diff --git a/crds/embedded/cdi.yaml b/crds/embedded/cdi.yaml index 1f1de8316..af3ef6f6d 100644 --- a/crds/embedded/cdi.yaml +++ b/crds/embedded/cdi.yaml @@ -3,17 +3,19 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.13.0 - name: cdis.x.virtualization.deckhouse.io + name: dvpinternalcdis.internal.virtualization.deckhouse.io spec: - group: x.virtualization.deckhouse.io + group: internal.virtualization.deckhouse.io names: - kind: CDI - listKind: CDIList - plural: cdis + categories: + - dvpinternal + kind: DVPInternalCDI + listKind: DVPInternalCDIList + plural: dvpinternalcdis shortNames: - - xcdi - - xcdis - singular: cdi + - dvpcdi + - dvpcdis + singular: dvpinternalcdi scope: Cluster versions: - additionalPrinterColumns: diff --git a/crds/embedded/kubevirt.yaml b/crds/embedded/kubevirt.yaml index ec52253f0..5ced54ae6 100644 --- a/crds/embedded/kubevirt.yaml +++ b/crds/embedded/kubevirt.yaml @@ -1,25 +1,28 @@ # Source: # https://github.com/kubevirt/kubevirt/releases/download/v1.0.0/kubevirt-operator.yaml # Changes: +# - 2024.04.16 +# - Add prefixes xinternal, XInternal # - 2023.12.12 # - Add x.virtualization.deckhouse prefix # - Remove short names. # - Remove all category, add kubevirt category. + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: operator.kubevirt.io: "" - name: kubevirts.x.virtualization.deckhouse.io + name: dvpinternalkubevirts.internal.virtualization.deckhouse.io spec: - group: x.virtualization.deckhouse.io + group: internal.virtualization.deckhouse.io names: categories: - - kubevirt - kind: KubeVirt - plural: kubevirts - singular: kubevirt + - dvpinternal + kind: DVPInternalKubeVirt + plural: dvpinternalkubevirts + singular: dvpinternalkubevirt scope: Namespaced versions: - additionalPrinterColumns: diff --git a/docs/EXAMPLES.md b/docs/EXAMPLES.md index cba01902a..7ef97700f 100644 --- a/docs/EXAMPLES.md +++ b/docs/EXAMPLES.md @@ -336,12 +336,12 @@ kind: VirtualMachineBlockDeviceAttachment metadata: name: vmd-blank-attachment spec: - virtualMachine: linux-vm # имя виртуальной машины, к которой будет подключен диск + virtualMachine: linux-vm # Name of the virtual machine to attach disk to. blockDevice: type: ObjectRef objectRef: kind: VirtualDisk - name: vmd-blank # имя подключаемого диска + name: vmd-blank # Name of the disk that should be attached. ``` If you change the machine name in this resource to another machine name, the disk will be reconnected from one virtual machine to another. diff --git a/images/cdi-apiserver/werf.inc.yaml b/images/cdi-apiserver/werf.inc.yaml index bc3e7c863..f2ec11b5d 100644 --- a/images/cdi-apiserver/werf.inc.yaml +++ b/images/cdi-apiserver/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: cdi-artifact +- image: cdi-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/cdi-artifact/patches/005-override-crds.patch b/images/cdi-artifact/patches/005-override-crds.patch deleted file mode 100644 index f8ba49877..000000000 --- a/images/cdi-artifact/patches/005-override-crds.patch +++ /dev/null @@ -1,372 +0,0 @@ -diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go -index ef8b993f5..16b680fee 100644 ---- a/pkg/apiserver/apiserver.go -+++ b/pkg/apiserver/apiserver.go -@@ -44,6 +44,7 @@ import ( - - snapclient "github.com/kubernetes-csi/external-snapshotter/client/v6/clientset/versioned" - cdiuploadv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/upload/v1beta1" -+ - pkgcdiuploadv1 "kubevirt.io/containerized-data-importer/pkg/apis/upload/v1beta1" - "kubevirt.io/containerized-data-importer/pkg/apiserver/webhooks" - cdiclient "kubevirt.io/containerized-data-importer/pkg/client/clientset/versioned" -diff --git a/pkg/operator/resources/cluster/apiserver.go b/pkg/operator/resources/cluster/apiserver.go -index d6e14f339..bdcb1c593 100644 ---- a/pkg/operator/resources/cluster/apiserver.go -+++ b/pkg/operator/resources/cluster/apiserver.go -@@ -30,6 +30,7 @@ import ( - - cdicorev1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1" - cdiuploadv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/upload/v1beta1" -+ - "kubevirt.io/containerized-data-importer/pkg/operator/resources/utils" - ) - -@@ -118,7 +119,7 @@ func getAPIServerClusterPolicyRules() []rbacv1.PolicyRule { - }, - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "datavolumes", -@@ -130,7 +131,7 @@ func getAPIServerClusterPolicyRules() []rbacv1.PolicyRule { - }, - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "datasources", -@@ -141,7 +142,7 @@ func getAPIServerClusterPolicyRules() []rbacv1.PolicyRule { - }, - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "cdis", -@@ -152,7 +153,7 @@ func getAPIServerClusterPolicyRules() []rbacv1.PolicyRule { - }, - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "cdis/finalizers", -diff --git a/pkg/operator/resources/cluster/controller.go b/pkg/operator/resources/cluster/controller.go -index d29b0dd16..2097a7768 100644 ---- a/pkg/operator/resources/cluster/controller.go -+++ b/pkg/operator/resources/cluster/controller.go -@@ -154,7 +154,7 @@ func getControllerClusterPolicyRules() []rbacv1.PolicyRule { - }, - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "*", -diff --git a/pkg/operator/resources/cluster/cronjob.go b/pkg/operator/resources/cluster/cronjob.go -index c21285c4a..995bb9657 100644 ---- a/pkg/operator/resources/cluster/cronjob.go -+++ b/pkg/operator/resources/cluster/cronjob.go -@@ -38,7 +38,7 @@ func getCronJobClusterPolicyRules() []rbacv1.PolicyRule { - return []rbacv1.PolicyRule{ - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "dataimportcrons", -diff --git a/pkg/operator/resources/cluster/rbac.go b/pkg/operator/resources/cluster/rbac.go -index 264b83891..f63aa0efe 100644 ---- a/pkg/operator/resources/cluster/rbac.go -+++ b/pkg/operator/resources/cluster/rbac.go -@@ -38,7 +38,7 @@ func getAdminPolicyRules() []rbacv1.PolicyRule { - return []rbacv1.PolicyRule{ - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "datavolumes", -@@ -54,7 +54,7 @@ func getAdminPolicyRules() []rbacv1.PolicyRule { - }, - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "datavolumes/source", -@@ -87,7 +87,7 @@ func getViewPolicyRules() []rbacv1.PolicyRule { - return []rbacv1.PolicyRule{ - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "cdiconfigs", -@@ -108,7 +108,7 @@ func getViewPolicyRules() []rbacv1.PolicyRule { - }, - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "datavolumes/source", -@@ -124,7 +124,7 @@ func createConfigReaderClusterRole(name string) *rbacv1.ClusterRole { - rules := []rbacv1.PolicyRule{ - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "cdiconfigs", -diff --git a/pkg/operator/resources/crds_generated.go b/pkg/operator/resources/crds_generated.go -index dc4ba2ced..6148d5dc6 100644 ---- a/pkg/operator/resources/crds_generated.go -+++ b/pkg/operator/resources/crds_generated.go -@@ -8,16 +8,16 @@ metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - creationTimestamp: null -- name: cdis.cdi.kubevirt.io -+ name: cdis.x.virtualization.deckhouse.io - spec: -- group: cdi.kubevirt.io -+ group: x.virtualization.deckhouse.io - names: - kind: CDI - listKind: CDIList - plural: cdis - shortNames: -- - cdi -- - cdis -+ - xcdi -+ - xcdis - singular: cdi - scope: Cluster - versions: -@@ -4514,9 +4514,9 @@ metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - creationTimestamp: null -- name: cdiconfigs.cdi.kubevirt.io -+ name: cdiconfigs.x.virtualization.deckhouse.io - spec: -- group: cdi.kubevirt.io -+ group: x.virtualization.deckhouse.io - names: - kind: CDIConfig - listKind: CDIConfigList -@@ -4925,18 +4925,18 @@ metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - creationTimestamp: null -- name: dataimportcrons.cdi.kubevirt.io -+ name: dataimportcrons.x.virtualization.deckhouse.io - spec: -- group: cdi.kubevirt.io -+ group: x.virtualization.deckhouse.io - names: - categories: -- - all -+ - kubevirt - kind: DataImportCron - listKind: DataImportCronList - plural: dataimportcrons - shortNames: -- - dic -- - dics -+ - xdic -+ - xdics - singular: dataimportcron - scope: Namespaced - versions: -@@ -5816,17 +5816,17 @@ metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - creationTimestamp: null -- name: datasources.cdi.kubevirt.io -+ name: datasources.x.virtualization.deckhouse.io - spec: -- group: cdi.kubevirt.io -+ group: x.virtualization.deckhouse.io - names: - categories: -- - all -+ - kubevirt - kind: DataSource - listKind: DataSourceList - plural: datasources - shortNames: -- - das -+ - xdas - singular: datasource - scope: Namespaced - versions: -@@ -5967,18 +5967,18 @@ metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - creationTimestamp: null -- name: datavolumes.cdi.kubevirt.io -+ name: datavolumes.x.virtualization.deckhouse.io - spec: -- group: cdi.kubevirt.io -+ group: x.virtualization.deckhouse.io - names: - categories: -- - all -+ - kubevirt - kind: DataVolume - listKind: DataVolumeList - plural: datavolumes - shortNames: -- - dv -- - dvs -+ - xdv -+ - xdvs - singular: datavolume - scope: Namespaced - versions: -@@ -6716,16 +6716,16 @@ metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - creationTimestamp: null -- name: objecttransfers.cdi.kubevirt.io -+ name: objecttransfers.x.virtualization.deckhouse.io - spec: -- group: cdi.kubevirt.io -+ group: x.virtualization.deckhouse.io - names: - kind: ObjectTransfer - listKind: ObjectTransferList - plural: objecttransfers - shortNames: -- - ot -- - ots -+ - xot -+ - xots - singular: objecttransfer - scope: Cluster - versions: -@@ -6848,9 +6848,9 @@ metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - creationTimestamp: null -- name: storageprofiles.cdi.kubevirt.io -+ name: storageprofiles.x.virtualization.deckhouse.io - spec: -- group: cdi.kubevirt.io -+ group: x.virtualization.deckhouse.io - names: - kind: StorageProfile - listKind: StorageProfileList -@@ -6975,9 +6975,9 @@ metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - creationTimestamp: null -- name: volumeclonesources.cdi.kubevirt.io -+ name: volumeclonesources.x.virtualization.deckhouse.io - spec: -- group: cdi.kubevirt.io -+ group: x.virtualization.deckhouse.io - names: - kind: VolumeCloneSource - listKind: VolumeCloneSourceList -@@ -7055,9 +7055,9 @@ metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - creationTimestamp: null -- name: volumeimportsources.cdi.kubevirt.io -+ name: volumeimportsources.x.virtualization.deckhouse.io - spec: -- group: cdi.kubevirt.io -+ group: x.virtualization.deckhouse.io - names: - kind: VolumeImportSource - listKind: VolumeImportSourceList -@@ -7296,9 +7296,9 @@ metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - creationTimestamp: null -- name: volumeuploadsources.cdi.kubevirt.io -+ name: volumeuploadsources.x.virtualization.deckhouse.io - spec: -- group: cdi.kubevirt.io -+ group: x.virtualization.deckhouse.io - names: - kind: VolumeUploadSource - listKind: VolumeUploadSourceList -diff --git a/pkg/operator/resources/operator/operator.go b/pkg/operator/resources/operator/operator.go -index 1ad35841f..bd6a40d77 100644 ---- a/pkg/operator/resources/operator/operator.go -+++ b/pkg/operator/resources/operator/operator.go -@@ -97,7 +97,7 @@ func getClusterPolicyRules() []rbacv1.PolicyRule { - }, - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - "upload.cdi.kubevirt.io", - }, - Resources: []string{ -@@ -523,7 +523,7 @@ _The CDI Operator does not support updates yet._ - "alm-examples": ` - [ - { -- "apiVersion":"cdi.kubevirt.io/v1beta1", -+ "apiVersion":"x.virtualization.deckhouse.io/v1beta1", - "kind":"CDI", - "metadata": { - "name":"cdi", -diff --git a/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1alpha1/register.go b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1alpha1/register.go -index 2b59307be..dc8a31bca 100644 ---- a/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1alpha1/register.go -+++ b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1alpha1/register.go -@@ -4,14 +4,12 @@ import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -- -- "kubevirt.io/containerized-data-importer-api/pkg/apis/core" - ) - - // SchemeGroupVersion is group version used to register these objects --var SchemeGroupVersion = schema.GroupVersion{Group: core.GroupName, Version: "v1alpha1"} -+var SchemeGroupVersion = schema.GroupVersion{Group: "x.virtualization.deckhouse.io", Version: "v1alpha1"} - --//CDIGroupVersionKind group version kind -+// CDIGroupVersionKind group version kind - var CDIGroupVersionKind = schema.GroupVersionKind{Group: SchemeGroupVersion.Group, Version: SchemeGroupVersion.Version, Kind: "CDI"} - - // Kind takes an unqualified kind and returns back a Group qualified GroupKind -diff --git a/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/register.go b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/register.go -index 8aa80f3c5..f9806b5b5 100644 ---- a/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/register.go -+++ b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/register.go -@@ -4,12 +4,10 @@ import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -- -- "kubevirt.io/containerized-data-importer-api/pkg/apis/core" - ) - - // SchemeGroupVersion is group version used to register these objects --var SchemeGroupVersion = schema.GroupVersion{Group: core.GroupName, Version: "v1beta1"} -+var SchemeGroupVersion = schema.GroupVersion{Group: "x.virtualization.deckhouse.io", Version: "v1beta1"} - - // CDIGroupVersionKind group version kind - var CDIGroupVersionKind = schema.GroupVersionKind{Group: SchemeGroupVersion.Group, Version: SchemeGroupVersion.Version, Kind: "CDI"} diff --git a/images/cdi-artifact/patches/007-content-type-json.patch b/images/cdi-artifact/patches/007-content-type-json.patch new file mode 100644 index 000000000..591e78f5f --- /dev/null +++ b/images/cdi-artifact/patches/007-content-type-json.patch @@ -0,0 +1,100 @@ +diff --git a/cmd/cdi-apiserver/apiserver.go b/cmd/cdi-apiserver/apiserver.go +index 156b6fc..048e538 100644 +--- a/cmd/cdi-apiserver/apiserver.go ++++ b/cmd/cdi-apiserver/apiserver.go +@@ -25,9 +25,9 @@ import ( + "os" + + "github.com/kelseyhightower/envconfig" +- + snapclient "github.com/kubernetes-csi/external-snapshotter/client/v6/clientset/versioned" + "github.com/pkg/errors" ++ apiruntime "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/tools/clientcmd" + "k8s.io/klog/v2" +@@ -107,6 +107,7 @@ func main() { + if err != nil { + klog.Fatalf("Unable to get kube config: %v\n", errors.WithStack(err)) + } ++ cfg.ContentType = apiruntime.ContentTypeJSON + + client, err := kubernetes.NewForConfig(cfg) + if err != nil { +diff --git a/cmd/cdi-controller/controller.go b/cmd/cdi-controller/controller.go +index dbf6295..4c665eb 100644 +--- a/cmd/cdi-controller/controller.go ++++ b/cmd/cdi-controller/controller.go +@@ -154,7 +154,7 @@ func start() { + if err != nil { + klog.Fatalf("Unable to get kube config: %v\n", errors.WithStack(err)) + } +- ++ cfg.ContentType = apiruntime.ContentTypeJSON + client, err := kubernetes.NewForConfig(cfg) + if err != nil { + klog.Fatalf("Unable to get kube client: %v\n", errors.WithStack(err)) +@@ -178,8 +178,9 @@ func start() { + NewCache: getNewManagerCache(namespace), + Scheme: scheme, + } +- +- mgr, err := manager.New(config.GetConfigOrDie(), opts) ++ cfg = config.GetConfigOrDie() ++ cfg.ContentType = apiruntime.ContentTypeJSON ++ mgr, err := manager.New(cfg, opts) + if err != nil { + klog.Errorf("Unable to setup controller manager: %v", err) + os.Exit(1) +diff --git a/cmd/cdi-operator/operator.go b/cmd/cdi-operator/operator.go +index 0a9b30d..211f8cf 100644 +--- a/cmd/cdi-operator/operator.go ++++ b/cmd/cdi-operator/operator.go +@@ -29,6 +29,7 @@ import ( + promv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" + "go.uber.org/zap/zapcore" + extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" ++ apiruntime "k8s.io/apimachinery/pkg/runtime" + apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1" + "sigs.k8s.io/controller-runtime/pkg/client/config" + logf "sigs.k8s.io/controller-runtime/pkg/log" +@@ -82,6 +83,7 @@ func main() { + log.Error(err, "") + os.Exit(1) + } ++ cfg.ContentType = apiruntime.ContentTypeJSON + + managerOpts := manager.Options{ + Namespace: namespace, +diff --git a/cmd/cdi-uploadproxy/uploadproxy.go b/cmd/cdi-uploadproxy/uploadproxy.go +index fc55ae1..2d4fe58 100644 +--- a/cmd/cdi-uploadproxy/uploadproxy.go ++++ b/cmd/cdi-uploadproxy/uploadproxy.go +@@ -7,17 +7,17 @@ import ( + + "github.com/kelseyhightower/envconfig" + "github.com/pkg/errors" ++ apiruntime "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/tools/clientcmd" + "k8s.io/klog/v2" +- "sigs.k8s.io/controller-runtime/pkg/manager/signals" +- + cdiclient "kubevirt.io/containerized-data-importer/pkg/client/clientset/versioned" + "kubevirt.io/containerized-data-importer/pkg/uploadproxy" + "kubevirt.io/containerized-data-importer/pkg/util" + certfetcher "kubevirt.io/containerized-data-importer/pkg/util/cert/fetcher" + certwatcher "kubevirt.io/containerized-data-importer/pkg/util/cert/watcher" + cryptowatch "kubevirt.io/containerized-data-importer/pkg/util/tls-crypto-watch" ++ "sigs.k8s.io/controller-runtime/pkg/manager/signals" + ) + + const ( +@@ -79,6 +79,7 @@ func main() { + if err != nil { + klog.Fatalf("Unable to get kube config: %v\n", errors.WithStack(err)) + } ++ cfg.ContentType = apiruntime.ContentTypeJSON + client, err := kubernetes.NewForConfig(cfg) + if err != nil { + klog.Fatalf("Unable to get kube client: %v\n", errors.WithStack(err)) diff --git a/images/cdi-artifact/patches/README.md b/images/cdi-artifact/patches/README.md index 1224d9439..808661a9f 100644 --- a/images/cdi-artifact/patches/README.md +++ b/images/cdi-artifact/patches/README.md @@ -14,4 +14,7 @@ Also, remove short names and change categories. Just in case. Add `spec.customizeComponents` to the crd cdi to customize resources. -https://github.com/kubevirt/containerized-data-importer/pull/3070 \ No newline at end of file +https://github.com/kubevirt/containerized-data-importer/pull/3070 + +#### `007-content-type-json.patch` +set ContentTypeJson for kubernetes clients. \ No newline at end of file diff --git a/images/cdi-artifact/werf.inc.yaml b/images/cdi-artifact/werf.inc.yaml index 82226096c..8d53932ac 100644 --- a/images/cdi-artifact/werf.inc.yaml +++ b/images/cdi-artifact/werf.inc.yaml @@ -3,7 +3,7 @@ {{- $builderImage := "quay.io/kubevirt/kubevirt-cdi-bazel-builder:2310202104-20cced838" }} {{- $version := "1.58.0" }} -artifact: {{ $.ImageName }} +image: {{ $.ImageName }} from: {{ $builderImage }} git: - add: /images/{{ $.ImageName }} @@ -18,7 +18,11 @@ shell: setup: - git clone --depth 1 --branch v{{ $version }} https://github.com/kubevirt/containerized-data-importer.git /containerized-data-importer - cd /containerized-data-importer - - git apply /patches/*.patch + - | + for p in /patches/*.patch ; do + echo -n "Apply ${p} ... " + git apply ${p} || echo FAIL && echo OK + done - /entrypoint.sh make bazel-build-images DOCKER=0 - /entrypoint.sh bazel build --config=x86_64 --define container_prefix=kubevirt --define image_prefix= --define container_tag=latest //:container-images-bundle.tar - tar -C / --one-top-level -xf /containerized-data-importer/bazel-bin/container-images-bundle.tar diff --git a/images/cdi-cloner/werf.inc.yaml b/images/cdi-cloner/werf.inc.yaml index 1fdba5d75..1ab1ebc39 100644 --- a/images/cdi-cloner/werf.inc.yaml +++ b/images/cdi-cloner/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: cdi-artifact +- image: cdi-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/cdi-controller/werf.inc.yaml b/images/cdi-controller/werf.inc.yaml index aa04c5dac..431c271e0 100644 --- a/images/cdi-controller/werf.inc.yaml +++ b/images/cdi-controller/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: cdi-artifact +- image: cdi-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/cdi-importer/werf.inc.yaml b/images/cdi-importer/werf.inc.yaml index 411d6712c..f4cec75e2 100644 --- a/images/cdi-importer/werf.inc.yaml +++ b/images/cdi-importer/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: cdi-artifact +- image: cdi-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/cdi-operator/werf.inc.yaml b/images/cdi-operator/werf.inc.yaml index 4741798d8..3cd4e6447 100644 --- a/images/cdi-operator/werf.inc.yaml +++ b/images/cdi-operator/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: cdi-artifact +- image: cdi-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/cdi-uploadproxy/werf.inc.yaml b/images/cdi-uploadproxy/werf.inc.yaml index b47426583..82dc1887f 100644 --- a/images/cdi-uploadproxy/werf.inc.yaml +++ b/images/cdi-uploadproxy/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: cdi-artifact +- image: cdi-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/cdi-uploadserver/werf.inc.yaml b/images/cdi-uploadserver/werf.inc.yaml index 61b518826..e99d4895b 100644 --- a/images/cdi-uploadserver/werf.inc.yaml +++ b/images/cdi-uploadserver/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: cdi-artifact +- image: cdi-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/kube-api-proxy/.dockerignore b/images/kube-api-proxy/.dockerignore new file mode 100644 index 000000000..e5a9ac0a4 --- /dev/null +++ b/images/kube-api-proxy/.dockerignore @@ -0,0 +1,9 @@ +.git +*.log +*.swp + +templates +Chart.yaml + +golangci-lint +proxy diff --git a/images/kube-api-proxy/STRUCTURE.md b/images/kube-api-proxy/STRUCTURE.md new file mode 100644 index 000000000..51746e639 --- /dev/null +++ b/images/kube-api-proxy/STRUCTURE.md @@ -0,0 +1,451 @@ +# kube-api-proxy structure + +The idea of the proxy is simple: make controller connect to the local +proxy in the sidecar, so proxy will pass requests to real Kubernetes API Server. +Proxy may rewrite JSON payloads for different purposes, e.g. resources renaming. + +Proxy contains 2 proxy handlers: +- "client" proxy to handle usual API requests from the proxied controller to the Kubernetes API Server. +- "webhook" proxy to handle webhook requests from the Kubernetes API Server to the proxied controller. + + +Example setup: rename resources for Kubevirt. +```mermaid +%%{init: {"flowchart": {"htmlLabels": false}} }%% +flowchart TB + NoProxy-.->WithProxy + + subgraph NoProxy ["`**Original Kubevirt setup**`"] + direction TB + + subgraph np-virt-operator-deploy ["`Deploy/virt-operator`"] + np-virt-operator("`container + name: virt-operator`") + end + + subgraph np-virt-controller-deploy ["`Deploy/virt-controller`"] + np-virt-controller("`container + name: virt-controller`") + end + + np-kube-api["`Kubernetes API Server + with resources in apiGroup + *.kubevirt.io*`"] + + np-virt-operator <-- "Original resources + in API calls" --> np-kube-api + np-virt-controller <-- "Original resources + in API calls" --> np-kube-api + end + subgraph WithProxy ["`**Kubevirt with proxy**`"] + direction TB + + subgraph p-virt-operator-deploy ["`Deploy/virt-operator`"] + p-virt-operator("`container + name: virt-operator`") + p-virt-operator-proxy{{"container + name: proxy"}} + p-virt-operator -- "Original resources + in API calls" --> p-virt-operator-proxy + p-virt-operator-proxy -- "Restored resources + in API responses" --> p-virt-operator + end + + subgraph p-virt-controller-deploy ["`Deploy/virt-controller`"] + p-virt-controller("`container + name: virt-controller`") + p-virt-controller-proxy{{"container + name: proxy"}} + p-virt-controller -- "Original resources +in API calls" --> p-virt-controller-proxy + p-virt-controller-proxy -- "Restored resources + in API responses" --> p-virt-controller + end + + p-kube-api["`Kubernetes API Server + with resources in apiGroup + *.x.virtualization.deckhouse.io*`"] + + p-virt-operator-proxy <-- "Renamed resources in + API calls" --> p-kube-api + p-virt-controller-proxy <-- "Renamed resources in + API calls" --> p-kube-api + end +``` + +All DVP components: +```mermaid +%%{init: {"flowchart": {"htmlLabels": false}} }%% +flowchart + subgraph kubevirt ["Kubevirt"] + subgraph virt-operator-deploy ["`Deploy/virt-operator`"] + virt-operator("`container: + virt-operator`") + virt-operator-proxy{{"container: + proxy"}} + virt-operator --> virt-operator-proxy + virt-operator-proxy --> virt-operator + end + + subgraph p-virt-controller-deploy ["`Deploy/virt-controller`"] + virt-controller("`container: + virt-controller`") + virt-controller-proxy{{"container: + proxy"}} + virt-controller --> virt-controller-proxy + virt-controller-proxy --> virt-controller + end + subgraph p-virt-api-deploy ["`Deploy/virt-api`"] + virt-api("`container: + virt-api`") + virt-api-proxy{{"container: + proxy"}} + virt-api --> virt-api-proxy + virt-api-proxy --> virt-api + end + + subgraph p-virt-handler-deploy ["`DaemonSet/virt-handler`"] + virt-handler("`container: + virt-handler`") + virt-handler-proxy{{"container: + proxy"}} + virt-handler --> virt-handler-proxy + virt-handler-proxy --> virt-handler + end + end + + subgraph kubeapi ["control-plane"] + kube-api["`Kubernetes API Server`"] + end + + virt-operator-proxy <----> kube-api + virt-controller-proxy <----> kube-api + virt-api-proxy <----> kube-api + virt-handler-proxy <----> kube-api + + subgraph cdi ["CDI"] + subgraph cdi-operator-deploy ["`Deploy/cdi-operator`"] + cdi-operator-proxy{{"container: + proxy"}} + cdi-operator("`container: + virt-handler`") + cdi-operator --> cdi-operator-proxy + cdi-operator-proxy --> cdi-operator + end + + subgraph cdi-deployment-deploy ["`Deploy/cdi-deployment`"] + cdi-deployment-proxy{{"container: + proxy"}} + cdi-deployment("`container: + cdi-eployment`") + cdi-deployment --> cdi-deployment-proxy + cdi-deployment-proxy --> cdi-deployment + end + + subgraph cdi-api-deploy ["`Deploy/cdi-api`"] + cdi-api-proxy{{"container: + proxy"}} + cdi-api("`container: + cdi-api`") + cdi-api --> cdi-api-proxy + cdi-api-proxy --> cdi-api + end + + subgraph cdi-exportproxy-deploy ["`Deploy/cdi-exportproxy`"] + cdi-exportproxy-proxy{{"container: + proxy"}} + cdi-exportproxy("`container: + cdi-exportproxy`") + cdi-exportproxy --> cdi-exportproxy-proxy + cdi-exportproxy-proxy --> cdi-exportproxy + end + end + kube-api <----> cdi-operator-proxy + kube-api <----> cdi-deployment-proxy + kube-api <----> cdi-api-proxy + kube-api <----> cdi-exportproxy-proxy + + + subgraph d8virt ["D8 API"] + subgraph d8-virt-deploy ["Deploy/virtualization-controller"] + d8-virt-controller-proxy("`container: + proxy`") + d8-virt-controller("`container: + virtualization-controller`") + d8-virt-controller --> d8-virt-controller-proxy + d8-virt-controller-proxy --> d8-virt-controller + end + end + + kube-api <----> d8-virt-controller-proxy +``` + +Variation (block diagram seems not so powerful as flowchart) +```mermaid +block-beta + columns 5 + + %% Main containers in kubevirt Pods + virtoperator["virt-operator"] + virtapi["virt-api"] + virtcontroller["virt-controller"] + virthandler["virt-handler"] + virtexportproxy["virt-exportproxy"] + + %% Space for links. + space:5 + %% Links between containers. + virtoperator --> virtoperatorproxy + %%virtoperatorproxy --> virtoperator + virtapi --> virtapiproxy + virtcontroller --> virtcontrollerproxy + virthandler --> virthandlerproxy + virtexportproxy --> virtexportproxyproxy + + %% Proxies in kubevirt Pods. + virtoperatorproxy(["proxy"]) + virtapiproxy(["proxy"]) + virtcontrollerproxy(["proxy"]) + virthandlerproxy(["proxy"]) + virtexportproxyproxy(["proxy"]) + + space:5 + + space + kubeapiserver{{"Kubernetes API Server"}}:3 + space + + virtoperatorproxy --> kubeapiserver + %%kubeapiserver --> virtoperatorproxy + virtapiproxy --> kubeapiserver + virtcontrollerproxy --> kubeapiserver + virthandlerproxy --> kubeapiserver + virtexportproxyproxy --> kubeapiserver + + space:5 + cdioperatorproxy --> kubeapiserver + cdiapiproxy --> kubeapiserver + cdideploymentproxy --> kubeapiserver + cdiuploadproxyproxy --> kubeapiserver + virtualizationcontrollerproxy --> kubeapiserver + + %% Proxies in CDI Pods. + cdioperatorproxy(["proxy"]) + cdiapiproxy(["proxy"]) + cdideploymentproxy(["proxy"]) + cdiuploadproxyproxy(["proxy"]) + virtualizationcontrollerproxy(["proxy"]) + + %% Links inside CDI Pods. + space:5 + cdioperator --> cdioperatorproxy + cdiapi--> cdiapiproxy + cdideployment --> cdideploymentproxy + cdiuploadproxy --> cdiuploadproxyproxy + virtualizationcontroller --> virtualizationcontrollerproxy + + cdioperator["cdi-operator"] + cdiapi["cdi-api"] + cdideployment["cdi-deployment"] + cdiuploadproxy["cdi-uploadproxy"] + virtualizationcontroller["virtualization- + controller"] +``` + +### Changes to add proxy to the Pod +- Add a ConfigMap with a simple kubeconfig points to the local proxy. + ``` + ... + clusters: + - cluster: + server: http://127.0.0.1:23915 + ... + ``` +- Add a volume and a volumeMount to pass new kubeconfig as file to the main container. +- Set KUBECONFIG variable in the main container. File should contain configuration to connect to proxy port. + - Note: kubevirt containers use --kubeconfig flag, cdi containers use KUBECONFIG env variable. +- Add a new sidecar container with the proxy. + - Set WEBHOOK_ADDRESS if webhook proxying is required. + - Add volumeMount with a certificate and set WEBHOOK_CERT_FILE and WEBHOOK_KEY_FILE to use the certificate. + - Add port 24192 to the webhook Service to use the certificate without issuing new one with changed ServerName. + +## API client proxying + +Implemented rewrites: +- apiGroup, kind, metadata.ownerReferences for Kubevirt and CDI Custom Resources. +- metadata.ownerReferences for Pod +- rules for Role, ClusterRole +- webhooks[].rules for ValidatingWebhookConfiguration, MutatingWebhookConfiguration +- metadata.name, spec.group, spec.names for CustomResourceDefinition. +- patch /spec for CustomResourceDefinition. +- fieldSelector=metadata.name=&watch=true for CRD. +- request.resource, request.object, request.kind, etc. for AdmissionReview. + +TODO: +- labels and annotations for Kubevirt and CDI CRs and all kubevirt related resources, Nodes and Pods. +- patches in general. +- SubjectAccessReview https://dev-k8sref-io.web.app/docs/authorization/subjectaccessreview-v1/ + +```plantuml +@startuml +box "Pod with Controller" #fff +participant "container\nname: controller" as ctrl +note over ctrl +Use KUBECONFIG file to connect +to local proxy instead of +directly using API server: +""clusters:"" +""- cluster:"" +"" server: http://127.0.0.1:23915"" +endnote +queue "additional container\nname: proxy" as proxy +/ note over proxy +Listen on ""127.0.0.1:23915"" +and pass requests to +Kubernetes API Server +endnote +endbox +box "Control Plane" #fff +participant "Kubernetes\nAPI Server" as kube_api +endbox + +== Get, List, Delete operations == + +ctrl -> proxy : Request operation via endpoint:\n\n/apis/kubevirt.io/v1/virtualmachines +proxy -> kube_api : Rewrite endpoint, pass request to:\n\n/apis/x.virtualization.deckhouse.io↩︎\n/v1/prefixedvirtualmachines + +kube_api -> proxy : Response with renamed resources:\n\napiVersion: x.virtualization.deckhouse.io/v1\nkind: PrefixedVirtualMachine +proxy -> ctrl : Rewrite payload, pass\nresponse with restored resources:\n\napiVersion: kubevirt.io/v1\nkind: VirtualMachine + +== Create, Update, Patch operations == + +ctrl -> proxy : Request operation via endpoint:\n\n/apis/kubevirt.io/v1/virtualmachines\n\nA payload contains original resources:\n\napiVersion: kubevirt.io/v1\nkind: VirtualMachine +proxy -> kube_api : Rewrite endpoint and payload,\npass request with renamed resources:\n\n/apis/x.virtualization.deckhouse.io↩︎\n/v1/prefixedvirtualmachines\n\napiVersion: x.virtualization.deckhouse.io/v1\nkind: PrefixedVirtualMachine + +kube_api -> proxy : Response with renamed resources:\n\napiVersion: x.virtualization.deckhouse.io/v1\nkind: PrefixedVirtualMachine +proxy -> ctrl : Rewrite payload, pass\nresponse with restored resources:\n\napiVersion: kubevirt.io/v1\nkind: VirtualMachine + +== Watch operation == + +ctrl -> proxy : Request WATCH operation via endpoint:\n\n/apis/kubevirt.io↩︎\n/v1/virtualmachines?watch=true +activate proxy +proxy -> kube_api : Rewrite endpoint, pass request to:\n\n/apis/x.virtualization.deckhouse.io↩︎\n/v1/prefixedvirtualmachines?watch=true +activate kube_api + +kube_api -> kube_api : Generate\nWATCH\nevents + +kube_api -> proxy : ADDED, MODIFIED or DELETED\nevent with renamed resource:\n\napiVersion: x.virtualization.deckhouse.io/v1\nkind: PrefixedVirtualMachine +activate proxy +proxy -> ctrl : Rewrite payload, pass\nevent with restored resource:\n\napiVersion: kubevirt.io/v1\nkind: VirtualMachine +deactivate proxy + +kube_api -> proxy : BOOKMARK event with renamed resource:\n\napiVersion: x.virtualization.deckhouse.io/v1\nkind: PrefixedVirtualMachine +activate proxy +proxy -> ctrl : Rewrite payload, pass\nevent with restored resource:\n\napiVersion: kubevirt.io/v1\nkind: VirtualMachine +deactivate proxy + +kube_api -> proxy : Stop WATCH operation +deactivate kube_api +proxy -> ctrl : Stop WATCH operation +deactivate proxy + +@endplantuml +``` + + +## Webhook proxying + +Kubernetes API Server connects to proxy, so proxy will pass AdmissionReview to real webhook. Proxy may rewrite JSON payloads +for different purposes, e.g. resources renaming. + +Additional changes: + +- A targetPort in the webhook Service should point to proxy container. +- A proxy container should mount secret with certificates. + +```plantuml +@startuml +box "Pod with Controller" #fff +participant "container\nname: controller" as ctrl +queue "additional container\nname: proxy" as proxy +endbox +box "Control Plane" #fff +participant "Kubernetes\nAPI Server" as kube_api +endbox + +note over ctrl +Listen on ""0.0.0.0:9443"" +endnote +/ note over proxy +Listen on ""0.0.0.0:24192"" +and pass requests to +the controller ""127.0.0.1:9443"" +endnote +/ note over kube_api +Pass AdmissionReview to Pod +endnote + +== Webhook handling == + +kube_api -> proxy : Request admission review via\nconfigured endpoint:\n\n/validate-x-virtualization-↩︎\ndeckhouse-io-prefixed-virtualmachines\n\nA payload contains renamed resource:\n\napiVersion: x.virtualization.deckhouse.io/v1\nkind: PrefixedVirtualMachine +proxy -> ctrl : Rewrite admission review, pass\nrequest with restored resource:\n\napiVersion: kubevirt.io/v1\nkind: VirtualMachine + +... Validating webhook response ... +ctrl -> proxy : AdmissionReview response +proxy -> kube_api : No rewrite, pass as-is. + +... Mutating webhook response ... +ctrl -> proxy : AdmissionReview response\nwith the patch +proxy -> kube_api : Rewrite ownerRef patch if\nresponse.patchType == JSONPatch\nand patch operates on the ownerRef content + + +@enduml +``` + +```mermaid +--- +config: + htmlLabels: false +--- + +sequenceDiagram + + box Pod with controller + participant ctrl as container
name: controller + participant proxy as container
name: proxy + end + + Note over ctrl: Listen on 0.0.0.0:9443 + Note over proxy: Listen on 0.0.0.0:24192
and pass requests to
127.0.0.1:9443 + + box Control plane + participant kubeapi as Kubernetes
API Server + end + note over kubeapi: Request webhook with AdmissionReview + + kubeapi --> ctrl: Webhook handling + + kubeapi ->>+ proxy: Send AdmissionReview with
renamed resources
apiVersion: x.virtualization.deckhouse.io
PrefixedVirtualMachine + + proxy ->>+ ctrl: Proxy restores resource:
apiGroup, kind, ownerReferences
apiVersion: kubevirt.io
kind: VirtualMachine + + ctrl ->>- proxy: AdmissionReview
with webhook response + + alt Validating webhook response + proxy ->> kubeapi: No rewrite, pass as-is + else Mutating webhook response + proxy ->>- kubeapi: Rewrite patch if
ownerReferences is modified + end + + + + %%participant Bob + %% ctrl->>John: "`This **is** _Markdown_`" + %%loop HealthCheck + %% John->>John: Fight against hypochondria + %%end + %%Note right of John: Rational thoughts
prevail! + %%John-->>ctrl: Great! + %%John->>Bob: How about you? + %%Bob-->>John: Jolly good! +``` diff --git a/images/kube-api-proxy/Taskfile.dist.yaml b/images/kube-api-proxy/Taskfile.dist.yaml new file mode 100644 index 000000000..eca31a942 --- /dev/null +++ b/images/kube-api-proxy/Taskfile.dist.yaml @@ -0,0 +1,82 @@ +version: "3" + +silent: true + +includes: + my: + taskfile: Taskfile.my.yaml + optional: true + +vars: + DevRegistry: "dev-registry.deckhouse.io/virt/dev/$USER" + +tasks: + dev:build: + desc: "build latest image with proxy and test-controller" + cmds: + - | + docker build . -t {{.DevRegistry}}/kube-api-proxy:latest -f local/Dockerfile + docker push {{.DevRegistry}}/kube-api-proxy:latest + + dev:deploy: + desc: "apply manifest with proxy and test-controller" + cmds: + - | + if ! kubectl get no 2>&1 >/dev/null ; then + echo Restart cluster connection + exit 1 + fi + - | + kubectl -n kproxy apply -f local/proxy.yaml + + dev:restart: + desc: "restart deployment" + cmds: + - | + if ! kubectl get no 2>&1 >/dev/null ; then + echo Restart cluster connection + exit 1 + fi + - | + kubectl -n kproxy scale deployment/kube-api-proxy --replicas=0 + kubectl -n kproxy scale deployment/kube-api-proxy --replicas=1 + + dev:redeploy: + desc: "build, deploy, restart" + cmds: + - | + if ! kubectl get no 2>&1 >/dev/null ; then + echo Restart cluster connection + exit 1 + fi + - task: dev:build + - task: dev:deploy + - task: dev:restart + - | + sleep 3 + kubectl -n kproxy get all + + dev:curl: + desc: "run curl in proxy deployment" + cmds: + - | + kubectl -n kproxy exec -t deploy/kube-api-proxy -- curl {{.CLI_ARGS}} + + dev:kubectl: + desc: "run kubectl in proxy deployment" + cmds: + - | + kubectl -n kproxy exec -ti deploy/kube-api-proxy -- kubectl -s 127.0.0.1:23916 {{.CLI_ARGS}} + #kubectl -n d8-virtualization exec -ti deploy/virt-operator -- kubectl -s 127.0.0.1:23915 {{.CLI_ARGS}} + + logs:proxy: + desc: "Show proxy logs" + cmds: + - | + kubectl -n kproxy logs deployments/kube-api-proxy -c proxy-only -f + + logs:controller: + desc: "Show test-controller logs" + cmds: + - | + kubectl -n kproxy logs deployments/kube-api-proxy -c controller -f diff --git a/images/kube-api-proxy/cmd/kube-api-proxy/main.go b/images/kube-api-proxy/cmd/kube-api-proxy/main.go new file mode 100644 index 000000000..c37fda258 --- /dev/null +++ b/images/kube-api-proxy/cmd/kube-api-proxy/main.go @@ -0,0 +1,140 @@ +package main + +import ( + "kube-api-proxy/pkg/kubevirt" + logutil "kube-api-proxy/pkg/log" + "kube-api-proxy/pkg/proxy" + "kube-api-proxy/pkg/rewriter" + "kube-api-proxy/pkg/server" + "kube-api-proxy/pkg/target" + log "log/slog" + "os" +) + +// This proxy is a proof-of-concept of proxying Kubernetes API requests +// with rewrites. +// +// It assumes presence of KUBERNETES_* environment variables and files +// in /var/run/secrets/kubernetes.io/serviceaccount (token and ca.crt). +// +// A client behind the proxy should connect to 127.0.0.1:$PROXY_PORT +// using plain http. Example of kubeconfig file: +// apiVersion: v1 +// kind: Config +// clusters: +// - cluster: +// server: http://127.0.0.1:23915 +// name: proxy.api.server +// contexts: +// - context: +// cluster: proxy.api.server +// name: proxy.api.server +// current-context: proxy.api.server + +const ( + loopbackAddr = "127.0.0.1" + anyAddr = "0.0.0.0" + defaultAPIClientProxyPort = "23915" + defaultWebhookProxyPort = "24192" +) + +func main() { + log.Info("Start proxy 20240404.01") + + // Load rules from file or use default kubevirt rules. + rewriteRules := kubevirt.KubevirtRewriteRules + if os.Getenv("RULES_PATH") != "" { + rulesFromFile, err := rewriter.LoadRules(os.Getenv("RULES_PATH")) + if err != nil { + log.Error("Load rules from %s: %v", os.Getenv("RULES_PATH"), err) + os.Exit(1) + } + rewriteRules = rulesFromFile + } + + proxies := make([]*server.HTTPServer, 0) + + // Register direct proxy from local Kubernetes API client to Kubernetes API server. + if os.Getenv("CLIENT_PROXY") == "no" { + log.Info("Will not start client proxy: CLIENT_PROXY=no") + } else { + config, err := target.NewKubernetesTarget() + if err != nil { + log.Error("Load Kubernetes REST", logutil.SlogErr(err)) + os.Exit(1) + } + lAddr := server.ConstructListenAddr( + os.Getenv("CLIENT_PROXY_ADDRESS"), os.Getenv("CLIENT_PROXY_PORT"), + loopbackAddr, defaultAPIClientProxyPort) + rwr := &rewriter.RuleBasedRewriter{ + Rules: rewriteRules, + } + proxyHandler := &proxy.Handler{ + Name: "kube-api", + TargetClient: config.Client, + TargetURL: config.APIServerURL, + ProxyMode: proxy.ToRenamed, + Rewriter: rwr, + } + proxySrv := &server.HTTPServer{ + InstanceDesc: "API Client proxy", + ListenAddr: lAddr, + RootHandler: proxyHandler, + } + proxies = append(proxies, proxySrv) + } + + // Register reverse proxy from Kubernetes API server to local webhook server. + if os.Getenv("WEBHOOK_ADDRESS") == "" { + log.Info("Will not start webhook proxy for empty WEBHOOK_ADDRESS") + } else { + config, err := target.NewWebhookTarget() + if err != nil { + log.Error("Configure webhook client", logutil.SlogErr(err)) + os.Exit(1) + } + lAddr := server.ConstructListenAddr( + os.Getenv("WEBHOOK_PROXY_ADDRESS"), os.Getenv("WEBHOOK_PROXY_PORT"), + anyAddr, defaultWebhookProxyPort) + rwr := &rewriter.RuleBasedRewriter{ + Rules: rewriteRules, + } + proxyHandler := &proxy.Handler{ + Name: "webhook", + TargetClient: config.Client, + TargetURL: config.URL, + ProxyMode: proxy.ToOriginal, + Rewriter: rwr, + } + proxySrv := &server.HTTPServer{ + InstanceDesc: "Webhook proxy", + ListenAddr: lAddr, + RootHandler: proxyHandler, + CertManager: config.CertManager, + } + proxies = append(proxies, proxySrv) + } + + if len(proxies) == 0 { + log.Info("No proxies to start, exit") + return + } + + // Start proxies and block the main process until at least one proxy stops. + proxyGroup := server.NewRunnableGroup() + for i := range proxies { + proxyGroup.Add(proxies[i]) + } + // Block while proxies are running. + proxyGroup.Start() + + // Log errors for each instance and exit. + exitCode := 0 + for _, srv := range proxies { + if srv.Err != nil { + log.Error(srv.InstanceDesc, logutil.SlogErr(srv.Err)) + exitCode = 1 + } + } + os.Exit(exitCode) +} diff --git a/images/kube-api-proxy/go.mod b/images/kube-api-proxy/go.mod new file mode 100644 index 000000000..130933a28 --- /dev/null +++ b/images/kube-api-proxy/go.mod @@ -0,0 +1,46 @@ +module kube-api-proxy + +go 1.21 + +require ( + github.com/stretchr/testify v1.8.4 + github.com/tidwall/gjson v1.17.1 + github.com/tidwall/sjson v1.2.5 + k8s.io/apimachinery v0.28.0-beta.0 + k8s.io/client-go v0.28.0-beta.0 + sigs.k8s.io/controller-runtime v0.15.1-0.20230728161957-7f0c6dc440f3 + sigs.k8s.io/yaml v1.3.0 +) + +require ( + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/go-logr/logr v1.2.4 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/protobuf v1.5.3 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/imdario/mergo v0.3.12 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/spf13/pflag v1.0.5 // indirect + github.com/tidwall/match v1.1.1 // indirect + github.com/tidwall/pretty v1.2.1 // indirect + golang.org/x/net v0.12.0 // indirect + golang.org/x/oauth2 v0.8.0 // indirect + golang.org/x/sys v0.10.0 // indirect + golang.org/x/term v0.10.0 // indirect + golang.org/x/text v0.11.0 // indirect + golang.org/x/time v0.3.0 // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/protobuf v1.30.0 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/api v0.28.0-beta.0 // indirect + k8s.io/klog/v2 v2.100.1 // indirect + k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect +) diff --git a/images/kube-api-proxy/go.sum b/images/kube-api-proxy/go.sum new file mode 100644 index 000000000..7c02f3e47 --- /dev/null +++ b/images/kube-api-proxy/go.sum @@ -0,0 +1,169 @@ +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= +github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= +github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= +github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= +github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= +github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U= +github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= +github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= +github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= +github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= +github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= +go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= +golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= +golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= +golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= +google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.28.0-beta.0 h1:RQib3xI/dxXb2TPvSVRLvAjBjOMnU7jD0GwIAbKwBqU= +k8s.io/api v0.28.0-beta.0/go.mod h1:AF3hqmc5wvnZD2G4klXcRB9jBn8XEkr+2KvFbpwbvnw= +k8s.io/apimachinery v0.28.0-beta.0 h1:n3ksD30Isi22awAww6cnQVC8JhnID1Ow4Jhi7ylEHNY= +k8s.io/apimachinery v0.28.0-beta.0/go.mod h1:xhQIsaL3hXneGluH+0pzF7kr+VYuLS/VcYJxF1xQf+g= +k8s.io/client-go v0.28.0-beta.0 h1:qOEJLbK9Keyf3VUwwKap8VvXAcqsITDrRzhaWb/0GHY= +k8s.io/client-go v0.28.0-beta.0/go.mod h1:oCV0v/fHTnc/TUMH0XJORY6kUDh2H6t5DcLv2ISSL/4= +k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.15.1-0.20230728161957-7f0c6dc440f3 h1:tvLrlfTOKA84WNRHf9N6AmGVQ+MBAbHlSqX2pDow6D8= +sigs.k8s.io/controller-runtime v0.15.1-0.20230728161957-7f0c6dc440f3/go.mod h1:l6pJAr9U2OCzEFeSM37u7Av5pYS5NNXDV5Mesb4Ybgg= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/images/kube-api-proxy/local/Dockerfile b/images/kube-api-proxy/local/Dockerfile new file mode 100644 index 000000000..8c7e3690e --- /dev/null +++ b/images/kube-api-proxy/local/Dockerfile @@ -0,0 +1,39 @@ +# Go builder. +FROM golang:1.21-alpine3.19 AS builder + +# Cache-friendly download of go dependencies. +ADD go.mod go.sum /app/ +WORKDIR /app +RUN go mod download + +ADD . /app + +RUN GOOS=linux \ + go build -o proxy ./cmd/kube-api-proxy + +# Go builder. +FROM golang:1.21-alpine3.19 AS builder-test-controller + +# Cache-friendly download of go dependencies. +ADD local/test-controller/go.mod local/test-controller/go.sum /app/ +WORKDIR /app +RUN go mod download + +ADD local/test-controller/main.go /app/ + +RUN GOOS=linux \ + go build -o test-controller . + +FROM alpine:3.19 +RUN apk --no-cache add ca-certificates bash sed tini curl && \ + kubectlArch=linux/amd64 && \ + echo "Download kubectl for ${kubectlArch}" && \ + wget https://storage.googleapis.com/kubernetes-release/release/v1.27.5/bin/${kubectlArch}/kubectl -O /bin/kubectl && \ + chmod +x /bin/kubectl +COPY --from=builder /app/proxy / +COPY --from=builder-test-controller /app/test-controller / +ADD local/proxy.kubeconfig / + +# Use user nobody. +USER 65534:65534 +WORKDIR / diff --git a/images/kube-api-proxy/local/proxy-gen-certs.sh b/images/kube-api-proxy/local/proxy-gen-certs.sh new file mode 100755 index 000000000..68d12bd3a --- /dev/null +++ b/images/kube-api-proxy/local/proxy-gen-certs.sh @@ -0,0 +1,79 @@ +#!/usr/bin/env bash + +NAMESPACE=kproxy +SERVICE_NAME=test-admission-webhook +CN="api proxying tests for validating webhook" +OUTDIR=proxy-certs + +COMMON_NAME=${SERVICE_NAME}.${NAMESPACE} + +set -eo pipefail + +echo ================================================================= +echo THIS SCRIPT IS NOT SECURE! USE IT ONLY FOR DEMONSTATION PURPOSES. +echo ================================================================= +echo + +mkdir -p ${OUTDIR} && cd ${OUTDIR} + +if [[ -e ca.csr ]] ; then + read -p "Regenerate certificates? (yes/no) [no]: " + if [[ ! $REPLY =~ ^[Yy][Ee][Ss]$ ]] + then + exit 0 + fi +fi + +RM_FILES="ca* cert*" +echo ">>> Remove ${RM_FILES}" +rm -f $RM_FILES + +echo ">>> Generate CA key and certificate" +cat <>> Generate cert.key and cert.crt" +cat < ./../../../../api + +// TODO: delete this replaces after fixing https://github.com/golang/go/issues/66403. +replace ( + github.com/cilium/proxy => github.com/cilium/proxy v0.0.0-20231202123106-38b645b854f3 + github.com/markbates/safe => github.com/markbates/safe v1.0.1 + k8s.io/api => k8s.io/api v0.29.2 + k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.29.2 + k8s.io/apimachinery => k8s.io/apimachinery v0.29.2 + k8s.io/apiserver => k8s.io/apiserver v0.29.2 + k8s.io/code-generator => k8s.io/code-generator v0.29.2 + k8s.io/component-base => k8s.io/component-base v0.29.2 + k8s.io/kms => k8s.io/kms v0.29.2 +) + +require ( + github.com/beorn7/perks v1.0.1 // indirect + github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/evanphx/json-patch/v5 v5.8.0 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/go-logr/zapr v1.3.0 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/swag v0.22.3 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/protobuf v1.5.3 // indirect + github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/go-cmp v0.6.0 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/uuid v1.3.0 // indirect + github.com/imdario/mergo v0.3.12 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/openshift/api v0.0.0-20230503133300-8bbcb7ca7183 // indirect + github.com/openshift/custom-resource-status v1.1.2 // indirect + github.com/pborman/uuid v1.2.1 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/prometheus/client_golang v1.18.0 // indirect + github.com/prometheus/client_model v0.5.0 // indirect + github.com/prometheus/common v0.45.0 // indirect + github.com/prometheus/procfs v0.12.0 // indirect + github.com/spf13/pflag v1.0.5 // indirect + go.uber.org/multierr v1.11.0 // indirect + golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect + golang.org/x/net v0.19.0 // indirect + golang.org/x/oauth2 v0.12.0 // indirect + golang.org/x/sys v0.16.0 // indirect + golang.org/x/term v0.15.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/time v0.3.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/protobuf v1.31.0 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/component-base v0.29.2 // indirect + k8s.io/klog/v2 v2.110.1 // indirect + k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect + k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect + kubevirt.io/containerized-data-importer-api v1.57.0-alpha1 // indirect + kubevirt.io/controller-lifecycle-operator-sdk/api v0.0.0-20220329064328-f3cc58c6ed90 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect +) diff --git a/images/kube-api-proxy/local/test-controller/go.sum b/images/kube-api-proxy/local/test-controller/go.sum new file mode 100644 index 000000000..e0ca07bdf --- /dev/null +++ b/images/kube-api-proxy/local/test-controller/go.sum @@ -0,0 +1,484 @@ +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/deckhouse/virtualization/api v0.0.0-20240417135227-efb465e54575 h1:FdSicGvp9Gz1dvrzV7vVkMAlEMYUWMKq/QLKeZxZOtw= +github.com/deckhouse/virtualization/api v0.0.0-20240417135227-efb465e54575/go.mod h1:1tfoFeZmlKqq6jEuSfIpdrxsBpOcMajYaCbO94pVQLs= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.15.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= +github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro= +github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/jsonreference v0.19.6/go.mod h1:diGHMEHg2IqXZGKxqyvWdfWU/aim5Dprw5bqpKkTvns= +github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= +github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= +github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= +github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= +github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +github.com/onsi/ginkgo/v2 v2.1.4/go.mod h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU= +github.com/onsi/ginkgo/v2 v2.1.6/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk= +github.com/onsi/ginkgo/v2 v2.3.0/go.mod h1:Eew0uilEqZmIEZr8JrvYlvOM7Rr6xzTmMV8AyFNU9d0= +github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo= +github.com/onsi/ginkgo/v2 v2.5.0/go.mod h1:Luc4sArBICYCS8THh8v3i3i5CuSZO+RaQRaJoeNwomw= +github.com/onsi/ginkgo/v2 v2.7.0/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo= +github.com/onsi/ginkgo/v2 v2.8.1/go.mod h1:N1/NbDngAFcSLdyZ+/aYTYGSlq9qMCS/cNKGJjy+csc= +github.com/onsi/ginkgo/v2 v2.9.0/go.mod h1:4xkjoL/tZv4SMWeww56BU5kAt19mVB47gTWxmrTcxyk= +github.com/onsi/ginkgo/v2 v2.9.1/go.mod h1:FEcmzVcCHl+4o9bQZVab+4dC9+j+91t2FHSzmGAPfuo= +github.com/onsi/ginkgo/v2 v2.9.2/go.mod h1:WHcJJG2dIlcCqVfBAwUCrJxSPFb6v4azBwgxeMeDuts= +github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k= +github.com/onsi/ginkgo/v2 v2.9.7/go.mod h1:cxrmXWykAwTwhQsJOPfdIDiJ+l2RYq7U8hFU+M/1uw0= +github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= +github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= +github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= +github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs= +github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= +github.com/onsi/gomega v1.20.1/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo= +github.com/onsi/gomega v1.21.1/go.mod h1:iYAIXgPSaDHak0LCMA+AWBpIKBr8WZicMxnE8luStNc= +github.com/onsi/gomega v1.22.1/go.mod h1:x6n7VNe4hw0vkyYUM4mjIXx3JbLiPaBPNgB7PRQ1tuM= +github.com/onsi/gomega v1.24.