Merge pull request #4458 from ks-ci-bot/cherry-pick-4457-to-release-3.2

[release-3.2] Namespace should not be filterd for Cluster Gateway

cmd/controller-manager/app/server.go

@@ -315,12 +315,11 @@ func run(s *options.KubeSphereControllerManagerOptions, ctx context.Context) err
 		klog.Fatalf("Unable to create ResourceQuota controller: %v", err)
 	}
 
-	helmReconciler := helm.Reconciler{}
 	if !s.GatewayOptions.IsEmpty() {
-		helmReconciler.WatchFiles = append(helmReconciler.WatchFiles, s.GatewayOptions.WatchesPath)
-	}
-	if err := helmReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatalf("Unable to create helm controller: %v", err)
+		helmReconciler := helm.Reconciler{GatewayOptions: s.GatewayOptions}
+		if err := helmReconciler.SetupWithManager(mgr); err != nil {
+			klog.Fatalf("Unable to create helm controller: %v", err)
+		}
 	}
 
 	// TODO(jeff): refactor config with CRD

config/gateway/values.yaml

@@ -14,6 +14,7 @@ controller:
     repository: kubesphere/nginx-ingress-controller
     tag: "v0.48.1"
     pullPolicy: IfNotPresent
+    digest: ""
 
 
 service:

pkg/controller/helm/helm_controller.go

@@ -23,25 +23,26 @@ import (
 	"k8s.io/klog"
 	ctrl "sigs.k8s.io/controller-runtime"
 
+	"kubesphere.io/kubesphere/pkg/simple/client/gateway"
+
 	"github.com/operator-framework/helm-operator-plugins/pkg/annotation"
 	"github.com/operator-framework/helm-operator-plugins/pkg/reconciler"
 	"github.com/operator-framework/helm-operator-plugins/pkg/watches"
 )
 
 type Reconciler struct {
-	WatchFiles []string
+	GatewayOptions *gateway.Options
 }
 
 // SetupWithManager creates reconilers for each helm package that defined in the WatchFiles.
 func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 	var watchKinds []watches.Watch
-	for _, file := range r.WatchFiles {
-		ws, err := watches.Load(file)
-		if err != nil {
-			return err
-		}
-		watchKinds = append(watchKinds, ws...)
+
+	ws, err := watches.Load(r.GatewayOptions.WatchesPath)
+	if err != nil {
+		return err
 	}
+	watchKinds = append(watchKinds, ws...)
 
 	for _, w := range watchKinds {
 		// Register controller with the factory
@@ -58,7 +59,7 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 		r, err := reconciler.New(
 			reconciler.WithChart(*w.Chart),
 			reconciler.WithGroupVersionKind(w.GroupVersionKind),
-			reconciler.WithOverrideValues(w.OverrideValues),
+			reconciler.WithOverrideValues(r.defaultConfiguration()),
 			reconciler.SkipDependentWatches(w.WatchDependentResources != nil && !*w.WatchDependentResources),
 			reconciler.WithMaxConcurrentReconciles(maxConcurrentReconciles),
 			reconciler.WithReconcilePeriod(reconcilePeriod),
@@ -76,3 +77,14 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 	}
 	return nil
 }
+
+func (r *Reconciler) defaultConfiguration() map[string]string {
+	var overrideValues = make(map[string]string)
+	if r.GatewayOptions.Repository != "" {
+		overrideValues["controller.image.repository"] = r.GatewayOptions.Repository
+	}
+	if r.GatewayOptions.Tag != "" {
+		overrideValues["controller.image.tag"] = r.GatewayOptions.Tag
+	}
+	return overrideValues
+}

pkg/controller/helm/helm_controller_test.go

@@ -27,6 +27,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
+	"kubesphere.io/kubesphere/pkg/simple/client/gateway"
+
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
@@ -79,8 +81,7 @@ var _ = Context("Helm reconcier", func() {
 			mgr, err := ctrl.NewManager(cfg, ctrl.Options{MetricsBindAddress: "0"})
 			Expect(err).NotTo(HaveOccurred(), "failed to create a manager")
 
