diff --git a/controllers/storagecluster/storageclient.go b/controllers/storagecluster/storageclient.go index d048ee52b3..e8c87a4bca 100644 --- a/controllers/storagecluster/storageclient.go +++ b/controllers/storagecluster/storageclient.go @@ -44,7 +44,7 @@ func (s *storageClient) ensureCreated(r *StorageClusterReconciler, storagecluste storageClient.Name = storagecluster.Name _, err := controllerutil.CreateOrUpdate(r.ctx, r.Client, storageClient, func() error { if storageClient.Status.ConsumerID == "" { - token, err := util.GenerateClientOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, nil) + token, err := util.GenerateClientOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, nil, storagecluster.UID) if err != nil { return fmt.Errorf("unable to generate onboarding token: %v", err) } diff --git a/controllers/util/k8sutil.go b/controllers/util/k8sutil.go index fb1e5504ea..95771759a9 100644 --- a/controllers/util/k8sutil.go +++ b/controllers/util/k8sutil.go @@ -13,8 +13,11 @@ import ( corev1 "k8s.io/api/core/v1" storagev1 "k8s.io/api/storage/v1" "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" + "k8s.io/klog/v2" "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client/config" ) const ( @@ -166,3 +169,36 @@ func GenerateNameForNonResilientCephBlockPoolSC(initData *ocsv1.StorageCluster) } return fmt.Sprintf("%s-ceph-non-resilient-rbd", initData.Name) } + +func GetStorageClusterInNamespace(ctx context.Context, cl client.Client, namespace string) (*ocsv1.StorageCluster, error) { + storageClusterList := &ocsv1.StorageClusterList{} + err := cl.List(ctx, storageClusterList, client.InNamespace(namespace), client.Limit(1)) + if err != nil { + return nil, fmt.Errorf("unable to list storageCluster(s) in namespace %s: %v", namespace, err) + } + + if len(storageClusterList.Items) == 0 { + return nil, fmt.Errorf("no storageCluster found in namespace %s", namespace) + } + if storageClusterList.Items[0].Status.Phase == PhaseIgnored { + return nil, fmt.Errorf("storageCluster with Phase 'Ignored' found. Please delete the storageCluster to proceed") + } + + return &storageClusterList.Items[0], nil +} + +func NewK8sClient(scheme *runtime.Scheme) (client.Client, error) { + klog.Info("Setting up k8s client") + + config, err := config.GetConfig() + if err != nil { + return nil, err + } + + k8sClient, err := client.New(config, client.Options{Scheme: scheme}) + if err != nil { + return nil, err + } + + return k8sClient, nil +} diff --git a/controllers/util/provider.go b/controllers/util/provider.go index ea21067943..231dfd8c13 100644 --- a/controllers/util/provider.go +++ b/controllers/util/provider.go @@ -13,14 +13,16 @@ import ( "os" "time" - "github.com/google/uuid" "github.com/red-hat-storage/ocs-operator/v4/services" + + "github.com/google/uuid" + "k8s.io/apimachinery/pkg/types" ) // GenerateClientOnboardingToken generates a ocs-client token valid for a duration of "tokenLifetimeInHours". // The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath". // The storageQuotaInGiB is optional, and it is used to limit the storage of PVC in the application cluster. -func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageQuotainGib *uint) (string, error) { +func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageQuotainGib *uint, storageClusterUID types.UID) (string, error) { tokenExpirationDate := time.Now(). Add(time.Duration(tokenLifetimeInHours) * time.Hour). Unix() @@ -30,6 +32,7 @@ func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKeyPath stri ExpirationDate: tokenExpirationDate, SubjectRole: services.ClientRole, StorageQuotaInGiB: storageQuotainGib, + StorageCluster: storageClusterUID, } token, err := encodeAndSignOnboardingToken(privateKeyPath, ticket) @@ -41,7 +44,7 @@ func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKeyPath stri // GeneratePeerOnboardingToken generates a ocs-peer token valid for a duration of "tokenLifetimeInHours". // The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath". -func GeneratePeerOnboardingToken(tokenLifetimeInHours