feat: kubesphere 4.0 (#6115)

* feat: kubesphere 4.0 Signed-off-by: ci-bot <ci-bot@kubesphere.io> * feat: kubesphere 4.0 Signed-off-by: ci-bot <ci-bot@kubesphere.io> --------- Signed-off-by: ci-bot <ci-bot@kubesphere.io> Co-authored-by: ks-ci-bot <ks-ci-bot@example.com> Co-authored-by: joyceliu <joyceliu@yunify.com>
2024-09-06 11:05:52 +08:00
parent b5015ec7b9
commit 447a51f08b
8557 changed files with 546695 additions and 1146174 deletions
--- a/pkg/controller/config/config_webhook.go
+++ b/pkg/controller/config/config_webhook.go
@@ -0,0 +1,97 @@
+/*
+ * Please refer to the LICENSE file in the root directory of the project.
+ * https://github.com/kubesphere/kubesphere/blob/master/LICENSE
+ */
+
+package config
+
+import (
+	"context"
+
+	kscontroller "kubesphere.io/kubesphere/pkg/controller"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"kubesphere.io/kubesphere/pkg/constants"
+	"kubesphere.io/kubesphere/pkg/controller/config/identityprovider"
+	"kubesphere.io/kubesphere/pkg/controller/config/oauthclient"
+)
+
+func (w *Webhook) ValidateCreate(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
+	secret := obj.(*v1.Secret)
+	validator := w.factory.GetValidator(secret.Type)
+	if validator != nil {
+		return validator.ValidateCreate(ctx, secret)
+	}
+	return nil, nil
+}
+
+func (w *Webhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (warnings admission.Warnings, err error) {
+	newSecret := newObj.(*v1.Secret)
+	oldSecret := oldObj.(*v1.Secret)
+	if validator := w.factory.GetValidator(newSecret.Type); validator != nil {
+		return validator.ValidateUpdate(ctx, oldSecret, newSecret)
+	}
+	return nil, nil
+}
+
+func (w *Webhook) ValidateDelete(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
+	secret := obj.(*v1.Secret)
+	validator := w.factory.GetValidator(secret.Type)
+	if validator != nil {
+		return validator.ValidateDelete(ctx, secret)
+	}
+	return nil, nil
+}
+
+func (w *Webhook) Default(ctx context.Context, obj runtime.Object) error {
+	secret := obj.(*v1.Secret)
+	if secret.Namespace != constants.KubeSphereNamespace {
+		return nil
+	}
+
+	defaulter := w.factory.GetDefaulter(secret.Type)
+	if defaulter != nil {
+		return defaulter.Default(ctx, secret)
+	}
+
+	return nil
+}
+
+var _ admission.CustomDefaulter = &Webhook{}
+var _ admission.CustomValidator = &Webhook{}
+var _ kscontroller.Controller = &Webhook{}
+
+const webhookName = "kubesphere-config-webhook"
+
+func (w *Webhook) Name() string {
+	return webhookName
+}
+
+type Webhook struct {
+	client.Client
+	factory *WebhookFactory
+}
+
+func (w *Webhook) SetupWithManager(mgr *kscontroller.Manager) error {
+	factory := NewWebhookFactory()
+	oauthWebhookHandler := &oauthclient.WebhookHandler{Client: mgr.GetClient()}
+	factory.RegisterValidator(oauthWebhookHandler)
+	factory.RegisterDefaulter(oauthWebhookHandler)
+	identityProviderWebhookHandler := &identityprovider.WebhookHandler{Client: mgr.GetClient()}
+	factory.RegisterValidator(identityProviderWebhookHandler)
+	factory.RegisterDefaulter(identityProviderWebhookHandler)
+
+	w.Client = mgr.GetClient()
+	w.factory = factory
+
+	return ctrl.NewWebhookManagedBy(mgr).
+		WithValidator(w).
+		WithDefaulter(w).
+		For(&v1.Secret{}).
+		Complete()
+}
--- a/pkg/controller/config/identityprovider/webhook.go
+++ b/pkg/controller/config/identityprovider/webhook.go
@@ -0,0 +1,102 @@
+/*
+ * Please refer to the LICENSE file in the root directory of the project.