-			reconciler := &Reconciler{}
-			reconciler.WatchFiles = append(reconciler.WatchFiles, f.Name())
+			reconciler := &Reconciler{GatewayOptions: &gateway.Options{WatchesPath: f.Name()}}
 			err = reconciler.SetupWithManager(mgr)
 			Expect(err).NotTo(HaveOccurred(), "failed to setup helm reconciler")
 

pkg/models/auth/password.go

@@ -76,7 +76,8 @@ func (p *passwordAuthenticator) Authenticate(_ context.Context, username, passwo
 				return nil, providerOptions.Name, err
 			}
 			linkedAccount, err := p.userGetter.findMappedUser(providerOptions.Name, authenticated.GetUserID())
-			if err != nil {
+			if err != nil && !errors.IsNotFound(err) {
+				klog.Error(err)
 				return nil, providerOptions.Name, err
 			}
 			// using this method requires you to manually provision users.

pkg/models/auth/password_test.go

@@ -19,9 +19,22 @@
 package auth
 
 import (
+	"context"
+	"reflect"
 	"testing"
 
+	"github.com/mitchellh/mapstructure"
 	"golang.org/x/crypto/bcrypt"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apiserver/pkg/authentication/user"
+	authuser "k8s.io/apiserver/pkg/authentication/user"
+	iamv1alpha2 "kubesphere.io/api/iam/v1alpha2"
+
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication"
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider"
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth"
+	fakeks "kubesphere.io/kubesphere/pkg/client/clientset/versioned/fake"
+	ksinformers "kubesphere.io/kubesphere/pkg/client/informers/externalversions"
 )
 
 func TestEncryptPassword(t *testing.T) {
@@ -39,3 +52,197 @@ func hashPassword(password string) (string, error) {
 	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
 	return string(bytes), err
 }
+
+func Test_passwordAuthenticator_Authenticate(t *testing.T) {
+
+	oauthOptions := &authentication.Options{
+		OAuthOptions: &oauth.Options{
+			IdentityProviders: []oauth.IdentityProviderOptions{
+				{
+					Name:          "fakepwd",
+					MappingMethod: "auto",
+					Type:          "fakePasswordProvider",
+					Provider: oauth.DynamicOptions{
+						"identities": map[string]interface{}{
+							"user1": map[string]string{
+								"uid":      "100001",
+								"email":    "user1@kubesphere.io",
+								"username": "user1",
+								"password": "password",
+							},
+							"user2": map[string]string{
+								"uid":      "100002",
+								"email":    "user2@kubesphere.io",
+								"username": "user2",
+								"password": "password",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	identityprovider.RegisterGenericProvider(&fakePasswordProviderFactory{})
+	if err := identityprovider.SetupWithOptions(oauthOptions.OAuthOptions.IdentityProviders); err != nil {
+		t.Fatal(err)
+	}
+
+	ksClient := fakeks.NewSimpleClientset()
+	ksInformerFactory := ksinformers.NewSharedInformerFactory(ksClient, 0)
+	err := ksInformerFactory.Iam().V1alpha2().Users().Informer().GetIndexer().Add(newUser("user1", "100001", "fakepwd"))
+	err = ksInformerFactory.Iam().V1alpha2().Users().Informer().GetIndexer().Add(newUser("user3", "100003", ""))
+	err = ksInformerFactory.Iam().V1alpha2().Users().Informer().GetIndexer().Add(newActiveUser("user4", "password"))
+
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	authenticator := NewPasswordAuthenticator(
+		ksClient,
+		ksInformerFactory.Iam().V1alpha2().Users().Lister(),
+		oauthOptions,
+	)
+
+	type args struct {
+		ctx      context.Context
+		username string
+		password string
+	}
+	tests := []struct {
