Fix empty subject attempt #2 (#71)

fxiang1 · web-flow · commit 3267edb4c7fe · 2025-10-03T17:09:41.000Z
* Fix empty subject attempt #2 Signed-off-by: fxiang1 <fxiang@redhat.com> * Switch to new builder image Signed-off-by: fxiang1 <fxiang@redhat.com> * Use Go 1.24 image Signed-off-by: fxiang1 <fxiang@redhat.com> * Try with Go 1.23 Signed-off-by: fxiang1 <fxiang@redhat.com> * Bump workflow Go version Signed-off-by: fxiang1 <fxiang@redhat.com> * Bump ubi image Signed-off-by: fxiang1 <fxiang@redhat.com> --------- Signed-off-by: fxiang1 <fxiang@redhat.com>
diff --git a/.github/workflows/go-presubmit.yml b/.github/workflows/go-presubmit.yml
@@ -8,7 +8,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.21'
+  GO_VERSION: '1.23'
   GO_REQUIRED_MIN_VERSION: ''
   GOPATH: '/home/runner/work/cluster-permission/cluster-permission/go'
 defaults:
diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,10 @@
-FROM registry.ci.openshift.org/stolostron/builder:go1.21-linux AS builder
+FROM registry.ci.openshift.org/stolostron/builder:go1.23-linux AS builder
 
 WORKDIR /go/src/github.com/open-cluster-management-io/cluster-permission
 COPY . .
 RUN make -f Makefile build
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
 RUN microdnf update && \
      microdnf clean all
diff --git a/Dockerfile.rhtap b/Dockerfile.rhtap
@@ -1,12 +1,12 @@
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.21 AS plugin-builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.23 AS plugin-builder
 
 WORKDIR /go/src/github.com/open-cluster-management-io/cluster-permission
 COPY . .
 RUN rm -fr vendor && \
         go mod vendor && \
         make -f Makefile build
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
 RUN microdnf update && \
      microdnf clean all
diff --git a/api/v1alpha1/clusterpermission_types.go b/api/v1alpha1/clusterpermission_types.go
@@ -73,7 +73,7 @@ type ClusterRoleBinding struct {
 	// Besides the typical subject for a binding, a ManagedServiceAccount can be used as a subject as well.
 	// If both subject and subjects exist then only subjects will be used.
 	// +optional
-	Subject rbacv1.Subject `json:"subject,omitempty"`
+	Subject *rbacv1.Subject `json:"subject,omitempty"`
 
 	// Subjects contains an array of references to objects or user identities a ClusterPermission binding applies to.
 	// Besides the typical subject for a binding, a ManagedServiceAccount can be used as a subject as well.
@@ -112,13 +112,13 @@ type RoleBinding struct {
 	// Besides the typical subject for a binding, a ManagedServiceAccount can be used as a subject as well.
 	// If both subject and subjects exist then only subjects will be used.
 	// +optional
-	rbacv1.Subject `json:"subject"`
+	*rbacv1.Subject `json:"subject,omitempty"`
 
 	// Subjects contains an array of references to objects or user identities a ClusterPermission binding applies to.
 	// Besides the typical subject for a binding, a ManagedServiceAccount can be used as a subject as well.
 	// If both subject and subjects exist then only subjects will be used.
 	// +optional
-	Subjects []rbacv1.Subject `json:"subjects"`
+	Subjects []rbacv1.Subject `json:"subjects,omitempty"`
 
 	// RoleRef contains information that points to the role being used
 	// +required
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/controllers/clusterpermission_controller.go b/controllers/clusterpermission_controller.go
@@ -283,12 +283,15 @@ func (r *ClusterPermissionReconciler) validateSubject(ctx context.Context, subje
 	return nil
 }
 
-func getSubjects(subject rbacv1.Subject, subjects []rbacv1.Subject) []rbacv1.Subject {
+func getSubjects(subject *rbacv1.Subject, subjects []rbacv1.Subject) []rbacv1.Subject {
 	if len(subjects) > 0 {
 		return subjects
 	} else {
 		// should be safe since one of them has to exist due to CRD validation
-		return []rbacv1.Subject{subject}
+		if subject == nil {
+			return []rbacv1.Subject{}
+		}
+		return []rbacv1.Subject{*subject}
 	}
 }
 