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg= +github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM= +github.com/onsi/gomega v1.26.0/go.mod h1:r+zV744Re+DiYCIPRlYOTxn0YkOLcAnW8k1xXdMPGhM= +github.com/onsi/gomega v1.27.1/go.mod h1:aHX5xOykVYzWOV4WqQy0sy8BQptgukenXpCXfadcIAw= +github.com/onsi/gomega v1.27.3/go.mod h1:5vG284IBtfDAmDyrK+eGyZmUgUlmi+Wngqo557cZ6Gw= +github.com/onsi/gomega v1.27.4/go.mod h1:riYq/GJKh8hhoM01HN6Vmuy93AarCXCBGpvFDK3q3fQ= +github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg= +github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4= +github.com/onsi/gomega v1.27.8/go.mod h1:2J8vzI/s+2shY9XHRApDkdgPo1TKT7P2u6fXeJKFnNQ= +github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= +github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= +github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/openshift/api v0.0.0-20230503133300-8bbcb7ca7183 h1:t/CahSnpqY46sQR01SoS+Jt0jtjgmhgE6lFmRnO4q70= +github.com/openshift/api v0.0.0-20230503133300-8bbcb7ca7183/go.mod h1:4VWG+W22wrB4HfBL88P40DxLEpSOaiBVxUnfalfJo9k= +github.com/openshift/custom-resource-status v1.1.2 h1:C3DL44LEbvlbItfd8mT5jWrqPfHnSOQoQf/sypqA6A4= +github.com/openshift/custom-resource-status v1.1.2/go.mod h1:DB/Mf2oTeiAmVVX1gN+NEqweonAPY0TKUwADizj8+ZA= +github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= +github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= +github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= +github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= +github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= +github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= +github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= +github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= +golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA= +golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= +golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= +golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= +golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= +golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= +golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= +golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= +golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= +golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= +golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= +golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= +golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= +golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= +golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= +golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= +golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= +gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A= +k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0= +k8s.io/apiextensions-apiserver v0.29.2 h1:UK3xB5lOWSnhaCk0RFZ0LUacPZz9RY4wi/yt2Iu+btg= +k8s.io/apiextensions-apiserver v0.29.2/go.mod h1:aLfYjpA5p3OwtqNXQFkhJ56TB+spV8Gc4wfMhUA3/b8= +k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8= +k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= +k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg= +k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA= +k8s.io/code-generator v0.29.2/go.mod h1:FwFi3C9jCrmbPjekhaCYcYG1n07CYiW1+PAPCockaos= +k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8= +k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM= +k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.40.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= +k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +kubevirt.io/api v1.0.0 h1:RBdXP5CDhE0v5qL2OUQdrYyRrHe/F68Z91GWqBDF6nw= +kubevirt.io/api v1.0.0/go.mod h1:CJ4vZsaWhVN3jNbyc9y3lIZhw8nUHbWjap0xHABQiqc= +kubevirt.io/containerized-data-importer-api v1.57.0-alpha1 h1:IWo12+ei3jltSN5jQN1xjgakfvRSF3G3Rr4GXVOOy2I= +kubevirt.io/containerized-data-importer-api v1.57.0-alpha1/go.mod h1:Y/8ETgHS1GjO89bl682DPtQOYEU/1ctPFBz6Sjxm4DM= +kubevirt.io/controller-lifecycle-operator-sdk/api v0.0.0-20220329064328-f3cc58c6ed90 h1:QMrd0nKP0BGbnxTqakhDZAUhGKxPiPiN5gSDqKUmGGc= +kubevirt.io/controller-lifecycle-operator-sdk/api v0.0.0-20220329064328-f3cc58c6ed90/go.mod h1:018lASpFYBsYN6XwmA2TIrPCx6e0gviTd/ZNtSitKgc= +sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeGOUvw0= +sigs.k8s.io/controller-runtime v0.17.2/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/images/kube-api-proxy/local/test-controller/main.go b/images/kube-api-proxy/local/test-controller/main.go new file mode 100644 index 000000000..916880a3a --- /dev/null +++ b/images/kube-api-proxy/local/test-controller/main.go @@ -0,0 +1,353 @@ +package main + +import ( + "context" + "flag" + "fmt" + "os" + "runtime" + "strconv" + + virtv1alpha2 "github.com/deckhouse/virtualization/api/core/v1alpha2" + "github.com/go-logr/logr" + "go.uber.org/zap/zapcore" + corev1 "k8s.io/api/core/v1" + extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + apiruntime "k8s.io/apimachinery/pkg/runtime" + clientgoscheme "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/tools/record" + kvv1 "kubevirt.io/api/core/v1" + "sigs.k8s.io/controller-runtime/pkg/builder" + "sigs.k8s.io/controller-runtime/pkg/cache" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client/config" + "sigs.k8s.io/controller-runtime/pkg/controller" + "sigs.k8s.io/controller-runtime/pkg/event" + "sigs.k8s.io/controller-runtime/pkg/handler" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/manager" + "sigs.k8s.io/controller-runtime/pkg/manager/signals" + "sigs.k8s.io/controller-runtime/pkg/predicate" + "sigs.k8s.io/controller-runtime/pkg/reconcile" + "sigs.k8s.io/controller-runtime/pkg/source" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" +) + +var ( + log = logf.Log.WithName("cmd") + resourcesSchemeFuncs = []func(*apiruntime.Scheme) error{ + clientgoscheme.AddToScheme, + extv1.AddToScheme, + kvv1.AddToScheme, + virtv1alpha2.AddToScheme, + } +) + +const ( + podNamespaceVar = "POD_NAMESPACE" + defaultVerbosity = "1" +) + +func setupLogger() { + verbose := defaultVerbosity + if verboseEnvVarVal := os.Getenv("VERBOSITY"); verboseEnvVarVal != "" { + verbose = verboseEnvVarVal + } + // visit actual flags passed in and if passed check -v and set verbose + if fv := flag.Lookup("v"); fv != nil { + verbose = fv.Value.String() + } + if verbose == defaultVerbosity { + log.V(1).Info(fmt.Sprintf("Note: increase the -v level in the controller deployment for more detailed logging, eg. -v=%d or -v=%d\n", 2, 3)) + } + verbosityLevel, err := strconv.Atoi(verbose) + debug := false + if err == nil && verbosityLevel > 1 { + debug = true + } + + // The logger instantiated here can be changed to any logger + // implementing the logr.Logger interface. This logger will + // be propagated through the whole operator, generating + // uniform and structured logs. + logf.SetLogger(zap.New(zap.Level(zapcore.Level(-1*verbosityLevel)), zap.UseDevMode(debug))) +} + +func printVersion() { + log.Info(fmt.Sprintf("Go Version: %s", runtime.Version())) + log.Info(fmt.Sprintf("Go OS/Arch: %s/%s", runtime.GOOS, runtime.GOARCH)) +} + +func main() { + flag.Parse() + + setupLogger() + printVersion() + + // Get a config to talk to the apiserver + cfg, err := config.GetConfig() + if err != nil { + log.Error(err, "") + os.Exit(1) + } + + leaderElectionNS := os.Getenv(podNamespaceVar) + if leaderElectionNS == "" { + leaderElectionNS = "default" + } + + // Setup scheme for all resources + scheme := apiruntime.NewScheme() + for _, f := range resourcesSchemeFuncs { + err = f(scheme) + if err != nil { + log.Error(err, "Failed to add to scheme") + os.Exit(1) + } + } + + managerOpts := manager.Options{ + // This controller watches resources in all namespaces. + LeaderElection: false, + LeaderElectionNamespace: leaderElectionNS, + LeaderElectionID: "test-controller-leader-election-helper", + LeaderElectionResourceLock: "leases", + Scheme: scheme, + } + + // Create a new Manager to provide shared dependencies and start components + mgr, err := manager.New(cfg, managerOpts) + if err != nil { + log.Error(err, "") + os.Exit(1) + } + + log.Info("Bootstrapping the Manager.") + + // Setup context to gracefully handle termination. + ctx := signals.SetupSignalHandler() + + // Add initial lister to sync rules and routes at start. + initLister := &InitialLister{ + client: mgr.GetClient(), + log: log, + } + err = mgr.Add(initLister) + if err != nil { + log.Error(err, "add initial lister to the manager") + } + + // + if _, err := NewController(ctx, mgr, log); err != nil { + log.Error(err, "") + os.Exit(1) + } + + // Start the Manager. + if err := mgr.Start(ctx); err != nil { + log.Error(err, "manager exited non-zero") + os.Exit(1) + } +} + +// InitialLister is a Runnable implementatin to access existing objects +// before handling any event with Reconcile method. +type InitialLister struct { + log logr.Logger + client client.Client +} + +func (i *InitialLister) Start(ctx context.Context) error { + cl := i.client + + // List VMs, Pods, CRDs before starting manager. + vms := virtv1alpha2.VirtualMachineList{} + err := cl.List(ctx, &vms) + if err != nil { + i.log.Error(err, "list VMs") + return err + } + log.Info(fmt.Sprintf("List returns %d VMs", len(vms.Items))) + for _, vm := range vms.Items { + i.log.Info(fmt.Sprintf("observe VM %s/%s at start", vm.GetNamespace(), vm.GetName())) + } + + pods := corev1.PodList{} + err = cl.List(ctx, &pods, client.InNamespace("")) + if err != nil { + i.log.Error(err, "list Pods") + return err + } + log.Info(fmt.Sprintf("List returns %d Pods", len(pods.Items))) + for _, pod := range pods.Items { + i.log.Info(fmt.Sprintf("observe Pod %s/%s at start", pod.GetNamespace(), pod.GetName())) + } + + crds := extv1.CustomResourceDefinitionList{} + err = cl.List(ctx, &crds, client.InNamespace("")) + if err != nil { + i.log.Error(err, "list Pods") + return err + } + log.Info(fmt.Sprintf("List returns %d CRDs", len(crds.Items))) + for _, crd := range crds.Items { + i.log.Info(fmt.Sprintf("observe CRD %s/%s at start", crd.GetNamespace(), crd.GetName())) + } + + i.log.Info("Initial listing done, proceed to manager Start") + return nil +} + +const ( + controllerName = "test-controller" +) + +func NewController( + ctx context.Context, + mgr manager.Manager, + log logr.Logger, +) (controller.Controller, error) { + reconciler := &VMReconciler{ + Client: mgr.GetClient(), + Cache: mgr.GetCache(), + Recorder: mgr.GetEventRecorderFor(controllerName), + Scheme: mgr.GetScheme(), + Log: log, + } + + c, err := controller.New(controllerName, mgr, controller.Options{Reconciler: reconciler}) + if err != nil { + return nil, err + } + + if err = SetupWatches(ctx, mgr, c, log); err != nil { + return nil, err + } + + if err = SetupWebhooks(ctx, mgr, reconciler); err != nil { + return nil, err + } + + log.Info("Initialized controller with test watches") + return c, nil +} + +// SetupWatches subscripts controller to Pods, CRDs and DVP VMs. +func SetupWatches(ctx context.Context, mgr manager.Manager, ctr controller.Controller, log logr.Logger) error { + if err := ctr.Watch(source.Kind(mgr.GetCache(), &virtv1alpha2.VirtualMachine{}), &handler.EnqueueRequestForObject{}, + //if err := ctr.Watch(source.Kind(mgr.GetCache(), &corev1.Pod{}), &handler.EnqueueRequestForObject{}, + predicate.Funcs{ + CreateFunc: func(e event.CreateEvent) bool { + log.Info(fmt.Sprintf("Got CREATE event for VM %s/%s gvk %v", e.Object.GetNamespace(), e.Object.GetName(), e.Object.GetObjectKind().GroupVersionKind())) + return true + }, + DeleteFunc: func(e event.DeleteEvent) bool { + log.Info(fmt.Sprintf("Got DELETE event for VM %s/%s gvk %v", e.Object.GetNamespace(), e.Object.GetName(), e.Object.GetObjectKind().GroupVersionKind())) + return true + }, + UpdateFunc: func(e event.UpdateEvent) bool { + log.Info(fmt.Sprintf("Got UPDATE event for VM %s/%s gvk %v", e.ObjectNew.GetNamespace(), e.ObjectNew.GetName(), e.ObjectNew.GetObjectKind().GroupVersionKind())) + return true + }, + }, + ); err != nil { + return fmt.Errorf("error setting watch on DVP VMs: %w", err) + } + + if err := ctr.Watch(source.Kind(mgr.GetCache(), &corev1.Pod{}), &handler.EnqueueRequestForObject{}, + predicate.Funcs{ + CreateFunc: func(e event.CreateEvent) bool { + log.Info(fmt.Sprintf("Got CREATE event for Pod %s/%s gvk %v", e.Object.GetNamespace(), e.Object.GetName(), e.Object.GetObjectKind().GroupVersionKind())) + return true + }, + DeleteFunc: func(e event.DeleteEvent) bool { + log.Info(fmt.Sprintf("Got DELETE event for Pod %s/%s gvk %v", e.Object.GetNamespace(), e.Object.GetName(), e.Object.GetObjectKind().GroupVersionKind())) + return true + }, + UpdateFunc: func(e event.UpdateEvent) bool { + log.Info(fmt.Sprintf("Got UPDATE event for Pod %s/%s gvk %v", e.ObjectNew.GetNamespace(), e.ObjectNew.GetName(), e.ObjectNew.GetObjectKind().GroupVersionKind())) + return true + }, + }, + ); err != nil { + return fmt.Errorf("error setting watch on Pods: %w", err) + } + + if err := ctr.Watch(source.Kind(mgr.GetCache(), &extv1.CustomResourceDefinition{}), &handler.EnqueueRequestForObject{}, + predicate.Funcs{ + CreateFunc: func(e event.CreateEvent) bool { + log.Info(fmt.Sprintf("Got CREATE event for CRD %s/%s gvk %v", e.Object.GetNamespace(), e.Object.GetName(), e.Object.GetObjectKind().GroupVersionKind())) + return true + }, + DeleteFunc: func(e event.DeleteEvent) bool { + log.Info(fmt.Sprintf("Got DELETE event for CRD %s/%s gvk %v", e.Object.GetNamespace(), e.Object.GetName(), e.Object.GetObjectKind().GroupVersionKind())) + return true + }, + UpdateFunc: func(e event.UpdateEvent) bool { + log.Info(fmt.Sprintf("Got UPDATE event for CRD %s/%s gvk %v", e.ObjectNew.GetNamespace(), e.ObjectNew.GetName(), e.ObjectNew.GetObjectKind().GroupVersionKind())) + return true + }, + }, + ); err != nil { + return fmt.Errorf("error setting watch on CRDs: %w", err) + } + + return nil +} + +func SetupWebhooks(ctx context.Context, mgr manager.Manager, validator admission.CustomValidator) error { + return builder.WebhookManagedBy(mgr). + For(&kvv1.VirtualMachine{}). + WithValidator(validator). + Complete() +} + +type VMReconciler struct { + Client client.Client + Cache cache.Cache + Recorder record.EventRecorder + Scheme *apiruntime.Scheme + Log logr.Logger +} + +func (r *VMReconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error) { + r.Log.Info(fmt.Sprintf("Got request for %s", req.String())) + return reconcile.Result{}, nil +} + +func (r *VMReconciler) ValidateCreate(ctx context.Context, obj apiruntime.Object) (admission.Warnings, error) { + vm, ok := obj.(*kvv1.VirtualMachine) + if !ok { + return nil, fmt.Errorf("expected a new VirtualMachine but got a %T", obj) + } + + warnings := admission.Warnings{ + fmt.Sprintf("Validate new VM %s is OK, got kind %s, apiVersion %s", vm.GetName(), vm.GetObjectKind(), vm.APIVersion), + } + return warnings, nil +} + +func (r *VMReconciler) ValidateUpdate(ctx context.Context, _, newObj apiruntime.Object) (admission.Warnings, error) { + vm, ok := newObj.(*kvv1.VirtualMachine) + if !ok { + return nil, fmt.Errorf("expected a new VirtualMachine but got a %T", newObj) + } + + warnings := admission.Warnings{ + fmt.Sprintf("Validate updated VM %s is OK, got kind %s, apiVersion %s", vm.GetName(), vm.GetObjectKind(), vm.APIVersion), + } + return warnings, nil +} + +func (v *VMReconciler) ValidateDelete(_ context.Context, obj apiruntime.Object) (admission.Warnings, error) { + vm, ok := obj.(*kvv1.VirtualMachine) + if !ok { + return nil, fmt.Errorf("expected a deleted VirtualMachine but got a %T", obj) + } + + warnings := admission.Warnings{ + fmt.Sprintf("Validate deleted VM %s is OK, got kind %s, apiVersion %s", vm.GetName(), vm.GetObjectKind(), vm.APIVersion), + } + return warnings, nil +} diff --git a/images/kube-api-proxy/pkg/kubevirt/kubevirt_rules.go b/images/kube-api-proxy/pkg/kubevirt/kubevirt_rules.go new file mode 100644 index 000000000..81d735bc5 --- /dev/null +++ b/images/kube-api-proxy/pkg/kubevirt/kubevirt_rules.go @@ -0,0 +1,551 @@ +package kubevirt + +import ( + . "kube-api-proxy/pkg/rewriter" +) + +var KubevirtRewriteRules = &RewriteRules{ + KindPrefix: "DVPInternal", // KV + ResourceTypePrefix: "dvpinternal", // kv + ShortNamePrefix: "dvp", + Categories: []string{"dvpinternal"}, + RenamedGroup: "internal.virtualization.deckhouse.io", + Rules: KubevirtAPIGroupsRules, + Webhooks: KubevirtWebhooks, +} + +// TODO create generator in golang to produce below rules from Kubevirt and CDI sources so proxy can work with future versions. + +var KubevirtAPIGroupsRules = map[string]APIGroupRule{ + "cdi.kubevirt.io": { + GroupRule: GroupRule{ + Group: "cdi.kubevirt.io", + Versions: []string{"v1beta1"}, + PreferredVersion: "v1beta1", + }, + ResourceRules: map[string]ResourceRule{ + // cdiconfigs.cdi.kubevirt.io + "cdiconfigs": { + Kind: "CDIConfig", + ListKind: "CDIConfigList", + Plural: "cdiconfigs", + Singular: "cdiconfig", + Versions: []string{"v1beta1"}, + PreferredVersion: "v1beta1", + Categories: []string{}, + ShortNames: []string{}, + }, + // cdis.cdi.kubevirt.io + "cdis": { + Kind: "CDI", + ListKind: "CDIList", + Plural: "cdis", + Singular: "cdi", + Versions: []string{"v1beta1"}, + PreferredVersion: "v1beta1", + Categories: []string{}, + ShortNames: []string{"cdi", "cdis"}, + }, + // dataimportcrons.cdi.kubevirt.io + "dataimportcrons": { + Kind: "DataImportCron", + ListKind: "DataImportCronList", + Plural: "dataimportcrons", + Singular: "dataimportcron", + Versions: []string{"v1beta1"}, + PreferredVersion: "v1beta1", + Categories: []string{"all"}, + ShortNames: []string{"dic", "dics"}, + }, + // datasources.cdi.kubevirt.io + "datasources": { + Kind: "DataSource", + ListKind: "DataSourceList", + Plural: "datasources", + Singular: "datasource", + Versions: []string{"v1beta1"}, + PreferredVersion: "v1beta1", + Categories: []string{"all"}, + ShortNames: []string{"das"}, + }, + // datavolumes.cdi.kubevirt.io + "datavolumes": { + Kind: "DataVolume", + ListKind: "DataVolumeList", + Plural: "datavolumes", + Singular: "datavolume", + Versions: []string{"v1beta1"}, + PreferredVersion: "v1beta1", + Categories: []string{"all"}, + ShortNames: []string{"dv", "dvs"}, + }, + // objecttransfers.cdi.kubevirt.io + "objecttransfers": { + Kind: "ObjectTransfer", + ListKind: "ObjectTransferList", + Plural: "objecttransfers", + Singular: "objecttransfer", + Versions: []string{"v1beta1"}, + PreferredVersion: "v1beta1", + Categories: []string{}, + ShortNames: []string{"ot", "ots"}, + }, + // storageprofiles.cdi.kubevirt.io + "storageprofiles": { + Kind: "StorageProfile", + ListKind: "StorageProfileList", + Plural: "storageprofiles", + Singular: "storageprofile", + Versions: []string{"v1beta1"}, + PreferredVersion: "v1beta1", + Categories: []string{}, + ShortNames: []string{}, + }, + // volumeclonesources.cdi.kubevirt.io + "volumeclonesources": { + Kind: "VolumeCloneSource", + ListKind: "VolumeCloneSourceList", + Plural: "volumeclonesources", + Singular: "volumeclonesource", + Versions: []string{"v1beta1"}, + PreferredVersion: "v1beta1", + Categories: []string{}, + ShortNames: []string{}, + }, + // volumeimportsources.cdi.kubevirt.io + "volumeimportsources": { + Kind: "VolumeImportSource", + ListKind: "VolumeImportSourceList", + Plural: "volumeimportsources", + Singular: "volumeimportsource", + Versions: []string{"v1beta1"}, + PreferredVersion: "v1beta1", + Categories: []string{}, + ShortNames: []string{}, + }, + // volumeuploadsources.cdi.kubevirt.io + "volumeuploadsources": { + Kind: "VolumeUploadSource", + ListKind: "VolumeUploadSourceList", + Plural: "volumeuploadsources", + Singular: "volumeuploadsource", + Versions: []string{"v1beta1"}, + PreferredVersion: "v1beta1", + Categories: []string{}, + ShortNames: []string{}, + }, + }, + }, + "kubevirt.io": { + GroupRule: GroupRule{ + Group: "kubevirt.io", + Versions: []string{"v1", "v1alpha3"}, + PreferredVersion: "v1", + }, + ResourceRules: map[string]ResourceRule{ + // kubevirts.kubevirt.io + "kubevirts": { + Kind: "KubeVirt", + ListKind: "KubeVirtList", + Plural: "kubevirts", + Singular: "kubevirt", + Versions: []string{"v1", "v1alpha3"}, + PreferredVersion: "v1", + Categories: []string{"all"}, + ShortNames: []string{"kv", "kvs"}, + }, + // virtualmachines.kubevirt.io + "virtualmachines": { + Kind: "VirtualMachine", + ListKind: "VirtualMachineList", + Plural: "virtualmachines", + Singular: "virtualmachine", + Versions: []string{"v1", "v1alpha3"}, + PreferredVersion: "v1", + Categories: []string{"all"}, + ShortNames: []string{"vm", "vms"}, + }, + // virtualmachineinstances.kubevirt.io + "virtualmachineinstances": { + Kind: "VirtualMachineInstance", + ListKind: "VirtualMachineInstanceList", + Plural: "virtualmachineinstances", + Singular: "virtualmachineinstance", + Versions: []string{"v1", "v1alpha3"}, + PreferredVersion: "v1", + Categories: []string{"all"}, + ShortNames: []string{"vmi", "vmsi"}, + }, + // virtualmachineinstancemigrations.kubevirt.io + "virtualmachineinstancemigrations": { + Kind: "VirtualMachineInstanceMigration", + ListKind: "VirtualMachineInstanceMigrationList", + Plural: "virtualmachineinstancemigrations", + Singular: "virtualmachineinstancemigration", + Versions: []string{"v1", "v1alpha3"}, + PreferredVersion: "v1", + Categories: []string{"all"}, + ShortNames: []string{"vmim", "vmims"}, + }, + // virtualmachineinstancepresets.kubevirt.io + "virtualmachineinstancepresets": { + Kind: "VirtualMachineInstancePreset", + ListKind: "VirtualMachineInstancePresetList", + Plural: "virtualmachineinstancepresets", + Singular: "virtualmachineinstancepreset", + Versions: []string{"v1", "v1alpha3"}, + PreferredVersion: "v1", + Categories: []string{"all"}, + ShortNames: []string{"vmipreset", "vmipresets"}, + }, + // virtualmachineinstancereplicasets.kubevirt.io + "virtualmachineinstancereplicasets": { + Kind: "VirtualMachineInstanceReplicaSet", + ListKind: "VirtualMachineInstanceReplicaSetList", + Plural: "virtualmachineinstancereplicasets", + Singular: "virtualmachineinstancereplicaset", + Versions: []string{"v1", "v1alpha3"}, + PreferredVersion: "v1", + Categories: []string{"all"}, + ShortNames: []string{"vmirs", "vmirss"}, + }, + }, + }, + "clone.kubevirt.io": { + GroupRule: GroupRule{ + Group: "clone.kubevirt.io", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + }, + ResourceRules: map[string]ResourceRule{ + // virtualmachineclones.clone.kubevirt.io + "virtualmachineclones": { + Kind: "VirtualMachineClone", + ListKind: "VirtualMachineCloneList", + Plural: "virtualmachineclones", + Singular: "virtualmachineclone", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + Categories: []string{"all"}, + ShortNames: []string{"vmclone", "vmclones"}, + }, + }, + }, + "export.kubevirt.io": { + GroupRule: GroupRule{ + Group: "export.kubevirt.io", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + }, + ResourceRules: map[string]ResourceRule{ + // virtualmachineexports.export.kubevirt.io + "virtualmachineexports": { + Kind: "VirtualMachineExport", + ListKind: "VirtualMachineExportList", + Plural: "virtualmachineexports", + Singular: "virtualmachineexport", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + Categories: []string{"all"}, + ShortNames: []string{"vmexport", "vmexports"}, + }, + }, + }, + "instancetype.kubevirt.io": { + GroupRule: GroupRule{ + Group: "instancetype.kubevirt.io", + Versions: []string{"v1alpha1", "v1alpha2"}, + PreferredVersion: "v1alpha2", + }, + ResourceRules: map[string]ResourceRule{ + // virtualmachineinstancetypes.instancetype.kubevirt.io + "virtualmachineinstancetypes": { + Kind: "VirtualMachineInstancetype", + ListKind: "VirtualMachineInstancetypeList", + Plural: "virtualmachineinstancetypes", + Singular: "virtualmachineinstancetype", + Versions: []string{"v1alpha1", "v1alpha2"}, + PreferredVersion: "v1alpha2", + Categories: []string{"all"}, + ShortNames: []string{"vminstancetype", "vminstancetypes", "vmf", "vmfs"}, + }, + // virtualmachinepreferences.instancetype.kubevirt.io + "virtualmachinepreferences": { + Kind: "VirtualMachinePreference", + ListKind: "VirtualMachinePreferenceList", + Plural: "virtualmachinepreferences", + Singular: "virtualmachinepreference", + Versions: []string{"v1alpha1", "v1alpha2"}, + PreferredVersion: "v1alpha2", + Categories: []string{"all"}, + ShortNames: []string{"vmpref", "vmprefs", "vmp", "vmps"}, + }, + // virtualmachineclusterinstancetypes.instancetype.kubevirt.io + "virtualmachineclusterinstancetypes": { + Kind: "VirtualMachineClusterInstancetype", + ListKind: "VirtualMachineClusterInstancetypeList", + Plural: "virtualmachineclusterinstancetypes", + Singular: "virtualmachineclusterinstancetype", + Versions: []string{"v1alpha1", "v1alpha2"}, + PreferredVersion: "v1alpha2", + Categories: []string{}, + ShortNames: []string{"vmclusterinstancetype", "vmclusterinstancetypes", "vmcf", "vmcfs"}, + }, + // virtualmachineclusterpreferences.instancetype.kubevirt.io + "virtualmachineclusterpreferences": { + Kind: "VirtualMachineClusterPreference", + ListKind: "VirtualMachineClusterPreferenceList", + Plural: "virtualmachineclusterpreferences", + Singular: "virtualmachineclusterpreference", + Versions: []string{"v1alpha1", "v1alpha2"}, + PreferredVersion: "v1alpha2", + Categories: []string{}, + ShortNames: []string{"vmcp", "vmcps"}, + }, + }, + }, + "migrations.kubevirt.io": { + GroupRule: GroupRule{ + Group: "migrations.kubevirt.io", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + }, + ResourceRules: map[string]ResourceRule{ + // migrationpolicies.migrations.kubevirt.io + "migrationpolicies": { + Kind: "MigrationPolicy", + ListKind: "MigrationPolicyList", + Plural: "migrationpolicies", + Singular: "migrationpolicy", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + Categories: []string{"all"}, + ShortNames: []string{}, + }, + }, + }, + "pool.kubevirt.io": { + GroupRule: GroupRule{ + Group: "pool.kubevirt.io", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + }, + ResourceRules: map[string]ResourceRule{ + // virtualmachinepools.pool.kubevirt.io + "virtualmachinepools": { + Kind: "VirtualMachinePool", + ListKind: "VirtualMachinePoolList", + Plural: "virtualmachinepools", + Singular: "virtualmachinepool", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + Categories: []string{"all"}, + ShortNames: []string{"vmpool", "vmpools"}, + }, + }, + }, + "snapshot.kubevirt.io": { + GroupRule: GroupRule{ + Group: "snapshot.kubevirt.io", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + }, + ResourceRules: map[string]ResourceRule{ + // virtualmachinerestores.snapshot.kubevirt.io + "virtualmachinerestores": { + Kind: "VirtualMachineRestore", + ListKind: "VirtualMachineRestoreList", + Plural: "virtualmachinerestores", + Singular: "virtualmachinerestore", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + Categories: []string{"all"}, + ShortNames: []string{"vmrestore", "vmrestores"}, + }, + // virtualmachinesnapshotcontents.snapshot.kubevirt.io + "virtualmachinesnapshotcontents": { + Kind: "VirtualMachineSnapshotContent", + ListKind: "VirtualMachineSnapshotContentList", + Plural: "virtualmachinesnapshotcontents", + Singular: "virtualmachinesnapshotcontent", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + Categories: []string{"all"}, + ShortNames: []string{"vmsnapshotcontent", "vmsnapshotcontents"}, + }, + // virtualmachinesnapshots.snapshot.kubevirt.io + "virtualmachinesnapshots": { + Kind: "VirtualMachineSnapshot", + ListKind: "VirtualMachineSnapshotList", + Plural: "virtualmachinesnapshots", + Singular: "virtualmachinesnapshot", + Versions: []string{"v1alpha1"}, + PreferredVersion: "v1alpha1", + Categories: []string{"all"}, + ShortNames: []string{"vmsnapshot", "vmsnapshots"}, + }, + }, + }, +} + +var KubevirtWebhooks = map[string]WebhookRule{ + // CDI webhooks. + // Run this in original CDI installation: + // kubectl get validatingwebhookconfiguration,mutatingwebhookconfiguration -l cdi.kubevirt.io -o json | jq '.items[] | .webhooks[] | {"path": .clientConfig.service.path, "group": (.rules[]|.apiGroups|join(",")), "resource": (.rules[]|.resources|join(",")) } | "\""+.path +"\": {\nPath: \"" + .path + "\",\nGroup: \"" + .group + "\",\nResource: \"" + .resource + "\",\n}," ' -r + // TODO create generator in golang to extract these rules from resource definitions in the cdi-operator package. + "/datavolume-mutate": { + Path: "/datavolume-mutate", + Group: "cdi.kubevirt.io", + Resource: "datavolumes", + }, + "/dataimportcron-validate": { + Path: "/dataimportcron-validate", + Group: "cdi.kubevirt.io", + Resource: "dvpinternaldataimportcrons", + }, + "/datavolume-validate": { + Path: "/datavolume-validate", + Group: "cdi.kubevirt.io", + Resource: "datavolumes", + }, + "/cdi-validate": { + Path: "/cdi-validate", + Group: "cdi.kubevirt.io", + Resource: "cdis", + }, + "/objecttransfer-validate": { + Path: "/objecttransfer-validate", + Group: "cdi.kubevirt.io", + Resource: "objecttransfers", + }, + "/populator-validate": { + Path: "/populator-validate", + Group: "cdi.kubevirt.io", + Resource: "volumeimportsources", // Also, volumeuploadsources. This field for logging only. + }, + + // Kubevirt webhooks. + // Run this in original Kubevirt installation: + // kubectl get validatingwebhookconfiguration,mutatingwebhookconfiguration -l kubevirt.io -o json | jq '.items[] | .webhooks[] | {"path": .clientConfig.service.path, "group": (.rules[]|.apiGroups|join(",")), "resource": (.rules[]|.resources|join(",")) } | "\""+.path +"\": {\nPath: \"" + .path + "\",\nGroup: \"" + .group + "\",\nResource: \"" + .resource + "\",\n}," ' + // TODO create generator in golang to extract these rules from resource definitions in the virt-operator package. + "/virtualmachineinstances-validate-create": { + Path: "/virtualmachineinstances-validate-create", + Group: "kubevirt.io", + Resource: "virtualmachineinstances", + }, + "/virtualmachineinstances-validate-update": { + Path: "/virtualmachineinstances-validate-update", + Group: "kubevirt.io", + Resource: "virtualmachineinstances", + }, + "/virtualmachines-validate": { + Path: "/virtualmachines-validate", + Group: "kubevirt.io", + Resource: "virtualmachines", + }, + "/virtualmachinereplicaset-validate": { + Path: "/virtualmachinereplicaset-validate", + Group: "kubevirt.io", + Resource: "virtualmachineinstancereplicasets", + }, + "/virtualmachinepool-validate": { + Path: "/virtualmachinepool-validate", + Group: "pool.kubevirt.io", + Resource: "virtualmachinepools", + }, + "/vmipreset-validate": { + Path: "/vmipreset-validate", + Group: "kubevirt.io", + Resource: "virtualmachineinstancepresets", + }, + "/migration-validate-create": { + Path: "/migration-validate-create", + Group: "kubevirt.io", + Resource: "virtualmachineinstancemigrations", + }, + "/migration-validate-update": { + Path: "/migration-validate-update", + Group: "kubevirt.io", + Resource: "virtualmachineinstancemigrations", + }, + "/virtualmachinesnapshots-validate": { + Path: "/virtualmachinesnapshots-validate", + Group: "snapshot.kubevirt.io", + Resource: "virtualmachinesnapshots", + }, + "/virtualmachinerestores-validate": { + Path: "/virtualmachinerestores-validate", + Group: "snapshot.kubevirt.io", + Resource: "virtualmachinerestores", + }, + "/virtualmachineexports-validate": { + Path: "/virtualmachineexports-validate", + Group: "export.kubevirt.io", + Resource: "virtualmachineexports", + }, + "/virtualmachineinstancetypes-validate": { + Path: "/virtualmachineinstancetypes-validate", + Group: "instancetype.kubevirt.io", + Resource: "virtualmachineinstancetypes", + }, + "/virtualmachineclusterinstancetypes-validate": { + Path: "/virtualmachineclusterinstancetypes-validate", + Group: "instancetype.kubevirt.io", + Resource: "virtualmachineclusterinstancetypes", + }, + "/virtualmachinepreferences-validate": { + Path: "/virtualmachinepreferences-validate", + Group: "instancetype.kubevirt.io", + Resource: "virtualmachinepreferences", + }, + "/virtualmachineclusterpreferences-validate": { + Path: "/virtualmachineclusterpreferences-validate", + Group: "instancetype.kubevirt.io", + Resource: "virtualmachineclusterpreferences", + }, + "/status-validate": { + Path: "/status-validate", + Group: "kubevirt.io", + Resource: "virtualmachines/status,virtualmachineinstancereplicasets/status,virtualmachineinstancemigrations/status", + }, + "/migration-policy-validate-create": { + Path: "/migration-policy-validate-create", + Group: "migrations.kubevirt.io", + Resource: "migrationpolicies", + }, + "/vm-clone-validate-create": { + Path: "/vm-clone-validate-create", + Group: "clone.kubevirt.io", + Resource: "virtualmachineclones", + }, + "/kubevirt-validate-delete": { + Path: "/kubevirt-validate-delete", + Group: "kubevirt.io", + Resource: "kubevirts", + }, + "/kubevirt-validate-update": { + Path: "/kubevirt-validate-update", + Group: "kubevirt.io", + Resource: "kubevirts", + }, + "/virtualmachines-mutate": { + Path: "/virtualmachines-mutate", + Group: "kubevirt.io", + Resource: "virtualmachines", + }, + "/virtualmachineinstances-mutate": { + Path: "/virtualmachineinstances-mutate", + Group: "kubevirt.io", + Resource: "virtualmachineinstances", + }, + "/migration-mutate-create": { + Path: "/migration-mutate-create", + Group: "kubevirt.io", + Resource: "virtualmachineinstancemigrations", + }, + "/vm-clone-mutate-create": { + Path: "/vm-clone-mutate-create", + Group: "clone.kubevirt.io", + Resource: "virtualmachineclones", + }, +} diff --git a/images/kube-api-proxy/pkg/kubevirt/kubevirt_rules_test.go b/images/kube-api-proxy/pkg/kubevirt/kubevirt_rules_test.go new file mode 100644 index 000000000..2303572b2 --- /dev/null +++ b/images/kube-api-proxy/pkg/kubevirt/kubevirt_rules_test.go @@ -0,0 +1,17 @@ +package kubevirt + +import ( + "fmt" + "testing" + + "sigs.k8s.io/yaml" +) + +func TestKubevirtRulesToYAML(t *testing.T) { + b, err := yaml.Marshal(KubevirtRewriteRules) + if err != nil { + t.Fatalf("should marshal kubevirt rules without error: %v", err) + } + + fmt.Printf("%s\n", string(b)) +} diff --git a/images/kube-api-proxy/pkg/log/body.go b/images/kube-api-proxy/pkg/log/body.go new file mode 100644 index 000000000..6902c6388 --- /dev/null +++ b/images/kube-api-proxy/pkg/log/body.go @@ -0,0 +1,55 @@ +package log + +import ( + "bytes" + "fmt" + "io" +) + +type ReaderLogger struct { + wrappedReader io.ReadCloser + buf bytes.Buffer +} + +func NewReaderLogger(r io.Reader) *ReaderLogger { + rdr := &ReaderLogger{} + rdr.wrappedReader = io.NopCloser(io.TeeReader(r, &rdr.buf)) + return rdr +} + +func (r *ReaderLogger) Read(p []byte) (n int, err error) { + return r.wrappedReader.Read(p) +} + +func (r *ReaderLogger) Close() error { + return r.wrappedReader.Close() +} + +func HeadString(obj interface{}, limit int) string { + readLog, ok := obj.(*ReaderLogger) + if !ok { + return "" + } + bufLen := readLog.buf.Len() + bufStr := readLog.buf.String() + if bufLen < limit { + return bufStr + } + return bufStr[0:limit] +} + +func HeadStringEx(obj interface{}, limit int) string { + s := HeadString(obj, limit) + if s == "" { + return "" + } + return fmt.Sprintf("[%d] %s", len(s), s) +} + +func HasData(obj interface{}) bool { + readLog, ok := obj.(*ReaderLogger) + if !ok { + return false + } + return readLog.buf.Len() > 0 +} diff --git a/images/kube-api-proxy/pkg/log/error.go b/images/kube-api-proxy/pkg/log/error.go new file mode 100644 index 000000000..07938567d --- /dev/null +++ b/images/kube-api-proxy/pkg/log/error.go @@ -0,0 +1,7 @@ +package log + +import "log/slog" + +func SlogErr(err error) slog.Attr { + return slog.Any("err", err) +} diff --git a/images/kube-api-proxy/pkg/proxy/doc.go b/images/kube-api-proxy/pkg/proxy/doc.go new file mode 100644 index 000000000..301388b37 --- /dev/null +++ b/images/kube-api-proxy/pkg/proxy/doc.go @@ -0,0 +1,39 @@ +package proxy + +// Proxy handler implements 2 types of proxy: +// - proxy for client interaction with Kubernetes API Server +// - proxy to deliver AdmissionReview requests from Kubernetes API Server to webhook server +// +// Proxy for webhooks acts as follows: +// ServerHTTP method reads request from Kubernetes API Server, restores apiVersion, kind and +// ownerRefs, sends it to real webhook, renames apiVersion, kind, and ownerRefs +// and sends it back to Kubernetes API Server. +// +// +--------------------------------------------+ +// | Kubernetes API Server | +// +--------------------------------------------+ +// | ^ +// | | +// 1. AdmissionReview request 4. AdmissionReview response +// webhook.srv:443/webhook-endpoint | +// apiVersion: renamed-group.io | +// kind: PrefixedResource | +// | | +// v | +// +-----------------------------------------------------+ +// | Proxy | +// | 2. Restore 3. Rename | +// | apiVersion, kind field if Admission response | +// | in Admission request has patchType: JSONPatch | +// | in Admission request rename kind in ownerRef | +// +-----------------------------------------------------+ +// | ^ +// 127.0.0.1:9443/webhook-endpoint | +// apiVersion: original-group.io | +// kind: Resource | +// | | +// v | +// +-------------------------------------------------------+ +// | Webhook | +// | handles request ---> sends response | +// +-------------------------------------------------------+ diff --git a/images/kube-api-proxy/pkg/proxy/handler.go b/images/kube-api-proxy/pkg/proxy/handler.go new file mode 100644 index 000000000..ee2098d43 --- /dev/null +++ b/images/kube-api-proxy/pkg/proxy/handler.go @@ -0,0 +1,420 @@ +package proxy + +import ( + "bytes" + "compress/flate" + "compress/gzip" + "fmt" + "io" + "log/slog" + "net/http" + "net/url" + "strconv" + "strings" + "sync" + + logutil "kube-api-proxy/pkg/log" + "kube-api-proxy/pkg/rewriter" +) + +type ProxyMode string + +const ( + // ToOriginal mode indicates that resource should be restored when passed to target and renamed when passing back to client. + ToOriginal ProxyMode = "original" + // ToRenamed mode indicates that resource should be renamed when passed to target and restored when passing back to client. + ToRenamed ProxyMode = "renamed" +) + +func ToTargetAction(proxyMode ProxyMode) rewriter.Action { + if proxyMode == ToRenamed { + return rewriter.Rename + } + return rewriter.Restore +} + +func FromTargetAction(proxyMode ProxyMode) rewriter.Action { + if proxyMode == ToRenamed { + return rewriter.Restore + } + return rewriter.Rename +} + +type Handler struct { + Name string + // ProxyPass is a target http client to send requests to. + // An allusion to nginx proxy_pass directive. + TargetClient *http.Client + TargetURL *url.URL + ProxyMode ProxyMode + Rewriter *rewriter.RuleBasedRewriter + m sync.Mutex +} + +func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) { + if req == nil { + slog.Error("req is nil. something wrong") + return + } + if req.URL == nil { + slog.Error(fmt.Sprintf("req.URL is nil. something wrong. method %s RequestURI '%s' Headers %+v", req.Method, req.RequestURI, req.Header)) + return + } + + // Parse request url, prepare path rewrite. + targetReq := rewriter.NewTargetRequest(h.Rewriter, req) + + resource := targetReq.ResourceForLog() + + logger := slog.With( + slog.String("request", fmt.Sprintf("%s %s", req.Method, req.URL.Path)), + slog.String("resource", resource), + slog.String("proxy.name", h.Name), + ) + + // Set target address, cleanup RequestURI. + req.RequestURI = "" + req.URL.Scheme = h.TargetURL.Scheme + req.URL.Host = h.TargetURL.Host + + // Log request path. + rwrReq := " NO" + if targetReq.ShouldRewriteRequest() { + rwrReq = "REQ" + } + rwrResp := " NO" + if targetReq.ShouldRewriteResponse() { + rwrResp = "RESP" + } + if targetReq.Path() != req.URL.Path { + logger.Info(fmt.Sprintf("%s [%s,%s] %s -> %s", req.Method, rwrReq, rwrResp, req.URL.String(), targetReq.Path())) + } else { + logger.Info(fmt.Sprintf("%s [%s,%s] %s", req.Method, rwrReq, rwrResp, req.URL.String())) + } + + // TODO(development): Mute some logging for development: election, non-rewritable resources. + isMute := false + if !targetReq.ShouldRewriteRequest() && !targetReq.ShouldRewriteResponse() { + isMute = true + } + switch resource { + case "leases": + isMute = true + case "endpoints": + isMute = true + case "clusterrolebindings": + isMute = false + case "clustervirtualmachineimages": + isMute = false + } + if isMute { + logger = slog.New(slog.NewTextHandler(io.Discard, nil)) + } + + logger.Info(fmt.Sprintf("Request: orig headers: %+v", req.Header)) + + // Modify req to send it to target. + err := h.transformRequest(targetReq, req) + //targetReq, err := p.Rewriter.RewriteToTarget(req) + if err != nil { + logger.Error(fmt.Sprintf("Error rewriting request: %s", req.URL.String()), logutil.SlogErr(err)) + http.Error(w, "can't rewrite request", http.StatusBadRequest) + return + } + + logger.Info(fmt.Sprintf("Request: target headers: %+v", req.Header)) + + // Wrap reader to log content after transferring request Body. + if req.Body != nil { + req.Body = logutil.NewReaderLogger(req.Body) + } + + resp, err := h.TargetClient.Do(req) + if err != nil { + logger.Error("Proxy pass request error", logutil.SlogErr(err)) + http.Error(w, "Proxy pass request error", http.StatusInternalServerError) + // TODO return apimachinery NewInternalError + // https://github.com/kubernetes/apimachinery/blob/master/pkg/api/errors/errors.go + return + } + defer resp.Body.Close() + + // TODO handle resp.Status 3xx, 4xx, 5xx, etc. + + // TODO delete after development: Log head of the request body. + if logutil.HasData(req.Body) { + limit := 512 + switch resource { + case "virtualmachines", + "virtualmachines/status", + "virtualmachineinstances", + "virtualmachineinstances/status", + "clustervirtualmachineimages", + "clustervirtualmachineimages/status", + "clusterrolebindings", + "customresourcedefinitions": + limit = 32000 + } + logger.Info(fmt.Sprintf("Request: Rewritten body: %s", logutil.HeadStringEx(req.Body, limit))) + } + + if !targetReq.ShouldRewriteResponse() { + // Pass response as-is without rewriting. + logger.Info(fmt.Sprintf("RESPONSE PASS: Status %s, Headers %+v", resp.Status, resp.Header)) + passResponse(w, resp, logger) + return + } + + if targetReq.IsWatch() { + logger.Info(fmt.Sprintf("RESPONSE REWRITE STREAM Status %s, Headers %+v", resp.Status, resp.Header)) + + h.transformStream(targetReq, w, resp, logger) + return + } + + // One-time rewrite is required for client or webhook requests. + logger.Info(fmt.Sprintf("RESPONSE REWRITE ONCE Status %s, Headers %+v", resp.Status, resp.Header)) + + h.transformResponse(targetReq, w, resp, logger) + return +} + +func copyHeader(dst, src http.Header) { + for header, values := range src { + // Do not override dst header with the header from the src. + if len(dst.Values(header)) > 0 { + continue + } + for _, value := range values { + dst.Add(header, value) + } + } +} + +func encodingAwareBodyReader(resp *http.Response) (io.ReadCloser, error) { + if resp == nil { + return nil, nil + } + body := resp.Body + if body == nil { + return nil, nil + } + + var reader io.ReadCloser + var err error + + encoding := resp.Header.Get("Content-Encoding") + switch encoding { + case "gzip": + reader, err = gzip.NewReader(body) + if err != nil { + return nil, fmt.Errorf("errorf making gzip reader: %v", err) + } + return io.NopCloser(reader), nil + case "deflate": + return flate.NewReader(body), nil + } + + return body, nil +} + +// transformRequest transforms request headers and rewrites request payload to use +// request as client to the target. +// TargetMode field defines either transformer should rename resources +// if request is from the client, or restore resources if it is a call +// from the API Server to the webhook. +func (h *Handler) transformRequest(targetReq *rewriter.TargetRequest, req *http.Request) error { + if req == nil || req.URL == nil { + return fmt.Errorf("request to rewrite is empty") + } + + // Rewrite incoming payload, e.g. create, put, etc. + if targetReq.ShouldRewriteRequest() && req.Body != nil { + // Read whole request body to rewrite. + bodyBytes, err := io.ReadAll(req.Body) + if err != nil { + return fmt.Errorf("read request body: %w", err) + } + + var newBody []byte + switch req.Method { + case http.MethodPatch: + newBody, err = h.Rewriter.RewritePatch(targetReq, bodyBytes) + default: + newBody, err = h.Rewriter.RewriteJSONPayload(targetReq, bodyBytes, ToTargetAction(h.ProxyMode)) + } + if err != nil { + return err + } + + // Put new Body reader to req and fix Content-Length header. + newBodyLen := len(newBody) + if newBodyLen > 0 { + // Fix content-length if needed. + req.ContentLength = int64(newBodyLen) + if req.Header.Get("Content-Length") != "" { + req.Header.Set("Content-Length", strconv.Itoa(newBodyLen)) + } + req.Body = io.NopCloser(bytes.NewBuffer(newBody)) + } + } + + if targetReq.ShouldRewriteResponse() { + // Rewriter not work with protobuf, force JSON + // in Accept header. + newAccept := make([]string, 0) + for _, hdr := range req.Header.Values("Accept") { + if strings.Contains(hdr, "application/vnd.kubernetes.protobuf") { + newAccept = append(newAccept, "application/json") + continue + } + // Quickly support kubectl with simple hack + if strings.Contains(hdr, "application/json") && strings.Contains(hdr, "as=Table") { + newAccept = append(newAccept, "application/json") + continue + } + newAccept = append(newAccept, hdr) + } + //req.Header.Set("Accept", newAccept) + + //req.Header.Del("Accept") + req.Header["Accept"] = newAccept + + // Force JSON for watches of core resources and CRDs. + if targetReq.IsWatch() && (targetReq.IsCRD() || targetReq.IsCore()) { + if len(req.Header.Values("Accept")) == 0 { + req.Header["Accept"] = []string{"application/json"} + } + } + } + + // Set new endpoint path and query. + req.URL.Path = targetReq.Path() + req.URL.RawQuery = targetReq.RawQuery() + + return nil +} + +func passResponse(w http.ResponseWriter, resp *http.Response, logger *slog.Logger) { + copyHeader(w.Header(), resp.Header) + w.WriteHeader(resp.StatusCode) + + if resp.StatusCode != http.StatusOK { + resp.Body = logutil.NewReaderLogger(resp.Body) + } + + dst := &immediateWriter{dst: w} + _, err := io.Copy(dst, resp.Body) + if err != nil { + logger.Error(fmt.Sprintf("copy response: %v", err)) + } + + if logutil.HasData(resp.Body) { + limit := 1024 + logger.Info(fmt.Sprintf("Pass through non 200 response: status %d %s", resp.StatusCode, logutil.HeadStringEx(resp.Body, limit))) + } + + return +} + +// transformResponse rewrites payloads in responses from the target. +// +// ProxyMode field defines either rewriter should restore, or rename resources. +func (h *Handler) transformResponse(targetReq *rewriter.TargetRequest, w http.ResponseWriter, resp *http.Response, logger *slog.Logger) { + // Rewrite supports only json responses for now. + // TODO detect content type from content, header in response may be inaccurate, e.g. from webhooks. + contentType := resp.Header.Get("Content-Type") + if !strings.HasPrefix(contentType, "application/json") { + logger.Warn(fmt.Sprintf("Will not transform non JSON response from target: Content-type=%s", contentType)) + passResponse(w, resp, logger) + return + } + + // Add gzip decoder if needed. + var err error + resp.Body, err = encodingAwareBodyReader(resp) + if err != nil { + logger.Error("Error decoding response body", logutil.SlogErr(err)) + http.Error(w, "can't decode response body", http.StatusInternalServerError) + return + } + + // Read response body to buffer. Wrap Body to log it later. + bodyReader := logutil.NewReaderLogger(resp.Body) + bodyBytes, err := io.ReadAll(bodyReader) + if err != nil { + logger.Error("Error reading response payload", logutil.SlogErr(err)) + http.Error(w, "Error reading response payload", http.StatusBadGateway) + return + } + + { + limit := 1024 + logger.Info(fmt.Sprintf("Response: original body: [%d] %s", len(bodyBytes), logutil.HeadStringEx(bodyReader, limit))) + } + + //return tr.Rewriter.RewriteJSONPayload(tr.TargetReq, bodyBytes, FromTargetAction(tr.ProxyMode)) + //bodyBytes, err := h.Rewriter.RewriteFromTarget(targetReq, resp, logger) + bodyBytes, err = h.Rewriter.RewriteJSONPayload(targetReq, bodyBytes, FromTargetAction(h.ProxyMode)) + if err != nil { + logger.Error("Error rewriting response", logutil.SlogErr(err)) + http.Error(w, "can't rewrite response", http.StatusInternalServerError) + return + } + + { + limit := 1024 + if len(bodyBytes) < limit { + limit = len(bodyBytes) + } + logger.Info(fmt.Sprintf("Response: rewritten bytes: [%d] %s", len(bodyBytes), string(bodyBytes[:limit]))) + } + + copyHeader(w.Header(), resp.Header) + // Fix Content headers. + // bodyBytes are always decoded from gzip. Delete header to not break our client. + w.Header().Del("Content-Encoding") + if bodyBytes != nil { + w.Header().Set("Content-Length", strconv.Itoa(len(bodyBytes))) + } + w.WriteHeader(resp.StatusCode) + + if bodyBytes != nil { + resp.Body = io.NopCloser(bytes.NewBuffer(bodyBytes)) + _, err := io.Copy(w, resp.Body) + if err != nil { + logger.Error(fmt.Sprintf("error writing response from target: %v", err)) + } + } + + return +} + +func (h *Handler) transformStream(targetReq *rewriter.TargetRequest, w http.ResponseWriter, resp *http.Response, logger *slog.Logger) { + copyHeader(w.Header(), resp.Header) + w.WriteHeader(resp.StatusCode) + + // Start stream handler and lock ServeHTTP while proxying watch events stream. + wsr, err := NewStreamHandler(resp.Body, w, resp.Header.Get("Content-Type"), h.Rewriter, targetReq, logger) + if err != nil { + logger.Error("Error watching stream", logutil.SlogErr(err)) + http.Error(w, fmt.Sprintf("watch stream: %v", err), http.StatusInternalServerError) + return + } + <-wsr.DoneChan() + return +} + +type immediateWriter struct { + dst io.Writer +} + +func (iw *immediateWriter) Write(p []byte) (n int, err error) { + n, err = iw.dst.Write(p) + + if flusher, ok := iw.dst.