+		name                  string
+		passwordAuthenticator PasswordAuthenticator
+		args                  args
+		want                  authuser.Info
+		want1                 string
+		wantErr               bool
+	}{
+		{
+			name:                  "Should successfully with existing provider user",
+			passwordAuthenticator: authenticator,
+			args: args{
+				ctx:      context.Background(),
+				username: "user1",
+				password: "password",
+			},
+			want: &user.DefaultInfo{
+				Name: "user1",
+			},
+			wantErr: false,
+		},
+		{
+			name:                  "Should return register user",
+			passwordAuthenticator: authenticator,
+			args: args{
+				ctx:      context.Background(),
+				username: "user2",
+				password: "password",
+			},
+			want: &user.DefaultInfo{
+				Name: "system:pre-registration",
+				Extra: map[string][]string{
+					"email":    {"user2@kubesphere.io"},
+					"idp":      {"fakepwd"},
+					"uid":      {"100002"},
+					"username": {"user2"},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name:                  "Should failed login",
+			passwordAuthenticator: authenticator,
+			args: args{
+				ctx:      context.Background(),
+				username: "user3",
+				password: "password",
+			},
+			wantErr: true,
+		},
+		{
+			name:                  "Should successfully with internal user",
+			passwordAuthenticator: authenticator,
+			args: args{
+				ctx:      context.Background(),
+				username: "user4",
+				password: "password",
+			},
+			want: &user.DefaultInfo{
+				Name: "user4",
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p := tt.passwordAuthenticator
+			got, _, err := p.Authenticate(tt.args.ctx, tt.args.username, tt.args.password)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("passwordAuthenticator.Authenticate() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("passwordAuthenticator.Authenticate() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+type fakePasswordProviderFactory struct {
+}
+
+type fakePasswordProvider struct {
+	Identities map[string]fakePasswordIdentity `json:"identities"`
+}
+
+type fakePasswordIdentity struct {
+	UID      string `json:"uid"`
+	Username string `json:"username"`
+	Email    string `json:"email"`
+	Password string `json:"password"`
+}
+
+func (f fakePasswordIdentity) GetUserID() string {
+	return f.UID
+}
+
+func (f fakePasswordIdentity) GetUsername() string {
+	return f.Username
+}
+
+func (f fakePasswordIdentity) GetEmail() string {
+	return f.Email
+}
+
+func (fakePasswordProviderFactory) Type() string {
+	return "fakePasswordProvider"
+}
+
+func (fakePasswordProviderFactory) Create(options oauth.DynamicOptions) (identityprovider.GenericProvider, error) {
+	var fakeProvider fakePasswordProvider
+	if err := mapstructure.Decode(options, &fakeProvider); err != nil {
+		return nil, err
+	}
+	return &fakeProvider, nil
+}
+
+func (l fakePasswordProvider) Authenticate(username string, password string) (identityprovider.Identity, error) {
+	if i, ok := l.Identities[username]; ok && i.Password == password {
+		return i, nil
+	}
+	return nil, errors.NewUnauthorized("authorization failed")
+}
+
+func encrypt(password string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	return string(bytes), err
+}
+
+func newActiveUser(username string, password string) *iamv1alpha2.User {
+	u := newUser(username, "", "")
+	password, _ = encrypt(password)
+	u.Spec.EncryptedPassword = password
+	s := iamv1alpha2.UserActive
+	u.Status.State = &s
+	return u
+}

