Merge branch 'main' into support-natural-language

KusionStack · Aug 25, 2024 · 341616a · 341616a
2 parents da5116c + 551e9f0
commit 341616a
Show file tree

Hide file tree

Showing 69 changed files with 2,715 additions and 768 deletions.
diff --git a/.all-contributorsrc b/.all-contributorsrc
@@ -218,8 +218,18 @@
       "contributions": [
         "code"
       ]
+    },
+    {
+      "login": "cheny-alf",
+      "name": "cheny-alf",
+      "avatar_url": "https://avatars.githubusercontent.com/u/71162267?v=4",
+      "profile": "https://github.com/cheny-alf",
+      "contributions": [
+        "test"
+      ]
     }
   ],
   "contributorsPerLine": 7,
-  "linkToUsage": false
+  "linkToUsage": false,
+  "commitType": "docs"
 }
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -46,6 +46,12 @@
 # /docs/ @doctocat
 /docs/ @elliotxx @panshuai-ps @adohe @ffforest @ruquanzhao
 
+# In this example, @doctocat owns any file in the `/ui`
+# directory in the root of your repository and any of its
+# subdirectories.
+# /ui/ @doctocat
+/ui/ @elliotxx @ruquanzhao @hai-tian
+
 # In this example, @octocat owns any file in the `/apps`
 # directory in the root of your repository except for the `/apps/github`
 # subdirectory, as its owners are left empty.

diff --git a/.goreleaser/.goreleaser-dev.yml b/.goreleaser/.goreleaser-dev.yml
@@ -91,7 +91,6 @@ dockers:
   goarch: amd64
   extra_files:
   - pkg/version/VERSION
-  - config/relationship.yaml
 - image_templates:
   - 'kusionstack/{{ .ProjectName }}:{{ .Tag }}-arm64'
   dockerfile: Dockerfile
@@ -107,7 +106,6 @@ dockers:
   goarch: arm64
   extra_files:
   - pkg/version/VERSION
-  - config/relationship.yaml
 
 docker_manifests:
   - name_template: "kusionstack/{{ .ProjectName }}:{{ .Tag }}"
@@ -118,4 +116,3 @@ docker_manifests:
     image_templates:
       - "kusionstack/{{ .ProjectName }}:{{ .Tag }}-amd64"
       - "kusionstack/{{ .ProjectName }}:{{ .Tag }}-arm64"
-
diff --git a/.goreleaser/.goreleaser.yml b/.goreleaser/.goreleaser.yml
@@ -173,7 +173,6 @@ dockers:
   goarch: amd64
   extra_files:
   - pkg/version/VERSION
-  - config/relationship.yaml
 - image_templates:
   - 'kusionstack/{{ .ProjectName }}:{{ .Tag }}-arm64'
   dockerfile: Dockerfile
@@ -189,7 +188,6 @@ dockers:
   goarch: arm64
   extra_files:
   - pkg/version/VERSION
-  - config/relationship.yaml
 
 docker_manifests:
   - name_template: "kusionstack/{{ .ProjectName }}:{{ .Tag }}"

diff --git a/Dockerfile b/Dockerfile
@@ -19,7 +19,6 @@ WORKDIR /
 
 COPY karpor .
 COPY cert-generator .
-COPY config/relationship.yaml .
 COPY pkg/version/VERSION .
 