+ * https://github.com/kubesphere/kubesphere/blob/master/LICENSE
+ */
+
+package identityprovider
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sync"
+
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider"
+)
+
+var once sync.Once
+
+type WebhookHandler struct {
+	client.Client
+	getter identityprovider.ConfigurationGetter
+}
+
+func (w *WebhookHandler) Default(_ context.Context, secret *corev1.Secret) error {
+	configuration, err := identityprovider.UnmarshalFrom(secret)
+	if err != nil {
+		return err
+	}
+	if configuration.Name != "" {
+		if secret.Labels == nil {
+			secret.Labels = make(map[string]string)
+		}
+		secret.Labels[identityprovider.SecretTypeIdentityProvider] = configuration.Name
+	}
+	return nil
+}
+
+func (w *WebhookHandler) ValidateCreate(ctx context.Context, secret *corev1.Secret) (admission.Warnings, error) {
+	idp, err := identityprovider.UnmarshalFrom(secret)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal identity provider: %v", err)
+	}
+
+	if idp.Name == "" {
+		return nil, errors.New("invalid Identity Provider, please ensure that the provider name is not empty")
+	}
+
+	exists, err := w.isClientExist(ctx, idp.Name)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check identity provider: %v", err)
+	}
+
+	if exists {
+		return nil, fmt.Errorf("invalid provider, provider name '%s' already exists", idp.Name)
+	}
+
+	return nil, nil
+}
+
+func (w *WebhookHandler) ValidateUpdate(_ context.Context, old, new *corev1.Secret) (admission.Warnings, error) {
+	oldIdp, err := identityprovider.UnmarshalFrom(old)
+	if err != nil {
+		return nil, err
+	}
+
+	newIdp, err := identityprovider.UnmarshalFrom(new)
+	if err != nil {
+		return nil, err
+	}
+
+	if newIdp.Name != oldIdp.Name {
+		return nil, fmt.Errorf("the provider name is immutable, old: %s, new: %s", oldIdp.Name, newIdp.Name)
+	}
+	return nil, nil
+}
+
+func (w *WebhookHandler) ValidateDelete(_ context.Context, _ *corev1.Secret) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (w *WebhookHandler) ConfigType() corev1.SecretType {
+	return identityprovider.SecretTypeIdentityProvider
+}
+
+func (w *WebhookHandler) isClientExist(ctx context.Context, clientName string) (bool, error) {
+	once.Do(func() {
+		w.getter = identityprovider.NewConfigurationGetter(w.Client)
+	})
+
+	_, err := w.getter.GetConfiguration(ctx, clientName)
+	if err != nil {
+		if errors.Is(identityprovider.ErrorIdentityProviderNotFound, err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to get identity provider: %v", err)
+	}
+	return true, nil
+}
--- a/pkg/controller/config/oauthclient/webhook.go
+++ b/pkg/controller/config/oauthclient/webhook.go
@@ -0,0 +1,131 @@
+/*
+ * Please refer to the LICENSE file in the root directory of the project.
+ * https://github.com/kubesphere/kubesphere/blob/master/LICENSE
+ */
+
+package oauthclient
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"math/rand"
+	"sync"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth"
+)
+
+var once sync.Once
+
+type WebhookHandler struct {
+	client.Client
+	getter oauth.ClientGetter
+}
+
+func (v *WebhookHandler) Default(_ context.Context, secret *v1.Secret) error {
+	oc, err := oauth.UnmarshalFrom(secret)
+	if err != nil {
+		return err
+	}
+	if oc.GrantMethod == "" {
+		oc.GrantMethod = oauth.GrantMethodAuto
+	}
+	if oc.Secret == "" {
+		oc.Secret = generatePassword(32)
+	}
+	if secret.Labels == nil {
+		secret.Labels = make(map[string]string)
+	}
+	secret.Labels[oauth.SecretTypeOAuthClient] = oc.Name
+	return oauth.MarshalInto(oc, secret)
+}
+
+func (v *WebhookHandler) ValidateCreate(ctx context.Context, secret *corev1.Secret) (admission.Warnings, error) {
+	oc, err := oauth.UnmarshalFrom(secret)
+	if err != nil {
+		return nil, err
+	}
+	if oc.Name != "" {
+		exist, err := v.clientExist(ctx, oc.Name)
+		if err != nil {
+			return nil, err
+		}
+		if exist {
+			return nil, fmt.Errorf("invalid OAuth client, client name '%s' already exists", oc.Name)
+		}
+	}
+
+	return validate(oc)
+}
+
+func (v *WebhookHandler) ValidateUpdate(_ context.Context, old, new *corev1.Secret) (admission.Warnings, error) {
+	newOc, err := oauth.UnmarshalFrom(new)
+	if err != nil {
+		return nil, err
+	}
+	oldOc, err := oauth.UnmarshalFrom(old)
+	if err != nil {
+		return nil, err
+	}
+	if newOc.Name != oldOc.Name {
+		return nil, fmt.Errorf("cannot change client name")
+	}
+	return validate(newOc)
+}
+
+func (v *WebhookHandler) ValidateDelete(_ context.Context, _ *corev1.Secret) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (v *WebhookHandler) ConfigType() corev1.SecretType {
+	return oauth.SecretTypeOAuthClient
+}
+
+// validate performs general validation for the OAuth client.