(http.Flusher); ok { + flusher.Flush() + } + + return +} diff --git a/images/kube-api-proxy/pkg/proxy/stream_handler.go b/images/kube-api-proxy/pkg/proxy/stream_handler.go new file mode 100644 index 000000000..ec95dbf15 --- /dev/null +++ b/images/kube-api-proxy/pkg/proxy/stream_handler.go @@ -0,0 +1,219 @@ +package proxy + +import ( + "bytes" + "encoding/json" + "fmt" + "io" + log "log/slog" + "mime" + "net/http" + + "github.com/tidwall/gjson" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/serializer/streaming" + apiutilnet "k8s.io/apimachinery/pkg/util/net" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/kubernetes/scheme" + + logutil "kube-api-proxy/pkg/log" + "kube-api-proxy/pkg/rewriter" +) + +// StreamHandler reads a stream from the target, transforms events +// and sends them to the client. +type StreamHandler struct { + r io.ReadCloser + w io.Writer + rewriter *rewriter.RuleBasedRewriter + targetReq *rewriter.TargetRequest + decoder streaming.Decoder + done chan struct{} + log *log.Logger +} + +// NewStreamHandler starts a go routine to pass rewritten Watch Events +// from server to client. +// Sources: +// k8s.io/apimachinery@v0.26.1/pkg/watch/streamwatcher.go:100 receive method +// k8s.io/kubernetes@v1.13.0/staging/src/k8s.io/client-go/rest/request.go:537 wrapperFn, create framer. +// k8s.io/kubernetes@v1.13.0/staging/src/k8s.io/client-go/rest/request.go:598 instantiate watch NewDecoder +func NewStreamHandler(r io.ReadCloser, w io.Writer, contentType string, rewriter *rewriter.RuleBasedRewriter, targetReq *rewriter.TargetRequest, logger *log.Logger) (*StreamHandler, error) { + reader := logutil.NewReaderLogger(r) + wsr := &StreamHandler{ + r: reader, + w: w, + rewriter: rewriter, + targetReq: targetReq, + done: make(chan struct{}), + log: logger, + } + decoder, err := wsr.createWatchDecoder(contentType) + if err != nil { + return nil, err + } + wsr.decoder = decoder + + // Start stream proxying. + go wsr.proxy() + return wsr, nil +} + +// proxy reads result from the decoder in a loop, rewrites and writes to a client. +// Sources +// k8s.io/apimachinery@v0.26.1/pkg/watch/streamwatcher.go:100 receive method +func (s *StreamHandler) proxy() { + defer utilruntime.HandleCrash() + defer s.Stop() + for { + // Read event from the server. + var got metav1.WatchEvent + s.log.Info("Start decode from stream") + res, _, err := s.decoder.Decode(nil, &got) + s.log.Info("Got decoded WatchEvent from stream") + if err != nil { + switch err { + case io.EOF: + // watch closed normally + s.log.Info("Catch EOF from target, stop proxying the stream") + case io.ErrUnexpectedEOF: + s.log.Error("Unexpected EOF during watch stream event decoding", logutil.SlogErr(err)) + default: + if apiutilnet.IsProbableEOF(err) || apiutilnet.IsTimeout(err) { + s.log.Error("Unable to decode an event from the watch stream", logutil.SlogErr(err)) + } else { + s.log.Error("Unable to decode an event from the watch stream", logutil.SlogErr(err)) + //select { + //case <-sw.done: + //case sw.result <- Event{ + // Type: Error, + // Object: sw.reporter.AsObject(fmt.Errorf("unable to decode an event from the watch stream: %v", err)), + //}: + //} + } + } + //s.log.Info("captured bytes from the stream", logutil.HeadStringEx(s.r, 65536)) + return + } + + if res != &got { + s.log.Error("unable to decode to metav1.Event") + continue + } + + switch got.Type { + case string(watch.Added), string(watch.Modified), string(watch.Deleted), string(watch.Error), string(watch.Bookmark): + default: + s.log.Error(fmt.Sprintf("got invalid watch event type: %v", got.Type)) + continue + } + + { + group := gjson.GetBytes(got.Object.Raw, "apiVersion").String() + kind := gjson.GetBytes(got.Object.Raw, "kind").String() + name := gjson.GetBytes(got.Object.Raw, "metadata.name").String() + ns := gjson.GetBytes(got.Object.Raw, "metadata.namespace").String() + s.log.Info(fmt.Sprintf("Receive '%s' watch event with %s/%s %s/%s object", got.Type, group, kind, ns, name)) + } + + // TODO add pass-as-is for non rewritable objects. + + // Restore object. Watch responses are always from the Kubernetes API server, no need to rename. + objBytes, err := s.rewriter.RewriteJSONPayload(s.targetReq, got.Object.Raw, rewriter.Restore) + //var objBytes []byte + //switch { + //case s.targetReq.IsCore(): + // s.log.Info(fmt.Sprintf("Watch REWRITE CORE event '%s'", got.Type)) + // objBytes, err = rewriter.RewriteOwnerReferences(s.rewriter.Rules, got.Object.Raw, rewriter.Restore) + //case s.targetReq.IsCRD(): + // s.log.Info(fmt.Sprintf("Watch REWRITE CRD event '%s'", got.Type)) + // objBytes, err = rewriter.RewriteCRDOrList(s.rewriter.Rules, got.Object.Raw, rewriter.Restore, s.targetReq.OrigGroup()) + //case s.targetReq.OrigResourceType() != "": + // s.log.Info(fmt.Sprintf("Watch REWRITE event '%s'", got.Type)) + // objBytes, err = rewriter.RestoreResource(s.rewriter.Rules, got.Object.Raw, s.targetReq.OrigGroup()) + //default: + // objBytes = got.Object.Raw + //} + if err != nil { + s.log.Error(fmt.Sprintf("rewrite event '%s'", got.Type), logutil.SlogErr(err)) + continue + } + + // Write event to the client. + ev := metav1.WatchEvent{ + Type: got.Type, + Object: runtime.RawExtension{ + Raw: objBytes, + }, + } + evBytes, err := json.Marshal(ev) + if err != nil { + s.log.Error("encode restored event to bytes", logutil.SlogErr(err)) + continue + } + l := len(evBytes) + if l > 1300 { + l = 1300 + } + s.log.Info(fmt.Sprintf("restored event: %s", string(evBytes)[0:l])) + + _, err = io.Copy(s.w, io.NopCloser(bytes.NewBuffer(evBytes))) + if err != nil { + s.log.Error("write event", logutil.SlogErr(err)) + } + // Flush to send buffered content to the client. + if wr, ok := s.w.(http.Flusher); ok { + wr.Flush() + } + + // Check if application is stopped. + select { + case <-s.done: + return + default: + } + } +} + +func (s *StreamHandler) Stop() { + select { + case <-s.done: + default: + close(s.done) + } +} + +func (s *StreamHandler) DoneChan() chan struct{} { + return s.done +} + +// createSerializers +// Source +// k8s.io/client-go@v0.26.1/rest/request.go:765 newStreamWatcher +// k8s.io/apimachinery@v0.26.1/pkg/runtime/negotiate.go:70 StreamDecoder +func (s *StreamHandler) createWatchDecoder(contentType string) (streaming.Decoder, error) { + mediaType, _, err := mime.ParseMediaType(contentType) + if err != nil { + s.log.Info("Unexpected media type from the server: %q: %v", contentType, err) + } + + negotiatedSerializer := scheme.Codecs.WithoutConversion() + mediaTypes := negotiatedSerializer.SupportedMediaTypes() + info, ok := runtime.SerializerInfoForMediaType(mediaTypes, mediaType) + if !ok { + if len(contentType) != 0 || len(mediaTypes) == 0 { + return nil, fmt.Errorf("no matching serializer for media type '%s'", contentType) + } + info = mediaTypes[0] + } + if info.StreamSerializer == nil { + return nil, fmt.Errorf("no serializer for content type %s", contentType) + } + + // A chain of the framer and the serializer will split body stream into JSON objects. + frameReader := info.StreamSerializer.Framer.NewFrameReader(s.r) + streamingDecoder := streaming.NewDecoder(frameReader, info.StreamSerializer.Serializer) + return streamingDecoder, nil +} diff --git a/images/kube-api-proxy/pkg/rewriter/admission_configuration.go b/images/kube-api-proxy/pkg/rewriter/admission_configuration.go new file mode 100644 index 000000000..881ae2837 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/admission_configuration.go @@ -0,0 +1,46 @@ +package rewriter + +const ( + ValidatingWebhookConfigurationKind = "ValidatingWebhookConfiguration" + ValidatingWebhookConfigurationListKind = "ValidatingWebhookConfigurationList" + MutatingWebhookConfigurationKind = "MutatingWebhookConfiguration" + MutatingWebhookConfigurationListKind = "MutatingWebhookConfigurationList" +) + +func RewriteValidatingOrList(rules *RewriteRules, obj []byte, action Action) ([]byte, error) { + if action == Rename { + return RewriteResourceOrList(obj, ValidatingWebhookConfigurationListKind, func(singleObj []byte) ([]byte, error) { + return RewriteArray(singleObj, "webhooks", func(webhook []byte) ([]byte, error) { + return RewriteArray(webhook, "rules", func(item []byte) ([]byte, error) { + return renameRoleRule(rules, item) + }) + }) + }) + } + return RewriteResourceOrList(obj, ValidatingWebhookConfigurationListKind, func(singleObj []byte) ([]byte, error) { + return RewriteArray(singleObj, "webhooks", func(webhook []byte) ([]byte, error) { + return RewriteArray(webhook, "rules", func(item []byte) ([]byte, error) { + return restoreRoleRule(rules, item) + }) + }) + }) +} + +func RewriteMutatingOrList(rules *RewriteRules, obj []byte, action Action) ([]byte, error) { + if action == Rename { + return RewriteResourceOrList(obj, MutatingWebhookConfigurationListKind, func(singleObj []byte) ([]byte, error) { + return RewriteArray(singleObj, "webhooks", func(webhook []byte) ([]byte, error) { + return RewriteArray(webhook, "rules", func(item []byte) ([]byte, error) { + return renameRoleRule(rules, item) + }) + }) + }) + } + return RewriteResourceOrList(obj, MutatingWebhookConfigurationListKind, func(singleObj []byte) ([]byte, error) { + return RewriteArray(singleObj, "webhooks", func(webhook []byte) ([]byte, error) { + return RewriteArray(webhook, "rules", func(item []byte) ([]byte, error) { + return restoreRoleRule(rules, item) + }) + }) + }) +} diff --git a/images/kube-api-proxy/pkg/rewriter/admission_configuration_test.go b/images/kube-api-proxy/pkg/rewriter/admission_configuration_test.go new file mode 100644 index 000000000..311627663 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/admission_configuration_test.go @@ -0,0 +1,69 @@ +package rewriter + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestValidatingRename(t *testing.T) { + tests := []struct { + name string + manifest string + expect string + }{ + { + "mixed resources", + `{"webhooks":[{"rules":[{"apiGroups":[""],"resources":["pods"]},{"apiGroups": ["original.group.io"], "resources": ["someresources"]}]}]}`, + `{"webhooks":[{"rules":[{"apiGroups":[""],"resources":["pods"]},{"apiGroups": ["prefixed.resources.group.io"], "resources": ["prefixedsomeresources"]}]}]}`, + }, + { + "empty object", + `{}`, + `{}`, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + rwr := createTestRewriter() + + resBytes, err := RewriteValidatingOrList(rwr.Rules, []byte(tt.manifest), Rename) + require.NoError(t, err, "should rename validating webhook configuration") + + actual := string(resBytes) + require.Equal(t, tt.expect, actual) + }) + } +} + +func TestValidatingRestore(t *testing.T) { + tests := []struct { + name string + manifest string + expect string + }{ + { + "mixed resources", + `{"webhooks":[{"rules":[{"apiGroups":[""],"resources":["pods"]},{"apiGroups": ["prefixed.resources.group.io"], "resources": ["prefixedsomeresources"]}]}]}`, + `{"webhooks":[{"rules":[{"apiGroups":[""],"resources":["pods"]},{"apiGroups": ["original.group.io"], "resources": ["someresources"]}]}]}`, + }, + { + "empty object", + `{}`, + `{}`, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + rwr := createTestRewriter() + + resBytes, err := RewriteValidatingOrList(rwr.Rules, []byte(tt.manifest), Restore) + require.NoError(t, err, "should rename validating webhook configuration") + + actual := string(resBytes) + require.Equal(t, tt.expect, actual) + }) + } +} diff --git a/images/kube-api-proxy/pkg/rewriter/admission_review.go b/images/kube-api-proxy/pkg/rewriter/admission_review.go new file mode 100644 index 000000000..4ed448f3a --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/admission_review.go @@ -0,0 +1,154 @@ +package rewriter + +import ( + "github.com/tidwall/gjson" + "github.com/tidwall/sjson" +) + +// RewriteAdmissionReview rewrites AdmissionReview request and response. +// NOTE: only one rewrite direction is supported for now: +// - Restore object in AdmissionReview request. +// - Do nothing for AdmissionReview response. +func RewriteAdmissionReview(rules *RewriteRules, obj []byte, origGroup string) ([]byte, error) { + response := gjson.GetBytes(obj, "response") + if response.Exists() { + // TODO rewrite response with the Patch. + return obj, nil + } + + request := gjson.GetBytes(obj, "request") + if request.Exists() { + newRequest, err := RestoreAdmissionReviewRequest(rules, []byte(request.Raw), origGroup) + if err != nil { + return nil, err + } + if len(newRequest) > 0 { + obj, err = sjson.SetRawBytes(obj, "request", newRequest) + if err != nil { + return nil, err + } + } + } + + return obj, nil +} + +// RestoreAdmissionReviewRequest restores apiVersion, kind and other fields in an AdmissionReview request. +// Only restoring is required, as AdmissionReview request only comes from API Server. +func RestoreAdmissionReviewRequest(rules *RewriteRules, obj []byte, origGroup string) ([]byte, error) { + var err error + + // Rewrite "resource" field and find rules. + { + resourceObj := gjson.GetBytes(obj, "resource") + group := resourceObj.Get("group") + resource := resourceObj.Get("resource") + // Ignore reviews for unknown renamed group. + if group.String() != rules.RenamedGroup { + return nil, nil + } + newResource := rules.RestoreResource(resource.String()) + obj, err = sjson.SetBytes(obj, "resource.resource", newResource) + if err != nil { + return nil, err + } + obj, err = sjson.SetBytes(obj, "resource.group", origGroup) + if err != nil { + return nil, err + } + } + + // Rewrite "requestResource" field. + { + fieldObj := gjson.GetBytes(obj, "requestResource") + group := fieldObj.Get("group") + resource := fieldObj.Get("resource") + // Ignore reviews for unknown renamed group. + if group.String() != rules.RenamedGroup { + return nil, nil + } + newResource := rules.RestoreResource(resource.String()) + obj, err = sjson.SetBytes(obj, "requestResource.resource", newResource) + if err != nil { + return nil, err + } + obj, err = sjson.SetBytes(obj, "requestResource.group", origGroup) + if err != nil { + return nil, err + } + } + + // Check "subresource" field. No need to rewrite kind, requestKind, object and oldObject fields if subresource is set. + { + fieldObj := gjson.GetBytes(obj, "subresource") + if fieldObj.Exists() && fieldObj.String() != "" { + return obj, err + } + } + + // Rewrite "kind" field. + { + fieldObj := gjson.GetBytes(obj, "kind") + kind := fieldObj.Get("kind") + newKind := rules.RestoreKind(kind.String()) + obj, err = sjson.SetBytes(obj, "kind.kind", newKind) + if err != nil { + return nil, err + } + obj, err = sjson.SetBytes(obj, "kind.group", origGroup) + if err != nil { + return nil, err + } + } + + // Rewrite "requestKind" field. + { + fieldObj := gjson.GetBytes(obj, "requestKind") + kind := fieldObj.Get("kind") + newKind := rules.RestoreKind(kind.String()) + obj, err = sjson.SetBytes(obj, "requestKind.kind", newKind) + if err != nil { + return nil, err + } + obj, err = sjson.SetBytes(obj, "requestKind.group", origGroup) + if err != nil { + return nil, err + } + } + + // Rewrite "object" field. + { + fieldObj := gjson.GetBytes(obj, "object") + if fieldObj.Exists() { + newField, err := RestoreResource(rules, []byte(fieldObj.Raw), origGroup) + if err != nil { + return nil, err + } + if len(newField) > 0 { + obj, err = sjson.SetRawBytes(obj, "object", newField) + if err != nil { + return nil, err + } + } + } + } + + // Rewrite "oldObject" field. + { + fieldObj := gjson.GetBytes(obj, "oldObject") + if fieldObj.Exists() { + newField, err := RestoreResource(rules, []byte(fieldObj.Raw), origGroup) + if err != nil { + return nil, err + } + if len(newField) > 0 { + obj, err = sjson.SetRawBytes(obj, "oldObject", newField) + if err != nil { + return nil, err + } + } + } + } + + return obj, nil +} diff --git a/images/kube-api-proxy/pkg/rewriter/api_endpoint.go b/images/kube-api-proxy/pkg/rewriter/api_endpoint.go new file mode 100644 index 000000000..ea36ddb66 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/api_endpoint.go @@ -0,0 +1,297 @@ +package rewriter + +import ( + "net/url" + "strings" +) + +type APIEndpoint struct { + // IsUknown indicates that path is unknown for rewriter and should be passed as is. + IsUnknown bool + RawPath string + + IsRoot bool + + Prefix string + IsCore bool + + Group string + Version string + Namespace string + ResourceType string + Name string + Subresource string + Remainder []string + + IsCRD bool + CRDResourceType string + CRDGroup string + + IsWatch bool + RawQuery string +} + +// Core resources: +// - /api/VERSION/RESOURCETYPE +// - /api/VERSION/RESOURCETYPE/NAME +// - /api/VERSION/RESOURCETYPE/NAME/SUBRESOURCE +// - /api/VERSION/namespaces/NAMESPACE/RESOURCETYPE +// - /api/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME +// - /api/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE +// - /api/VERSION/namespaces/NAME/SUBRESOURCE - RESOURCETYPE=namespaces +// +// Cluster scoped custom resource: +// - /apis/GROUP/VERSION/RESOURCETYPE/NAME/SUBRESOURCE +// | | | | +// PrefixIdx | | | +// GroupIDx -+ | | +// VersionIDx -----+ | +// ClusterResourceIdx -----+ +// +// Namespaced custom resource: +// - /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE +// - /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE +// +// CRD (CRD is itself a cluster scoped custom resource): +// - /apis/apiextensions.k8s.io/v1/customresourcedefinitions +// - /apis/apiextensions.k8s.io/v1/customresourcedefinitions/RESOURCETYPE.GROUP + +const ( + CorePrefix = "api" + APIsPrefix = "apis" + + NamespacesPart = "namespaces" + + CRDGroup = "apiextensions.k8s.io" + CRDResourceType = "customresourcedefinitions" + + WatchClause = "watch=true" +) + +// ParseAPIEndpoint breaks url path by parts. +func ParseAPIEndpoint(apiURL *url.URL) *APIEndpoint { + rawPath := apiURL.Path + rawQuery := apiURL.RawQuery + isWatch := strings.Contains(rawQuery, WatchClause) + + cleanedPath := strings.Trim(apiURL.Path, "/") + pathItems := strings.Split(cleanedPath, "/") + + if len(pathItems) == 0 { + return &APIEndpoint{ + IsRoot: true, + IsWatch: isWatch, + RawPath: rawPath, + RawQuery: rawQuery, + } + } + + var ae *APIEndpoint + // PREFIX is the first item in path. + prefix := pathItems[0] + switch prefix { + case CorePrefix: + ae = parseCoreEndpoint(pathItems) + case APIsPrefix: + ae = parseAPIsEndpoint(pathItems) + } + + if ae == nil { + return &APIEndpoint{ + IsUnknown: true, + RawPath: rawPath, + RawQuery: rawQuery, + } + } + + ae.IsWatch = isWatch + ae.RawPath = rawPath + ae.RawQuery = rawQuery + return ae +} + +func parseCoreEndpoint(pathItems []string) *APIEndpoint { + var isLast bool + var ae APIEndpoint + ae.IsCore = true + + // /api + ae.Prefix, isLast = Shift(&pathItems) + if isLast { + return &ae + } + + // /api/VERSION + ae.Version, isLast = Shift(&pathItems) + if isLast { + return &ae + } + + // /api/VERSION/RESOURCETYPE + ae.ResourceType, isLast = Shift(&pathItems) + if isLast { + return &ae + } + + // /api/VERSION/RESOURCETYPE/NAME + ae.Name, isLast = Shift(&pathItems) + if isLast { + return &ae + } + + // /api/VERSION/RESOURCETYPE/NAME/SUBRESOURCE + // /api/VERSION/namespaces/NAMESPACE/status + // /api/VERSION/namespaces/NAMESPACE/RESOURCETYPE + ae.Subresource, isLast = Shift(&pathItems) + if ae.ResourceType == NamespacesPart && ae.Subresource != "status" { + // It is a namespaced resource, we got ns name and resourcetype in name and subresource. + ae.Namespace = ae.Name + ae.ResourceType = ae.Subresource + ae.Name = "" + ae.Subresource = "" + } + // Stop if no items available. + if isLast { + return &ae + } + + // /api/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME + ae.Name, isLast = Shift(&pathItems) + if isLast { + return &ae + } + // /api/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE + ae.Subresource, isLast = Shift(&pathItems) + if isLast { + return &ae + } + + // Save remaining items if any. + ae.Remainder = pathItems + return &ae +} + +func parseAPIsEndpoint(pathItems []string) *APIEndpoint { + var ae APIEndpoint + var isLast bool + + // /apis + ae.Prefix, isLast = Shift(&pathItems) + if isLast { + return &ae + } + + // /apis/GROUP + ae.Group, isLast = Shift(&pathItems) + if isLast { + return &ae + } + + // /apis/GROUP/VERSION + ae.Version, isLast = Shift(&pathItems) + if isLast { + return &ae + } + + // /apis/GROUP/VERSION/RESOURCETYPE + ae.ResourceType, isLast = Shift(&pathItems) + // /apis/apiextensions.k8s.io/VERSION/customresourcedefinitions + if ae.Group == CRDGroup && ae.ResourceType == CRDResourceType { + ae.IsCRD = true + } + if isLast { + return &ae + } + + // /apis/GROUP/VERSION/RESOURCETYPE/NAME + ae.Name, isLast = Shift(&pathItems) + if ae.IsCRD { + ae.CRDResourceType, ae.CRDGroup, _ = strings.Cut(ae.Name, ".") + } + if isLast { + return &ae + } + + // /apis/GROUP/VERSION/RESOURCETYPE/NAME/SUBRESOURCE + // /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE + ae.Subresource, isLast = Shift(&pathItems) + if ae.ResourceType == NamespacesPart { + // It is a namespaced resource, we got ns name and resourcetype in name and subresource. + ae.Namespace = ae.Name + ae.ResourceType = ae.Subresource + ae.Name = "" + ae.Subresource = "" + } + // Stop if no items available. + if isLast { + return &ae + } + + // /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME + ae.Name, isLast = Shift(&pathItems) + if isLast { + return &ae + } + // /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE + ae.Subresource, isLast = Shift(&pathItems) + if isLast { + return &ae + } + + // Save remaining items if any. + ae.Remainder = pathItems + return &ae +} + +func (a *APIEndpoint) Clone() *APIEndpoint { + clone := *a + return &clone +} + +func (a *APIEndpoint) Path() string { + if a.IsRoot || a.IsCore || a.IsUnknown { + return a.RawPath + } + + ns := "" + if a.Namespace != "" { + ns = NamespacesPart + "/" + a.Namespace + } + var parts []string + parts = []string{ + a.Prefix, + a.Group, + a.Version, + ns, + a.ResourceType, + a.Name, + a.Subresource, + } + if len(a.Remainder) > 0 { + parts = append(parts, a.Remainder...) + } + + nonEmptyParts := make([]string, 0) + for _, part := range parts { + if part != "" { + nonEmptyParts = append(nonEmptyParts, part) + } + } + + return "/" + strings.Join(nonEmptyParts, "/") +} + +// Shift deletes the first item from the array and returns it. +func Shift(items *[]string) (string, bool) { + if len(*items) == 0 { + return "", true + } + + first := (*items)[0] + if len(*items) == 1 { + *items = []string{} + } else { + *items = (*items)[1:] + } + return first, len(*items) == 0 +} diff --git a/images/kube-api-proxy/pkg/rewriter/api_endpoint_test.go b/images/kube-api-proxy/pkg/rewriter/api_endpoint_test.go new file mode 100644 index 000000000..a91d7901a --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/api_endpoint_test.go @@ -0,0 +1,276 @@ +package rewriter + +import ( + "net/url" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestParseAPIEndpoint(t *testing.T) { + + tests := []struct { + name string + path string + expect *APIEndpoint + }{ + { + "root", + "/", + &APIEndpoint{ + IsRoot: true, + }, + }, + + // Core resources. + { + "core apiversions", + "/api", + &APIEndpoint{ + IsCore: true, + Prefix: CorePrefix, + }, + }, + { + "core apiresourcelist", + "/api/v1", + &APIEndpoint{ + IsCore: true, + Prefix: CorePrefix, + Version: "v1", + }, + }, + { + "core deploymentlist", + "/api/v1/deployments", + &APIEndpoint{ + IsCore: true, + Prefix: CorePrefix, + Version: "v1", + ResourceType: "deployments", + }, + }, + { + "core deployment dy name", + "/api/v1/deployments/deployname", + &APIEndpoint{ + IsCore: true, + Prefix: CorePrefix, + Version: "v1", + ResourceType: "deployments", + Name: "deployname", + }, + }, + { + "core deployment status", + "/api/v1/deployments/deployname/status", + &APIEndpoint{ + IsCore: true, + Prefix: CorePrefix, + Version: "v1", + ResourceType: "deployments", + Name: "deployname", + Subresource: "status", + }, + }, + { + "core deployments in nsname", + "/api/v1/namespaces/nsname/deployments", + &APIEndpoint{ + IsCore: true, + Prefix: CorePrefix, + Version: "v1", + ResourceType: "deployments", + Namespace: "nsname", + }, + }, + { + "core deployment in nsname by name", + "/api/v1/namespaces/nsname/deployments/deployname", + &APIEndpoint{ + IsCore: true, + Prefix: CorePrefix, + Version: "v1", + ResourceType: "deployments", + Namespace: "nsname", + Name: "deployname", + }, + }, + { + "core deployment status in nsname", + "/api/v1/namespaces/nsname/deployments/deployname/status", + &APIEndpoint{ + IsCore: true, + Prefix: CorePrefix, + Version: "v1", + ResourceType: "deployments", + Namespace: "nsname", + Name: "deployname", + Subresource: "status", + }, + }, + + // Custom resources. + { + "apigrouplist", + "/apis", + &APIEndpoint{ + Prefix: APIsPrefix, + }, + }, + { + "apigroup", + "/apis/group.io", + &APIEndpoint{ + Prefix: APIsPrefix, + Group: "group.io", + }, + }, + { + "apiresourcelist", + "/apis/group.io/v1", + &APIEndpoint{ + Prefix: APIsPrefix, + Group: "group.io", + Version: "v1", + }, + }, + { + "someresourceslist", + "/apis/group.io/v1/someresources", + &APIEndpoint{ + Prefix: APIsPrefix, + Group: "group.io", + Version: "v1", + ResourceType: "someresources", + }, + }, + { + "someresource by name", + "/apis/group.io/v1/someresources/srname", + &APIEndpoint{ + Prefix: APIsPrefix, + Group: "group.io", + Version: "v1", + ResourceType: "someresources", + Name: "srname", + }, + }, + { + "someresource status", + "/apis/group.io/v1/someresources/srname/status", + &APIEndpoint{ + Prefix: APIsPrefix, + Group: "group.io", + Version: "v1", + ResourceType: "someresources", + Name: "srname", + Subresource: "status", + }, + }, + { + "someresources in nsname", + "/apis/group.io/v1/namespaces/nsname/someresources", + &APIEndpoint{ + Prefix: APIsPrefix, + Group: "group.io", + Version: "v1", + Namespace: "nsname", + ResourceType: "someresources", + }, + }, + { + "someresource in nsname by name", + "/apis/group.io/v1/namespaces/nsname/someresources/srname", + &APIEndpoint{ + Prefix: APIsPrefix, + Group: "group.io", + Version: "v1", + Namespace: "nsname", + ResourceType: "someresources", + Name: "srname", + }, + }, + { + "someresource status in nsname", + "/apis/group.io/v1/namespaces/nsname/someresources/srname/status", + &APIEndpoint{ + Prefix: APIsPrefix, + Group: "group.io", + Version: "v1", + Namespace: "nsname", + ResourceType: "someresources", + Name: "srname", + Subresource: "status", + }, + }, + + // CRDs + { + "crd list", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions", + &APIEndpoint{ + IsCRD: true, + Prefix: APIsPrefix, + Group: "apiextensions.k8s.io", + Version: "v1", + ResourceType: "customresourcedefinitions", + }, + }, + { + "crd by name", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions/crname", + &APIEndpoint{ + IsCRD: true, + Prefix: APIsPrefix, + Group: "apiextensions.k8s.io", + Version: "v1", + ResourceType: "customresourcedefinitions", + Name: "crname", + }, + }, + { + "crd status", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions/crname/status", + &APIEndpoint{ + IsCRD: true, + Prefix: APIsPrefix, + Group: "apiextensions.k8s.io", + Version: "v1", + ResourceType: "customresourcedefinitions", + Name: "crname", + Subresource: "status", + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + u, err := url.Parse(tt.path) + require.NoError(t, err, "should parse path '%s'", tt.path) + + actual := ParseAPIEndpoint(u) + if tt.expect == nil { + require.Nil(t, actual, "expect not parse path '%s', got non-empty %+v", tt.path, actual) + } + + if tt.expect != nil { + require.NotNil(t, actual, "expect parse path '%s' to %+v, got