feat: kubesphere 4.0 (#6115)

* feat: kubesphere 4.0

Signed-off-by: ci-bot <ci-bot@kubesphere.io>

* feat: kubesphere 4.0

Signed-off-by: ci-bot <ci-bot@kubesphere.io>

---------

Signed-off-by: ci-bot <ci-bot@kubesphere.io>
Co-authored-by: ks-ci-bot <ks-ci-bot@example.com>
Co-authored-by: joyceliu <joyceliu@yunify.com>

vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/combined.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// Combine combines the DefinitionsSchemaResolver with a secondary schema resolver.
+// The resulting schema resolver uses the DefinitionsSchemaResolver for a GVK that DefinitionsSchemaResolver knows,
+// and the secondary otherwise.
+func (d *DefinitionsSchemaResolver) Combine(secondary SchemaResolver) SchemaResolver {
+	return &combinedSchemaResolver{definitions: d, secondary: secondary}
+}
+
+type combinedSchemaResolver struct {
+	definitions *DefinitionsSchemaResolver
+	secondary   SchemaResolver
+}
+
+// ResolveSchema takes a GroupVersionKind (GVK) and returns the OpenAPI schema
+// identified by the GVK.
+// If the DefinitionsSchemaResolver knows the gvk, the DefinitionsSchemaResolver handles the resolution,
+// otherwise, the secondary does.
+func (r *combinedSchemaResolver) ResolveSchema(gvk schema.GroupVersionKind) (*spec.Schema, error) {
+	if _, ok := r.definitions.gvkToRef[gvk]; ok {
+		return r.definitions.ResolveSchema(gvk)
+	}
+	return r.secondary.ResolveSchema(gvk)
+}

vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/definitions.go

@@ -0,0 +1,114 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/endpoints/openapi"
+	"k8s.io/kube-openapi/pkg/common"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// DefinitionsSchemaResolver resolves the schema of a built-in type
+// by looking up the OpenAPI definitions.
+type DefinitionsSchemaResolver struct {
+	defs     map[string]common.OpenAPIDefinition
+	gvkToRef map[schema.GroupVersionKind]string
+}
+
+// NewDefinitionsSchemaResolver creates a new DefinitionsSchemaResolver.
+// An example working setup:
+// getDefinitions = "k8s.io/kubernetes/pkg/generated/openapi".GetOpenAPIDefinitions
+// scheme         = "k8s.io/client-go/kubernetes/scheme".Scheme
+func NewDefinitionsSchemaResolver(getDefinitions common.GetOpenAPIDefinitions, schemes ...*runtime.Scheme) *DefinitionsSchemaResolver {
+	gvkToRef := make(map[schema.GroupVersionKind]string)
+	namer := openapi.NewDefinitionNamer(schemes...)
+	defs := getDefinitions(func(path string) spec.Ref {
+		return spec.MustCreateRef(path)
+	})
+	for name := range defs {
+		_, e := namer.GetDefinitionName(name)
+		gvks := extensionsToGVKs(e)
+		for _, gvk := range gvks {
+			gvkToRef[gvk] = name
+		}
+	}
+	return &DefinitionsSchemaResolver{
+		gvkToRef: gvkToRef,
+		defs:     defs,
+	}
+}
+
+func (d *DefinitionsSchemaResolver) ResolveSchema(gvk schema.GroupVersionKind) (*spec.Schema, error) {
+	ref, ok := d.gvkToRef[gvk]
+	if !ok {
+		return nil, fmt.Errorf("cannot resolve %v: %w", gvk, ErrSchemaNotFound)
+	}
+	s, err := PopulateRefs(func(ref string) (*spec.Schema, bool) {
+		// find the schema by the ref string, and return a deep copy
+		def, ok := d.defs[ref]
+		if !ok {
+			return nil, false
+		}
+		s := def.Schema
+		return &s, true
+	}, ref)
+	if err != nil {
+		return nil, err
+	}
+	return s, nil
+}
+
+func extensionsToGVKs(extensions spec.Extensions) []schema.GroupVersionKind {
+	gvksAny, ok := extensions[extGVK]
+	if !ok {
+		return nil
+	}
+	gvks, ok := gvksAny.([]any)
+	if !ok {
+		return nil
+	}
+	result := make([]schema.GroupVersionKind, 0, len(gvks))
+	for _, gvkAny := range gvks {
+		// type check the map and all fields
+		gvkMap, ok := gvkAny.(map[string]any)
+		if !ok {
+			return nil
+		}
+		g, ok := gvkMap["group"].(string)
+		if !ok {
+			return nil
+		}
+		v, ok := gvkMap["version"].(string)
+		if !ok {
+			return nil
+		}
+		k, ok := gvkMap["kind"].(string)
+		if !ok {
+			return nil
+		}
+		result = append(result, schema.GroupVersionKind{
+			Group:   g,
+			Version: v,
+			Kind:    k,
+		})
+	}
+	return result
+}

vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/discovery.go

@@ -0,0 +1,104 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/discovery"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// ClientDiscoveryResolver uses client-go discovery to resolve schemas at run time.
+type ClientDiscoveryResolver struct {
+	Discovery discovery.DiscoveryInterface
+}
+
+var _ SchemaResolver = (*ClientDiscoveryResolver)(nil)
+
+func (r *ClientDiscoveryResolver) ResolveSchema(gvk schema.GroupVersionKind) (*spec.Schema, error) {
+	p, err := r.Discovery.OpenAPIV3().Paths()
+	if err != nil {
+		return nil, err
+	}
+	resourcePath := resourcePathFromGV(gvk.GroupVersion())
+	c, ok := p[resourcePath]
+	if !ok {
+		return nil, fmt.Errorf("cannot resolve group version %q: %w", gvk.GroupVersion(), ErrSchemaNotFound)
+	}
+	b, err := c.Schema(runtime.ContentTypeJSON)
+	if err != nil {
+		return nil, err
+	}
+	resp := new(schemaResponse)
+	err = json.Unmarshal(b, resp)
+	if err != nil {
+		return nil, err
+	}
+	ref, err := resolveRef(resp, gvk)
+	if err != nil {
+		return nil, err
+	}
+	s, err := PopulateRefs(func(ref string) (*spec.Schema, bool) {
+		s, ok := resp.Components.Schemas[strings.TrimPrefix(ref, refPrefix)]
+		return s, ok
+	}, ref)
+	if err != nil {
+		return nil, err
+	}
+	return s, nil
+}
+
+func resolveRef(resp *schemaResponse, gvk schema.GroupVersionKind) (string, error) {
+	for ref, s := range resp.Components.Schemas {
+		var gvks []schema.GroupVersionKind
+		err := s.Extensions.GetObject(extGVK, &gvks)
+		if err != nil {
+			return "", err
+		}
+		for _, g := range gvks {
+			if g == gvk {
+				return ref, nil
+			}
+		}
+	}
+	return "", fmt.Errorf("cannot resolve group version kind %q: %w", gvk, ErrSchemaNotFound)
+}
+
+func resourcePathFromGV(gv schema.GroupVersion) string {
+	var resourcePath string
+	if len(gv.Group) == 0 {
+		resourcePath = fmt.Sprintf("api/%s", gv.Version)
+	} else {
+		resourcePath = fmt.Sprintf("apis/%s/%s", gv.Group, gv.Version)
+	}
+	return resourcePath
+}
+
+type schemaResponse struct {
+	Components struct {
+		Schemas map[string]*spec.Schema `json:"schemas"`
+	} `json:"components"`
+}
+
+const refPrefix = "#/components/schemas/"
+
+const extGVK = "x-kubernetes-group-version-kind"

vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/refs.go

@@ -0,0 +1,122 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// PopulateRefs recursively replaces Refs in the schema with the referred one.
+// schemaOf is the callback to find the corresponding schema by the ref.
+// This function will not mutate the original schema. If the schema needs to be
+// mutated, a copy will be returned, otherwise it returns the original schema.
+func PopulateRefs(schemaOf func(ref string) (*spec.Schema, bool), rootRef string) (*spec.Schema, error) {
+	visitedRefs := sets.New[string]()
+	rootSchema, ok := schemaOf(rootRef)
+	visitedRefs.Insert(rootRef)
+	if !ok {
+		return nil, fmt.Errorf("internal error: cannot resolve Ref for root schema %q: %w", rootRef, ErrSchemaNotFound)
+	}
+	return populateRefs(schemaOf, visitedRefs, rootSchema)
+}
+
+func populateRefs(schemaOf func(ref string) (*spec.Schema, bool), visited sets.Set[string], schema *spec.Schema) (*spec.Schema, error) {
+	result := *schema
+	changed := false
+
+	ref, isRef := refOf(schema)
+	if isRef {
+		if visited.Has(ref) {
+			return &spec.Schema{
+				// for circular ref, return an empty object as placeholder
+				SchemaProps: spec.SchemaProps{Type: []string{"object"}},
+			}, nil
+		}
+		visited.Insert(ref)
+		// restore visited state at the end of the recursion.
+		defer func() {
+			visited.Delete(ref)
+		}()
+		// replace the whole schema with the referred one.
+		resolved, ok := schemaOf(ref)
+		if !ok {
+			return nil, fmt.Errorf("internal error: cannot resolve Ref %q: %w", ref, ErrSchemaNotFound)
+		}
+		result = *resolved
+		changed = true
+	}
+	// schema is an object, populate its properties and additionalProperties
+	props := make(map[string]spec.Schema, len(schema.Properties))
+	propsChanged := false
+	for name, prop := range result.Properties {
+		populated, err := populateRefs(schemaOf, visited, &prop)
+		if err != nil {
+			return nil, err
+		}
+		if populated != &prop {
+			propsChanged = true
+		}
+		props[name] = *populated
+	}
+	if propsChanged {
+		changed = true
+		result.Properties = props
+	}
+	if result.AdditionalProperties != nil && result.AdditionalProperties.Schema != nil {
+		populated, err := populateRefs(schemaOf, visited, result.AdditionalProperties.Schema)
+		if err != nil {
+			return nil, err
+		}
+		if populated != result.AdditionalProperties.Schema {
+			changed = true
+			result.AdditionalProperties.Schema = populated
+		}
+	}
+	// schema is a list, populate its items
+	if result.Items != nil && result.Items.Schema != nil {
+		populated, err := populateRefs(schemaOf, visited, result.Items.Schema)
+		if err != nil {
+			return nil, err
+		}
+		if populated != result.Items.Schema {
+			changed = true
+			result.Items.Schema = populated
+		}
+	}
+	if changed {
+		return &result, nil
+	}
+	return schema, nil
+}
+
+func refOf(schema *spec.Schema) (string, bool) {
+	if schema.Ref.GetURL() != nil {
+		return schema.Ref.String(), true
+	}
+	// A Ref may be wrapped in allOf to preserve its description
+	// see https://github.com/kubernetes/kubernetes/issues/106387
+	// For kube-openapi, allOf is only used for wrapping a Ref.
+	for _, allOf := range schema.AllOf {
+		if ref, isRef := refOf(&allOf); isRef {
+			return ref, isRef
+		}
+	}
+	return "", false
+}

vendor/k8s.io/apiserver/pkg/cel/openapi/resolver/resolver.go

@@ -0,0 +1,39 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// SchemaResolver finds the OpenAPI schema for the given GroupVersionKind.
+// This interface uses the type defined by k8s.io/kube-openapi
+type SchemaResolver interface {
+	// ResolveSchema takes a GroupVersionKind (GVK) and returns the OpenAPI schema
+	// identified by the GVK.
+	// The function returns a non-nil error if the schema cannot be found or fail
+	// to resolve. The returned error wraps ErrSchemaNotFound if the resolution is
+	// attempted but the corresponding schema cannot be found.
+	ResolveSchema(gvk schema.GroupVersionKind) (*spec.Schema, error)
+}
+
+// ErrSchemaNotFound is wrapped and returned if the schema cannot be located
+// by the resolver.
+var ErrSchemaNotFound = fmt.Errorf("schema not found")