feat: kubesphere 4.0 (#6115)

* feat: kubesphere 4.0 Signed-off-by: ci-bot <ci-bot@kubesphere.io> * feat: kubesphere 4.0 Signed-off-by: ci-bot <ci-bot@kubesphere.io> --------- Signed-off-by: ci-bot <ci-bot@kubesphere.io> Co-authored-by: ks-ci-bot <ks-ci-bot@example.com> Co-authored-by: joyceliu <joyceliu@yunify.com>
2024-09-06 11:05:52 +08:00
parent b5015ec7b9
commit 447a51f08b
8557 changed files with 546695 additions and 1146174 deletions
--- a/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go
+++ b/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go
@@ -1,18 +1,7 @@
 /*
-Copyright 2019 The KubeSphere Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+ * Please refer to the LICENSE file in the root directory of the project.
+ * https://github.com/kubesphere/kubesphere/blob/master/LICENSE
+ */

 package certificatesigningrequest

@@ -23,228 +12,87 @@ import (

 	certificatesv1 "k8s.io/api/certificates/v1"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	"k8s.io/apimachinery/pkg/util/wait"
-	certificatesinformers "k8s.io/client-go/informers/certificates/v1"
-	corev1informers "k8s.io/client-go/informers/core/v1"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/kubernetes/scheme"
-	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
-	certificateslisters "k8s.io/client-go/listers/certificates/v1"
-	"k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/cache"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/client-go/tools/record"
-	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/ptr"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"

 	"kubesphere.io/kubesphere/pkg/constants"
-	"kubesphere.io/kubesphere/pkg/models/kubeconfig"
+	kscontroller "kubesphere.io/kubesphere/pkg/controller"
 )

 const (
-	// SuccessSynced is used as part of the Event 'reason' when a Foo is csrSynced
-	successSynced = "Synced"
-	// is csrSynced successfully
-	messageResourceSynced = "CertificateSigningRequest csrSynced successfully"
-	controllerName        = "csr-controller"
+	controllerName                 = "csr"
+	userKubeConfigSecretNameFormat = "kubeconfig-%s"
+	kubeconfigFileName             = "config"
+	privateKeyAnnotation           = "kubesphere.io/private-key"
 )

-type Controller struct {
-	k8sclient   kubernetes.Interface
-	csrInformer certificatesinformers.CertificateSigningRequestInformer
-	csrLister   certificateslisters.CertificateSigningRequestLister
-	csrSynced   cache.InformerSynced
-	cmSynced    cache.InformerSynced
-	// workqueue is a rate limited work queue. This is used to queue work to be
-	// processed instead of performing it as soon as a change happens. This
-	// means we can ensure we only process a fixed amount of resources at a
-	// time, and makes it easy to ensure we are never processing the same item
-	// simultaneously in two different workers.
-	workqueue workqueue.RateLimitingInterface
-	// recorder is an event recorder for recording Event resources to the
-	// Kubernetes API.
-	recorder           record.EventRecorder
-	kubeconfigOperator kubeconfig.Interface
+var _ kscontroller.Controller = &Reconciler{}
+var _ reconcile.Reconciler = &Reconciler{}
+
+type Reconciler struct {
+	client.Client
+	recorder record.EventRecorder
 }

-func NewController(k8sClient kubernetes.Interface, csrInformer certificatesinformers.CertificateSigningRequestInformer,
-	configMapInformer corev1informers.ConfigMapInformer, config *rest.Config) *Controller {
-	// Create event broadcaster
-	// Add sample-controller types to the default Kubernetes Scheme so Events can be
-	// logged for sample-controller types.
-
-	klog.V(4).Info("Creating event broadcaster")
-	eventBroadcaster := record.NewBroadcaster()
-	eventBroadcaster.StartLogging(klog.Infof)
-	eventBroadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{Interface: k8sClient.CoreV1().Events("")})
-	recorder := eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: controllerName})
-	ctl := &Controller{
-		k8sclient:          k8sClient,
-		csrInformer:        csrInformer,
-		csrLister:          csrInformer.Lister(),
-		csrSynced:          csrInformer.Informer().HasSynced,
-		cmSynced:           configMapInformer.Informer().HasSynced,
-		kubeconfigOperator: kubeconfig.NewOperator(k8sClient, configMapInformer.Lister(), config),
-		workqueue:          workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "CertificateSigningRequest"),
-		recorder:           recorder,
-	}
-	klog.Info("Setting up event handlers")
-	csrInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc: ctl.enqueueCertificateSigningRequest,
-		UpdateFunc: func(old, new interface{}) {
-			ctl.enqueueCertificateSigningRequest(new)
-		},
-		DeleteFunc: ctl.enqueueCertificateSigningRequest,
-	})
-	return ctl
+func (r *Reconciler) Name() string {
+	return controllerName
 }