int, privateKeyPath string) (string, error) { +func GeneratePeerOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageClusterUID types.UID) (string, error) { tokenExpirationDate := time.Now(). Add(time.Duration(tokenLifetimeInHours) * time.Hour). Unix() @@ -50,6 +53,7 @@ func GeneratePeerOnboardingToken(tokenLifetimeInHours int, privateKeyPath string ID: uuid.New().String(), ExpirationDate: tokenExpirationDate, SubjectRole: services.PeerRole, + StorageCluster: storageClusterUID, } token, err := encodeAndSignOnboardingToken(privateKeyPath, ticket) if err != nil { diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml index 2547e7ca2d..9683139716 100644 --- a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml +++ b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml @@ -627,6 +627,10 @@ spec: - name: ONBOARDING_TOKEN_LIFETIME - name: UX_BACKEND_PORT - name: TLS_ENABLED + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace image: quay.io/ocs-dev/ocs-operator:latest imagePullPolicy: IfNotPresent name: ux-backend-server diff --git a/deploy/ocs-operator/manifests/ux_backend_role.yaml b/deploy/ocs-operator/manifests/ux_backend_role.yaml index f89b32672e..f334ad0e76 100644 --- a/deploy/ocs-operator/manifests/ux_backend_role.yaml +++ b/deploy/ocs-operator/manifests/ux_backend_role.yaml @@ -14,3 +14,10 @@ rules: verbs: - get - list +- apiGroups: + - ocs.openshift.io + resources: + - storageclusters + verbs: + - get + - list diff --git a/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/controllers/util/k8sutil.go b/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/controllers/util/k8sutil.go index fb1e5504ea..95771759a9 100644 --- a/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/controllers/util/k8sutil.go +++ b/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/controllers/util/k8sutil.go @@ -13,8 +13,11 @@ import ( corev1 "k8s.io/api/core/v1" storagev1 "k8s.io/api/storage/v1" "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" + "k8s.io/klog/v2" "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client/config" ) const ( @@ -166,3 +169,36 @@ func GenerateNameForNonResilientCephBlockPoolSC(initData *ocsv1.StorageCluster) } return fmt.Sprintf("%s-ceph-non-resilient-rbd", initData.Name) } + +func GetStorageClusterInNamespace(ctx context.Context, cl client.Client, namespace string) (*ocsv1.StorageCluster, error) { + storageClusterList := &ocsv1.StorageClusterList{} + err := cl.List(ctx, storageClusterList, client.InNamespace(namespace), client.Limit(1)) + if err != nil { + return nil, fmt.Errorf("unable to list storageCluster(s) in namespace %s: %v", namespace, err) + } + + if len(storageClusterList.Items) == 0 { + return nil, fmt.Errorf("no storageCluster found in namespace %s", namespace) + } + if storageClusterList.Items[0].Status.Phase == PhaseIgnored { + return nil, fmt.Errorf("storageCluster with Phase 'Ignored' found. Please delete the storageCluster to proceed") + } + + return &storageClusterList.Items[0], nil +} + +func NewK8sClient(scheme *runtime.Scheme) (client.Client, error) { + klog.Info("Setting up k8s client") + + config, err := config.GetConfig() + if err != nil { + return nil, err + } + + k8sClient, err := client.New(config, client.Options{Scheme: scheme}) + if err != nil { + return nil, err + } + + return k8sClient, nil +} diff --git a/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/controllers/util/provider.go b/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/controllers/util/provider.go index ea21067943..231dfd8c13 100644 --- a/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/controllers/util/provider.go +++ b/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/controllers/util/provider.go @@ -13,14 +13,16 @@ import ( "os" "time" - "github.com/google/uuid" "github.com/red-hat-storage/ocs-operator/v4/services" + + "github.com/google/uuid" + "k8s.io/apimachinery/pkg/types" ) // GenerateClientOnboardingToken generates a ocs-client token valid for a duration of "tokenLifetimeInHours". // The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath". // The storageQuotaInGiB is optional, and it is used to limit the storage of PVC in the application cluster. -func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageQuotainGib *uint) (string, error) { +func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageQuotainGib *uint, storageClusterUID types.UID) (string, error) { tokenExpirationDate := time.Now(). Add(time.Duration(tokenLifetimeInHours) * time.Hour). Unix() @@ -30,6 +32,7 @@ func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKeyPath stri ExpirationDate: tokenExpirationDate, SubjectRole: services.ClientRole, StorageQuotaInGiB: storageQuotainGib, + StorageCluster: storageClusterUID, } token, err := encodeAndSignOnboardingToken(privateKeyPath, ticket) @@ -41,7 +44,7 @@ func GenerateClientOnboardingToken(tokenLifetimeInHours int, privateKeyPath stri // GeneratePeerOnboardingToken generates a ocs-peer token valid for a duration of "tokenLifetimeInHours". // The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath". -func GeneratePeerOnboardingToken(tokenLifetimeInHours int, privateKeyPath string) (string, error) { +func GeneratePeerOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageClusterUID types.UID) (string, error) { tokenExpirationDate := time.Now(). Add(time.Duration(tokenLifetimeInHours) * time.Hour). Unix() @@ -50,6 +53,7 @@ func GeneratePeerOnboardingToken(tokenLifetimeInHours int, privateKeyPath string ID: uuid.New().String(), ExpirationDate: tokenExpirationDate, SubjectRole: services.PeerRole, + StorageCluster: storageClusterUID, } token, err := encodeAndSignOnboardingToken(privateKeyPath, ticket) if err != nil { diff --git a/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/services/types.go b/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/services/types.go index 66baf99452..bde6f900f4 100644 --- a/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/services/types.go +++ b/metrics/vendor/github.com/red-hat-storage/ocs-operator/v4/services/types.go @@ -1,5 +1,7 @@ package services +import "k8s.io/apimachinery/pkg/types" + type OnboardingSubjectRole string const ( @@ -12,4 +14,5 @@ type OnboardingTicket struct { ExpirationDate int64 `json:"expirationDate,string"` SubjectRole OnboardingSubjectRole `json:"subjectRole"` StorageQuotaInGiB *uint `json:"storageQuotaInGiB,omitempty"` + StorageCluster types.UID `json:"storageCluster"` } diff --git a/metrics/vendor/modules.txt b/metrics/vendor/modules.txt index 5ee4ca9e59..e2e2bf0889 100644 --- a/metrics/vendor/modules.txt +++ b/metrics/vendor/modules.txt @@ -756,6 +756,7 @@ sigs.k8s.io/container-object-storage-interface-api/apis/objectstorage/v1alpha1 ## explicit; go 1.22.0 sigs.k8s.io/controller-runtime/pkg/client sigs.k8s.io/controller-runtime/pkg/client/apiutil +sigs.k8s.io/controller-runtime/pkg/client/config sigs.k8s.io/controller-runtime/pkg/event sigs.k8s.io/controller-runtime/pkg/internal/log sigs.k8s.io/controller-runtime/pkg/log diff --git a/metrics/vendor/sigs.k8s.io/controller-runtime/pkg/client/config/config.go b/metrics/vendor/sigs.k8s.io/controller-runtime/pkg/client/config/config.go new file mode 100644 index 0000000000..5f0a6d4b1d --- /dev/null +++ b/metrics/vendor/sigs.k8s.io/controller-runtime/pkg/client/config/config.go @@ -0,0 +1,181 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package config + +import ( + "flag" + "fmt" + "os" + "os/user" + "path/filepath" + + "k8s.io/client-go/rest" + "k8s.io/client-go/tools/clientcmd" + clientcmdapi "k8s.io/client-go/tools/clientcmd/api" + logf "sigs.k8s.io/controller-runtime/pkg/internal/log" +) + +// KubeconfigFlagName is the name of the kubeconfig flag +const KubeconfigFlagName = "kubeconfig" + +var ( + kubeconfig string + log = logf.RuntimeLog.WithName("client").WithName("config") +) + +// init registers the "kubeconfig" flag to the default command line FlagSet. +// TODO: This should be removed, as it potentially leads to redefined flag errors for users, if they