Ignore namespace not found error (#27)

Signed-off-by: Rokibul Hasan <mdrokibulhasan@appscode.com>

go.mod

@@ -5,15 +5,15 @@ go 1.22.0
 require (
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.71.2
 	github.com/spf13/cobra v1.8.0
-	go.bytebuilders.dev/license-verifier v0.14.0
+	go.bytebuilders.dev/license-verifier v0.14.3
 	gomodules.xyz/logs v0.0.7
 	gomodules.xyz/x v0.0.17
 	k8s.io/api v0.30.1
 	k8s.io/apimachinery v0.30.1
 	k8s.io/client-go v0.30.1
 	k8s.io/klog/v2 v2.120.1
 	k8s.io/utils v0.0.0-20240310230437-4693a0247e57
-	kmodules.xyz/client-go v0.30.27
+	kmodules.xyz/client-go v0.30.31
 	open-cluster-management.io/addon-framework v0.10.0
 	open-cluster-management.io/api v0.14.0
 	open-cluster-management.io/managed-serviceaccount v0.6.0

go.sum

@@ -343,8 +343,8 @@ github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
 github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
-go.bytebuilders.dev/license-verifier v0.14.0 h1:O6pXhz9vz7dPWIJATkX+JiMLhUD2ydzvKzf26c+3Jrw=
-go.bytebuilders.dev/license-verifier v0.14.0/go.mod h1:GB9XTSQUcllJ4AVq29TdJI6yRjoI86HGz0XMqq9nLwY=
+go.bytebuilders.dev/license-verifier v0.14.3 h1:5BTwmFEgCjSlAs2Nzh3/7+u//VoF93xjqywrJiqmZsg=
+go.bytebuilders.dev/license-verifier v0.14.3/go.mod h1:bNNaVbry3TZbu54pf57LkhjsFX94T6O62w0roiy1yiE=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
@@ -566,8 +566,8 @@ k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGc
 k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro=
 k8s.io/utils v0.0.0-20240310230437-4693a0247e57 h1:gbqbevonBh57eILzModw6mrkbwM0gQBEuevE/AaBsHY=
 k8s.io/utils v0.0.0-20240310230437-4693a0247e57/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-kmodules.xyz/client-go v0.30.27 h1:pmM11k/XNVGTFp22qRsXBnGRnFeLNGX2lB9I0Gu+JWY=
-kmodules.xyz/client-go v0.30.27/go.mod h1:CAu+JlA8RVGtj6LQHu0Q1w2mnFUajuti49c7T1AvGdM=
+kmodules.xyz/client-go v0.30.31 h1:P+ZslW5QcgMnMoxo1ZMJrNNcwRwA1BiFct1JvcRQEj0=
+kmodules.xyz/client-go v0.30.31/go.mod h1:CAu+JlA8RVGtj6LQHu0Q1w2mnFUajuti49c7T1AvGdM=
 open-cluster-management.io/addon-framework v0.10.0 h1:bwI1XujcbkDoqlCFG1mKuwXNzoED4im/9/9BVu4xpRo=
 open-cluster-management.io/addon-framework v0.10.0/go.mod h1:HayKCznnlyW+0dUJQGj5sNR6i3tvylSySD3YnvZkBtY=
 open-cluster-management.io/api v0.14.0 h1:yjhnNeO/QudiIoEi0i/yUYmP3iElAfUgtj4pHMV+4uM=

pkg/agent/controller/managedclusterrolebinding_controller.go

@@ -21,6 +21,7 @@ import (
 
 	authzv1alpah1 "github.com/kluster-manager/cluster-auth/apis/authorization/v1alpha1"
 	"github.com/kluster-manager/cluster-auth/pkg/common"
+	"github.com/kluster-manager/cluster-auth/pkg/utils"
 
 	rbac "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -114,6 +115,14 @@ func (r *ManagedClusterRoleBindingReconciler) Reconcile(ctx context.Context, req
 		}
 	} else {
 		for _, ns := range managedCRB.RoleRef.Namespaces {
+			exist, err := utils.IsNamespaceExist(r.SpokeClient, ns)
+			if err != nil {
+				return reconcile.Result{}, err
+			}
+			if !exist {
+				continue
+			}
+
 			givenRolebinding := &rbac.RoleBinding{
 				TypeMeta: metav1.TypeMeta{
 					APIVersion: rbac.SchemeGroupVersion.String(),
@@ -132,7 +141,7 @@ func (r *ManagedClusterRoleBindingReconciler) Reconcile(ctx context.Context, req
 				},
 			}
 