-func (c *Controller) Run(threadiness int, stopCh <-chan struct{}) error {
-	defer utilruntime.HandleCrash()
-	defer c.workqueue.ShutDown()
-
-	// Start the csrInformer factories to begin populating the csrInformer caches
-	klog.Info("Starting CSR controller")
-
-	// Wait for the caches to be csrSynced before starting workers
-	klog.Info("Waiting for csrInformer caches to sync")
-	if ok := cache.WaitForCacheSync(stopCh, c.csrSynced, c.cmSynced); !ok {
-		return fmt.Errorf("failed to wait for caches to sync")
-	}
-
-	klog.Info("Starting workers")
-
-	for i := 0; i < threadiness; i++ {
-		go wait.Until(c.runWorker, time.Second, stopCh)
-	}
-
-	klog.Info("Started workers")
-	<-stopCh
-	klog.Info("Shutting down workers")
-	return nil
+func (r *Reconciler) SetupWithManager(mgr *kscontroller.Manager) error {
+	r.recorder = mgr.GetEventRecorderFor(controllerName)
+	r.Client = mgr.GetClient()
+	return builder.
+		ControllerManagedBy(mgr).
+		For(&certificatesv1.CertificateSigningRequest{},
+			builder.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool {
+				csr := object.(*certificatesv1.CertificateSigningRequest)
+				return csr.Labels[constants.UsernameLabelKey] != ""
+			})),
+		).
+		Named(controllerName).
+		Complete(r)
 }

-func (c *Controller) enqueueCertificateSigningRequest(obj interface{}) {
-	var key string
-	var err error
-	if key, err = cache.MetaNamespaceKeyFunc(obj); err != nil {
-		utilruntime.HandleError(err)
-		return
-	}
-	c.workqueue.Add(key)
-}
-
-func (c *Controller) runWorker() {
-	for c.processNextWorkItem() {
-	}
-}
-
-func (c *Controller) processNextWorkItem() bool {
-	obj, shutdown := c.workqueue.Get()
-
-	if shutdown {
-		return false
-	}
-
-	// We wrap this block in a func so we can defer c.workqueue.Done.
-	err := func(obj interface{}) error {
-		// We call Done here so the workqueue knows we have finished
-		// processing this item. We also must remember to call Forget if we
-		// do not want this work item being re-queued. For example, we do
-		// not call Forget if a transient error occurs, instead the item is
-		// put back on the workqueue and attempted again after a back-off
-		// period.
-		defer c.workqueue.Done(obj)
-		var key string
-		var ok bool
-		// We expect strings to come off the workqueue. These are of the
-		// form namespace/name. We do this as the delayed nature of the
-		// workqueue means the items in the csrInformer cache may actually be
-		// more up to date that when the item was initially put onto the
-		// workqueue.
-		if key, ok = obj.(string); !ok {
-			// As the item in the workqueue is actually invalid, we call
-			// Forget here else we'd go into a loop of attempting to
-			// process a work item that is invalid.
-			c.workqueue.Forget(obj)
-			utilruntime.HandleError(fmt.Errorf("expected string in workqueue but got %#v", obj))
-			return nil
-		}
-		// Run the reconcile, passing it the namespace/name string of the
-		// Foo resource to be csrSynced.
-		if err := c.reconcile(key); err != nil {
-			// Put the item back on the workqueue to handle any transient errors.
-			c.workqueue.AddRateLimited(key)
-			return fmt.Errorf("error syncing '%s': %s, requeuing", key, err.Error())
-		}
-		// Finally, if no error occurs we Forget this item so it does not
-		// get queued again until another change happens.
-		c.workqueue.Forget(obj)
-		klog.Infof("Successfully csrSynced %s:%s", "key", key)
-		return nil
-	}(obj)
-
-	if err != nil {
-		utilruntime.HandleError(err)
-		return true
-	}
-
-	return true
-}
-
-// reconcile compares the actual state with the desired, and attempts to
-// converge the two. It then updates the Status block of the Foo resource
-// with the current status of the resource.
-func (c *Controller) reconcile(key string) error {
-
+func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	// Get the CertificateSigningRequest with this name
-	csr, err := c.csrLister.Get(key)
-	if err != nil {
-		// The resource may no longer exist, in which case we stop
-		// processing.
-		if errors.IsNotFound(err) {
-			utilruntime.HandleError(fmt.Errorf("csr '%s' in work queue no longer exists", key))
-			return nil
-		}
-		klog.Error(err)
-		return err
+	csr := &certificatesv1.CertificateSigningRequest{}
+	if err := r.Get(ctx, req.NamespacedName, csr); err != nil {
+		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}

