feat: Removed skr permission and cache config for remote kyma & Modul…

…eTemp… (#2198)

* Removed skr permission  and cache config for remote kyma & ModuleTemplate resources

* Removed e2e test for klm-controller-manager serviceAcount on kyma-system namespace.

* Remove remoteNamespace field as it will be not used for the cache.

---------

Co-authored-by: Benjamin Lindner <[email protected]>

cmd/main.go

@@ -116,7 +116,7 @@ func main() {
 	}
 
 	cacheOptions := internal.GetCacheOptions(flagVar.IsKymaManaged, flagVar.IstioNamespace,
-		flagVar.IstioGatewayNamespace, flagVar.RemoteSyncNamespace)
+		flagVar.IstioGatewayNamespace)
 	setupManager(flagVar, cacheOptions, scheme, setupLog)
 }
 

config/rbac/namespace_bindings/kustomization.yaml

@@ -13,6 +13,4 @@ resources:
   - role_binding.yaml
   # Comment the following to disable manifest integration
   - watcher_certmanager_role.yaml
-  - skr_role.yaml
   - watcher_certmanager_role_binding.yaml
-  - skr_role_binding.yaml

internal/cache_options.go

@@ -19,10 +19,9 @@ type DefaultCacheOptions struct {
 }
 
 type KcpCacheOptions struct {
-	CacheOptions    cache.Options
-	istioNamespace  string
-	kcpNamespace    string
-	remoteNamespace string
+	CacheOptions   cache.Options
+	istioNamespace string
+	kcpNamespace   string
 }
 
 func (c *DefaultCacheOptions) GetCacheOptions() cache.Options {
@@ -47,14 +46,12 @@ func (c *KcpCacheOptions) GetCacheOptions() cache.Options {
 			},
 			&v1beta2.Kyma{}: {
 				Namespaces: map[string]cache.Config{
-					c.remoteNamespace: {},
-					c.kcpNamespace:    {},
+					c.kcpNamespace: {},
 				},
 			},
 			&v1beta2.ModuleTemplate{}: {
 				Namespaces: map[string]cache.Config{
-					c.remoteNamespace: {},
-					c.kcpNamespace:    {},
+					c.kcpNamespace: {},
 				},
 			},
 			&v1beta2.ModuleReleaseMeta{}: {
@@ -88,12 +85,11 @@ func (c *KcpCacheOptions) GetCacheOptions() cache.Options {
 	}
 }
 
-func GetCacheOptions(isKymaManaged bool, istioNamespace, kcpNamespace, remoteNamespace string) cache.Options {
+func GetCacheOptions(isKymaManaged bool, istioNamespace, kcpNamespace string) cache.Options {
 	if isKymaManaged {
 		options := &KcpCacheOptions{
-			istioNamespace:  istioNamespace,
-			kcpNamespace:    kcpNamespace,
-			remoteNamespace: remoteNamespace,
+			istioNamespace: istioNamespace,
+			kcpNamespace:   kcpNamespace,
 		}
 		return options.GetCacheOptions()
 	}

tests/e2e/rbac_privileges_test.go

@@ -199,38 +199,6 @@ var _ = Describe("RBAC Privileges", func() {
 			Expect(GetRoleBindingRolePolicyRules(ctx, kcpClient, "klm-controller-manager-watcher-certmanager",
 				"istio-system",
 				istioSystemKlmRoleBindings)).To(Equal(istioNamespaceRoleRules))
-
-			By("And KLM Service Account has the correct RoleBindings in kyma-system namespace")
-			remoteNamespaceRoleRules := []apirbacv1.PolicyRule{
-				{
-					APIGroups: []string{"operator.kyma-project.io"},
-					Resources: []string{"kymas"},
-					Verbs:     []string{"list", "watch", "delete", "get", "create", "patch", "update"},
-				},
-				{
-					APIGroups: []string{"operator.kyma-project.io"},
-					Resources: []string{"kymas/finalizers"},
-					Verbs:     []string{"update"},
-				},
-				{
-					APIGroups: []string{"operator.kyma-project.io"},
-					Resources: []string{"kymas/status"},
-					Verbs:     []string{"get", "patch", "update", "watch"},
-				},
-				{
-					APIGroups: []string{"operator.kyma-project.io"},
-					Resources: []string{"moduletemplates"},
-					Verbs:     []string{"list", "watch", "delete"},
-				},
-			}
-			kymaSystemKlmRoleBindings, err := ListKlmRoleBindings(kcpClient, ctx, "klm-controller-manager",
-				"kyma-system")
-			Expect(err).ToNot(HaveOccurred())
-			Expect(kymaSystemKlmRoleBindings.Items).To(HaveLen(1))
-
-			Expect(GetRoleBindingRolePolicyRules(ctx, kcpClient,
-				"klm-controller-manager-skr", "kyma-system",
-				kymaSystemKlmRoleBindings)).To(Equal(remoteNamespaceRoleRules))
 		})
 	})
 })

