buildah instead of docker

Dockerfile

@@ -1,7 +1,8 @@
 # Build the manager binary
-FROM golang:1.19 as builder
+FROM --platform=${BUILDPLATFORM} golang:1.19 as builder
 ARG TARGETOS
 ARG TARGETARCH
+ARG TARGETPLATFORM
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -25,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o ma
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
+FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
 USER 65532:65532

Makefile

@@ -71,38 +71,15 @@ run: manifests generate fmt vet ## Run a controller from your host.
 	go run ./main.go
 
 PLATFORMS ?= linux/arm64,linux/amd64
-# If you wish built the manager image targeting other platforms you can use the --platform flag.
-# (i.e. docker build --platform linux/arm64 ). However, you must enable docker buildKit for it.
-# More info: https://docs.docker.com/develop/develop-images/build_enhancements/
-.PHONY: docker-build
-docker-build: test ## Build docker image with the manager.
-	docker build -t ${IMG} .
-
 .PHONY: docker-build-multiarch
 docker-build-multiarch:
-	buildah bud --manifest $(MANIFEST) --platform=$(PLATFORMS) Dockerfile.multi
+	buildah bud --manifest $(MANIFEST) --platform=$(PLATFORMS) --layers .
 
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 	buildah manifest push --all --rm $(MANIFEST) "docker://$(IMG)"
 	#docker push ${IMG}
 
-# PLATFORMS defines the target platforms for  the manager image be build to provide support to multiple
-# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
-# - able to use docker buildx . More info: https://docs.docker.com/build/buildx/
-# - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/
-# - be able to push the image for your registry (i.e. if you do not inform a valid value via IMG=<myregistry/image:<tag>> then the export will fail)
-# To properly provided solutions that supports more than one platform you should use this option.
-.PHONY: docker-buildx
-docker-buildx: test ## Build and push docker image for the manager for cross-platform support
-	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
-	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
-	- docker buildx create --name project-v3-builder
-	docker buildx use project-v3-builder
-	- docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
-	- docker buildx rm project-v3-builder
-	rm Dockerfile.cross
-
 ##@ Deployment
 
 ifndef ignore-not-found

api/v1alpha1/common.go

@@ -3,7 +3,9 @@ package v1alpha1
 import (
 	"fmt"
 	corev1 "k8s.io/api/core/v1"
+	"os"
 	"path/filepath"
+	"strings"
 )
 
 const (
@@ -57,14 +59,19 @@ func GetVolumeMounts(container corev1.Container, targetContainer TargetContainer
 		vm := corev1.VolumeMount{ReadOnly: true}
 		var longest int = 0
 		var sidecarPath string
+		path = filepath.Clean(path)
+		splitPath := strings.Split(path, string(os.PathSeparator))
 		for _, volumeMount := range container.VolumeMounts {
-			// if strings.HasPrefix(path, volumeMount.MountPath) && len(volumeMount.MountPath) > longest {
+			splitMountPath := strings.Split(volumeMount.MountPath, string(os.PathSeparator))
-			if rel, err := filepath.Rel(volumeMount.MountPath, path); err == nil && len(volumeMount.MountPath) > longest {
+			for j, pathItem := range splitMountPath {
-				longest = len(volumeMount.MountPath)
+				if j < len(splitPath) && pathItem == splitPath[j] && j > longest {
-				vm.Name = volumeMount.Name
+					longest = j
-				vm.MountPath = fmt.Sprintf("/%s%d", BACKUP_PREFIX_PATH, i)
+					vm.Name = volumeMount.Name
-				vm.SubPath = volumeMount.SubPath
+					vm.MountPath = fmt.Sprintf("/%s%d", BACKUP_PREFIX_PATH, i)
-				sidecarPath = filepath.Join(vm.MountPath, rel)
+					vm.SubPath = volumeMount.SubPath
+					rel, _ := filepath.Rel(volumeMount.MountPath, path)
+					sidecarPath = filepath.Join(vm.MountPath, rel)
+				}
 			}
 		}
 		vms = append(vms, vm)

controllers/backupconfiguration_controller.go

@@ -36,6 +36,9 @@ type BackupConfigurationReconciler struct {
 	Scheme *runtime.Scheme
 	Log    logr.Logger
 	context.Context
+	Name       string
+	Namespace  string
+	backupConf formolv1alpha1.BackupConfiguration
 }
 