@@ -739,7 +742,7 @@ func (r *ClusterPermissionReconciler) clusterPermissionUsesManagedServiceAccount
 		if r.subjectIsManagedServiceAccount(cp.Spec.ClusterRoleBinding.Subject) {
 			return true
 		}
-		if slices.ContainsFunc(cp.Spec.ClusterRoleBinding.Subjects, r.subjectIsManagedServiceAccount) {
+		if slices.ContainsFunc(cp.Spec.ClusterRoleBinding.Subjects, r.subjectIsManagedServiceAccountByValue) {
 			return true
 		}
 	}
@@ -750,7 +753,7 @@ func (r *ClusterPermissionReconciler) clusterPermissionUsesManagedServiceAccount
 			if r.subjectIsManagedServiceAccount(crb.Subject) {
 				return true
 			}
-			if slices.ContainsFunc(crb.Subjects, r.subjectIsManagedServiceAccount) {
+			if slices.ContainsFunc(crb.Subjects, r.subjectIsManagedServiceAccountByValue) {
 				return true
 			}
 		}
@@ -762,7 +765,7 @@ func (r *ClusterPermissionReconciler) clusterPermissionUsesManagedServiceAccount
 			if r.subjectIsManagedServiceAccount(rb.Subject) {
 				return true
 			}
-			if slices.ContainsFunc(rb.Subjects, r.subjectIsManagedServiceAccount) {
+			if slices.ContainsFunc(rb.Subjects, r.subjectIsManagedServiceAccountByValue) {
 				return true
 			}
 		}
@@ -772,6 +775,14 @@ func (r *ClusterPermissionReconciler) clusterPermissionUsesManagedServiceAccount
 }
 