-			_, err := cu.CreateOrPatch(context.Background(), r.SpokeClient, givenRolebinding, func(obj client.Object, createOp bool) client.Object {
+			_, err = cu.CreateOrPatch(context.Background(), r.SpokeClient, givenRolebinding, func(obj client.Object, createOp bool) client.Object {
 				in := obj.(*rbac.RoleBinding)
 				in.Subjects = givenRolebinding.Subjects
 				in.RoleRef = givenRolebinding.RoleRef

pkg/manager/agent-manifests/cluster-auth/templates/cluster-role.yaml

@@ -10,7 +10,7 @@ rules:
   - ""
   resources:
   - namespaces
-  verbs: ["get"]
+  verbs: ["get", "list", "watch"]
 # create/update rbac objects
 - apiGroups:
   - rbac.authorization.k8s.io

pkg/utils/util.go

@@ -17,10 +17,16 @@ limitations under the License.
 package utils
 
 import (
+	"context"
 	"errors"
 	"strings"
 
 	authorizationv1alpha1 "github.com/kluster-manager/cluster-auth/apis/authorization/v1alpha1"
+
+	corev1 "k8s.io/api/core/v1"
+	kerr "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 func GetUserIDAndHubOwnerIDFromLabelValues(object *authorizationv1alpha1.ManagedClusterRoleBinding) (string, string) {
@@ -49,3 +55,14 @@ func ExtractServiceAccountNameAndNamespace(s string) (name, namespace string, er
 	}
 	return "", "", errors.New("account username is invalid")
 }
+
+func IsNamespaceExist(kc client.Client, name string) (bool, error) {
+	var ns corev1.Namespace
+	err := kc.Get(context.Background(), types.NamespacedName{Name: name}, &ns)
+	if err != nil && kerr.IsNotFound(err) {
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+	return true, nil
+}

vendor/kmodules.xyz/client-go/Makefile

@@ -56,7 +56,7 @@ OS   := $(if $(GOOS),$(GOOS),$(shell go env GOOS))
 ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
 
 BASEIMAGE_PROD   ?= gcr.io/distroless/static-debian12
-BASEIMAGE_DBG    ?= debian:bookworm
+BASEIMAGE_DBG    ?= debian:12
 
 GO_VERSION       ?= 1.23
 BUILD_IMAGE      ?= ghcr.io/appscode/golang-dev:$(GO_VERSION)

vendor/kmodules.xyz/client-go/api/v1/cluster.go

@@ -50,19 +50,28 @@ const (
 )
 
 type ClusterMetadata struct {
-	UID         string          `json:"uid" protobuf:"bytes,1,opt,name=uid"`
-	Name        string          `json:"name,omitempty" protobuf:"bytes,2,opt,name=name"`
-	DisplayName string          `json:"displayName,omitempty" protobuf:"bytes,3,opt,name=displayName"`
-	Provider    HostingProvider `json:"provider,omitempty" protobuf:"bytes,4,opt,name=provider,casttype=HostingProvider"`
-	OwnerID     string          `json:"ownerID,omitempty" protobuf:"bytes,5,opt,name=ownerID"`
-	OwnerType   string          `json:"ownerType,omitempty" protobuf:"bytes,6,opt,name=ownerType"`
-	APIEndpoint string          `json:"apiEndpoint,omitempty" protobuf:"bytes,7,opt,name=apiEndpoint"`
-	CABundle    string          `json:"caBundle,omitempty" protobuf:"bytes,8,opt,name=caBundle"`
+	UID          string          `json:"uid" protobuf:"bytes,1,opt,name=uid"`
+	Name         string          `json:"name,omitempty" protobuf:"bytes,2,opt,name=name"`
+	DisplayName  string          `json:"displayName,omitempty" protobuf:"bytes,3,opt,name=displayName"`
+	Provider     HostingProvider `json:"provider,omitempty" protobuf:"bytes,4,opt,name=provider,casttype=HostingProvider"`
+	OwnerID      string          `json:"ownerID,omitempty" protobuf:"bytes,5,opt,name=ownerID"`
+	OwnerType    string          `json:"ownerType,omitempty" protobuf:"bytes,6,opt,name=ownerType"`
+	APIEndpoint  string          `json:"apiEndpoint,omitempty" protobuf:"bytes,7,opt,name=apiEndpoint"`
+	CABundle     string          `json:"caBundle,omitempty" protobuf:"bytes,8,opt,name=caBundle"`
+	ManagerID    string          `json:"managerID,omitempty" protobuf:"bytes,9,opt,name=managerID"`
+	HubClusterID string          `json:"hubClusterID,omitempty" protobuf:"bytes,10,opt,name=hubClusterID"`
+}
+
+func (md ClusterMetadata) Manager() string {
+	if md.ManagerID != "" && md.ManagerID != "0" {
+		return md.ManagerID
+	}
+	return md.OwnerID
 }
 
 func (md ClusterMetadata) State() string {
 	hasher := hmac.New(sha256.New, []byte(md.UID))
-	state := fmt.Sprintf("%s,%s", md.APIEndpoint, md.OwnerID)
+	state := fmt.Sprintf("%s,%s", md.APIEndpoint, md.Manager())
 	hasher.Write([]byte(state))
 	return base64.URLEncoding.EncodeToString(hasher.Sum(nil))
 }