 //+kubebuilder:rbac:groups=formol.desmojim.fr,resources=*,verbs=*
@@ -63,6 +66,8 @@ type BackupConfigurationReconciler struct {
 func (r *BackupConfigurationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	r.Context = ctx
 	r.Log = log.FromContext(ctx)
+	r.Name = req.NamespacedName.Name
+	r.Namespace = req.NamespacedName.Namespace
 
 	r.Log.V(1).Info("Enter Reconcile with req", "req", req, "reconciler", r)
 
@@ -74,6 +79,7 @@ func (r *BackupConfigurationReconciler) Reconcile(ctx context.Context, req ctrl.
 		}
 		return ctrl.Result{}, err
 	}
+	r.backupConf = backupConf
 
 	finalizerName := "finalizer.backupconfiguration.formol.desmojim.fr"
 
@@ -82,7 +88,7 @@ func (r *BackupConfigurationReconciler) Reconcile(ctx context.Context, req ctrl.
 		if controllerutil.ContainsFinalizer(&backupConf, finalizerName) {
 			_ = r.DeleteSidecar(backupConf)
 			_ = r.DeleteCronJob(backupConf)
-			_ = r.deleteRBACSidecar(backupConf.Namespace)
+			_ = r.deleteRBAC()
 			controllerutil.RemoveFinalizer(&backupConf, finalizerName)
 			if err := r.Update(ctx, &backupConf); err != nil {
 				r.Log.Error(err, "unable to remove finalizer")
@@ -111,6 +117,10 @@ func (r *BackupConfigurationReconciler) Reconcile(ctx context.Context, req ctrl.
 	} else {
 		backupConf.Status.ActiveCronJob = true
 	}
+	if err = r.createBSCreatorRBAC(); err != nil {
+		r.Log.Error(err, "unable to create RBAC for the sidecar container")
+		return ctrl.Result{}, err
+	}
 
 	for _, target := range backupConf.Spec.Targets {
 		if err := r.addSidecar(backupConf, target); err != nil {

controllers/backupconfiguration_controller_helpers.go

@@ -31,9 +31,13 @@ import (
 )
 
 const (
-	FORMOL_SA                  = "formol-controller"
+	FORMOL_BS_CREATOR_SA              = "bs-creator"
-	FORMOL_SIDECAR_ROLE        = "formol:sidecar-role"
+	FORMOL_BS_CREATOR_ROLE            = "formol:bs-creator-role"
-	FORMOL_SIDECAR_CLUSTERROLE = "formol:sidecar-clusterrole"
+	FORMOL_BS_CREATOR_ROLEBINDING     = "formol:bs-creator-rolebinding"
+	FORMOL_SIDECAR_ROLE               = "formol:sidecar-role"
+	FORMOL_SIDECAR_ROLEBINDING        = "formol:sidecar-rolebinding"
+	FORMOL_SIDECAR_CLUSTERROLE        = "formol:sidecar-clusterrole"
+	FORMOL_SIDECAR_CLUSTERROLEBINDING = "formol:sidecar-clusterrolebinding"
 )
 
 func (r *BackupConfigurationReconciler) DeleteCronJob(backupConf formolv1alpha1.BackupConfiguration) error {
@@ -93,7 +97,7 @@ func (r *BackupConfigurationReconciler) AddCronJob(backupConf formolv1alpha1.Bac
 					Template: corev1.PodTemplateSpec{
 						Spec: corev1.PodSpec{
 							RestartPolicy:      corev1.RestartPolicyOnFailure,
-							ServiceAccountName: "backupsession-creator",
+							ServiceAccountName: FORMOL_BS_CREATOR_SA,
 							Containers: []corev1.Container{
 								corev1.Container{
 									Name:  "job-createbackupsession-" + backupConf.Name,
@@ -234,12 +238,7 @@ func (r *BackupConfigurationReconciler) addSidecar(backupConf formolv1alpha1.Bac
 		return err
 	}
 	if !hasSidecar(targetPodSpec) {
-		if err = r.createRBACSidecar(corev1.ServiceAccount{
+		if err = r.createSidecarRBAC(targetPodSpec); err != nil {
-			ObjectMeta: metav1.ObjectMeta{
-				Namespace: backupConf.Namespace,
-				Name:      targetPodSpec.ServiceAccountName,
-			},
-		}); err != nil {
 			r.Log.Error(err, "unable to create RBAC for the sidecar container")
 			return
 		}
@@ -290,78 +289,146 @@ func (r *BackupConfigurationReconciler) addSidecar(backupConf formolv1alpha1.Bac
 }
 