 // subjectIsManagedServiceAccount checks if a subject is a ManagedServiceAccount
-func (r *ClusterPermissionReconciler) subjectIsManagedServiceAccount(subject rbacv1.Subject) bool {
+func (r *ClusterPermissionReconciler) subjectIsManagedServiceAccount(subject *rbacv1.Subject) bool {
+	if subject == nil {
+		return false
+	}
 	return subject.APIGroup == msav1beta1.GroupVersion.Group && subject.Kind == "ManagedServiceAccount"
 }
+
+// subjectIsManagedServiceAccountByValue is a wrapper for use with slices.ContainsFunc
+func (r *ClusterPermissionReconciler) subjectIsManagedServiceAccountByValue(subject rbacv1.Subject) bool {
+	return r.subjectIsManagedServiceAccount(&subject)
+}
diff --git a/controllers/clusterpermission_controller_test.go b/controllers/clusterpermission_controller_test.go
@@ -108,7 +108,7 @@ var _ = Describe("ClusterPermission controller", func() {
 					}},
 					ClusterRoleBinding: &cpv1alpha1.ClusterRoleBinding{
 						Subjects: []rbacv1.Subject{},
-						Subject: rbacv1.Subject{
+						Subject: &rbacv1.Subject{
 							Kind:      "ServiceAccount",
 							Name:      "klusterlet-work-sa",
 							Namespace: "open-cluster-management-agent",
@@ -119,7 +119,7 @@ var _ = Describe("ClusterPermission controller", func() {
 							Namespace: "default",
 							RoleRef:   cpv1alpha1.RoleRef{Kind: "ClusterRole"},
 							Subjects:  []rbacv1.Subject{},
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								Kind:      "ServiceAccount",
 								Name:      "klusterlet-work-sa",
 								Namespace: "open-cluster-management-agent",
@@ -216,7 +216,7 @@ var _ = Describe("ClusterPermission controller", func() {
 					}},
 					ClusterRoleBinding: &cpv1alpha1.ClusterRoleBinding{
 						Subjects: []rbacv1.Subject{},
-						Subject: rbacv1.Subject{
+						Subject: &rbacv1.Subject{
 							APIGroup: "authentication.open-cluster-management.io",
 							Kind:     "ManagedServiceAccount",
 							Name:     msaName,
@@ -227,7 +227,7 @@ var _ = Describe("ClusterPermission controller", func() {
 							Namespace: "default",
 							RoleRef:   cpv1alpha1.RoleRef{Kind: "ClusterRole"},
 							Subjects:  []rbacv1.Subject{},
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								APIGroup: "authentication.open-cluster-management.io",
 								Kind:     "ManagedServiceAccount",
 								Name:     msaName,
@@ -274,7 +274,7 @@ var _ = Describe("ClusterPermission controller", func() {
 							NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"a": "b"}},
 							RoleRef:           cpv1alpha1.RoleRef{Kind: "ClusterRole"},
 							Subjects:          []rbacv1.Subject{},
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								APIGroup: "authentication.open-cluster-management.io",
 								Kind:     "ManagedServiceAccount",
 								Name:     msaName,
@@ -322,7 +322,7 @@ var _ = Describe("ClusterPermission controller", func() {
 								Name:     "argocd-application-controller-1",
 							},
 							Subjects: []rbacv1.Subject{},
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								Namespace: "openshift-gitops",
 								Kind:      "ServiceAccount",
 								Name:      "sa-sample-existing",
@@ -337,7 +337,7 @@ var _ = Describe("ClusterPermission controller", func() {
 								Name:     "argocd-application-controller-2",
 							},
 							Subjects: []rbacv1.Subject{},
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								APIGroup: "rbac.authorization.k8s.io",
 								Kind:     "User",
 								Name:     "user1",
@@ -351,7 +351,7 @@ var _ = Describe("ClusterPermission controller", func() {
 								Name:     "argocd-application-controller-2",
 							},
 							Subjects: []rbacv1.Subject{},
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								APIGroup: "rbac.authorization.k8s.io",
 								Kind:     "User",
 								Name:     "user1",
@@ -366,7 +366,7 @@ var _ = Describe("ClusterPermission controller", func() {
 							Name:     "argocd-application-controller-3",
 						},
 						Subjects: []rbacv1.Subject{},
-						Subject: rbacv1.Subject{
+						Subject: &rbacv1.Subject{
 							APIGroup: "rbac.authorization.k8s.io",
 							Kind:     "Group",
 							Name:     "group1",
@@ -401,7 +401,7 @@ var _ = Describe("ClusterPermission controller", func() {
 								Name:     "argocd-application-controller-1",
 							},
 							Subjects: []rbacv1.Subject{},
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								Kind: "User",
 								Name: "user1",
 							},
@@ -490,7 +490,7 @@ var _ = Describe("ClusterPermission controller", func() {
 					},
 					ClusterRoleBinding: &cpv1alpha1.ClusterRoleBinding{
 						Subjects: []rbacv1.Subject{},
-						Subject: rbacv1.Subject{
+						Subject: &rbacv1.Subject{
 							APIGroup: "authentication.open-cluster-management.io",
 							Kind:     "ManagedServiceAccount",
 							Name:     msaName + "1",
@@ -538,7 +538,7 @@ var _ = Describe("ClusterPermission controller", func() {
 					RoleBindings: &[]cpv1alpha1.RoleBinding{
 						{
 							Subjects: []rbacv1.Subject{},
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								APIGroup: "authentication.open-cluster-management.io",
 								Kind:     "ManagedServiceAccount",
 								Name:     msaName,
@@ -624,7 +624,7 @@ var _ = Describe("ClusterPermission controller", func() {
 								Name: "argocd-application-controller-1",
 							},
 							Subjects: []rbacv1.Subject{},
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								Namespace: "openshift-gitops",
 								Kind:      "ServiceAccount",
 								Name:      "sa-sample-existing",
@@ -652,7 +652,7 @@ var _ = Describe("ClusterPermission controller", func() {
 								Kind:     "ClusterRole",
 							},
 							Subjects: []rbacv1.Subject{},
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								Namespace: "openshift-gitops",
 								Kind:      "ServiceAccount",
 								Name:      "sa-sample-existing",
@@ -665,7 +665,7 @@ var _ = Describe("ClusterPermission controller", func() {
 			Expect(k8sClient.Create(ctx, &clusterPermissionMissingName)).Should(Succeed())
 
 			By("Test getSubjects()")
-			Expect(len(getSubjects(rbacv1.Subject{}, []rbacv1.Subject{
+			Expect(len(getSubjects(&rbacv1.Subject{}, []rbacv1.Subject{
 				{
 					Namespace: "openshift-gitops",
 					Kind:      "ServiceAccount",
@@ -849,7 +849,7 @@ func TestGenerateSubjects(t *testing.T) {
 				Scheme: testscheme,
 			}
 