already +// have registered the "kubeconfig" flag to the command line FlagSet in other parts of their code. +func init() { + RegisterFlags(flag.CommandLine) +} + +// RegisterFlags registers flag variables to the given FlagSet if not already registered. +// It uses the default command line FlagSet, if none is provided. Currently, it only registers the kubeconfig flag. +func RegisterFlags(fs *flag.FlagSet) { + if fs == nil { + fs = flag.CommandLine + } + if f := fs.Lookup(KubeconfigFlagName); f != nil { + kubeconfig = f.Value.String() + } else { + fs.StringVar(&kubeconfig, KubeconfigFlagName, "", "Paths to a kubeconfig. Only required if out-of-cluster.") + } +} + +// GetConfig creates a *rest.Config for talking to a Kubernetes API server. +// If --kubeconfig is set, will use the kubeconfig file at that location. Otherwise will assume running +// in cluster and use the cluster provided kubeconfig. +// +// It also applies saner defaults for QPS and burst based on the Kubernetes +// controller manager defaults (20 QPS, 30 burst) +// +// Config precedence: +// +// * --kubeconfig flag pointing at a file +// +// * KUBECONFIG environment variable pointing at a file +// +// * In-cluster config if running in cluster +// +// * $HOME/.kube/config if exists. +func GetConfig() (*rest.Config, error) { + return GetConfigWithContext("") +} + +// GetConfigWithContext creates a *rest.Config for talking to a Kubernetes API server with a specific context. +// If --kubeconfig is set, will use the kubeconfig file at that location. Otherwise will assume running +// in cluster and use the cluster provided kubeconfig. +// +// It also applies saner defaults for QPS and burst based on the Kubernetes +// controller manager defaults (20 QPS, 30 burst) +// +// Config precedence: +// +// * --kubeconfig flag pointing at a file +// +// * KUBECONFIG environment variable pointing at a file +// +// * In-cluster config if running in cluster +// +// * $HOME/.kube/config if exists. +func GetConfigWithContext(context string) (*rest.Config, error) { + cfg, err := loadConfig(context) + if err != nil { + return nil, err + } + if cfg.QPS == 0.0 { + cfg.QPS = 20.0 + } + if cfg.Burst == 0 { + cfg.Burst = 30 + } + return cfg, nil +} + +// loadInClusterConfig is a function used to load the in-cluster +// Kubernetes client config. This variable makes is possible to +// test the precedence of loading the config. +var loadInClusterConfig = rest.InClusterConfig + +// loadConfig loads a REST Config as per the rules specified in GetConfig. +func loadConfig(context string) (config *rest.Config, configErr error) { + // If a flag is specified with the config location, use that + if len(kubeconfig) > 0 { + return loadConfigWithContext("", &clientcmd.ClientConfigLoadingRules{ExplicitPath: kubeconfig}, context) + } + + // If the recommended kubeconfig env variable is not specified, + // try the in-cluster config. + kubeconfigPath := os.Getenv(clientcmd.RecommendedConfigPathEnvVar) + if len(kubeconfigPath) == 0 { + c, err := loadInClusterConfig() + if err == nil { + return c, nil + } + + defer func() { + if configErr != nil { + log.Error(err, "unable to load in-cluster config") + } + }() + } + + // If the recommended kubeconfig env variable is set, or there + // is no in-cluster config, try the default recommended locations. + // + // NOTE: For default config file locations, upstream only checks + // $HOME for the user's home directory, but we can also try + // os/user.HomeDir when $HOME is unset. + // + // TODO(jlanford): could this be done upstream? + loadingRules := clientcmd.NewDefaultClientConfigLoadingRules() + if _, ok := os.LookupEnv("HOME"); !ok { + u, err := user.Current() + if err != nil { + return nil, fmt.Errorf("could not get current user: %w", err) + } + loadingRules.Precedence = append(loadingRules.Precedence, filepath.Join(u.HomeDir, clientcmd.RecommendedHomeDir, clientcmd.RecommendedFileName)) + } + + return loadConfigWithContext("", loadingRules, context) +} + +func loadConfigWithContext(apiServerURL