 // Delete the sidecar role is there is no more sidecar container in the namespace
-func (r *BackupConfigurationReconciler) deleteRBACSidecar(namespace string) error {
+func (r *BackupConfigurationReconciler) deleteRBAC() error {
-	podList := corev1.PodList{}
+	for _, roleBindingName := range []string{FORMOL_BS_CREATOR_ROLEBINDING, FORMOL_SIDECAR_CLUSTERROLEBINDING} {
-	if err := r.List(r.Context, &podList, &client.ListOptions{
+		roleBinding := rbacv1.RoleBinding{}
-		Namespace: namespace,
+		if err := r.Get(r.Context, client.ObjectKey{
-	}); err != nil {
+			Namespace: r.Namespace,
-		r.Log.Error(err, "unable to get the list of pods", "namespace", namespace)
+			Name:      roleBindingName,
-		return err
+		}, &roleBinding); err == nil {
-	}
+			if err = r.Delete(r.Context, &roleBinding); err != nil {
-	for _, pod := range podList.Items {
+				r.Log.Error(err, "unable to delete role binding", "role binding", roleBindingName)
-		for _, container := range pod.Spec.Containers {
-			for _, env := range container.Env {
-				if env.Name == formolv1alpha1.SIDECARCONTAINER_NAME {
-					// There is still a sidecar in the namespace.
-					// cannot delete the sidecar role
-					return nil
-				}
 			}
 		}
 	}
-	roleBinding := rbacv1.RoleBinding{
+	for _, roleName := range []string{FORMOL_BS_CREATOR_ROLE, FORMOL_SIDECAR_CLUSTERROLE} {
-		ObjectMeta: metav1.ObjectMeta{
+		role := rbacv1.Role{}
-			Namespace: namespace,
+		if err := r.Get(r.Context, client.ObjectKey{
-			Name:      FORMOL_SIDECAR_ROLE,
+			Namespace: r.Namespace,
-		},
+			Name:      roleName,
+		}, &role); err == nil {
+			if err = r.Delete(r.Context, &role); err != nil {
+				r.Log.Error(err, "unable to delete role", "role", roleName)
+			}
+		}
 	}
-	if err := r.Delete(r.Context, &roleBinding); err != nil {
+	sa := corev1.ServiceAccount{}
-		r.Log.Error(err, "unable to delete sidecar role binding")
+	if err := r.Get(r.Context, client.ObjectKey{
+		Namespace: r.Namespace,
+		Name:      FORMOL_BS_CREATOR_SA,
+	}, &sa); err == nil {
+		if err = r.Delete(r.Context, &sa); err != nil {
+			r.Log.Error(err, "unable to delete bs service account role")
+		}
 	}
-	role := rbacv1.Role{
+	clusterRoleBinding := rbacv1.ClusterRoleBinding{}
-		ObjectMeta: metav1.ObjectMeta{
+	if err := r.Get(r.Context, client.ObjectKey{
-			Namespace: namespace,
+		Namespace: r.Namespace,
-			Name:      FORMOL_SIDECAR_ROLE,
+		Name:      FORMOL_SIDECAR_CLUSTERROLEBINDING,
-		},
+	}, &clusterRoleBinding); err == nil {
+		if err = r.Delete(r.Context, &clusterRoleBinding); err != nil {
+			r.Log.Error(err, "unable to delete sidecar cluster role binding")
+		}
 	}
-	if err := r.Delete(r.Context, &role); err != nil {
+	clusterRole := rbacv1.ClusterRole{}
-		r.Log.Error(err, "unable to delete sidecar role")
+	if err := r.Get(r.Context, client.ObjectKey{
+		Namespace: r.Namespace,
+		Name:      FORMOL_SIDECAR_CLUSTERROLE,