 RUN apk update && apk add --no-cache aws-cli

diff --git a/README-pt.md b/README-pt.md
@@ -21,7 +21,8 @@
 </p>
 
 [![Karpor](https://github.com/KusionStack/karpor/actions/workflows/release.yaml/badge.svg)](https://github.com/KusionStack/karpor/actions/workflows/release.yaml)
-[![GitHub release](https://img.shields.io/github/release/KusionStack/karpor.svg)](https://github.com/KusionStack/karpor/releases)
+[![GitHub Release](https://img.shields.io/github/release/KusionStack/karpor.svg)](https://github.com/KusionStack/karpor/releases)
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/karpor)](https://artifacthub.io/packages/helm/kusionstack/karpor)
 [![Go Report Card](https://goreportcard.com/badge/github.com/KusionStack/karpor)](https://goreportcard.com/report/github.com/KusionStack/karpor)
 [![Coverage Status](https://coveralls.io/repos/github/KusionStack/karpor/badge.svg)](https://coveralls.io/github/KusionStack/karpor)
 [![Go Reference](https://pkg.go.dev/badge/github.com/KusionStack/karpor.svg)](https://pkg.go.dev/github.com/KusionStack/karpor)
@@ -157,6 +158,7 @@ Agradecemos a essas pessoas maravilhosas! Venha e [junte-se](https://kusionstack
     </tr>
     <tr>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/iamryanchia"><img src="https://avatars.githubusercontent.com/u/41557860?v=4?s=80" width="80px;" alt="iamryanchia"/><br /><sub><b>iamryanchia</b></sub></a><br /><a href="https://github.com/KusionStack/karpor/commits?author=iamryanchia" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/cheny-alf"><img src="https://avatars.githubusercontent.com/u/71162267?v=4?s=80" width="80px;" alt="cheny-alf"/><br /><sub><b>cheny-alf</b></sub></a><br /><a href="https://github.com/KusionStack/karpor/commits?author=cheny-alf" title="Tests">⚠️</a></td>
     </tr>
   </tbody>
 </table>

diff --git a/README-zh.md b/README-zh.md
@@ -20,7 +20,8 @@
 </p>
 
 [![Karpor](https://github.com/KusionStack/karpor/actions/workflows/release.yaml/badge.svg)](https://github.com/KusionStack/karpor/actions/workflows/release.yaml)
-[![GitHub release](https://img.shields.io/github/release/KusionStack/karpor.svg)](https://github.com/KusionStack/karpor/releases)
+[![GitHub Release](https://img.shields.io/github/release/KusionStack/karpor.svg)](https://github.com/KusionStack/karpor/releases)
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/karpor)](https://artifacthub.io/packages/helm/kusionstack/karpor)
 [![Go Report Card](https://goreportcard.com/badge/github.com/KusionStack/karpor)](https://goreportcard.com/report/github.com/KusionStack/karpor)
 [![Coverage Status](https://coveralls.io/repos/github/KusionStack/karpor/badge.svg)](https://coveralls.io/github/KusionStack/karpor)
 [![Go Reference](https://pkg.go.dev/badge/github.com/KusionStack/karpor.svg)](https://pkg.go.dev/github.com/KusionStack/karpor)
@@ -160,6 +161,7 @@ Karpor 仍处于初期阶段，仍有许多功能需要构建，因此我们欢
     </tr>
     <tr>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/iamryanchia"><img src="https://avatars.githubusercontent.com/u/41557860?v=4?s=80" width="80px;" alt="iamryanchia"/><br /><sub><b>iamryanchia</b></sub></a><br /><a href="https://github.com/KusionStack/karpor/commits?author=iamryanchia" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/cheny-alf"><img src="https://avatars.githubusercontent.com/u/71162267?v=4?s=80" width="80px;" alt="cheny-alf"/><br /><sub><b>cheny-alf</b></sub></a><br /><a href="https://github.com/KusionStack/karpor/commits?author=cheny-alf" title="Tests">⚠️</a></td>
     </tr>
   </tbody>
 </table>

