshift/origin/pkg/user/apis/user/validation"
 )
 
+// reconcileProtectAnnotation is the name of an annotation which prevents reconciliation if set to "true"
+// can't use this const in pkg/oc/admin/policy because of import cycle
+const reconcileProtectAnnotation = "openshift.io/reconcile-protect"
+
 func addConversionFuncs(scheme *runtime.Scheme) error {
 	if err := scheme.AddConversionFuncs(
 		Convert_authorization_ClusterRole_To_rbac_ClusterRole,
@@ -30,6 +34,7 @@ func addConversionFuncs(scheme *runtime.Scheme) error {
 
 func Convert_authorization_ClusterRole_To_rbac_ClusterRole(in *ClusterRole, out *rbac.ClusterRole, _ conversion.Scope) error {
 	out.ObjectMeta = in.ObjectMeta
+	out.Annotations = convert_authorization_Annotations_To_rbac_Annotations(in.Annotations)
 	out.Rules = convert_api_PolicyRules_To_rbac_PolicyRules(in.Rules)
 	return nil
 }
@@ -154,6 +159,7 @@ func getRBACRoleRefKind(namespace string) string {
 
 func Convert_rbac_ClusterRole_To_authorization_ClusterRole(in *rbac.ClusterRole, out *ClusterRole, _ conversion.Scope) error {
 	out.ObjectMeta = in.ObjectMeta
+	out.Annotations = convert_rbac_Annotations_To_authorization_Annotations(in.Annotations)
 	out.Rules = Convert_rbac_PolicyRules_To_authorization_PolicyRules(in.Rules)
 	return nil
 }
@@ -241,3 +247,41 @@ func Convert_rbac_PolicyRules_To_authorization_PolicyRules(in []rbac.PolicyRule)
 	}
 	return rules
 }
+
+func copyMapExcept(in map[string]string, except string) map[string]string {
+	out := map[string]string{}
+	for k, v := range in {
+		if k != except {
+			out[k] = v
+		}
+	}
+	return out
+}
+
+var stringBool = sets.NewString("true", "false")
+
+func convert_authorization_Annotations_To_rbac_Annotations(in map[string]string) map[string]string {
+	if value, ok := in[reconcileProtectAnnotation]; ok && stringBool.Has(value) {
+		out := copyMapExcept(in, reconcileProtectAnnotation)
+		if value == "true" {
+			out[rbac.AutoUpdateAnnotationKey] = "false"
+		} else {
+			out[rbac.AutoUpdateAnnotationKey] = "true"
+		}
+		return out
+	}
+	return in
+}
+
+func convert_rbac_Annotations_To_authorization_Annotations(in map[string]string) map[string]string {
+	if value, ok := in[rbac.AutoUpdateAnnotationKey]; ok && stringBool.Has(value) {
+		out := copyMapExcept(in, rbac.AutoUpdateAnnotationKey)
+		if value == "true" {
+			out[reconcileProtectAnnotation] = "false"
+		} else {
+			out[reconcileProtectAnnotation] = "true"
+		}
+		return out
+	}
+	return in
+}
diff --git a/pkg/authorization/apis/authorization/conversion_test.go b/pkg/authorization/apis/authorization/conversion_test.go
@@ -295,6 +295,58 @@ func TestResourceAndNonResourceRuleSplit(t *testing.T) {
 	}
 }
 
+func TestAnnotationsConversion(t *testing.T) {
+	for _, boolval := range []string{"true", "false"} {
+		ocr := &authorizationapi.ClusterRole{
+			Rules: []authorizationapi.PolicyRule{},
+		}
+		ocr.Annotations = map[string]string{"openshift.io/reconcile-protect": boolval}
+		ocr2 := &authorizationapi.ClusterRole{}
+		crcr := &rbac.ClusterRole{}
+		if err := authorizationapi.Convert_authorization_ClusterRole_To_rbac_ClusterRole(ocr, crcr, nil); err != nil {
+			t.Fatal(err)
+		}
+		value, ok := crcr.Annotations[rbac.AutoUpdateAnnotationKey]
+		if ok {
+			if (boolval == "true" && value != "false") || (boolval == "false" && value != "true") {
+				t.Fatal(fmt.Errorf("Wrong conversion value, 'true' instead of 'false'"))
+			}
+		} else {
+			t.Fatal(fmt.Errorf("Missing converted Annotation"))
+		}
+		if err := authorizationapi.Convert_rbac_ClusterRole_To_authorization_ClusterRole(crcr, ocr2, nil); err != nil {
+			t.Fatal(err)
+		}
+		if !reflect.DeepEqual(ocr, ocr2) {
+			t.Errorf("origin cluster data not preserved; the diff is %s", diff.ObjectDiff(ocr, ocr2))
+		}
+
+		rcr := &rbac.ClusterRole{
+			Rules: []rbac.PolicyRule{},
+		}
+		rcr.Annotations = map[string]string{rbac.AutoUpdateAnnotationKey: boolval}
+		rcr2 := &rbac.ClusterRole{}
+		cocr := &authorizationapi.ClusterRole{}
+		if err := authorizationapi.Convert_rbac_ClusterRole_To_authorization_ClusterRole(rcr, cocr, nil); err != nil {
+			t.Fatal(err)
+		}
+		value, ok = cocr.Annotations["openshift.io/reconcile-protect"]
+		if ok {
+			if (boolval == "true" && value != "false") || (boolval == "false" && value != "true") {
+				t.Fatal(fmt.Errorf("Wrong conversion value, 'true' instead of 'false'"))
+			}
+		} else {
+			t.Fatal(fmt.Errorf("Missing converted Annotation"))
+		}
+		if err := authorizationapi.Convert_authorization_ClusterRole_To_rbac_ClusterRole(cocr, rcr2, nil); err != nil {
+			t.Fatal(err)
+		}
+		if !reflect.DeepEqual(rcr, rcr2) {
+			t.Errorf("rbac cluster data not preserved; the diff is %s", diff.ObjectDiff(rcr, rcr2))
+		}
+	}
+}
+
 var fuzzer = fuzz.New().NilChance(0).Funcs(
 	func(*metav1.TypeMeta, fuzz.Continue) {}, // Ignore TypeMeta
 	func(*runtime.Object, fuzz.Continue) {},  // Ignore AttributeRestrictions since they are deprecated
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