-			subjects, err := cpr.generateSubjects(context.TODO(), getSubjects(c.subject, c.subjects), c.clusterNamespace)
+			subjects, err := cpr.generateSubjects(context.TODO(), getSubjects(&c.subject, c.subjects), c.clusterNamespace)
 			if err != nil {
 				t.Errorf("generateSubjects() error = %v", err)
 			}
@@ -1345,7 +1345,7 @@ func TestManagedClusterAddOnEventHandler(t *testing.T) {
 					},
 					Spec: cpv1alpha1.ClusterPermissionSpec{
 						ClusterRoleBinding: &cpv1alpha1.ClusterRoleBinding{
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								APIGroup: msav1beta1.GroupVersion.Group,
 								Kind:     "ManagedServiceAccount",
 								Name:     "test-msa",
@@ -1360,7 +1360,7 @@ func TestManagedClusterAddOnEventHandler(t *testing.T) {
 					},
 					Spec: cpv1alpha1.ClusterPermissionSpec{
 						ClusterRoleBinding: &cpv1alpha1.ClusterRoleBinding{
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								Kind:      "ServiceAccount",
 								Name:      "regular-sa",
 								Namespace: "default",
@@ -1377,7 +1377,7 @@ func TestManagedClusterAddOnEventHandler(t *testing.T) {
 						RoleBindings: &[]cpv1alpha1.RoleBinding{
 							{
 								Namespace: "default",
-								Subject: rbacv1.Subject{
+								Subject: &rbacv1.Subject{
 									APIGroup: msav1beta1.GroupVersion.Group,
 									Kind:     "ManagedServiceAccount",
 									Name:     "another-msa",
@@ -1418,7 +1418,7 @@ func TestManagedClusterAddOnEventHandler(t *testing.T) {
 					},
 					Spec: cpv1alpha1.ClusterPermissionSpec{
 						ClusterRoleBinding: &cpv1alpha1.ClusterRoleBinding{
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								Kind:      "ServiceAccount",
 								Name:      "regular-sa",
 								Namespace: "default",
@@ -1433,7 +1433,7 @@ func TestManagedClusterAddOnEventHandler(t *testing.T) {
 					},
 					Spec: cpv1alpha1.ClusterPermissionSpec{
 						ClusterRoleBinding: &cpv1alpha1.ClusterRoleBinding{
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								Kind: "User",
 								Name: "test-user",
 							},
@@ -1501,14 +1501,14 @@ func TestManagedClusterAddOnEventHandler(t *testing.T) {
 					Spec: cpv1alpha1.ClusterPermissionSpec{
 						ClusterRoleBindings: &[]cpv1alpha1.ClusterRoleBinding{
 							{
-								Subject: rbacv1.Subject{
+								Subject: &rbacv1.Subject{
 									Kind:      "ServiceAccount",
 									Name:      "regular-sa",
 									Namespace: "default",
 								},
 							},
 							{
-								Subject: rbacv1.Subject{
+								Subject: &rbacv1.Subject{
 									APIGroup: msav1beta1.GroupVersion.Group,
 									Kind:     "ManagedServiceAccount",
 									Name:     "test-msa",
@@ -1554,7 +1554,7 @@ func TestManagedClusterAddOnEventHandler(t *testing.T) {
 					},
 					Spec: cpv1alpha1.ClusterPermissionSpec{
 						ClusterRoleBinding: &cpv1alpha1.ClusterRoleBinding{
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								APIGroup: msav1beta1.GroupVersion.Group,
 								Kind:     "ManagedServiceAccount",
 								Name:     "test-msa",
@@ -1592,15 +1592,15 @@ func TestManagedClusterAddOnEventHandler(t *testing.T) {
 					},
 					Spec: cpv1alpha1.ClusterPermissionSpec{
 						ClusterRoleBinding: &cpv1alpha1.ClusterRoleBinding{
-							Subject: rbacv1.Subject{
+							Subject: &rbacv1.Subject{
 								Kind:      "ServiceAccount",
 								Name:      "regular-sa",
 								Namespace: "default",
 							},
 						},
 						ClusterRoleBindings: &[]cpv1alpha1.ClusterRoleBinding{
 							{
-								Subject: rbacv1.Subject{
+								Subject: &rbacv1.Subject{
 									APIGroup: msav1beta1.GroupVersion.Group,
 									Kind:     "ManagedServiceAccount",
 									Name:     "test-msa-1",