diff --git a/README.md b/README.md
@@ -20,7 +20,8 @@
 </p>
 
 [![Karpor](https://github.com/KusionStack/karpor/actions/workflows/release.yaml/badge.svg)](https://github.com/KusionStack/karpor/actions/workflows/release.yaml)
-[![GitHub release](https://img.shields.io/github/release/KusionStack/karpor.svg)](https://github.com/KusionStack/karpor/releases)
+[![GitHub Release](https://img.shields.io/github/release/KusionStack/karpor.svg)](https://github.com/KusionStack/karpor/releases)
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/karpor)](https://artifacthub.io/packages/helm/kusionstack/karpor)
 [![Go Report Card](https://goreportcard.com/badge/github.com/KusionStack/karpor)](https://goreportcard.com/report/github.com/KusionStack/karpor)
 [![Coverage Status](https://coveralls.io/repos/github/KusionStack/karpor/badge.svg)](https://coveralls.io/github/KusionStack/karpor)
 [![Go Reference](https://pkg.go.dev/badge/github.com/KusionStack/karpor.svg)](https://pkg.go.dev/github.com/KusionStack/karpor)
@@ -160,6 +161,7 @@ Thanks to these wonderful people! Come and [join us](https://kusionstack.io/karp
     </tr>
     <tr>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/iamryanchia"><img src="https://avatars.githubusercontent.com/u/41557860?v=4?s=80" width="80px;" alt="iamryanchia"/><br /><sub><b>iamryanchia</b></sub></a><br /><a href="https://github.com/KusionStack/karpor/commits?author=iamryanchia" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/cheny-alf"><img src="https://avatars.githubusercontent.com/u/71162267?v=4?s=80" width="80px;" alt="cheny-alf"/><br /><sub><b>cheny-alf</b></sub></a><br /><a href="https://github.com/KusionStack/karpor/commits?author=cheny-alf" title="Tests">⚠️</a></td>
     </tr>
   </tbody>
 </table>

diff --git a/cmd/karpor/app/options/recommended.go b/cmd/karpor/app/options/recommended.go
@@ -16,12 +16,13 @@ package options
 
 import (
 	"fmt"
-
-	"github.com/spf13/pflag"
+	"time"
 
 	karporopenapi "github.com/KusionStack/karpor/pkg/kubernetes/generated/openapi"
 	k8sopenapi "github.com/KusionStack/karpor/pkg/kubernetes/openapi"
+	"github.com/KusionStack/karpor/pkg/kubernetes/registry"
 	"github.com/KusionStack/karpor/pkg/kubernetes/scheme"
+	"github.com/spf13/pflag"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/admission"
@@ -39,6 +40,7 @@ import (
 	"k8s.io/component-base/featuregate"
 	"k8s.io/kube-openapi/pkg/common"
 	kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
+	"k8s.io/kubernetes/pkg/serviceaccount"
 )
 
 // RecommendedOptions contains the recommended options for running an API server.
@@ -63,6 +65,10 @@ type RecommendedOptions struct {
 	EgressSelector *options.EgressSelectorOptions
 	// Traces contains options to control distributed request tracing.
 	Traces *options.TracingOptions
+
+	ServiceAccountSigningKeyFile     string
+	ServiceAccountIssuer             serviceaccount.TokenGenerator
+	ServiceAccountTokenMaxExpiration time.Duration
 }
 
 func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptions {
@@ -77,6 +83,7 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio
 		Authentication: kubeoptions.NewBuiltInAuthenticationOptions().
 			WithAnonymous().
 			WithClientCert().
+			WithServiceAccounts().
 			WithRequestHeader(),
 		Authorization:              kubeoptions.NewBuiltInAuthorizationOptions(),
 		Audit:                      options.NewAuditOptions(),
@@ -100,6 +107,8 @@ func (o *RecommendedOptions) AddFlags(fs *pflag.FlagSet) {
 	o.Admission.AddFlags(fs)
 	o.EgressSelector.AddFlags(fs)
 	o.Traces.AddFlags(fs)
+	fs.StringVar(&o.ServiceAccountSigningKeyFile, "service-account-signing-key-file", "",
+		"Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key.")
 }
 
 // ApplyTo adds RecommendedOptions to the server configuration.
@@ -167,6 +176,14 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig) error {
 	return nil
 }
 
+// ApplyToExtraConfig adds RecommendedOptions to the extra server configuration.
+func (o *RecommendedOptions) ApplyToExtraConfig(config *registry.ExtraConfig) error {
+	config.ServiceAccountIssuer = o.ServiceAccountIssuer
+	config.ServiceAccountMaxExpiration = o.ServiceAccountTokenMaxExpiration
+	config.ExtendExpiration = o.Authentication.ServiceAccounts.ExtendExpiration
+	return nil
+}
+
 func (o *RecommendedOptions) Validate() []error {
 	errors := []error{}
 	errors = append(errors, o.ServerRun.Validate()...)