pkg/models/resources/v1alpha3/pod/pods.go

@@ -28,9 +28,10 @@ import (
 )
 
 const (
-	filedNameName    = "nodeName"
-	filedPVCName     = "pvcName"
-	filedServiceName = "serviceName"
+	fieldNodeName    = "nodeName"
+	fieldPVCName     = "pvcName"
+	fieldServiceName = "serviceName"
+	fieldStatus      = "status"
 )
 
 type podsGetter struct {
@@ -82,12 +83,14 @@ func (p *podsGetter) filter(object runtime.Object, filter query.Filter) bool {
 		return false
 	}
 	switch filter.Field {
-	case filedNameName:
+	case fieldNodeName:
 		return pod.Spec.NodeName == string(filter.Value)
-	case filedPVCName:
+	case fieldPVCName:
 		return p.podBindPVC(pod, string(filter.Value))
-	case filedServiceName:
+	case fieldServiceName:
 		return p.podBelongToService(pod, string(filter.Value))
+	case fieldStatus:
+		return string(pod.Status.Phase) == string(filter.Value)
 	default:
 		return v1alpha3.DefaultObjectMetaFilter(pod.ObjectMeta, filter)
 	}

pkg/models/resources/v1alpha3/pod/pods_test.go

@@ -51,7 +51,7 @@ func TestListPods(t *testing.T) {
 				Filters:   map[query.Field]query.Value{query.FieldNamespace: query.Value("default")},
 			},
 			&api.ListResult{
-				Items:      []interface{}{foo4, foo3, foo2, foo1},
+				Items:      []interface{}{foo5, foo4, foo3, foo2, foo1},
 				TotalItems: len(pods),
 			},
 			nil,
@@ -68,7 +68,7 @@ func TestListPods(t *testing.T) {
 				Ascending: false,
 				Filters: map[query.Field]query.Value{
 					query.FieldNamespace: query.Value("default"),
-					filedPVCName:         query.Value(foo4.Spec.Volumes[0].PersistentVolumeClaim.ClaimName),
+					fieldPVCName:         query.Value(foo4.Spec.Volumes[0].PersistentVolumeClaim.ClaimName),
 				},
 			},
 			&api.ListResult{
@@ -77,6 +77,27 @@ func TestListPods(t *testing.T) {
 			},
 			nil,
 		},
+		{
+			"test status filter",
+			"default",
+			&query.Query{
+				Pagination: &query.Pagination{
+					Limit:  10,
+					Offset: 0,
+				},
+				SortBy:    query.FieldName,
+				Ascending: false,
+				Filters: map[query.Field]query.Value{
+					query.FieldNamespace: query.Value("default"),
+					fieldStatus:          query.Value(corev1.PodRunning),
+				},
+			},
+			&api.ListResult{
+				Items:      []interface{}{foo5},
+				TotalItems: 1,
+			},
+			nil,
+		},
 	}
 
 	getter := prepare()
@@ -133,7 +154,16 @@ var (
 			},
 		},
 	}
-	pods = []interface{}{foo1, foo2, foo3, foo4}
+	foo5 = &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo5",
+			Namespace: "default",
+		},
+		Status: corev1.PodStatus{
+			Phase: corev1.PodRunning,
+		},
+	}
+	pods = []interface{}{foo1, foo2, foo3, foo4, foo5}
 )
 
 func prepare() v1alpha3.Interface {

pkg/simple/client/gateway/options.go

@@ -26,6 +26,8 @@ import (
 type Options struct {
 	WatchesPath string `json:"watchesPath,omitempty" yaml:"watchesPath"`
 	Namespace   string `json:"namespace,omitempty" yaml:"namespace"`
+	Repository  string `json:"repository,omitempty" yaml:"repository"`
+	Tag         string `json:"tag,omitempty" yaml:"tag"`
 }
 
 // NewGatewayOptions creates a default Gateway Option
@@ -33,6 +35,8 @@ func NewGatewayOptions() *Options {
 	return &Options{
 		WatchesPath: "",
 		Namespace:   "", //constants.KubeSphereControlNamespace
+		Repository:  "",
+		Tag:         "",
 	}
 }
 
@@ -59,4 +63,6 @@ func (s *Options) ApplyTo(options *Options) {
 func (s *Options) AddFlags(fs *pflag.FlagSet, c *Options) {
 	fs.StringVar(&s.WatchesPath, "watches-path", c.WatchesPath, "Path to the watches file to use.")
 	fs.StringVar(&s.Namespace, "namespace", c.Namespace, "Working Namespace of the Gateway's Ingress Controller.")
+	fs.StringVar(&s.Repository, "repository", c.Repository, "The Gateway Controller's image repository")
+	fs.StringVar(&s.Tag, "tag", c.Tag, "The Gateway Controller's image tag")
 }

pkg/simple/client/monitoring/prometheus/promql.go

@@ -17,6 +17,7 @@ import (
 	"fmt"
 	"strings"
 
+	"kubesphere.io/kubesphere/pkg/constants"
 	"kubesphere.io/kubesphere/pkg/simple/client/monitoring"
 )
 
@@ -482,13 +483,20 @@ func makeIngressMetricExpr(tmpl string, o monitoring.QueryOptions) string {
 	// For monitoring ingress in the specific namespace
 	// GET /namespaces/{namespace}/ingress/{ingress} or
 	// GET /namespaces/{namespace}/ingress
-	if o.NamespaceName != "" {
+	if o.NamespaceName != constants.KubeSphereNamespace {
 		if o.Ingress != "" {
 			ingressSelector = fmt.Sprintf(`exported_namespace="%s", ingress="%s"`, o.NamespaceName, o.Ingress)
 		} else {
 			ingressSelector = fmt.Sprintf(`exported_namespace="%s", ingress=~"%s"`, o.NamespaceName, o.ResourceFilter)
 		}
+	} else {
+		if o.Ingress != "" {
+			ingressSelector = fmt.Sprintf(`ingress="%s"`, o.Ingress)
+		} else {
+			ingressSelector = fmt.Sprintf(`ingress=~"%s"`, o.ResourceFilter)
+		}
 	}
+
 	// job is a reqiuried filter
 	// GET /namespaces/{namespace}/ingress?job=xxx&pod=xxx
 	if o.Job != "" {