string, loader clientcmd.ClientConfigLoader, context string) (*rest.Config, error) { + return clientcmd.NewNonInteractiveDeferredLoadingClientConfig( + loader, + &clientcmd.ConfigOverrides{ + ClusterInfo: clientcmdapi.Cluster{ + Server: apiServerURL, + }, + CurrentContext: context, + }).ClientConfig() +} + +// GetConfigOrDie creates a *rest.Config for talking to a Kubernetes apiserver. +// If --kubeconfig is set, will use the kubeconfig file at that location. Otherwise will assume running +// in cluster and use the cluster provided kubeconfig. +// +// Will log an error and exit if there is an error creating the rest.Config. +func GetConfigOrDie() *rest.Config { + config, err := GetConfig() + if err != nil { + log.Error(err, "unable to get kubeconfig") + os.Exit(1) + } + return config +} diff --git a/metrics/vendor/sigs.k8s.io/controller-runtime/pkg/client/config/doc.go b/metrics/vendor/sigs.k8s.io/controller-runtime/pkg/client/config/doc.go new file mode 100644 index 0000000000..796c9cf590 --- /dev/null +++ b/metrics/vendor/sigs.k8s.io/controller-runtime/pkg/client/config/doc.go @@ -0,0 +1,18 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package config contains libraries for initializing REST configs for talking to the Kubernetes API +package config diff --git a/onboarding-validation-keys-generator/main.go b/onboarding-validation-keys-generator/main.go index b4a05ad31b..77462d02a4 100644 --- a/onboarding-validation-keys-generator/main.go +++ b/onboarding-validation-keys-generator/main.go @@ -5,15 +5,16 @@ import ( "crypto/rsa" "crypto/x509" "encoding/pem" - v1 "github.com/red-hat-storage/ocs-operator/api/v4/v1" + + ocsv1 "github.com/red-hat-storage/ocs-operator/api/v4/v1" "github.com/red-hat-storage/ocs-operator/v4/controllers/util" + "golang.org/x/net/context" corev1 "k8s.io/api/core/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" "k8s.io/klog/v2" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/client/config" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" ) @@ -24,9 +25,18 @@ const ( ) func main() { - cl, err := newClient() + + scheme := runtime.NewScheme() + if err := corev1.AddToScheme(scheme); err != nil { + klog.Exitf("failed to add corev1 to scheme. %v", err) + } + if err := ocsv1.AddToScheme(scheme); err != nil { + klog.Exitf("failed to add ocsv1 to scheme. %v", err) + } + + cl, err := util.NewK8sClient(scheme) if err != nil { - klog.Exitf("failed to create client: %v", err) + klog.Exitf("failed to create kube client: %v", err) } ctx := context.Background() @@ -44,15 +54,10 @@ func main() { privatePem := convertRsaPrivateKeyAsPemStr(privateKey) publicPem := convertRsaPublicKeyAsPemStr(publicKey) - storageClusterList := &v1.StorageClusterList{} - err = cl.List(ctx, storageClusterList, client.InNamespace(namespace)) + storageCluster, err := util.GetStorageClusterInNamespace(ctx, cl, namespace) if err != nil { - klog.Exitf("unable to list storageCluster(s) in %v namespace, %v", namespace, err) + klog.Exitf("failed to get storage cluster: %v", err) } - if len(storageClusterList.Items) != 1 { - klog.Exitf("unexpected number of storageCluster(s) found in %v namespace, expected: 1 actual: %v", namespace, len(storageClusterList.Items)) - } - storageCluster := &storageClusterList.Items[0] // In situations where there is a risk of one secret being updated and potentially // failing to update another, it is recommended not to rely solely on clientset update mechanisms. @@ -105,27 +110,6 @@ func main() { } -func newClient() (client.Client, error) { - klog.Info("Setting up k8s client") - scheme := runtime.NewScheme() - if err := v1.AddToScheme(scheme); err != nil { - return nil, err - } - if err := corev1.AddToScheme(scheme); err != nil { - return nil, err - } - config, err := config.GetConfig() - if err != nil { - return nil, err - } - k8sClient, err := client.New(config, client.Options{Scheme: scheme}) - if err != nil { - return nil, err - } - - return k8sClient, nil -} - func convertRsaPrivateKeyAsPemStr(privateKey *rsa.PrivateKey) string { privteKeyBytes := x509.MarshalPKCS1PrivateKey(privateKey) privateKeyPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privteKeyBytes}) diff --git a/rbac/ux_backend_role.yaml b/rbac/ux_backend_role.yaml index f89b32672e..f334ad0e76 100644 --- a/rbac/ux_backend_role.yaml +++ b/rbac/ux_backend_role.yaml @@ -14,3 +14,10 @@ rules: verbs: - get - list +- apiGroups: + - ocs.openshift.io + resources: + - storageclusters + verbs: + - get + - list diff --git a/services/provider/server/server.go b/services/provider/server/server.go index f12e7e021f..7eed078a75 100644 --- a/services/provider/server/server.go +++ b/services/provider/server/server.go @@ -49,7 +49,6 @@ import ( "k8s.io/apimachinery/pkg/types" klog "k8s.io/klog/v2" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/client/config" ) const ( @@ -74,7 +73,12 @@ type OCSProviderServer struct { } func NewOCSProviderServer(ctx context.Context, namespace string) (*OCSProviderServer, error) { - client, err := newClient() + scheme, err := newScheme() + if err != nil { + return nil, fmt.Errorf("failed to create new scheme. %v", err) + } + + client, err := util.NewK8sClient(scheme) if err != nil { return nil, fmt.Errorf("failed to create new client. %v", err) } @@ -121,6 +125,19 @@ func (s *OCSProviderServer) OnboardConsumer(ctx context.Context, req *pb.Onboard klog.Errorf("failed to validate onboarding ticket for consumer %q. %v", req.ConsumerName, err) return nil, status.Errorf(codes.InvalidArgument, "onboarding ticket is not valid. %v", err) } + storageCluster, err := util.GetStorageClusterInNamespace(ctx, s.client, s.namespace) + if err != nil { + return nil, status.Errorf(codes.Internal, "failed to get storageCluster. %v", err) + } + + if storageCluster.UID != onboardingTicket.StorageCluster { + return nil, status.Errorf(codes.InvalidArgument, "onboarding ticket storageCluster not match existing storageCluster.") + } + + if !storageCluster.Spec.AllowRemoteStorageConsumers { + return nil, status.Errorf(codes.PermissionDenied, "onboarding remote storageConsumer(s) is not allowed.") + } + storageQuotaInGiB := ptr.Deref(onboardingTicket.StorageQuotaInGiB, 0) if onboardingTicket.SubjectRole != services.ClientRole { @@ -195,7 +212,7 @@ func (s *OCSProviderServer) GetStorageConfig(ctx context.Context, req *pb.Storag return nil, status.Errorf(codes.Internal, "Failed to construct status response: %v", err) } - storageCluster, err := s.getStorageCluster(ctx) + storageCluster, err := util.GetStorageClusterInNamespace(ctx, s.client, s.namespace) if err != nil { return nil, err } @@ -250,7 +267,7 @@ func (s *OCSProviderServer) Start(port int, opts []grpc.ServerOption) { } } -func newClient() (client.Client, error) { +func newScheme() (*runtime.Scheme, error) { scheme := runtime.NewScheme() err := ocsv1alpha1.AddToScheme(scheme) if err != nil { @@ -277,19 +294,9 @@ func newClient() (client.Client, error) { return nil, fmt.Errorf("failed to add routev1 to scheme. %v", err) } - config, err := config.GetConfig() - if err != nil { - klog.Error(err, "failed to get rest.config") - return nil, err - } - client, err := client.New(config, client.Options{Scheme: scheme}) - if err != nil { - klog.Error(err, "failed to create controller-runtime client") - return nil, err - } - - return client, nil + return scheme, nil } + func (s *OCSProviderServer) getExternalResources(ctx context.Context, consumerResource *ocsv1alpha1.StorageConsumer) ([]*pb.ExternalResource, error) { var extR []*pb.ExternalResource @@ -762,7 +769,7 @@ func (s *OCSProviderServer) GetStorageClaimConfig(ctx context.Context, req *pb.S "csi.storage.k8s.io/controller-expand-secret-name": provisionerSecretName, } - storageCluster, err := s.getStorageCluster(ctx) + storageCluster, err := util.GetStorageClusterInNamespace(ctx, s.client, s.namespace) if err != nil { return nil, err } @@ -855,7 +862,7 @@ func (s *OCSProviderServer) ReportStatus(ctx context.Context, req *pb.ReportStat return nil, status.Errorf(codes.Internal, "Failed to construct status response: %v", err) } - storageCluster, err := s.getStorageCluster(ctx) + storageCluster, err := util.GetStorageClusterInNamespace(ctx, s.client, s.namespace) if err != nil { return nil, err } @@ -896,34 +903,6 @@ func (s *OCSProviderServer) getOCSSubscriptionChannel(ctx context.Context) (stri return subscription.Spec.Channel, nil } -func (s *OCSProviderServer) getStorageCluster(ctx context.Context) (*ocsv1.StorageCluster, error) { - scList := &ocsv1.StorageClusterList{} - if err := s.client.List(ctx, scList, client.InNamespace(s.namespace)); err != nil { - return nil, status.Errorf(codes.Internal, "failed to list storage clusters: %v", err) - } - - var foundSc *ocsv1.StorageCluster - for i := range scList.Items { - sc := &scList.Items[i] - if sc.Status.Phase == util.PhaseIgnored { - continue // Skip Ignored storage cluster - } - if sc.Spec.AllowRemoteStorageConsumers { - if foundSc != nil { - // This means we have already found one storage cluster, so this is a second one - return nil, status.Errorf(codes.FailedPrecondition, "multiple provider storage clusters found") - } - foundSc = sc - } - } - - if foundSc == nil { - return nil, status.Errorf(codes.NotFound, "no provider storage cluster found") - } - - return foundSc, nil -} - func isEncryptionInTransitEnabled(networkSpec *rookCephv1.NetworkSpec) bool { return networkSpec != nil && networkSpec.Connections != nil && diff --git a/services/types.go b/services/types.go index 66baf99452..bde6f900f4 100644 --- a/services/types.go +++ b/services/types.go @@ -1,5 +1,7 @@ package services +import "k8s.io/apimachinery/pkg/types" + type OnboardingSubjectRole string const ( @@ -12,4 +14,5 @@ type OnboardingTicket struct { ExpirationDate int64 `json:"expirationDate,string"` SubjectRole OnboardingSubjectRole `json:"subjectRole"` StorageQuotaInGiB *uint `json:"storageQuotaInGiB,omitempty"` + StorageCluster types.UID `json:"storageCluster"` } diff --git a/services/ux-backend/handlers/onboarding/clienttokens/handler.go b/services/ux-backend/handlers/onboarding/clienttokens/handler.go index cd4cc5c932..3d32567239 100644 --- a/services/ux-backend/handlers/onboarding/clienttokens/handler.go +++ b/services/ux-backend/handlers/onboarding/clienttokens/handler.go @@ -11,6 +11,7 @@ import ( "k8s.io/klog/v2" "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" ) const ( @@ -23,16 +24,16 @@ var unitToGib = map[string]uint{ "Pi": 1024 * 1024, } -func HandleMessage(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int) { +func HandleMessage(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int, cl client.Client, namespace string) { switch r.Method { case "POST": - handlePost(w, r, tokenLifetimeInHours) + handlePost(w, r, tokenLifetimeInHours, cl, namespace) default: handleUnsupportedMethod(w, r) } } -func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int) { +func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int, cl client.Client, namespace string) { var storageQuotaInGiB *uint // When ContentLength is 0 that means request body is empty and // storage quota is unlimited @@ -59,7 +60,13 @@ func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int storageQuotaInGiB = ptr.To(unitAsGiB * quota.Value) } - if onboardingToken, err := util.GenerateClientOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, storageQuotaInGiB); err != nil { + storageCluster, err := util.GetStorageClusterInNamespace(r.Context(), cl, namespace) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + + if onboardingToken, err := util.GenerateClientOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, storageQuotaInGiB, storageCluster.UID); err != nil { klog.Errorf("failed to get onboarding token: %v", err) w.WriteHeader(http.StatusInternalServerError) w.Header().Set("Content-Type", handlers.ContentTypeTextPlain) diff --git a/services/ux-backend/handlers/onboarding/peertokens/handler.go b/services/ux-backend/handlers/onboarding/peertokens/handler.go index 9dfd8ff414..5d8f252872 100644 --- a/services/ux-backend/handlers/onboarding/peertokens/handler.go +++ b/services/ux-backend/handlers/onboarding/peertokens/handler.go @@ -8,23 +8,31 @@ import ( "github.com/red-hat-storage/ocs-operator/v4/services/ux-backend/handlers" "k8s.io/klog/v2" + "sigs.k8s.io/controller-runtime/pkg/client" ) const ( onboardingPrivateKeyFilePath = "/etc/private-key/key" ) -func HandleMessage(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int) { +func HandleMessage(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int, cl client.Client, namespace string) { switch r.Method { case "POST": - handlePost(w, r, tokenLifetimeInHours) + handlePost(w, r, tokenLifetimeInHours, cl, namespace) default: handleUnsupportedMethod(w, r) } } -func handlePost(w http.ResponseWriter, _ *http.Request, tokenLifetimeInHours int) { - if onboardingToken, err := util.GeneratePeerOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath); err != nil { +func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int, cl client.Client, namespace string) { + + storageCluster, err := util.GetStorageClusterInNamespace(r.Context(), cl, namespace) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + + if onboardingToken, err := util.GeneratePeerOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, storageCluster.UID); err != nil { klog.Errorf("failed to get onboarding token: %v", err) w.WriteHeader(http.StatusInternalServerError) w.Header().Set("Content-Type", handlers.ContentTypeTextPlain) diff --git a/services/ux-backend/main.go b/services/ux-backend/main.go index a88c1762b2..42abc96137 100644 --- a/services/ux-backend/main.go +++ b/services/ux-backend/main.go @@ -7,9 +7,13 @@ import ( "os" "strconv" + ocsv1 "github.com/red-hat-storage/ocs-operator/api/v4/v1" + "github.com/red-hat-storage/ocs-operator/v4/controllers/util" "github.com/red-hat-storage/ocs-operator/v4/services/ux-backend/handlers/onboarding/clienttokens" "github.com/red-hat-storage/ocs-operator/v4/services/ux-backend/handlers/onboarding/peertokens" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/klog/v2" ) @@ -63,18 +67,33 @@ func main() { os.Exit(-1) } + namespace := util.GetPodNamespace() + + scheme := runtime.NewScheme() + if err := corev1.AddToScheme(scheme); err != nil { + klog.Exitf("failed to add corev1 to scheme. %v", err) + } + if err := ocsv1.AddToScheme(scheme); err != nil { + klog.Exitf("failed to add ocsv1 to scheme. %v", err) + } + + cl, err := util.NewK8sClient(scheme) + if err != nil { + klog.Exitf("failed to create kube client: %v", err) + } + // TODO: remove '/onboarding-tokens' in the future http.HandleFunc("/onboarding-tokens", func(w http.ResponseWriter, r *http.Request) { // Set the Deprecation header w.Header().Set("Deprecation", "true") // Standard "Deprecation" header w.Header().Set("Link", "/onboarding/client-tokens; rel=\"alternate\"") - clienttokens.HandleMessage(w, r, config.tokenLifetimeInHours) + clienttokens.HandleMessage(w, r, config.tokenLifetimeInHours, cl, namespace) }) http.HandleFunc("/onboarding/client-tokens", func(w http.ResponseWriter, r *http.Request) { - clienttokens.HandleMessage(w, r, config.tokenLifetimeInHours) + clienttokens.HandleMessage(w, r, config.tokenLifetimeInHours, cl, namespace) }) http.HandleFunc("/onboarding/peer-tokens", func(w http.ResponseWriter, r *http.Request) { - peertokens.HandleMessage(w, r, config.tokenLifetimeInHours) + peertokens.HandleMessage(w, r, config.tokenLifetimeInHours, cl, namespace) }) klog.Info("ux backend server listening on port ", config.listenPort) diff --git a/tools/csv-merger/csv-merger.go b/tools/csv-merger/csv-merger.go index a39e88894c..73fb87af0c 100644 --- a/tools/csv-merger/csv-merger.go +++ b/tools/csv-merger/csv-merger.go @@ -674,6 +674,14 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec { Name: "TLS_ENABLED", Value: os.Getenv("TLS_ENABLED"), }, + { + Name: util.PodNamespaceEnvVar, + ValueFrom: &corev1.EnvVarSource{ + FieldRef: &corev1.ObjectFieldSelector{ + FieldPath: "metadata.namespace", + }, + }, + }, }, SecurityContext: &corev1.SecurityContext{ RunAsNonRoot: ptr.To(true),