diff --git a/cmd/karpor/app/server.go b/cmd/karpor/app/server.go
@@ -24,6 +24,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"time"
 
 	"github.com/KusionStack/karpor/cmd/karpor/app/options"
 	"github.com/KusionStack/karpor/pkg/kubernetes/registry"
@@ -39,11 +40,16 @@ import (
 	"k8s.io/apiserver/pkg/features"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/util/keyutil"
 	"k8s.io/klog/v2"
+	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
+	"k8s.io/kubernetes/pkg/serviceaccount"
 	netutils "k8s.io/utils/net"
 )
 
 const defaultEtcdPathPrefix = "/registry/karpor"
+const defaultTokenIssuer = "karpor"
+const defaultTokenMaxExpiration = 8760 * time.Hour
 
 // Options contains state for master/api server
 type Options struct {
@@ -151,6 +157,38 @@ func (o *Options) Validate(args []string) error {
 
 // Complete fills in fields required to have valid data
 func (o *Options) Complete() error {
+	// generate token issuer
+	if len(o.RecommendedOptions.Authentication.ServiceAccounts.Issuers) == 0 || o.RecommendedOptions.Authentication.ServiceAccounts.Issuers[0] == "" {
+		o.RecommendedOptions.Authentication.ServiceAccounts.Issuers = []string{defaultTokenIssuer}
+	}
+
+	// set default token max expiration
+	o.RecommendedOptions.ServiceAccountTokenMaxExpiration = defaultTokenMaxExpiration
+	if o.RecommendedOptions.Authentication.ServiceAccounts.MaxExpiration != 0 {
+		o.RecommendedOptions.ServiceAccountTokenMaxExpiration = o.RecommendedOptions.Authentication.ServiceAccounts.MaxExpiration
+	}
+
+	// complete two content-related keys with each other
+	if o.RecommendedOptions.ServiceAccountSigningKeyFile == "" && (len(o.RecommendedOptions.Authentication.ServiceAccounts.KeyFiles) == 0 ||
+		o.RecommendedOptions.Authentication.ServiceAccounts.KeyFiles[0] == "") {
+		return fmt.Errorf("no valid serviceaccounts signing key file")
+	}
+	if o.RecommendedOptions.ServiceAccountSigningKeyFile == "" {
+		o.RecommendedOptions.ServiceAccountSigningKeyFile = o.RecommendedOptions.Authentication.ServiceAccounts.KeyFiles[0]
+	}
+	if len(o.RecommendedOptions.Authentication.ServiceAccounts.KeyFiles) == 0 {
+		o.RecommendedOptions.Authentication.ServiceAccounts.KeyFiles = []string{o.RecommendedOptions.ServiceAccountSigningKeyFile}
+	}
+
+	// create token generator
+	sk, err := keyutil.PrivateKeyFromFile(o.RecommendedOptions.ServiceAccountSigningKeyFile)
+	if err != nil {
+		return fmt.Errorf("failed to parse key-file for token generator: %w", err)
+	}
+	o.RecommendedOptions.ServiceAccountIssuer, err = serviceaccount.JWTTokenGenerator(o.RecommendedOptions.Authentication.ServiceAccounts.Issuers[0], sk)
+	if err != nil {
+		return fmt.Errorf("create token generator failed: %w", err)
+	}
 	return nil
 }
 