+	}, &clusterRole); err == nil {
+		if err = r.Delete(r.Context, &clusterRole); err != nil {
+			r.Log.Error(err, "unable to delete sidecar cluster role")
+		}
 	}
-	clusterRoleBinding := rbacv1.ClusterRoleBinding{
+	return nil
-		ObjectMeta: metav1.ObjectMeta{
+}
-			Namespace: namespace,
+
-			Name:      FORMOL_SIDECAR_CLUSTERROLE,
+func (r *BackupConfigurationReconciler) createBSCreatorRBAC() error {
-		},
+	sa := corev1.ServiceAccount{}
+	if err := r.Get(r.Context, client.ObjectKey{
+		Namespace: r.Namespace,
+		Name:      FORMOL_BS_CREATOR_SA,
+	}, &sa); errors.IsNotFound(err) {
+		sa = corev1.ServiceAccount{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: r.Namespace,
+				Name:      FORMOL_BS_CREATOR_SA,
+			},
+		}
+		if err = r.Create(r.Context, &sa); err != nil {
+			r.Log.Error(err, "unable to create BS creator SA")
+			return err
+		}
 	}
-	if err := r.Delete(r.Context, &clusterRoleBinding); err != nil {
+	role := rbacv1.Role{}
-		r.Log.Error(err, "unable to delete sidecar clusterRole binding")
+	if err := r.Get(r.Context, client.ObjectKey{
+		Namespace: r.Namespace,
+		Name:      FORMOL_BS_CREATOR_ROLE,
+	}, &role); errors.IsNotFound(err) {
+		role = rbacv1.Role{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: r.Namespace,
+				Name:      FORMOL_BS_CREATOR_ROLE,
+			},
+			Rules: []rbacv1.PolicyRule{
+				rbacv1.PolicyRule{
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					APIGroups: []string{"formol.desmojim.fr"},
+					Resources: []string{"backupsessions"},
+				},
+			},
+		}
+		r.Log.V(0).Info("Creating formol bs creator role", "role", role)
+		if err = r.Create(r.Context, &role); err != nil {
+			r.Log.Error(err, "unable to create bs creator role")
+			return err
+		}
 	}
-	clusterRole := rbacv1.ClusterRole{
+	rolebinding := rbacv1.RoleBinding{}
-		ObjectMeta: metav1.ObjectMeta{
+	if err := r.Get(r.Context, client.ObjectKey{
-			Namespace: namespace,
+		Namespace: r.Namespace,
-			Name:      FORMOL_SIDECAR_CLUSTERROLE,
+		Name:      FORMOL_BS_CREATOR_ROLEBINDING,
-		},
+	}, &rolebinding); errors.IsNotFound(err) {
-	}
+		rolebinding = rbacv1.RoleBinding{
-	if err := r.Delete(r.Context, &clusterRole); err != nil {
+			ObjectMeta: metav1.ObjectMeta{
-		r.Log.Error(err, "unable to delete sidecar clusterRole")
+				Namespace: r.Namespace,
+				Name:      FORMOL_BS_CREATOR_ROLEBINDING,
+			},
+			Subjects: []rbacv1.Subject{
+				rbacv1.Subject{
+					Kind: "ServiceAccount",
+					Name: FORMOL_BS_CREATOR_SA,
+				},
+			},
+			RoleRef: rbacv1.RoleRef{
+				APIGroup: "rbac.authorization.k8s.io",
+				Kind:     "Role",
+				Name:     FORMOL_BS_CREATOR_ROLE,
+			},
+		}
+		r.Log.V(0).Info("Creating formol bs creator rolebinding", "rolebinding", rolebinding)
+		if err = r.Create(r.Context, &rolebinding); err != nil {
+			r.Log.Error(err, "unable to create bs creator rolebinding")
+			return err
+		}
 	}
 	return nil
 }
 