-	// csr create by kubesphere auto approve
+	// csr create by kubesphere auto approval
 	if username := csr.Labels[constants.UsernameLabelKey]; username != "" {
-		err = c.Approve(csr)
-		if err != nil {
-			klog.Error(err)
-			return err
+		if err := r.Approve(csr); err != nil {
+			return ctrl.Result{}, err
 		}
 		// certificate data is not empty
 		if len(csr.Status.Certificate) > 0 {
-			err = c.UpdateKubeconfig(csr)
-			if err != nil {
+			if err := r.UpdateKubeConfig(ctx, username, csr); err != nil {
 				// kubeconfig not generated
-				klog.Error(err)
-				return err
+				return ctrl.Result{}, err
 			}
 			// release
-			err := c.k8sclient.CertificatesV1().CertificateSigningRequests().Delete(context.Background(), csr.Name, *metav1.NewDeleteOptions(0))
-			if err != nil {
-				klog.Error(err)
-				return err
+			if err := r.Delete(ctx, csr, &client.DeleteOptions{GracePeriodSeconds: ptr.To[int64](0)}); err != nil {
+				return ctrl.Result{}, err
 			}
 		}
 	}

-	c.recorder.Event(csr, corev1.EventTypeNormal, successSynced, messageResourceSynced)
-	return nil
+	r.recorder.Event(csr, corev1.EventTypeNormal, kscontroller.Synced, kscontroller.MessageResourceSynced)
+	return ctrl.Result{}, nil
 }

-func (c *Controller) Start(ctx context.Context) error {
-	return c.Run(4, ctx.Done())
-}
-
-func (c *Controller) Approve(csr *certificatesv1.CertificateSigningRequest) error {
+func (r *Reconciler) Approve(csr *certificatesv1.CertificateSigningRequest) error {
 	// is approved
 	if len(csr.Status.Certificate) > 0 {
 		return nil
@@ -262,20 +110,50 @@ func (c *Controller) Approve(csr *certificatesv1.CertificateSigningRequest) erro
 	}

 	// approve csr
-	_, err := c.k8sclient.CertificatesV1().CertificateSigningRequests().UpdateApproval(context.Background(), csr.Name, csr, metav1.UpdateOptions{})
-	if err != nil {
-		klog.Errorln(err)
+	if err := r.SubResource("approval").Update(context.Background(), csr, &client.SubResourceUpdateOptions{SubResourceBody: csr}); err != nil {
 		return err
 	}
-
 	return nil
 }

-func (c *Controller) UpdateKubeconfig(csr *certificatesv1.CertificateSigningRequest) error {
-	username := csr.Labels[constants.UsernameLabelKey]
-	err := c.kubeconfigOperator.UpdateKubeconfig(username, csr)
+func (r *Reconciler) UpdateKubeConfig(ctx context.Context, username string, csr *certificatesv1.CertificateSigningRequest) error {
+	secretName := fmt.Sprintf(userKubeConfigSecretNameFormat, username)
+	secret := &corev1.Secret{}
+	if err := r.Get(ctx, types.NamespacedName{Namespace: constants.KubeSphereNamespace, Name: secretName}, secret); err != nil {
+		return client.IgnoreNotFound(err)
+	}
+	secret = applyCert(secret, csr)
+	if err := r.Update(ctx, secret); err != nil {
+		klog.Errorf("Failed to update secret %s: %v", secretName, err)
+		return err
+	}
+	return nil
+}
+
+func applyCert(secret *corev1.Secret, csr *certificatesv1.CertificateSigningRequest) *corev1.Secret {
+	data := secret.Data[kubeconfigFileName]
+	kubeconfig, err := clientcmd.Load(data)
 	if err != nil {
 		klog.Error(err)
+		return secret
 	}
-	return err
+
+	username := secret.Labels[constants.UsernameLabelKey]
+	privateKey := csr.Annotations[privateKeyAnnotation]
+	clientCert := csr.Status.Certificate
+	kubeconfig.AuthInfos = map[string]*clientcmdapi.AuthInfo{
+		username: {
+			ClientKeyData:         []byte(privateKey),
+			ClientCertificateData: clientCert,
+		},
+	}
+
+	data, err = clientcmd.Write(*kubeconfig)
+	if err != nil {
+		return secret
+	}
+
+	delete(secret.Annotations, "csr")
+	secret.StringData = map[string]string{kubeconfigFileName: string(data)}
+	return secret
 }