@@ -160,9 +198,16 @@ func (o *Options) Config() (*server.Config, error) {
 		GenericConfig: genericapiserver.NewRecommendedConfig(scheme.Codecs),
 		ExtraConfig:   &registry.ExtraConfig{},
 	}
+	// always allow access if readOnlyMode is open
+	if o.CoreOptions.ReadOnlyMode {
+		o.RecommendedOptions.Authorization.Modes = []string{authzmodes.ModeAlwaysAllow}
+	}
 	if err := o.RecommendedOptions.ApplyTo(config.GenericConfig); err != nil {
 		return nil, err
 	}
+	if err := o.RecommendedOptions.ApplyToExtraConfig(config.ExtraConfig); err != nil {
+		return nil, err
+	}
 	if err := o.SearchStorageOptions.ApplyTo(config.ExtraConfig); err != nil {
 		return nil, err
 	}

diff --git a/config/default-rbac.yaml → config/default-anonymous-rbac.yaml b/config/default-rbac.yaml → config/default-anonymous-rbac.yaml
@@ -3,13 +3,6 @@ kind: ClusterRole
 metadata:
   name: anonymous
 rules:
-  - nonResourceURLs:
-      - /rest-api/v1/resource-group-rule
-      - /rest-api/v1/resource-group-rule/*
-      - /rest-api/v1/cluster
-      - /rest-api/v1/cluster/*
-    verbs:
-      - '*'
   - nonResourceURLs:
       - /
       - /rest-api/*
@@ -25,6 +18,9 @@ rules:
       - /insightDetail/*
       - /cluster
       - /cluster/*
+      - /login
+      - /livez
+      - /readyz
     verbs:
       - get
 ---

diff --git a/config/default-karpor-admin-rbac.yaml b/config/default-karpor-admin-rbac.yaml
@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: karpor-admin
+rules:
+  - nonResourceURLs:
+      - /rest-api/v1/resource-group-rule
+      - /rest-api/v1/resource-group-rule/*
+      - /rest-api/v1/cluster
+      - /rest-api/v1/cluster/*
+    verbs:
+      - '*'
+  - nonResourceURLs:
+      - /
+      - /rest-api/*
+      - /endpoints
+      - /public/*
+      - /docs/*
+      - /server-configs
+      - /search
+      - /search/*
+      - /insight
+      - /insight/*
+      - /insightDetail
+      - /insightDetail/*
+      - /cluster
+      - /cluster/*
+      - /login
+      - /rest-api/v1/authn
+      - /livez
+      - /readyz
+    verbs:
+      - get
diff --git a/config/default-karpor-guest-rbac.yaml b/config/default-karpor-guest-rbac.yaml
@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: karpor-guest
+rules:
+  - nonResourceURLs:
+      - /rest-api/v1/resource-group-rule
+      - /rest-api/v1/resource-group-rule/*
+      - /rest-api/v1/cluster
+      - /rest-api/v1/cluster/*
+      - /rest-api/v1/authn
+      - /
+      - /rest-api/*
+      - /endpoints
+      - /public/*
+      - /docs/*
+      - /server-configs
+      - /search
+      - /search/*
+      - /insight
+      - /insight/*
+      - /insightDetail
+      - /insightDetail/*
+      - /cluster
+      - /cluster/*
+      - /login
+      - /livez
+      - /readyz
+    verbs:
+      - get
diff --git a/config/relationship.yaml → config/default-relationship.yaml b/config/relationship.yaml → config/default-relationship.yaml
diff --git a/config/embed.go b/config/embed.go
@@ -16,10 +16,19 @@ package config
 
 import _ "embed"
 
-var DefaultConfig = [][]byte{DefaultSyncStrategy, DefaultRBAC}
+var DefaultConfig = [][]byte{DefaultSyncStrategy, DefaultAnonymousRBAC, DefaultGuestRBAC, DefaultAdminRBAC}
+
+//go:embed default-anonymous-rbac.yaml
+var DefaultAnonymousRBAC []byte
+
+//go:embed default-karpor-admin-rbac.yaml
+var DefaultAdminRBAC []byte
+
+//go:embed default-karpor-guest-rbac.yaml
+var DefaultGuestRBAC []byte
+
+//go:embed default-relationship.yaml
+var DefaultRelationship []byte
 
 //go:embed default-sync-strategy.yaml
 var DefaultSyncStrategy []byte
-
-//go:embed default-rbac.yaml
-var DefaultRBAC []byte