 // Creates a role to allow the BackupSession controller in the sidecar to have access to resources
 // like Repo, Functions, ...
-func (r *BackupConfigurationReconciler) createRBACSidecar(sa corev1.ServiceAccount) error {
+func (r *BackupConfigurationReconciler) createSidecarRBAC(podSpec *corev1.PodSpec) error {
-	if sa.Name == "" {
+	sa := podSpec.ServiceAccountName
-		sa.Name = "default"
+	if sa == "" {
+		sa = "default"
 	}
 	role := rbacv1.Role{}
 	if err := r.Get(r.Context, client.ObjectKey{
-		Namespace: sa.Namespace,
+		Namespace: r.Namespace,
 		Name:      FORMOL_SIDECAR_ROLE,
-	}, &role); err != nil && errors.IsNotFound(err) {
+	}, &role); errors.IsNotFound(err) {
 		role = rbacv1.Role{
 			ObjectMeta: metav1.ObjectMeta{
-				Namespace: sa.Namespace,
+				Namespace: r.Namespace,
 				Name:      FORMOL_SIDECAR_ROLE,
 			},
 			Rules: []rbacv1.PolicyRule{
@@ -405,18 +472,18 @@ func (r *BackupConfigurationReconciler) createRBACSidecar(sa corev1.ServiceAccou
 	}
 	rolebinding := rbacv1.RoleBinding{}
 	if err := r.Get(r.Context, client.ObjectKey{
-		Namespace: sa.Namespace,
+		Namespace: r.Namespace,
-		Name:      FORMOL_SIDECAR_ROLE,
+		Name:      FORMOL_SIDECAR_ROLEBINDING,
-	}, &rolebinding); err != nil && errors.IsNotFound(err) {
+	}, &rolebinding); errors.IsNotFound(err) {
 		rolebinding = rbacv1.RoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
-				Namespace: sa.Namespace,
+				Namespace: r.Namespace,
-				Name:      FORMOL_SIDECAR_ROLE,
+				Name:      FORMOL_SIDECAR_ROLEBINDING,
 			},
 			Subjects: []rbacv1.Subject{
 				rbacv1.Subject{
 					Kind: "ServiceAccount",
-					Name: sa.Name,
+					Name: sa,
 				},
 			},
 			RoleRef: rbacv1.RoleRef{
@@ -430,11 +497,25 @@ func (r *BackupConfigurationReconciler) createRBACSidecar(sa corev1.ServiceAccou
 			r.Log.Error(err, "unable to create sidecar rolebinding")
 			return err
 		}
+	} else {
+		if err != nil {
+			r.Log.Error(err, "something went very wrong here")
+			return err
+		}
+		rolebinding.Subjects = append(rolebinding.Subjects, rbacv1.Subject{
+			Kind: "ServiceAccount",
+			Name: sa,
+		})
+		r.Log.V(0).Info("Updating formol sidecar rolebinding with the new SA", "rolebinding", rolebinding)
+		if err = r.Update(r.Context, &rolebinding); err != nil {
+			r.Log.Error(err, "unable to update sidecar rolebinding")
+			return err
+		}
 	}
 	clusterRole := rbacv1.ClusterRole{}
 	if err := r.Get(r.Context, client.ObjectKey{
 		Name: FORMOL_SIDECAR_CLUSTERROLE,
-	}, &clusterRole); err != nil && errors.IsNotFound(err) {
+	}, &clusterRole); errors.IsNotFound(err) {
 		clusterRole = rbacv1.ClusterRole{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: FORMOL_SIDECAR_CLUSTERROLE,
@@ -460,18 +541,18 @@ func (r *BackupConfigurationReconciler) createRBACSidecar(sa corev1.ServiceAccou
 	}
 	clusterRolebinding := rbacv1.ClusterRoleBinding{}
 	if err := r.Get(r.Context, client.ObjectKey{
-		Namespace: sa.Namespace,
+		Namespace: r.Namespace,
-		Name:      FORMOL_SIDECAR_CLUSTERROLE,
+		Name:      FORMOL_SIDECAR_CLUSTERROLEBINDING,
-	}, &clusterRolebinding); err != nil && errors.IsNotFound(err) {
+	}, &clusterRolebinding); errors.IsNotFound(err) {
 		clusterRolebinding = rbacv1.ClusterRoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
-				Name: FORMOL_SIDECAR_CLUSTERROLE,
+				Name: FORMOL_SIDECAR_CLUSTERROLEBINDING,
 			},
 			Subjects: []rbacv1.Subject{
 				rbacv1.Subject{
 					Kind:      "ServiceAccount",
-					Name:      sa.Name,
+					Name:      sa,
-					Namespace: sa.Namespace,
+					Namespace: r.Namespace,
 				},
 			},
 			RoleRef: rbacv1.RoleRef{