Original file line number	Diff line number	Diff line change
`@@ -283,12 +283,15 @@ func (r *ClusterPermissionReconciler) validateSubject(ctx context.Context, subje`
`283`	`283`	`return nil`
`284`	`284`	`}`
`285`	`285`
`286`		`-func getSubjects(subject rbacv1.Subject, subjects []rbacv1.Subject) []rbacv1.Subject {`
	`286`	`+func getSubjects(subject *rbacv1.Subject, subjects []rbacv1.Subject) []rbacv1.Subject {`
`287`	`287`	`if len(subjects) > 0 {`
`288`	`288`	`return subjects`
`289`	`289`	`} else {`
`290`	`290`	`// should be safe since one of them has to exist due to CRD validation`
`291`		`- return []rbacv1.Subject{subject}`
	`291`	`+ if subject == nil {`
	`292`	`+ return []rbacv1.Subject{}`
	`293`	`+ }`
	`294`	`+ return []rbacv1.Subject{*subject}`
`292`	`295`	`}`
`293`	`296`	`}`
`294`	`297`
`@@ -739,7 +742,7 @@ func (r *ClusterPermissionReconciler) clusterPermissionUsesManagedServiceAccount`
`739`	`742`	`if r.subjectIsManagedServiceAccount(cp.Spec.ClusterRoleBinding.Subject) {`
`740`	`743`	`return true`
`741`	`744`	`}`
`742`		`- if slices.ContainsFunc(cp.Spec.ClusterRoleBinding.Subjects, r.subjectIsManagedServiceAccount) {`
	`745`	`+ if slices.ContainsFunc(cp.Spec.ClusterRoleBinding.Subjects, r.subjectIsManagedServiceAccountByValue) {`
`743`	`746`	`return true`
`744`	`747`	`}`
`745`	`748`	`}`
`@@ -750,7 +753,7 @@ func (r *ClusterPermissionReconciler) clusterPermissionUsesManagedServiceAccount`
`750`	`753`	`if r.subjectIsManagedServiceAccount(crb.Subject) {`
`751`	`754`	`return true`
`752`	`755`	`}`
`753`		`- if slices.ContainsFunc(crb.Subjects, r.subjectIsManagedServiceAccount) {`
	`756`	`+ if slices.ContainsFunc(crb.Subjects, r.subjectIsManagedServiceAccountByValue) {`
`754`	`757`	`return true`
`755`	`758`	`}`
`756`	`759`	`}`
`@@ -762,7 +765,7 @@ func (r *ClusterPermissionReconciler) clusterPermissionUsesManagedServiceAccount`
`762`	`765`	`if r.subjectIsManagedServiceAccount(rb.Subject) {`
`763`	`766`	`return true`
`764`	`767`	`}`
`765`		`- if slices.ContainsFunc(rb.Subjects, r.subjectIsManagedServiceAccount) {`
	`768`	`+ if slices.ContainsFunc(rb.Subjects, r.subjectIsManagedServiceAccountByValue) {`
`766`	`769`	`return true`
`767`	`770`	`}`
`768`	`771`	`}`
`@@ -772,6 +775,14 @@ func (r *ClusterPermissionReconciler) clusterPermissionUsesManagedServiceAccount`
`772`	`775`	`}`
`773`	`776`
`774`	`777`	`// subjectIsManagedServiceAccount checks if a subject is a ManagedServiceAccount`
`775`		`-func (r *ClusterPermissionReconciler) subjectIsManagedServiceAccount(subject rbacv1.Subject) bool {`
	`778`	`+func (r ClusterPermissionReconciler) subjectIsManagedServiceAccount(subject rbacv1.Subject) bool {`
	`779`	`+ if subject == nil {`
	`780`	`+ return false`
	`781`	`+ }`
`776`	`782`	`return subject.APIGroup == msav1beta1.GroupVersion.Group && subject.Kind == "ManagedServiceAccount"`
`777`	`783`	`}`
	`784`	`+`
	`785`	`+// subjectIsManagedServiceAccountByValue is a wrapper for use with slices.ContainsFunc`
	`786`	`+func (r *ClusterPermissionReconciler) subjectIsManagedServiceAccountByValue(subject rbacv1.Subject) bool {`
	`787`	`+ return r.subjectIsManagedServiceAccount(&subject)`
	`788`	`+}`