tests/integration/controller/eventfilters/suite_test.go

@@ -124,7 +124,7 @@ var _ = BeforeSuite(func() {
 				BindAddress: randomPort,
 			},
 			Scheme: k8sclientscheme.Scheme,
-			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace),
+			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace),
 		})
 	Expect(err).ToNot(HaveOccurred())
 

tests/integration/controller/kcp/suite_test.go

@@ -124,7 +124,7 @@ var _ = BeforeSuite(func() {
 				BindAddress: UseRandomPort,
 			},
 			Scheme: k8sclientscheme.Scheme,
-			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace),
+			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace),
 		})
 	Expect(err).ToNot(HaveOccurred())
 

tests/integration/controller/kyma/suite_test.go

@@ -122,7 +122,7 @@ var _ = BeforeSuite(func() {
 				BindAddress: randomPort,
 			},
 			Scheme: k8sclientscheme.Scheme,
-			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace),
+			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace),
 		})
 	Expect(err).ToNot(HaveOccurred())
 

tests/integration/controller/mandatorymodule/deletion/suite_test.go

@@ -106,7 +106,7 @@ var _ = BeforeSuite(func() {
 				BindAddress: useRandomPort,
 			},
 			Scheme: k8sclientscheme.Scheme,
-			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace),
+			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace),
 		})
 	Expect(err).ToNot(HaveOccurred())
 

tests/integration/controller/mandatorymodule/installation/suite_test.go

@@ -97,7 +97,7 @@ var _ = BeforeSuite(func() {
 				BindAddress: useRandomPort,
 			},
 			Scheme: k8sclientscheme.Scheme,
-			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace),
+			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace),
 		})
 	Expect(err).ToNot(HaveOccurred())
 

tests/integration/controller/manifest/custom_resource_check/suite_test.go

@@ -114,7 +114,7 @@ var _ = BeforeSuite(func() {
 	if !found {
 		metricsBindAddress = ":0"
 	}
-	cacheOpts := internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace)
+	cacheOpts := internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace)
 	syncPeriod := 2 * time.Second
 	cacheOpts.SyncPeriod = &syncPeriod
 

tests/integration/controller/manifest/suite_test.go

@@ -125,7 +125,7 @@ var _ = BeforeSuite(func() {
 				BindAddress: metricsBindAddress,
 			},
 			Scheme: k8sclientscheme.Scheme,
-			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace),
+			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace),
 		},
 	)
 	Expect(err).ToNot(HaveOccurred())

tests/integration/controller/moduletemplate/suite_test.go

@@ -90,7 +90,7 @@ var _ = BeforeSuite(func() {
 				BindAddress: randomPort,
 			},
 			Scheme: k8sclientscheme.Scheme,
-			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace),
+			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace),
 		})
 	Expect(err).ToNot(HaveOccurred())
 

tests/integration/controller/purge/suite_test.go

@@ -101,7 +101,7 @@ var _ = BeforeSuite(func() {
 				BindAddress: useRandomPort,
 			},
 			Scheme: k8sclientscheme.Scheme,
-			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace),
+			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace),
 		})
 	Expect(err).ToNot(HaveOccurred())
 

tests/integration/controller/withwatcher/suite_test.go

@@ -145,7 +145,7 @@ var _ = BeforeSuite(func() {
 				BindAddress: metricsBindAddress,
 			},
 			Scheme: k8sclientscheme.Scheme,
-			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace),
+			Cache:  internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace),
 		})
 	Expect(err).ToNot(HaveOccurred())