+func validate(oc *oauth.Client) (admission.Warnings, error) {
+	if oc.Name == "" {
+		return nil, fmt.Errorf("invalid OAuth client, please ensure that the client name is not empty")
+	}
+
+	if err := oauth.ValidateClient(*oc); err != nil {
+		return nil, err
+	}
+
+	// Other scope values MAY be present.
+	// Scope values used that are not understood by an implementation SHOULD be ignored.
+	if !oauth.IsValidScopes(oc.ScopeRestrictions) {
+		warnings := fmt.Sprintf("some requested scopes were invalid: %v", oc.ScopeRestrictions)
+		return []string{warnings}, nil
+	}
+	return nil, nil
+}
+
+func (v *WebhookHandler) clientExist(ctx context.Context, clientName string) (bool, error) {
+	once.Do(func() {
+		v.getter = oauth.NewOAuthClientGetter(v.Client)
+	})
+
+	if _, err := v.getter.GetOAuthClient(ctx, clientName); err != nil {
+		if errors.Is(err, oauth.ErrorClientNotFound) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}
+
+func generatePassword(length int) string {
+	characters := "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+	password := make([]byte, length)
+	r := rand.New(rand.NewSource(time.Now().UnixNano()))
+	for i := range password {
+		password[i] = characters[r.Intn(len(characters))]
+	}
+	return string(password)
+}
--- a/pkg/controller/config/webhook_factory.go
+++ b/pkg/controller/config/webhook_factory.go
@@ -0,0 +1,54 @@
+/*
+ * Please refer to the LICENSE file in the root directory of the project.
+ * https://github.com/kubesphere/kubesphere/blob/master/LICENSE
+ */
+
+package config
+
+import (
+	"context"
+
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	v1 "k8s.io/api/core/v1"
+)
+
+type ValidatorInterface interface {
+	ValidateCreate(ctx context.Context, secret *v1.Secret) (admission.Warnings, error)
+	ValidateUpdate(ctx context.Context, old, new *v1.Secret) (admission.Warnings, error)
+	ValidateDelete(ctx context.Context, secret *v1.Secret) (admission.Warnings, error)
+	ConfigType() v1.SecretType
+}
+
+type DefaulterInterface interface {
+	Default(ctx context.Context, secret *v1.Secret) error
+	ConfigType() v1.SecretType
+}
+
+func (w *WebhookFactory) RegisterValidator(validator ValidatorInterface) {
+	w.validators[validator.ConfigType()] = validator
+}
+
+func (w *WebhookFactory) RegisterDefaulter(defaulter DefaulterInterface) {
+	w.defaulters[defaulter.ConfigType()] = defaulter
+}
+
+func (w *WebhookFactory) GetValidator(secretType v1.SecretType) ValidatorInterface {
+	return w.validators[secretType]
+}
+
+func (w *WebhookFactory) GetDefaulter(secretType v1.SecretType) DefaulterInterface {
+	return w.defaulters[secretType]
+}
+
+type WebhookFactory struct {
+	validators map[v1.SecretType]ValidatorInterface
+	defaulters map[v1.SecretType]DefaulterInterface
+}
+
+func NewWebhookFactory() *WebhookFactory {
+	return &WebhookFactory{
+		validators: make(map[v1.SecretType]ValidatorInterface),
+		defaulters: make(map[v1.SecretType]DefaulterInterface),
+	}
+}