nil", tt.path, tt.expect) + + // Flags. + require.Equal(t, tt.expect.IsRoot, actual.IsRoot, "IsRoot") + require.Equal(t, tt.expect.IsCore, actual.IsCore, "IsCore") + require.Equal(t, tt.expect.IsCRD, actual.IsCRD, "IsCRD") + + // Parts. + require.Equal(t, tt.expect.Prefix, actual.Prefix, "Prefix") + require.Equal(t, tt.expect.Group, actual.Group, "Group") + require.Equal(t, tt.expect.Version, actual.Version, "Version") + require.Equal(t, tt.expect.ResourceType, actual.ResourceType, "ResourceType") + require.Equal(t, tt.expect.Name, actual.Name, "Name") + require.Equal(t, tt.expect.Subresource, actual.Subresource, "Subresource") + require.Equal(t, tt.expect.Namespace, actual.Namespace, "Namespace") + } + }) + } +} diff --git a/images/kube-api-proxy/pkg/rewriter/crd.go b/images/kube-api-proxy/pkg/rewriter/crd.go new file mode 100644 index 000000000..2c75bdbd1 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/crd.go @@ -0,0 +1,242 @@ +package rewriter + +import ( + "fmt" + "strings" + + "github.com/tidwall/gjson" + "github.com/tidwall/sjson" +) + +const ( + CRDKind = "CustomResourceDefinition" + CRDListKind = "CustomResourceDefinitionList" +) + +func RewriteCRDOrList(rules *RewriteRules, obj []byte, action Action) ([]byte, error) { + // CREATE, UPDATE, or PATCH requests. + if action == Rename { + return RewriteResourceOrList(obj, CRDListKind, func(singleObj []byte) ([]byte, error) { + return RenameCRD(rules, singleObj) + }) + } + + // Responses of GET, LIST, DELETE requests. Also, rewrite in watch events. + return RewriteResourceOrList(obj, CRDListKind, func(singleObj []byte) ([]byte, error) { + return RestoreCRD(rules, singleObj) + }) +} + +// RestoreCRD restores fields in CRD to original. +// +// Example: +// .metadata.name prefixedvirtualmachines.x.virtualization.deckhouse.io -> virtualmachines.kubevirt.io +// .spec.group x.virtualization.deckhouse.io -> kubevirt.io +// .spec.names +// +// categories kubevirt -> all +// kind PrefixedVirtualMachines -> VirtualMachine +// listKind PrefixedVirtualMachineList -> VirtualMachineList +// plural prefixedvirtualmachines -> virtualmachines +// singular prefixedvirtualmachine -> virtualmachine +// shortNames [xvm xvms] -> [vm vms] +func RestoreCRD(rules *RewriteRules, obj []byte) ([]byte, error) { + crdName := gjson.GetBytes(obj, "metadata.name").String() + resource, group, found := strings.Cut(crdName, ".") + if !found { + return nil, fmt.Errorf("malformed CRD name: should be resourcetype.group, got %s", crdName) + } + // Do not restore CRDs in unknown groups. + if group != rules.RenamedGroup { + return nil, nil + } + + origResource := rules.RestoreResource(resource) + + groupRule, resourceRule := rules.GroupResourceRules(origResource) + if resourceRule == nil { + return nil, nil + } + + newName := resourceRule.Plural + "." + groupRule.Group + obj, err := sjson.SetBytes(obj, "metadata.name", newName) + if err != nil { + return nil, err + } + + obj, err = sjson.SetBytes(obj, "spec.group", groupRule.Group) + if err != nil { + return nil, err + } + + names := []byte(gjson.GetBytes(obj, "spec.names").Raw) + + names, err = sjson.SetBytes(names, "categories", rules.RestoreCategories(resourceRule)) + if err != nil { + return nil, err + } + names, err = sjson.SetBytes(names, "kind", rules.RestoreKind(resourceRule.Kind)) + if err != nil { + return nil, err + } + names, err = sjson.SetBytes(names, "listKind", rules.RestoreKind(resourceRule.ListKind)) + if err != nil { + return nil, err + } + names, err = sjson.SetBytes(names, "plural", rules.RestoreResource(resourceRule.Plural)) + if err != nil { + return nil, err + } + names, err = sjson.SetBytes(names, "singular", rules.RestoreResource(resourceRule.Singular)) + if err != nil { + return nil, err + } + names, err = sjson.SetBytes(names, "shortNames", rules.RestoreShortNames(resourceRule.ShortNames)) + if err != nil { + return nil, err + } + + obj, err = sjson.SetRawBytes(obj, "spec.names", names) + if err != nil { + return nil, err + } + + return obj, nil +} + +// RenameCRD renames fields in CRD. +// +// Example: +// .metadata.name virtualmachines.kubevirt.io -> prefixedvirtualmachines.x.virtualization.deckhouse.io +// .spec.group kubevirt.io -> x.virtualization.deckhouse.io +// .spec.names +// +// categories all -> kubevirt +// kind VirtualMachine -> PrefixedVirtualMachines +// listKind VirtualMachineList -> PrefixedVirtualMachineList +// plural virtualmachines -> prefixedvirtualmachines +// singular virtualmachine -> prefixedvirtualmachine +// shortNames [vm vms] -> [xvm xvms] +func RenameCRD(rules *RewriteRules, obj []byte) ([]byte, error) { + crdName := gjson.GetBytes(obj, "metadata.name").String() + resource, group, found := strings.Cut(crdName, ".") + if !found { + return nil, fmt.Errorf("malformed CRD name: should be resourcetype.group, got %s", crdName) + } + + _, resourceRule := rules.ResourceRules(group, resource) + if resourceRule == nil { + return nil, nil + } + + newName := rules.RenameResource(resource) + "." + rules.RenamedGroup + obj, err := sjson.SetBytes(obj, "metadata.name", newName) + if err != nil { + return nil, err + } + + spec := gjson.GetBytes(obj, "spec") + newSpec, err := renameCRDSpec(rules, resourceRule, []byte(spec.Raw)) + if err != nil { + return nil, err + } + return sjson.SetRawBytes(obj, "spec", newSpec) +} + +func renameCRDSpec(rules *RewriteRules, resourceRule *ResourceRule, spec []byte) ([]byte, error) { + var err error + + spec, err = sjson.SetBytes(spec, "group", rules.RenamedGroup) + if err != nil { + return nil, err + } + + // Rename fields in the 'names' object. + names := []byte(gjson.GetBytes(spec, "names").Raw) + + if gjson.GetBytes(names, "categories").Exists() { + names, err = sjson.SetBytes(names, "categories", rules.RenameCategories(resourceRule.Categories)) + if err != nil { + return nil, err + } + } + if gjson.GetBytes(names, "kind").Exists() { + names, err = sjson.SetBytes(names, "kind", rules.RenameKind(resourceRule.Kind)) + if err != nil { + return nil, err + } + } + if gjson.GetBytes(names, "listKind").Exists() { + names, err = sjson.SetBytes(names, "listKind", rules.RenameKind(resourceRule.ListKind)) + if err != nil { + return nil, err + } + } + if gjson.GetBytes(names, "plural").Exists() { + names, err = sjson.SetBytes(names, "plural", rules.RenameResource(resourceRule.Plural)) + if err != nil { + return nil, err + } + } + if gjson.GetBytes(names, "singular").Exists() { + names, err = sjson.SetBytes(names, "singular", rules.RenameResource(resourceRule.Singular)) + if err != nil { + return nil, err + } + } + if gjson.GetBytes(names, "shortNames").Exists() { + names, err = sjson.SetBytes(names, "shortNames", rules.RenameShortNames(resourceRule.ShortNames)) + if err != nil { + return nil, err + } + } + + spec, err = sjson.SetRawBytes(spec, "names", names) + if err != nil { + return nil, err + } + + return spec, nil +} + +func RenameCRDPatch(rules *RewriteRules, resourceRule *ResourceRule, obj []byte) ([]byte, error) { + var err error + + patches := gjson.ParseBytes(obj).Array() + if len(patches) == 0 { + return obj, nil + } + + newPatches := []byte(`[]`) + isRenamed := false + for _, patch := range patches { + newPatch := []byte(patch.Raw) + + op := gjson.GetBytes(newPatch, "op").String() + path := gjson.GetBytes(newPatch, "path").String() + + if (op == "replace" || op == "add") && path == "/spec" { + isRenamed = true + value := []byte(gjson.GetBytes(newPatch, "value").Raw) + newValue, err := renameCRDSpec(rules, resourceRule, value) + if err != nil { + return nil, err + } + newPatch, err = sjson.SetRawBytes(newPatch, "value", newValue) + if err != nil { + return nil, err + } + } + + newPatches, err = sjson.SetRawBytes(newPatches, "-1", newPatch) + if err != nil { + return nil, err + } + } + + if !isRenamed { + return obj, nil + } + + return newPatches, nil +} diff --git a/images/kube-api-proxy/pkg/rewriter/crd_test.go b/images/kube-api-proxy/pkg/rewriter/crd_test.go new file mode 100644 index 000000000..e2691d826 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/crd_test.go @@ -0,0 +1,319 @@ +package rewriter + +import ( + "bufio" + "bytes" + "fmt" + "net/http" + "strings" + "testing" + + "github.com/stretchr/testify/require" + "github.com/tidwall/gjson" +) + +func createRewriterForCRDTest() *RuleBasedRewriter { + apiGroupRules := map[string]APIGroupRule{ + "original.group.io": { + GroupRule: GroupRule{ + Group: "original.group.io", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + }, + ResourceRules: map[string]ResourceRule{ + "someresources": { + Kind: "SomeResource", + ListKind: "SomeResourceList", + Plural: "someresources", + Singular: "someresource", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + Categories: []string{"all"}, + ShortNames: []string{"sr", "srs"}, + }, + "anotherresources": { + Kind: "AnotherResource", + ListKind: "AnotherResourceList", + Plural: "anotherresources", + Singular: "anotherresource", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + ShortNames: []string{"ar"}, + }, + }, + }, + "other.group.io": { + GroupRule: GroupRule{ + Group: "original.group.io", + Versions: []string{"v2alpha3"}, + PreferredVersion: "v2alpha3", + }, + ResourceRules: map[string]ResourceRule{ + "otherresources": { + Kind: "OtherResource", + ListKind: "OtherResourceList", + Plural: "otherresources", + Singular: "otherresource", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + ShortNames: []string{"or"}, + }, + }, + }, + } + + rwRules := &RewriteRules{ + KindPrefix: "Prefixed", // KV + ResourceTypePrefix: "prefixed", // kv + ShortNamePrefix: "p", + Categories: []string{"prefixed"}, + RenamedGroup: "prefixed.resources.group.io", + Rules: apiGroupRules, + } + + return &RuleBasedRewriter{ + Rules: rwRules, + } +} + +// TestCRDRename - rename of a single CRD. +func TestCRDRename(t *testing.T) { + origGroup := "original.group.io" + reqBody := `{ +"apiVersion": "apiextensions.k8s.io/v1", +"kind": "CustomResourceDefinition", +"metadata": { + "name":"someresources.original.group.io" +} +"spec": { + "group": "original.group.io", + "names": { + "kind": "SomeResource", + "listKind": "SomeResourceList", + "plural": "someresources", + "singular": "someresource", + "shortNames": ["sr"], + "categories": ["all"] + }, + "scope":"Namespaced", + "versions": {} +} +}` + rwr := createRewriterForCRDTest() + testCRDRules := rwr.Rules + + restored, err := RewriteCRDOrList(testCRDRules, []byte(reqBody), Rename) + if err != nil { + t.Fatalf("should rename CRD without error: %v", err) + } + if restored == nil { + t.Fatalf("should rename CRD: %v", err) + } + + resRule := testCRDRules.Rules[origGroup].ResourceRules["someresources"] + + tests := []struct { + path string + expected string + }{ + {"metadata.name", testCRDRules.RenameResource(resRule.Plural) + "." + testCRDRules.RenamedGroup}, + {"spec.group", testCRDRules.RenamedGroup}, + {"spec.names.kind", testCRDRules.RenameKind(resRule.Kind)}, + {"spec.names.listKind", testCRDRules.RenameKind(resRule.ListKind)}, + {"spec.names.plural", testCRDRules.RenameResource(resRule.Plural)}, + {"spec.names.singular", testCRDRules.RenameResource(resRule.Singular)}, + {"spec.names.shortNames", `["psr","psrs"]`}, + } + + for _, tt := range tests { + t.Run(tt.path, func(t *testing.T) { + actual := gjson.GetBytes(restored, tt.path).String() + if actual != tt.expected { + t.Fatalf("%s value should be %s, got %s", tt.path, tt.expected, actual) + } + }) + } +} + +// TestCRDPatch tests renaming /spec in a CRD patch. +func TestCRDPatch(t *testing.T) { + patches := `[{ "op": "add", "path": "/metadata/ownerReferences", "value": null }, +{ "op": "replace", "path": "/spec", "value": { +"group":"original.group.io", +"names":{"plural":"someresources","singular":"someresource","shortNames":["sr","srs"],"kind":"SomeResource","categories":["all"]}, +"scope":"Namespaced","versions":[{"name":"v1alpha1","schema":{}}] +} } +]` + patches = strings.ReplaceAll(patches, "\n", "") + + expect := `[{ "op": "add", "path": "/metadata/ownerReferences", "value": null }, +{ "op": "replace", "path": "/spec", "value": { +"group":"prefixed.resources.group.io", +"names":{"plural":"prefixedsomeresources","singular":"prefixedsomeresource","shortNames":["psr","psrs"],"kind":"PrefixedSomeResource","categories":["prefixed"]}, +"scope":"Namespaced","versions":[{"name":"v1alpha1","schema":{}}] +} } +]` + expect = strings.ReplaceAll(expect, "\n", "") + + rwr := createRewriterForCRDTest() + _, resRule := rwr.Rules.ResourceRules("original.group.io", "someresources") + require.NotNil(t, resRule, "should get resource rule for hardcoded group and resourceType") + + resBytes, err := RenameCRDPatch(rwr.Rules, resRule, []byte(patches)) + require.NoError(t, err, "should rename CRD patch") + + actual := string(resBytes) + require.Equal(t, expect, actual) +} + +// TestCRDRestore test restoring of a single CRD. +func TestCRDRestore(t *testing.T) { + crdHTTPRequest := `GET /apis/apiextensions.k8s.io/v1/customresourcedefinitions/someresources.original.group.io HTTP/1.1 +Host: 127.0.0.1 + +` + origGroup := "original.group.io" + crdPayload := `{ +"apiVersion": "apiextensions.k8s.io/v1", +"kind": "CustomResourceDefinition", +"metadata": { + "name":"prefixedsomeresources.prefixed.resources.group.io" +} +"spec": { + "group": "prefixed.resources.group.io", + "names": { + "kind": "PrefixedSomeResource", + "listKind": "PrefixedSomeResourceList", + "plural": "prefixedsomeresources", + "singular": "prefixedsomeresource", + "shortNames": ["psr"], + "categories": ["prefixed"] + }, + "scope":"Namespaced", + "versions": {} +} +}` + + req, err := http.ReadRequest(bufio.NewReader(bytes.NewBufferString(crdHTTPRequest))) + require.NoError(t, err, "should parse hardcoded http request") + require.NotNil(t, req.URL, "should parse url in hardcoded http request") + + rwr := createRewriterForCRDTest() + targetReq := NewTargetRequest(rwr, req) + require.NotNil(t, targetReq, "should get TargetRequest") + require.Equal(t, origGroup, targetReq.OrigGroup(), "should set proper orig group") + + resultBytes, err := rwr.RewriteJSONPayload(targetReq, []byte(crdPayload), Restore) // RewriteCRDOrList(crdPayload, []byte(reqBody), Restore, origGroup) + if err != nil { + t.Fatalf("should restore CRD without error: %v", err) + } + if resultBytes == nil { + t.Fatalf("should restore CRD: %v", err) + } + + resRule := rwr.Rules.Rules[origGroup].ResourceRules["someresources"] + + tests := []struct { + path string + expected string + }{ + {"metadata.name", resRule.Plural + "." + origGroup}, + {"spec.group", origGroup}, + {"spec.names.kind", resRule.Kind}, + {"spec.names.listKind", resRule.ListKind}, + {"spec.names.plural", resRule.Plural}, + {"spec.names.singular", resRule.Singular}, + } + + for _, tt := range tests { + t.Run(tt.path, func(t *testing.T) { + actual := gjson.GetBytes(resultBytes, tt.path).String() + if actual != tt.expected { + t.Fatalf("%s value should be %s, got %s", tt.path, tt.expected, actual) + } + }) + } +} + +func TestCRDPathRewrite(t *testing.T) { + tests := []struct { + name string + urlPath string + expected string + origGroup string + origResourceType string + }{ + { + "crd with rule", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions/someresources.original.group.io", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions/prefixedsomeresources.prefixed.resources.group.io", + "original.group.io", + "someresources", + }, + { + "crd watch by name", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions?fieldSelector=metadata.name%3Dsomeresources.original.group.io&resourceVersion=0&watch=true", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions?fieldSelector=metadata.name%3Dprefixedsomeresources.prefixed.resources.group.io&resourceVersion=0&watch=true", + "", + "", + }, + { + "unknown crd watch by name", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions?fieldSelector=metadata.name%3Dresource.unknown.group.io&resourceVersion=0&watch=true", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions?fieldSelector=metadata.name%3Dresource.unknown.group.io&resourceVersion=0&watch=true", + "", + "", + }, + { + "crd without rule", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions/unknown.group.io", + "", + "", + "", + }, + { + "crd list", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions", + "", + "", + "", + }, + { + "non crd apiextension", + "/apis/apiextensions.k8s.io/v1/unknown", + "", + "", + "", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + httpReqHead := fmt.Sprintf(`GET %s HTTP/1.1`, tt.urlPath) + httpReq := httpReqHead + "\n" + "Host: 127.0.0.1\n\n" + req, err := http.ReadRequest(bufio.NewReader(bytes.NewBufferString(httpReq))) + require.NoError(t, err, "should parse hardcoded http request") + require.NotNil(t, req.URL, "should parse url in hardcoded http request") + + rwr := createRewriterForCRDTest() + targetReq := NewTargetRequest(rwr, req) + require.NotNil(t, targetReq, "should get TargetRequest") + + if tt.expected == "" { + require.Equal(t, tt.urlPath, targetReq.Path(), "should not rewrite api endpoint path") + return + } + + if tt.origGroup != "" { + require.Equal(t, tt.origGroup, targetReq.OrigGroup()) + } + + actual := targetReq.Path() + if targetReq.RawQuery() != "" { + actual += "?" + targetReq.RawQuery() + } + + require.Equal(t, tt.expected, actual, "should rewrite api endpoint path") + }) + } +} diff --git a/images/kube-api-proxy/pkg/rewriter/discovery.go b/images/kube-api-proxy/pkg/rewriter/discovery.go new file mode 100644 index 000000000..f346bcc69 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/discovery.go @@ -0,0 +1,259 @@ +package rewriter + +import ( + "fmt" + "strings" + + "github.com/tidwall/gjson" + "github.com/tidwall/sjson" + "k8s.io/apimachinery/pkg/runtime" +) + +// RewriteAPIGroupList restores groups and kinds in /apis/ response. +// +// Rewrite each APIGroup in "groups". +// Response example: +// {"name":"x.virtualization.deckhouse.io", +// +// "versions":[ +// {"groupVersion":"x.virtualization.deckhouse.io/v1","version":"v1"}, +// {"groupVersion":"x.virtualization.deckhouse.io/v1beta1","version":"v1beta1"}, +// {"groupVersion":"x.virtualization.deckhouse.io/v1alpha3","version":"v1alpha3"}, +// {"groupVersion":"x.virtualization.deckhouse.io/v1alpha2","version":"v1alpha2"}, +// {"groupVersion":"x.virtualization.deckhouse.io/v1alpha1","version":"v1alpha1"} +// ], +// "preferredVersion":{"groupVersion":"x.virtualization.deckhouse.io/v1","version":"v1"} +// } +func RewriteAPIGroupList(rules *RewriteRules, objBytes []byte) ([]byte, error) { + groups := gjson.GetBytes(objBytes, "groups").Array() + // TODO get rid of RawExtension, use SetRawBytes. + rwrGroups := make([]interface{}, 0) + for _, group := range groups { + groupName := gjson.Get(group.Raw, "name").String() + // Replace renamed group with groups from rules. + if groupName == rules.RenamedGroup { + rwrGroups = append(rwrGroups, rules.GetAPIGroupList()...) + continue + } + rwrGroups = append(rwrGroups, runtime.RawExtension{Raw: []byte(group.Raw)}) + } + + return sjson.SetBytes(objBytes, "groups", rwrGroups) +} + +// RewriteAPIGroup rewrites responses for +// /apis/x.virtualization.deckhouse.io +// +// This call returns all versions for x.virtualization.deckhouse.io. +// Rewriter should reduce versions for only available in original group +// To reduce further requests with specific versions. +// +// Example response: +// { "kind":"APIGroup", +// +// "apiVersion":"v1", +// "name":"x.virtualization.deckhouse.io", +// "versions":[ +// {"groupVersion":"x.virtualization.deckhouse.io/v1","version":"v1"}, +// {"groupVersion":"x.virtualization.deckhouse.io/v1beta1","version":"v1beta1"}, +// {"groupVersion":"x.virtualization.deckhouse.io/v1alpha3","version":"v1alpha3"}, +// {"groupVersion":"x.virtualization.deckhouse.io/v1alpha2","version":"v1alpha2"}, +// {"groupVersion":"x.virtualization.deckhouse.io/v1alpha1","version":"v1alpha1"} +// ], +// "preferredVersion": { +// "groupVersion":"x.virtualization.deckhouse.io/v1", +// "version":"v1"} +// } +// +// Rewrite for kubevirt.io group should be: +// { "kind":"APIGroup", +// +// "apiVersion":"v1", +// "name":"kubevirt.io", +// "versions":[ +// {"groupVersion":"kubevirt.io/v1","version":"v1"}, +// {"groupVersion":"kubevirt.io/v1alpha3","version":"v1alpha3"} +// ], +// "preferredVersion": { +// "groupVersion":"kubevirt.io/v1", +// "version":"v1"} +// } +// +// And rewrite for clone.kubevirt.io group should be: +// { "kind":"APIGroup", +// +// "apiVersion":"v1", +// "name":"clone.kubevirt.io", +// "versions":[ +// {"groupVersion":"clone.kubevirt.io/v1alpha1","version":"v1alpha1"} +// ], +// "preferredVersion": { +// "groupVersion":"clone.kubevirt.io/v1alpha1", +// "version":"v1alpha1"} +// } +func RewriteAPIGroup(rules *RewriteRules, obj []byte, origGroup string) ([]byte, error) { + apiGroupRule, ok := rules.Rules[origGroup] + if !ok { + return nil, fmt.Errorf("no APIGroup rewrites for group '%s'", origGroup) + } + + // Grab all versions from rules. + versions := make([]interface{}, 0) + for _, ver := range apiGroupRule.GroupRule.Versions { + versions = append(versions, map[string]interface{}{ + "groupVersion": origGroup + "/" + ver, + "version": ver, + }) + } + preferredVersion := map[string]interface{}{ + "groupVersion": origGroup + "/" + apiGroupRule.GroupRule.PreferredVersion, + "version": apiGroupRule.GroupRule.PreferredVersion, + } + + obj, err := sjson.SetBytes(obj, "name", origGroup) + if err != nil { + return nil, err + } + obj, err = sjson.SetBytes(obj, "versions", versions) + if err != nil { + return nil, err + } + obj, err = sjson.SetBytes(obj, "preferredVersion", preferredVersion) + if err != nil { + return nil, err + } + return obj, nil +} + +// RewriteAPIResourceList rewrites server responses on +// /apis/GROUP/VERSION requests. +// This method excludes resources not belonging to original group from request. +// +// Example: +// +// Path rewrite: https://10.222.0.1:443/apis/kubevirt.io/v1 -> https://10.222.0.1:443/apis/x.virtualization.deckhouse.io/v1 +// original Group: kubevirt.io +// rewrite name,singularName,kind for each resource. +// /status -> name and kind +// /scale -> rewrite resource name in the name field +// +// Response from /apis/x.virtualization.deckhouse.io/v1: +// +// { +// "kind":"APIResourceList", +// "apiVersion":"v1", +// +// --> "groupVersion":"x.virtualization.deckhouse.io/v1" --> rewrite to origGroup+version: kubevirt.io/v1 +// +// "resources":[ +// { +// +// --> "name":"virtualmachineinstancereplicasets", +// --> "singularName":"virtualmachineinstancereplicaset", +// +// "namespaced":true, +// +// --> "kind":"VirtualMachineInstanceReplicaSet", +// +// "verbs":["delete","deletecollection","get","list","patch","create","update","watch"], +// "shortNames":["xvmirs","xvmirss"], +// "categories":["kubevirt"], +// "storageVersionHash":"QUMxLW9gfYs=" +// },{ +// +// --> "name":"virtualmachineinstancereplicasets/status", +// +// "singularName":"", +// "namespaced":true, +// +// --> "kind":"VirtualMachineInstanceReplicaSet", +// +// "verbs":["get","patch","update"] +// },{ +// +// --> "name":"virtualmachineinstancereplicasets/scale", +// +// "singularName":"", +// "namespaced":true, +// "group":"autoscaling", +// "version":"v1", +// "kind":"Scale", +// "verbs":["get","patch","update"] +// }] +// } +func RewriteAPIResourceList(rules *RewriteRules, obj []byte, origGroup string) ([]byte, error) { + // Ignore apiGroups not in rules. + apiGroupRule, ok := rules.Rules[origGroup] + if !ok { + return obj, nil + } + // MVP: rewrite only group for now. (No prefixes in the cluster yet). + obj, err := sjson.SetBytes(obj, "groupVersion", origGroup+"/"+apiGroupRule.GroupRule.PreferredVersion) + if err != nil { + return nil, err + } + + resources := []byte(`[]`) + + for _, resource := range gjson.GetBytes(obj, "resources").Array() { + name := resource.Get("name").String() + nameParts := strings.Split(name, "/") + resourceName := rules.RestoreResource(nameParts[0]) + + _, resourceRule := rules.ResourceRules(origGroup, resourceName) + if resourceRule == nil { + continue + } + + // Rewrite name and kind. + resBytes, err := sjson.SetBytes([]byte(resource.Raw), "name", rules.RestoreResource(name)) + if err != nil { + return nil, err + } + + kind := gjson.GetBytes(resBytes, "kind").String() + if kind != "" { + resBytes, err = sjson.SetBytes(resBytes, "kind", rules.RestoreKind(kind)) + if err != nil { + return nil, err + } + } + + singular := gjson.GetBytes(resBytes, "singularName").String() + if singular != "" { + resBytes, err = sjson.SetBytes(resBytes, "singularName", rules.RestoreResource(singular)) + if err != nil { + return nil, err + } + } + + shortNames := gjson.GetBytes(resBytes, "shortNames").Array() + if len(shortNames) > 0 { + strShortNames := make([]string, 0, len(shortNames)) + for _, shortName := range shortNames { + strShortNames = append(strShortNames, shortName.String()) + } + newShortNames := rules.RestoreShortNames(strShortNames) + resBytes, err = sjson.SetBytes(resBytes, "shortNames", newShortNames) + if err != nil { + return nil, err + } + } + + categories := gjson.GetBytes(resBytes, "categories") + if categories.Exists() { + restoredCategories := rules.RestoreCategories(resourceRule) + resBytes, err = sjson.SetBytes(resBytes, "categories", restoredCategories) + if err != nil { + return nil, err + } + } + + resources, err = sjson.SetRawBytes(resources, "-1", resBytes) + if err != nil { + return nil, err + } + } + + return sjson.SetRawBytes(obj, "resources", resources) +} diff --git a/images/kube-api-proxy/pkg/rewriter/discovery_test.go b/images/kube-api-proxy/pkg/rewriter/discovery_test.go new file mode 100644 index 000000000..7b87ce72f --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/discovery_test.go @@ -0,0 +1,285 @@ +package rewriter + +import ( + "bufio" + "bytes" + "net/http" + "strconv" + "testing" + + "github.com/stretchr/testify/require" + "github.com/tidwall/gjson" +) + +func createRewriterForDiscoveryTest() *RuleBasedRewriter { + apiGroupRules := map[string]APIGroupRule{ + "original.group.io": { + GroupRule: GroupRule{ + Group: "original.group.io", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + }, + ResourceRules: map[string]ResourceRule{ + "someresources": { + Kind: "SomeResource", + ListKind: "SomeResourceList", + Plural: "someresources", + Singular: "someresource", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + Categories: []string{"all"}, + ShortNames: []string{"sr", "srs"}, + }, + "anotherresources": { + Kind: "AnotherResource", + ListKind: "AnotherResourceList", + Plural: "anotherresources", + Singular: "anotherresource", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + ShortNames: []string{"ar"}, + }, + }, + }, + "other.group.io": { + GroupRule: GroupRule{ + Group: "original.group.io", + Versions: []string{"v2alpha3"}, + PreferredVersion: "v2alpha3", + }, + ResourceRules: map[string]ResourceRule{ + "otherresources": { + Kind: "OtherResource", + ListKind: "OtherResourceList", + Plural: "otherresources", + Singular: "otherresource", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + ShortNames: []string{"or"}, + }, + }, + }, + } + + webhookRules := map[string]WebhookRule{ + "/validate-prefixed-resources-group-io-v1-prefixedsomeresource": { + Path: "/validate-original-group-io-v1-someresource", + Group: "original.group.io", + Resource: "someresources", + }, + } + + rwRules := &RewriteRules{ + KindPrefix: "Prefixed", // KV + ResourceTypePrefix: "prefixed", // kv + ShortNamePrefix: "p", + Categories: []string{"prefixed"}, + RenamedGroup: "prefixed.resources.group.io", + Rules: apiGroupRules, + Webhooks: webhookRules, + } + + return &RuleBasedRewriter{ + Rules: rwRules, + } +} + +func TestRewriteRequestAPIResourceList(t *testing.T) { + // Request APIResourcesList of original, non-renamed resources. + request := `GET /apis/original.group.io/v1 HTTP/1.1 +Host: 127.0.0.1 + +` + req, err := http.ReadRequest(bufio.NewReader(bytes.NewBufferString(request))) + require.NoError(t, err, "should read hardcoded request") + + expectPath := "/apis/prefixed.resources.group.io/v1" + + // Response body with renamed APIResourcesList + resourceListPayload := `{ + "kind": "APIResourceList", + "apiVersion": "v1", + "groupVersion": "prefixed.resources.group.io/v1", + "resources": [ + {"name":"prefixedsomeresources", + "singularName":"prefixedsomeresource", + "namespaced":true, + "kind":"PrefixedSomeResource", + "verbs":["delete","deletecollection","get","list","patch","create","update","watch"], + "shortNames":["psr","psrs"], + "categories":["prefixed"], + "storageVersionHash":"1qIJ90Mhvd8="}, + + {"name":"prefixedsomeresources/status", + "singularName":"", + "namespaced":true, + "kind":"PrefixedSomeResource", + "verbs":["get","patch","update"]}, + + {"name":"prefixedotherresources", + "singularName":"prefixedotherresource", + "namespaced":true, + "kind":"PrefixedOtherResource", + "verbs":["delete","deletecollection","get","list","patch","create","update","watch"], + "shortNames":["por"], + "categories":["prefixed"], + "storageVersionHash":"Nwlto9QquX0="}, + + {"name":"prefixedotherresources/status", + "singularName":"", + "namespaced":true, + "kind":"PrefixOtherResource", + "verbs":["get","patch","update"]} +]}` + + // Client proxy mode. + rwr := createRewriterForDiscoveryTest() + + var targetReq *TargetRequest + + targetReq = NewTargetRequest(rwr, req) + require.NotNil(t, targetReq, "should get TargetRequest") + require.Equal(t, expectPath, targetReq.Path(), "should rewrite api endpoint path") + + resultBytes, err := rwr.RewriteJSONPayload(targetReq, []byte(resourceListPayload), Restore) + if err != nil { + t.Fatalf("should rewrite body with renamed resources: %v", err) + } + + actual := string(resultBytes) + + require.Contains(t, actual, `"someresources"`, "should contains original someresources, got: %s", actual) + require.Contains(t, actual, `"someresources/status"`, "should contains original someresources/status, got: %s", actual) + require.NotContains(t, actual, `"otherresources"`, "should not contains not requested otherresources, got: %s", actual) + require.NotContains(t, actual, `"otherresources/status"`, "should not contains not requested otherresources/status, got: %s", actual) +} + +func TestRewriteAdmissionReviewRequestForResource(t *testing.T) { + admissionReview := `{ + "kind":"AdmissionReview", + "apiVersion":"admission.k8s.io/v1", + "request":{ + "uid":"389cfe15-34a1-4829-ad4d-de2576385711", + "kind":{"group":"prefixed.resources.group.io","version":"v1","kind":"PrefixedSomeResource"}, + "resource":{"group":"prefixed.resources.group.io","version":"v1","resource":"prefixedsomeresources"}, + "requestKind":{"group":"prefixed.resources.group.io","version":"v1","kind":"PrefixedSomeResource"}, + "requestResource":{"group":"prefixed.resources.group.io","version":"v1","resource":"prefixedsomeresources"}, + "name":"some-resource-name", + "namespace":"nsname", + "operation":"UPDATE", + "userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}, + "object":{ + "apiVersion":"prefixed.resources.group.io/v1", + "kind":"PrefixedSomeResource", + "metadata":{ + "annotations":{ + "anno":"value", + }, + "creationTimestamp":"2024-02-05T12:42:32Z", + "finalizers":["group.io/protection","other.group.io/protection"], + "name":"some-resource-name", + "namespace":"nsname", + "ownerReferences":[ + {"apiVersion":"controller.group.io/v2", + "blockOwnerDeletion":true, + "controller":true, + "kind":"SomeKind","name":"some-controller-name","uid":"904cfea9-c9d6-4d3a-82f7-5790b1a1b3e0"} + ], + "resourceVersion":"265111919","uid":"4c74c3ff-2199-4f20-a71c-3b0e5fb505ca" + }, + "spec":{"field1":"value1", "field2":"value2"}, + "status":{ + "conditions":[ + {"lastProbeTime":null,"lastTransitionTime":"2024-03-06T14:38:39Z","status":"True","type":"Ready"}, + {"lastProbeTime":"2024-02-29T14:11:05Z","lastTransitionTime":null,"status":"True","type":"Healthy"}], + "printableStatus":"Ready" + } + }, + + "oldObject":{ + "apiVersion":"prefixed.resources.group.io/v1", + "kind":"PrefixedSomeResource", + "metadata":{ + "annotations":{ + "anno":"value", + }, + "creationTimestamp":"2024-02-05T12:42:32Z", + "finalizers":["group.io/protection","other.group.io/protection"], + "name":"some-resource-name", + "namespace":"nsname", + "ownerReferences":[ + {"apiVersion":"controller.group.io/v2", + "blockOwnerDeletion":true, + "controller":true, + "kind":"SomeKind","name":"some-controller-name","uid":"904cfea9-c9d6-4d3a-82f7-5790b1a1b3e0"} + ], + "resourceVersion":"265111919","uid":"4c74c3ff-2199-4f20-a71c-3b0e5fb505ca" + }, + "spec":{"field1":"value1", "field2":"value2"}, + "status":{ + "conditions":[ + {"lastProbeTime":null,"lastTransitionTime":"2024-03-06T14:38:39Z","status":"True","type":"Ready"}, + {"lastProbeTime":"2024-02-29T14:11:05Z","lastTransitionTime":null,"status":"True","type":"Healthy"}], + "printableStatus":"Ready" + } + } + } +} +` + admissionReviewRequest := `POST /validate-prefixed-resources-group-io-v1-prefixedsomeresource HTTP/1.1 +Host: 127.0.0.1 +Content-Type: application/json +Content-Length: ` + strconv.Itoa(len(admissionReview)) + ` + +` + admissionReview + + req, err := http.ReadRequest(bufio.NewReader(bytes.NewBufferString(admissionReviewRequest))) + require.NoError(t, err, "should read hardcoded AdmissionReview request") + + rwr := createRewriterForDiscoveryTest() + + // Check getting TargetRequest from the webhook request. + var targetReq *TargetRequest + targetReq = NewTargetRequest(rwr, req) + require.NotNil(t, targetReq, "should get TargetRequest") + require.True(t, targetReq.ShouldRewriteRequest(), "should rewrite request in TargetRequest") + + // Check payload rewriting. + resultBytes, err := rwr.RewriteJSONPayload(targetReq, []byte(admissionReview), Restore) + require.NoError(t, err, "should rewrite request") + if err != nil { + t.Fatalf("should rewrite request: %v", err) + } + + require.Greater(t, len(resultBytes), 0, "result bytes from RewriteJSONPayload should not be empty") + + groupRule, resRule := rwr.Rules.ResourceRules("original.group.io", "someresources") + require.NotNil(t, resRule, "should get resourceRule for hardcoded group and resourceType") + + tests := []struct { + path string + expected string + }{ + {"request.kind.group", groupRule.Group}, + {"request.kind.kind", resRule.Kind}, + {"request.requestKind.group", groupRule.Group}, + {"request.requestKind.kind", resRule.Kind}, + {"request.resource.group", groupRule.Group}, + {"request.resource.resource", resRule.Plural}, + {"request.requestResource.group", groupRule.Group}, + {"request.requestResource.resource", resRule.Plural}, + {"request.object.apiVersion", groupRule.Group + "/v1"}, + {"request.object.kind", resRule.Kind}, + {"request.oldObject.apiVersion", groupRule.Group + "/v1"}, + {"request.oldObject.kind", resRule.Kind}, + } + + for _, tt := range tests { + t.Run(tt.path, func(t *testing.T) { + actual := gjson.GetBytes(resultBytes, tt.path).String() + if actual != tt.expected { + t.Fatalf("%s value should be %s, got %s", tt.path, tt.expected, actual) + } + }) + } +} diff --git a/images/kube-api-proxy/pkg/rewriter/list.go b/images/kube-api-proxy/pkg/rewriter/list.go new file mode 100644 index 000000000..12823695f --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/list.go @@ -0,0 +1,43 @@ +package rewriter + +import ( + "github.com/tidwall/gjson" + "github.com/tidwall/sjson" +) + +// RewriteResourceOrList is a helper to transform a single resource or a list of resources. +func RewriteResourceOrList(payload []byte, listKind string, transformFn func(singleObj []byte) ([]byte, error)) ([]byte, error) { + kind := gjson.GetBytes(payload, "kind").String() + + // Not a list, transform a single resource. + if kind != listKind { + return transformFn(payload) + } + + return RewriteArray(payload, "items", transformFn) +} + +func RewriteArray(obj []byte, arrayPath string, transformFn func(item []byte) ([]byte, error)) ([]byte, error) { + // Transform each item in list. Put back original items if transformFn returns nil bytes. + items := gjson.GetBytes(obj, arrayPath).Array() + if len(items) == 0 { + return obj, nil + } + rwrItems := []byte(`[]`) + for _, item := range items { + rwrItem, err := transformFn([]byte(item.Raw)) + if err != nil { + return nil, err + } + // Put original item back. + if rwrItem == nil { + rwrItem = []byte(item.Raw) + } + rwrItems, err = sjson.SetRawBytes(rwrItems, "-1", rwrItem) + if err != nil { + return nil, err + } + } + + return sjson.SetRawBytes(obj, arrayPath, rwrItems) +} diff --git a/images/kube-api-proxy/pkg/rewriter/load.go b/images/kube-api-proxy/pkg/rewriter/load.go new file mode 100644 index 000000000..4621678a7 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/load.go @@ -0,0 +1,22 @@ +package rewriter + +import ( + "os" + + "sigs.k8s.io/yaml" +) + +func LoadRules(filename string) (*RewriteRules, error) { + data, err := os.ReadFile(filename) + if err != nil { + return nil, err + } + + var rules = new(RewriteRules) + err = yaml.Unmarshal(data, rules) + if err != nil { + return nil, err + } + + return rules, nil +} diff --git a/images/kube-api-proxy/pkg/rewriter/path.go b/images/kube-api-proxy/pkg/rewriter/path.go new file mode 100644 index 000000000..364e793e6 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/path.go @@ -0,0 +1,175 @@ +package rewriter + +// RewritePath return rewritten TargetPath along with original group and resource type. +// TODO: this rewriter is not conform to S in SOLID. Should split to ParseAPIEndpoint and RewriteAPIEndpoint. +//func (rw *RuleBasedRewriter) RewritePath(urlPath string) (*TargetRequest, error) { +// // Is it a webhook? +// if webhookRule, ok := rw.Rules.Webhooks[urlPath]; ok { +// return &TargetRequest{ +// Webhook: &webhookRule, +// }, nil +// } +// +// // Is it an API request? +// if strings.HasPrefix(urlPath, "/apis/") || urlPath == "/apis" { +// // TODO refactor RewriteAPIPath to produce a TargetPath, not an array in PathItems. +// cleanedPath := strings.Trim(urlPath, "/") +// pathItems := strings.Split(cleanedPath, "/") +// +// // First, try to rewrite CRD request. +// res := RewriteCRDPath(pathItems, rw.Rules) +// if res != nil { +// return res, nil +// } +// // Next, rewrite usual request. +// res, err := RewriteAPIsPath(pathItems, rw.Rules) +// if err != nil { +// return nil, err +// } +// if res == nil { +// // e.g. no rewrite rule find. +// return nil, nil +// } +// if len(res.PathItems) > 0 { +// res.TargetPath = "/" + path.Join(res.PathItems...) +// } +// return res, nil +// } +// +// if strings.HasPrefix(urlPath, "/api/") || urlPath == "/api" { +// return &TargetRequest{ +// IsCoreAPI: true, +// }, nil +// } +// +// return nil, nil +//} + +// Constants with indices of API endpoints portions. +// Request cluster scoped resource: +// - /apis/GROUP/VERSION/RESOURCETYPE/NAME/SUBRESOURCE +// | | | | +// APISIdx | | | +// GroupIDx | | +// VersionIDx ---+ | +// ClusterResourceIdx ---+ + +// +// Request namespaced resource: +// - /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE +// | | | +// NamespacesIdx --------+ | | +// NamespaceIdx --------------------+ | +// NamespacedResourceIdx----------------------+ +// +// Request CRD: +// - /apis/apiextensions.k8s.io/v1/customresourcedefinitions/RESOURCETYPE.GROUP +// | | | +// GroupIdx | | +// ClusterResourceIdx -------------+ | +// CRDNameIdx -----------------------------------------------+ + +//const ( +// APISIdx = 0 +// GroupIdx = 1 +// VersionIdx = 2 +// NamespacesIdx = 3 +// NamespaceIdx = 4 +// ClusterResourceIdx = 3 +// NamespacedResourceIdx = 5 +//) + +// RewriteAPIsPath rewrites GROUP and RESOURCETYPE in these API calls: +// - /apis/GROUP +// - /apis/GROUP/VERSION +// - /apis/GROUP/VERSION/RESOURCETYPE +// - /apis/GROUP/VERSION/RESOURCETYPE/NAME +// - /apis/GROUP/VERSION/RESOURCETYPE/NAME/SUBRESOURCE +// +// - /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE +// - /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME +// - /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE +//func RewriteAPIsPath(pathItems []string, rules *RewriteRules) (*TargetRequest, error) { +// if len(pathItems) == 0 { +// return nil, nil +// } +// +// res := &TargetRequest{ +// PathItems: make([]string, 0, len(pathItems)), +// } +// +// if len(pathItems) == 1 { +// if pathItems[APISIdx] == "apis" { +// // Do not rewrite URL, but rewrite response later. +// res.PathItems = append(res.PathItems, pathItems[APISIdx]) +// return res, nil +// } +// // The single path item should be "apis". +// return nil, nil +// } +// +// res.PathItems = append(res.PathItems, pathItems[APISIdx]) +// +// // Check if the GROUP portion match Rules. +// apiGroupName := "" +// apiGroupMatch := false +// group := pathItems[GroupIdx] +// for groupName, apiGroupRule := range rules.Rules { +// if apiGroupRule.GroupRule.Group == group { +// res.OrigGroup = group +// res.PathItems = append(res.PathItems, rules.RenamedGroup) +// apiGroupName = groupName +// apiGroupMatch = true +// break +// } +// } +// +// if !apiGroupMatch { +// return nil, nil +// } +// // Stop if GROUP is the last item in path. +// if len(pathItems) <= GroupIdx+1 { +// return res, nil +// } +// +// // Add VERSION portion. +// res.PathItems = append(res.PathItems, pathItems[VersionIdx]) +// // Stop if VERSION is the last item in path. +// if len(pathItems) <= VersionIdx+1 { +// return res, nil +// } +// +// // Check is namespaced resource is requested. +// resourceTypeIdx := ClusterResourceIdx +// if pathItems[NamespacesIdx] == "namespaces" { +// res.PathItems = append(res.PathItems, pathItems[NamespacesIdx]) +// res.PathItems = append(res.PathItems, pathItems[NamespaceIdx]) +// resourceTypeIdx = NamespacedResourceIdx +// } +// +// // Check if the RESOURCETYPE portion match Rules. +// resourceType := pathItems[resourceTypeIdx] +// resourceTypeMatched := true +// for _, rule := range rules.Rules[apiGroupName].ResourceRules { +// if rule.Plural == resourceType { +// res.OrigResourceType = resourceType +// res.PathItems = append(res.PathItems, rules.RenameResource(rule.Plural)) +// resourceTypeMatched = true +// break +// } +// } +// if !resourceTypeMatched { +// return nil, nil +// } +// // Return if RESOURCETYPE is the last item in path. +// if len(pathItems) == resourceTypeIdx+1 { +// return res, nil +// } +// +// // Copy remaining items: NAME and SUBRESOURCE. +// for i := resourceTypeIdx + 1; i < len(pathItems); i++ { +// res.PathItems = append(res.PathItems, pathItems[i]) +// } +// +// return res, nil +//} diff --git a/images/kube-api-proxy/pkg/rewriter/rbac.go b/images/kube-api-proxy/pkg/rewriter/rbac.go new file mode 100644 index 000000000..eacbdc42c --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/rbac.go @@ -0,0 +1,193 @@ +package rewriter + +import ( + "strings" + + "github.com/tidwall/gjson" + "github.com/tidwall/sjson" +) + +const ( + ClusterRoleKind = "ClusterRole" + ClusterRoleListKind = "ClusterRoleList" + RoleKind = "Role" + RoleListKind = "RoleList" +) + +func RewriteClusterRoleOrList(rules *RewriteRules, obj []byte, action Action) ([]byte, error) { + if action == Rename { + return RewriteResourceOrList(obj, ClusterRoleListKind, func(singleObj []byte) ([]byte, error) { + return RewriteArray(singleObj, "rules", func(item []byte) ([]byte, error) { + return renameRoleRule(rules, item) + }) + }) + } + return RewriteResourceOrList(obj, ClusterRoleListKind, func(singleObj []byte) ([]byte, error) { + return RewriteArray(singleObj, "rules", func(item []byte) ([]byte, error) { + return restoreRoleRule(rules, item) + }) + }) +} + +func RewriteRoleOrList(rules *RewriteRules, obj []byte, action Action) ([]byte, error) { + if action == Rename { + return RewriteResourceOrList(obj, RoleListKind, func(singleObj []byte) ([]byte, error) { + return RewriteArray(singleObj, "rules", func(item []byte) ([]byte, error) { + return renameRoleRule(rules, item) + }) + }) + } + return RewriteResourceOrList(obj, RoleListKind, func(singleObj []byte) ([]byte, error) { + return RewriteArray(singleObj, "rules", func(item []byte) ([]byte, error) { + return restoreRoleRule(rules, item) + }) + }) +} + +// renameRoleRule renames apiGroups and resources in a single rule. +// Rule examples: +// - apiGroups: +// - original.group.io +// resources: +// - '*' +// verbs: +// - '*' +// - apiGroups: +// - original.group.io +// resources: +// - someresources +// - someresources/finalizers +// - someresources/status +// - someresources/scale +// verbs: +// - watch +// - list +// - create +func renameRoleRule(rules *RewriteRules, obj []byte) ([]byte, error) { + var err error + + apiGroups := gjson.GetBytes(obj, "apiGroups").Array() + newGroups := []byte(`[]`) + shouldRename := false + for _, apiGroup := range apiGroups { + group := apiGroup.String() + if group == "*" { + shouldRename = true + } else if rules.HasGroup(group) { + group = rules.RenamedGroup + shouldRename = true + } + + newGroups, err = sjson.SetBytes(newGroups, "-1", group) + if err != nil { + return nil, err + } + } + + if !shouldRename { + return obj, nil + } + + resources := gjson.GetBytes(obj, "resources").Array() + newResources := []byte(`[]`) + for _, resource := range resources { + resourceType := resource.String() + if strings.Contains(resourceType, "/") { + resourceType, _, _ = strings.Cut(resource.String(), "/") + } + if resourceType != "*" { + _, resRule := rules.GroupResourceRules(resourceType) + if resRule != nil { + // TODO(future) make it work with suffix and subresource. + resourceType = rules.RenameResource(resource.String()) + } + } + + newResources, err = sjson.SetBytes(newResources, "-1", resourceType) + if err != nil { + return nil, err + } + } + + obj, err = sjson.SetRawBytes(obj, "apiGroups", newGroups) + if err != nil { + return nil, err + } + return sjson.SetRawBytes(obj, "resources", newResources) +} + +// restoreRoleRule restores apiGroups and resources in a single rule. +func restoreRoleRule(rules *RewriteRules, obj []byte) ([]byte, error) { + var err error + + apiGroups := gjson.GetBytes(obj, "apiGroups").Array() + newGroups := []byte(`[]`) + shouldRestore := false + shouldAddGroup := false + for _, apiGroup := range apiGroups { + group := apiGroup.String() + if group == "*" { + shouldRestore = true + } + if group == rules.RenamedGroup { + shouldRestore = true + shouldAddGroup = true + // Group will be restored later, do not add now. + continue + } + newGroups, err = sjson.SetBytes(newGroups, "-1", group) + if err != nil { + return nil, err + } + } + + if !shouldRestore { + return obj, nil + } + + // Loop over resources and detect group from rules. + + resources := gjson.GetBytes(obj, "resources").Array() + newResources := []byte(`[]`) + shouldRestore = false + groupToAdd := "" + for _, resource := range resources { + newResource := resource.String() + resourceType := resource.String() + //subresource := "" + if strings.Contains(resourceType, "/") { + resourceType, _, _ = strings.Cut(resourceType, "/") + } + if resourceType != "*" { + // Restore resourceType to get rules. + originalResourceType := rules.RestoreResource(resourceType) + groupRule, resRule := rules.GroupResourceRules(originalResourceType) + if groupRule != nil && resRule != nil { + shouldRestore = true + groupToAdd = groupRule.Group + // NOTE: Restore resource with subresource. + // TODO(future) make it work with suffixes. + newResource = rules.RestoreResource(resource.String()) + } + } + + newResources, err = sjson.SetBytes(newResources, "-1", newResource) + if err != nil { + return nil, err + } + } + + // Add restored group to apiGroups. + if shouldAddGroup && groupToAdd != "" { + newGroups, err = sjson.SetBytes(newGroups, "-1", groupToAdd) + if err != nil { + return nil, err + } + } + + obj, err = sjson.SetRawBytes(obj, "apiGroups", newGroups) + if err != nil { + return nil, err + } + return sjson.SetRawBytes(obj, "resources", newResources) +} diff --git a/images/kube-api-proxy/pkg/rewriter/rbac_test.go b/images/kube-api-proxy/pkg/rewriter/rbac_test.go new file mode 100644 index 000000000..4acbdbb41 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/rbac_test.go @@ -0,0 +1,147 @@ +package rewriter + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestRenameRoleRule(t *testing.T) { + + tests := []struct { + name string + rule string + expect string + }{ + { + "group and resources", + `{"apiGroups":["original.group.io"], +"resources": ["someresources","someresources/finalizers","someresources/status"], +"verbs": ["watch", "list", "create"] +}`, + `{"apiGroups":["prefixed.resources.group.io"], +"resources": ["prefixedsomeresources","prefixedsomeresources/finalizers","prefixedsomeresources/status"], +"verbs": ["watch", "list", "create"] +}`, + }, + { + "only resources", + `{"apiGroups":["*"], +"resources": ["someresources","someresources/finalizers","someresources/status"], +"verbs": ["watch", "list", "create"] +}`, + `{"apiGroups":["*"], +"resources": ["prefixedsomeresources","prefixedsomeresources/finalizers","prefixedsomeresources/status"], +"verbs": ["watch", "list", "create"] +}`, + }, + { + "only group", + `{"apiGroups":["original.group.io"], +"resources": ["*"], +"verbs": ["watch", "list", "create"] +}`, + `{"apiGroups":["prefixed.resources.group.io"], +"resources": ["*"], +"verbs": ["watch", "list", "create"] +}`, + }, + { + "allow all", + `{"apiGroups":["*"], "resources":["*"], "verbs":["*"]}`, + `{"apiGroups":["*"], "resources":["*"], "verbs":["*"]}`, + }, + { + "unknown group", + `{"apiGroups":["unknown.group.io"], "resources":["someresources"], "verbs":["*"]}`, + `{"apiGroups":["unknown.group.io"], "resources":["someresources"], "verbs":["*"]}`, + }, + { + "core resource", + `{"apiGroups":[""], "resources":["pods"], "verbs":["create"]}`, + `{"apiGroups":[""], "resources":["pods"], "verbs":["create"]}`, + }, + } + + rwr := createTestRewriter() + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + resBytes, err := renameRoleRule(rwr.Rules, []byte(tt.rule)) + require.NoError(t, err, "should rename rule") + + actual := string(resBytes) + require.Equal(t, tt.expect, actual) + }) + } +} + +func TestRestoreRoleRule(t *testing.T) { + tests := []struct { + name string + rule string + expect string + }{ + { + "group and resources", + `{"apiGroups":["prefixed.resources.group.io"], +"resources": ["prefixedsomeresources","prefixedsomeresources/finalizers","prefixedsomeresources/status"], +"verbs": ["watch", "list", "create"] +}`, + `{"apiGroups":["original.group.io"], +"resources": ["someresources","someresources/finalizers","someresources/status"], +"verbs": ["watch", "list", "create"] +}`, + }, + { + "only resources", + `{"apiGroups":["*"], +"resources": ["prefixedsomeresources","prefixedsomeresources/finalizers","prefixedsomeresources/status"], +"verbs": ["watch", "list", "create"] +}`, + `{"apiGroups":["*"], +"resources": ["someresources","someresources/finalizers","someresources/status"], +"verbs": ["watch", "list", "create"] +}`, + }, + // Impossible to restore with current rules. + // { + // "only group", + // `{"apiGroups":["prefixed.resources.group.io"], + //"resources": ["*"], + //"verbs": ["watch", "list", "create"] + //}`, + // `{"apiGroups":["original.group.io"], + //"resources": ["*"], + //"verbs": ["watch", "list", "create"] + //}`, + // }, + { + "allow all", + `{"apiGroups":["*"], "resources":["*"], "verbs":["*"]}`, + `{"apiGroups":["*"], "resources":["*"], "verbs":["*"]}`, + }, + { + "unknown group", + `{"apiGroups":["unknown.group.io"], "resources":["someresources"], "verbs":["*"]}`, + `{"apiGroups":["unknown.group.io"], "resources":["someresources"], "verbs":["*"]}`, + }, + { + "core resource", + `{"apiGroups":[""], "resources":["pods","configmaps"], "verbs":["create"]}`, + `{"apiGroups":[""], "resources":["pods","configmaps"], "verbs":["create"]}`, + }, + } + + rwr := createTestRewriter() + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + resBytes, err := restoreRoleRule(rwr.Rules, []byte(tt.rule)) + require.NoError(t, err, "should rename rule") + + actual := string(resBytes) + require.Equal(t, tt.expect, actual) + }) + } +} diff --git a/images/kube-api-proxy/pkg/rewriter/resource.go b/images/kube-api-proxy/pkg/rewriter/resource.go new file mode 100644 index 000000000..e89b8b1b8 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/resource.go @@ -0,0 +1,343 @@ +package rewriter + +import ( + "strings" + + "github.com/tidwall/gjson" + "github.com/tidwall/sjson" +) + +func RewriteCustomResourceOrList(rules *RewriteRules, obj []byte, action Action) ([]byte, error) { + kind := gjson.GetBytes(obj, "kind").String() + if action == Restore { + kind = rules.RestoreKind(kind) + } + origGroupName, origResName, isList := rules.ResourceByKind(kind) + if origGroupName == "" && origResName == "" { + // Return as-is if kind is not in rules. + return obj, nil + } + if isList { + if action == Restore { + return RestoreResourcesList(rules, obj, origGroupName) + } + + return RenameResourcesList(rules, obj) + } + + // Responses of GET, LIST, DELETE requests. + // AdmissionReview requests from API Server. + if action == Restore { + return RestoreResource(rules, obj, origGroupName) + } + // CREATE, UPDATE, PATCH requests. + // TODO need to implement for + return RenameResource(rules, obj) +} + +func RenameResourcesList(rules *RewriteRules, obj []byte) ([]byte, error) { + obj, err := RenameAPIVersionAndKind(rules, obj) + if err != nil { + return nil, err + } + + // Rewrite apiVersion and kind in each item. + items := gjson.GetBytes(obj, "items").Array() + rwrItems := []byte(`[]`) + for _, item := range items { + rwrItem, err := RenameResource(rules, []byte(item.Raw)) + if err != nil { + return nil, err + } + rwrItems, err = sjson.SetRawBytes(rwrItems, "-1", rwrItem) + } + + obj, err = sjson.SetRawBytes(obj, "items", rwrItems) + if err != nil { + return nil, err + } + + return obj, nil +} + +func RestoreResourcesList(rules *RewriteRules, obj []byte, origGroupName string) ([]byte, error) { + obj, err := RestoreAPIVersionAndKind(rules, obj, origGroupName) + if err != nil { + return nil, err + } + + // Rewrite apiVersion and kind in each item. + items := gjson.GetBytes(obj, "items").Array() + rwrItems := []byte(`[]`) + for _, item := range items { + rwrItem, err := RestoreResource(rules, []byte(item.Raw), origGroupName) + if err != nil { + return nil, err + } + rwrItems, err = sjson.SetRawBytes(rwrItems, "-1", rwrItem) + } + + obj, err = sjson.SetRawBytes(obj, "items", rwrItems) + if err != nil { + return nil, err + } + + return obj, nil +} + +func RenameResource(rules *RewriteRules, obj []byte) ([]byte, error) { + obj, err := RenameAPIVersionAndKind(rules, obj) + if err != nil { + return nil, err + } + + // Rewrite apiVersion in each managedFields. + obj, err = RenameManagedFields(rules, obj) + if err != nil { + return nil, err + } + + return RenameOwnerReferences(rules, obj) +} + +func RestoreResource(rules *RewriteRules, obj []byte, origGroupName string) ([]byte, error) { + obj, err := RestoreAPIVersionAndKind(rules, obj, origGroupName) + if err != nil { + return nil, err + } + + // Rewrite apiVersion in each managedFields. + obj, err = RestoreManagedFields(rules, obj, origGroupName) + if err != nil { + return nil, err + } + + return RestoreOwnerReferences(rules, obj, origGroupName) +} + +func RenameAPIVersionAndKind(rules *RewriteRules, obj []byte) ([]byte, error) { + apiVersion := gjson.GetBytes(obj, "apiVersion").String() + obj, err := sjson.SetBytes(obj, "apiVersion", rules.RenameApiVersion(apiVersion)) + if err != nil { + return nil, err + } + + kind := gjson.GetBytes(obj, "kind").String() + return sjson.SetBytes(obj, "kind", rules.RenameKind(kind)) +} + +func RestoreAPIVersionAndKind(rules *RewriteRules, obj []byte, origGroupName string) ([]byte, error) { + apiVersion := gjson.GetBytes(obj, "apiVersion").String() + apiVersion = rules.RestoreApiVersion(apiVersion, origGroupName) + obj, err := sjson.SetBytes(obj, "apiVersion", apiVersion) + if err != nil { + return nil, err + } + + kind := gjson.GetBytes(obj, "kind").String() + return sjson.SetBytes(obj, "kind", rules.RestoreKind(kind)) +} + +func RewriteOwnerReferences(rules *RewriteRules, obj []byte, action Action) ([]byte, error) { + ownerRefs := gjson.GetBytes(obj, "metadata.ownerReferences").Array() + if len(ownerRefs) == 0 { + return obj, nil + } + + rwrOwnerRefs := []byte(`[]`) + rewritten := false + for _, ownerRef := range ownerRefs { + kind := ownerRef.Get("kind").String() + if action == Restore { + kind = rules.RestoreKind(kind) + } + // Find if kind should be rewritten. + origGroup, origResource, _ := rules.ResourceByKind(kind) + if origGroup == "" && origResource == "" { + // There is no rewrite rule for kind, append ownerRef as is. + var err error + rwrOwnerRefs, err = sjson.SetRawBytes(rwrOwnerRefs, "-1", []byte(ownerRef.Raw)) + if err != nil { + return nil, err + } + continue + } + if action == Rename { + kind = rules.RenameKind(kind) + } + + rwrOwnerRef := []byte(ownerRef.Raw) + + rwrOwnerRef, err := sjson.SetBytes(rwrOwnerRef, "kind", kind) + if err != nil { + return nil, err + } + + apiVersion := ownerRef.Get("apiVersion").String() + if action == Restore { + apiVersion = rules.RestoreApiVersion(apiVersion, origGroup) + } + if action == Rename { + apiVersion = rules.RenameApiVersion(apiVersion) + } + rwrOwnerRef, err = sjson.SetBytes(rwrOwnerRef, "apiVersion", apiVersion) + if err != nil { + return nil, err + } + + rwrOwnerRefs, err = sjson.SetRawBytes(rwrOwnerRefs, "-1", rwrOwnerRef) + rewritten = true + } + if rewritten { + return sjson.SetRawBytes(obj, "metadata.ownerReferences", rwrOwnerRefs) + } + + return obj, nil +} + +// RenameOwnerReferences renames kind and apiVersion to send request to server. +func RenameOwnerReferences(rules *RewriteRules, obj []byte) ([]byte, error) { + ownerRefs := gjson.GetBytes(obj, "metadata.ownerReferences").Array() + if len(ownerRefs) == 0 { + return obj, nil + } + + rwrOwnerRefs := []byte(`[]`) + var err error + for _, ownerRef := range ownerRefs { + apiVersion := ownerRef.Get("apiVersion").String() + kind := ownerRef.Get("kind").String() + + rwrOwnerRef := []byte(ownerRef.Raw) + + _, resRule := rules.KindRules(apiVersion, kind) + if resRule != nil { + // Rename apiVersion and kind if resource has renaming rules. + rwrOwnerRef, err = sjson.SetBytes(rwrOwnerRef, "kind", rules.RenameKind(kind)) + if err != nil { + return nil, err + } + + rwrOwnerRef, err = sjson.SetBytes(rwrOwnerRef, "apiVersion", rules.RenameApiVersion(apiVersion)) + if err != nil { + return nil, err + } + } + + rwrOwnerRefs, err = sjson.SetRawBytes(rwrOwnerRefs, "-1", rwrOwnerRef) + if err != nil { + return nil, err + } + } + return sjson.SetRawBytes(obj, "metadata.ownerReferences", rwrOwnerRefs) +} + +// RestoreOwnerReferences restores kind and apiVersion to consume by the client. +// There are no checks if resource should be restored. This should be determined by the caller. +// +// Example response from the server: +// apiVersion: x.virtualization.deckhouse.io/v1 +// kind: VirtualMachineInstance +// metadata: +// +// name: ... +// namespace: .. +// ownerReferences: +// - apiVersion: x.virtualization.deckhouse.io/v1 <--- restore apiVersion +// blockOwnerDeletion: true +// controller: true +// kind: VirtualMachine <--- restore kind +// name: cloud-alpine +// uid: 4c74c3ff-2199-4f20-a71c-3b0e5fb505ca +func RestoreOwnerReferences(rules *RewriteRules, obj []byte, groupName string) ([]byte, error) { + ownerRefs := gjson.GetBytes(obj, "metadata.ownerReferences").Array() + if len(ownerRefs) == 0 { + return obj, nil + } + rOwnerRefs := []byte(`[]`) + restored := false + for _, ownerRef := range ownerRefs { + apiVersion := ownerRef.Get("apiVersion").String() + rOwnerRef := []byte(ownerRef.Raw) + var err error + if strings.HasPrefix(apiVersion, rules.RenamedGroup) { + rOwnerRef, err = sjson.SetBytes([]byte(ownerRef.Raw), "apiVersion", rules.RestoreApiVersion(apiVersion, groupName)) + if err != nil { + return nil, err + } + kind := gjson.GetBytes(rOwnerRef, "kind").String() + rOwnerRef, err = sjson.SetBytes(rOwnerRef, "kind", rules.RestoreKind(kind)) + if err != nil { + return nil, err + } + restored = true + } + rOwnerRefs, err = sjson.SetRawBytes(rOwnerRefs, "-1", rOwnerRef) + } + if restored { + return sjson.SetRawBytes(obj, "metadata.ownerReferences", rOwnerRefs) + } + return obj, nil +} + +// RestoreManagedFields restores apiVersion in managedFields items. +// +// Example response from the server: +// +// "metadata": { +// "managedFields":[ +// { "apiVersion":"x.virtualization.deckhouse.io/v1", "fieldsType":"FieldsV1", "fieldsV1":{ ... }}, "manager": "Go-http-client", ...}, +// { "apiVersion":"x.virtualization.deckhouse.io/v1", "fieldsType":"FieldsV1", "fieldsV1":{ ... }}, "manager": "kubectl-edit", ...} +// ], +func RestoreManagedFields(rules *RewriteRules, obj []byte, origGroupName string) ([]byte, error) { + mgFields := gjson.GetBytes(obj, "metadata.managedFields") + if !mgFields.Exists() || len(mgFields.Array()) == 0 { + return obj, nil + } + + newFields := []byte(`[]`) + for _, mgField := range mgFields.Array() { + apiVersion := mgField.Get("apiVersion").String() + restoredAPIVersion := rules.RestoreApiVersion(apiVersion, origGroupName) + newField, err := sjson.SetBytes([]byte(mgField.Raw), "apiVersion", restoredAPIVersion) + if err != nil { + return nil, err + } + newFields, err = sjson.SetRawBytes(newFields, "-1", newField) + if err != nil { + return nil, err + } + } + return sjson.SetRawBytes(obj, "metadata.managedFields", newFields) +} + +// RenameManagedFields renames apiVersion in managedFields items. +// +// Example request from the client: +// +// "metadata": { +// "managedFields":[ +// { "apiVersion":"kubevirt.io/v1", "fieldsType":"FieldsV1", "fieldsV1":{ ... }}, "manager": "Go-http-client", ...}, +// { "apiVersion":"kubevirt.io/v1", "fieldsType":"FieldsV1", "fieldsV1":{ ... }}, "manager": "kubectl-edit", ...} +// ], +func RenameManagedFields(rules *RewriteRules, obj []byte) ([]byte, error) { + mgFields := gjson.GetBytes(obj, "metadata.managedFields") + if !mgFields.Exists() || len(mgFields.Array()) == 0 { + return obj, nil + } + + newFields := []byte(`[]`) + for _, mgField := range mgFields.Array() { + apiVersion := mgField.Get("apiVersion").String() + renamedAPIVersion := rules.RenameApiVersion(apiVersion) + newField, err := sjson.SetBytes([]byte(mgField.Raw), "apiVersion", renamedAPIVersion) + if err != nil { + return nil, err + } + newFields, err = sjson.SetRawBytes(newFields, "-1", newField) + if err != nil { + return nil, err + } + } + return sjson.SetRawBytes(obj, "metadata.managedFields", newFields) +} diff --git a/images/kube-api-proxy/pkg/rewriter/rule_rewriter.go b/images/kube-api-proxy/pkg/rewriter/rule_rewriter.go new file mode 100644 index 000000000..06d9e9414 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/rule_rewriter.go @@ -0,0 +1,208 @@ +package rewriter + +import ( + "regexp" + "strings" + + "github.com/tidwall/gjson" +) + +type RuleBasedRewriter struct { + Rules *RewriteRules +} + +type Action string + +const ( + // Restore is an action to restore resources to original. + Restore Action = "restore" + // Rename is an action to rename original resources. + Rename Action = "rename" +) + +// RewriteAPIEndpoint renames group and resource in /apis/* endpoints. +// It assumes that ep contains original group and resourceType. +// Restoring of path is not implemented. +func (rw *RuleBasedRewriter) RewriteAPIEndpoint(ep *APIEndpoint) *APIEndpoint { + // Leave paths /, /api, /api/*, and unknown paths as is. + if ep.IsRoot || ep.IsCore || ep.IsUnknown { + return nil + } + + // Rename CRD name resourcetype.group for resources with rules. + if ep.IsCRD { + // No endpoint rewrite for CRD list. + if ep.CRDGroup == "" && ep.CRDResourceType == "" { + if strings.Contains(ep.RawQuery, "metadata.name") { + // Rewrite name in field selector if any. + newQuery := rw.rewriteFieldSelector(ep.RawQuery) + if newQuery != "" { + res := ep.Clone() + res.RawQuery = newQuery + return res + } + } + return nil + } + + // Check if resource has rules + _, resourceRule := rw.Rules.ResourceRules(ep.CRDGroup, ep.CRDResourceType) + if resourceRule == nil { + // No rewrite for CRD without rules. + return nil + } + // Rewrite CRD name. + res := ep.Clone() + res.CRDGroup = rw.Rules.RenamedGroup + res.CRDResourceType = rw.Rules.RenameResource(res.CRDResourceType) + res.Name = res.CRDResourceType + "." + res.CRDGroup + return res + } + + // Rename group and resource for CR requests. + newGroup := "" + if ep.Group != "" { + groupRule := rw.Rules.GroupRule(ep.Group) + if groupRule == nil { + // No rewrite for group without rules. + return nil + } + newGroup = rw.Rules.RenamedGroup + } + + newResource := "" + if ep.ResourceType != "" { + _, resRule := rw.Rules.ResourceRules(ep.Group, ep.ResourceType) + if resRule != nil { + newResource = rw.Rules.RenameResource(ep.ResourceType) + } + } + + // Return rewritten endpoint if group or resource are changed. + if newGroup != "" || newResource != "" { + res := ep.Clone() + if newGroup != "" { + res.Group = newGroup + } + if newResource != "" { + res.ResourceType = newResource + } + + return res + } + + return nil +} + +var metadataNameRe = regexp.MustCompile(`metadata.name\%3D([a-z0-9-]+)((\.[a-z0-9-]+)*)`) + +// rewriteFieldSelector rewrites value for metadata.name in fieldSelector of CRDs listing. +// Example request: +// https://APISERVER/apis/apiextensions.k8s.io/v1/customresourcedefinitions?fieldSelector=metadata.name%3Dresources.original.group.io&... +func (rw *RuleBasedRewriter) rewriteFieldSelector(rawQuery string) string { + matches := metadataNameRe.FindStringSubmatch(rawQuery) + if matches == nil { + return "" + } + + resourceType := matches[1] + group := matches[2] + group = strings.TrimPrefix(group, ".") + + _, resRule := rw.Rules.ResourceRules(group, resourceType) + if resRule == nil { + return "" + } + + group = rw.Rules.RenamedGroup + resourceType = rw.Rules.RenameResource(resourceType) + + newSelector := `metadata.name%3D` + resourceType + "." + group + + return metadataNameRe.ReplaceAllString(rawQuery, newSelector) +} + +// RewriteJSONPayload does rewrite based on kind. +func (rw *RuleBasedRewriter) RewriteJSONPayload(targetReq *TargetRequest, obj []byte, action Action) ([]byte, error) { + // Detect Kind + kind := gjson.GetBytes(obj, "kind").String() + + var rwrBytes []byte + var err error + + //// Handle core resources: rewrite only for specific kind. + //if targetReq.IsCore() { + // pass := true + // switch kind { + // case "APIGroupList": + // case "APIGroup": + // case "APIResourceList": + // default: + // pass = shouldPassCoreResource(kind) + // } + // if pass { + // return obj, nil + // } + //} + + switch kind { + case "APIGroupList": + rwrBytes, err = RewriteAPIGroupList(rw.Rules, obj) + + case "APIGroup": + rwrBytes, err = RewriteAPIGroup(rw.Rules, obj, targetReq.OrigGroup()) + + case "APIResourceList": + rwrBytes, err = RewriteAPIResourceList(rw.Rules, obj, targetReq.OrigGroup()) + + case "AdmissionReview": + rwrBytes, err = RewriteAdmissionReview(rw.Rules, obj, targetReq.OrigGroup()) + + case CRDKind, CRDListKind: + rwrBytes, err = RewriteCRDOrList(rw.Rules, obj, action) + + case MutatingWebhookConfigurationKind, + MutatingWebhookConfigurationListKind: + rwrBytes, err = RewriteMutatingOrList(rw.Rules, obj, action) + + case ValidatingWebhookConfigurationKind, + ValidatingWebhookConfigurationListKind: + rwrBytes, err = RewriteValidatingOrList(rw.Rules, obj, action) + + case ClusterRoleKind, ClusterRoleListKind: + rwrBytes, err = RewriteClusterRoleOrList(rw.Rules, obj, action) + + case RoleKind, RoleListKind: + rwrBytes, err = RewriteRoleOrList(rw.Rules, obj, action) + + default: + if targetReq.IsCore() { + rwrBytes, err = RewriteOwnerReferences(rw.Rules, obj, action) + } else { + rwrBytes, err = RewriteCustomResourceOrList(rw.Rules, obj, action) + } + } + + // Return obj bytes as-is in case of the error. + if err != nil { + return obj, err + } + + return rwrBytes, nil +} + +// RewritePatch rewrites patches for some known objects. +// Only rename action is required for patches. +func (rw *RuleBasedRewriter) RewritePatch(targetReq *TargetRequest, obj []byte) ([]byte, error) { + if targetReq.IsCRD() { + // Check if CRD is known. + _, resRule := rw.Rules.ResourceRules(targetReq.OrigGroup(), targetReq.OrigResourceType()) + if resRule == nil { + return obj, nil + } + + return RenameCRDPatch(rw.Rules, resRule, obj) + } + + return obj, nil +} diff --git a/images/kube-api-proxy/pkg/rewriter/rule_rewriter_test.go b/images/kube-api-proxy/pkg/rewriter/rule_rewriter_test.go new file mode 100644 index 000000000..846706791 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/rule_rewriter_test.go @@ -0,0 +1,133 @@ +package rewriter + +import ( + "net/url" + "testing" + + "github.com/stretchr/testify/require" +) + +func createTestRewriter() *RuleBasedRewriter { + apiGroupRules := map[string]APIGroupRule{ + "original.group.io": { + GroupRule: GroupRule{ + Group: "original.group.io", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + }, + ResourceRules: map[string]ResourceRule{ + "someresources": { + Kind: "SomeResource", + ListKind: "SomeResourceList", + Plural: "someresources", + Singular: "someresource", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + Categories: []string{"all"}, + ShortNames: []string{"sr", "srs"}, + }, + "anotherresources": { + Kind: "AnotherResource", + ListKind: "AnotherResourceList", + Plural: "anotherresources", + Singular: "anotherresource", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + ShortNames: []string{"ar"}, + }, + }, + }, + "other.group.io": { + GroupRule: GroupRule{ + Group: "original.group.io", + Versions: []string{"v2alpha3"}, + PreferredVersion: "v2alpha3", + }, + ResourceRules: map[string]ResourceRule{ + "otherresources": { + Kind: "OtherResource", + ListKind: "OtherResourceList", + Plural: "otherresources", + Singular: "otherresource", + Versions: []string{"v1", "v1alpha1"}, + PreferredVersion: "v1", + ShortNames: []string{"or"}, + }, + }, + }, + } + + rules := &RewriteRules{ + KindPrefix: "Prefixed", // KV + ResourceTypePrefix: "prefixed", // kv + ShortNamePrefix: "p", + Categories: []string{"prefixed"}, + RenamedGroup: "prefixed.resources.group.io", + Rules: apiGroupRules, + } + + return &RuleBasedRewriter{ + Rules: rules, + } +} + +func TestRewriteAPIEndpoint(t *testing.T) { + tests := []struct { + name string + path string + expect string + }{ + { + "rewritable group", + "/apis/original.group.io", + "/apis/prefixed.resources.group.io", + }, + { + "rewritable group and version", + "/apis/original.group.io/v1", + "/apis/prefixed.resources.group.io/v1", + }, + { + "rewritable resource list", + "/apis/original.group.io/v1/someresources", + "/apis/prefixed.resources.group.io/v1/prefixedsomeresources", + }, + { + "rewritable resource by name", + "/apis/original.group.io/v1/someresources/srname", + "/apis/prefixed.resources.group.io/v1/prefixedsomeresources/srname", + }, + { + "rewritable resource status", + "/apis/original.group.io/v1/someresources/srname/status", + "/apis/prefixed.resources.group.io/v1/prefixedsomeresources/srname/status", + }, + { + "rewritable CRD", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions/someresources.original.group.io", + "/apis/apiextensions.k8s.io/v1/customresourcedefinitions/prefixedsomeresources.prefixed.resources.group.io", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + u, err := url.Parse(tt.path) + require.NoError(t, err, "should parse path '%s'", tt.path) + + ep := ParseAPIEndpoint(u) + + rwr := createTestRewriter() + + newEp := rwr.RewriteAPIEndpoint(ep) + + if tt.expect == "" { + require.Nil(t, newEp, "should not rewrite path '%s', got %+v", tt.path, newEp) + } + + require.NotNil(t, newEp, "should rewrite path '%s', got nil originEndpoint") + + require.Equal(t, tt.expect, newEp.Path(), "expect rewrite for path '%s' to be '%s', got '%s'", tt.path, tt.expect, ep.Path()) + }) + } + +} diff --git a/images/kube-api-proxy/pkg/rewriter/rules.go b/images/kube-api-proxy/pkg/rewriter/rules.go new file mode 100644 index 000000000..a8fc1ec60 --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/rules.go @@ -0,0 +1,210 @@ +package rewriter + +import "strings" + +type RewriteRules struct { + KindPrefix string `json:"kindPrefix"` + ResourceTypePrefix string `json:"resourceTypePrefix"` + ShortNamePrefix string `json:"shortNamePrefix"` + Categories []string `json:"categories"` + RenamedGroup string `json:"renamedGroup"` + Rules map[string]APIGroupRule `json:"rules"` + Webhooks map[string]WebhookRule `json:"webhooks"` +} + +type APIGroupRule struct { + GroupRule GroupRule `json:"groupRule"` + ResourceRules map[string]ResourceRule `json:"resourceRules"` +} + +type GroupRule struct { + Group string `json:"group"` + Versions []string `json:"versions"` + PreferredVersion string `json:"preferredVersion"` +} + +type ResourceRule struct { + Kind string `json:"kind"` + ListKind string `json:"listKind"` + Plural string `json:"plural"` + Singular string `json:"singular"` + ShortNames []string `json:"shortNames"` + Categories []string `json:"categories"` + Versions []string `json:"versions"` + PreferredVersion string `json:"preferredVersion"` +} + +type WebhookRule struct { + Path string `json:"path"` + Group string `json:"group"` + Resource string `json:"resource"` +} + +// GetAPIGroupList returns an array of groups in format applicable to use in APIGroupList: +// +// { +// name +// versions: [ { groupVersion, version } ... ] +// preferredVersion: { groupVersion, version } +// } +func (rr *RewriteRules) GetAPIGroupList() []interface{} { + groups := make([]interface{}, 0) + + for _, rGroup := range rr.Rules { + group := map[string]interface{}{ + "name": rGroup.GroupRule.Group, + "preferredVersion": map[string]interface{}{ + "groupVersion": rGroup.GroupRule.Group + "/" + rGroup.GroupRule.PreferredVersion, + "version": rGroup.GroupRule.PreferredVersion, + }, + } + versions := make([]interface{}, 0) + for _, ver := range rGroup.GroupRule.Versions { + versions = append(versions, map[string]interface{}{ + "groupVersion": rGroup.GroupRule.Group + "/" + ver, + "version": ver, + }) + } + group["versions"] = versions + groups = append(groups, group) + } + + return groups +} + +func (rr *RewriteRules) ResourceByKind(kind string) (string, string, bool) { + for groupName, group := range rr.Rules { + for resName, res := range group.ResourceRules { + if res.Kind == kind { + return groupName, resName, false + } + if res.ListKind == kind { + return groupName, resName, true + } + } + } + return "", "", false +} + +func (rr *RewriteRules) WebhookRule(path string) *WebhookRule { + if webhookRule, ok := rr.Webhooks[path]; ok { + return &webhookRule + } + return nil +} + +func (rr *RewriteRules) HasGroup(group string) bool { + _, ok := rr.Rules[group] + return ok +} + +func (rr *RewriteRules) GroupRule(group string) *GroupRule { + if groupRule, ok := rr.Rules[group]; ok { + return &groupRule.GroupRule + } + return nil +} + +// KindRules returns rule for group and resource by apiGroup and kind. +// apiGroup may be a group or a group with version. +func (rr *RewriteRules) KindRules(apiGroup, kind string) (*GroupRule, *ResourceRule) { + group, _, _ := strings.Cut(apiGroup, "/") + groupRule, ok := rr.Rules[group] + if !ok { + return nil, nil + } + + for _, resRule := range groupRule.ResourceRules { + if resRule.Kind == kind { + return &groupRule.GroupRule, &resRule + } + if resRule.ListKind == kind { + return &groupRule.GroupRule, &resRule + } + } + return nil, nil +} + +func (rr *RewriteRules) ResourceRules(group, resource string) (*GroupRule, *ResourceRule) { + groupRule, ok := rr.Rules[group] + if !ok { + return nil, nil + } + resourceRule, ok := rr.Rules[group].ResourceRules[resource] + if !ok { + return nil, nil + } + return &groupRule.GroupRule, &resourceRule +} + +func (rr *RewriteRules) GroupResourceRules(resourceType string) (*GroupRule, *ResourceRule) { + for _, group := range rr.Rules { + for _, res := range group.ResourceRules { + if res.Plural == resourceType { + return &group.GroupRule, &res + } + } + } + return nil, nil +} + +func (rr *RewriteRules) RenameResource(resource string) string { + return rr.ResourceTypePrefix + resource +} + +func (rr *RewriteRules) RenameKind(kind string) string { + return rr.KindPrefix + kind +} + +func (rr *RewriteRules) RestoreResource(resource string) string { + return strings.TrimPrefix(resource, rr.ResourceTypePrefix) +} + +func (rr *RewriteRules) RestoreKind(kind string) string { + return strings.TrimPrefix(kind, rr.KindPrefix) +} + +func (rr *RewriteRules) RestoreApiVersion(apiVersion string, group string) string { + // Replace group, keep version. + slashVersion := strings.TrimPrefix(apiVersion, rr.RenamedGroup) + return group + slashVersion +} + +func (rr *RewriteRules) RenameApiVersion(apiVersion string) string { + // Replace group, keep version. + apiVerParts := strings.Split(apiVersion, "/") + if len(apiVerParts) != 2 { + return apiVersion + } + return rr.RenamedGroup + "/" + apiVerParts[1] +} + +func (rr *RewriteRules) RenameCategories(categories []string) []string { + if len(categories) == 0 { + return []string{} + } + return rr.Categories +} + +func (rr *RewriteRules) RestoreCategories(resourceRule *ResourceRule) []string { + if resourceRule == nil { + return []string{} + } + return resourceRule.Categories +} + +func (rr *RewriteRules) RenameShortNames(shortNames []string) []string { + newNames := make([]string, 0, len(shortNames)) + for _, shortName := range shortNames { + newNames = append(newNames, rr.ShortNamePrefix+shortName) + } + return newNames +} + +func (rr *RewriteRules) RestoreShortNames(shortNames []string) []string { + newNames := make([]string, 0, len(shortNames)) + for _, shortName := range shortNames { + newNames = append(newNames, strings.TrimPrefix(shortName, rr.ShortNamePrefix)) + } + return newNames +} diff --git a/images/kube-api-proxy/pkg/rewriter/target_request.go b/images/kube-api-proxy/pkg/rewriter/target_request.go new file mode 100644 index 000000000..4a7606f5f --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/target_request.go @@ -0,0 +1,278 @@ +package rewriter + +import ( + "net/http" +) + +type TargetRequest struct { + originEndpoint *APIEndpoint + targetEndpoint *APIEndpoint + + webhookRule *WebhookRule +} + +func NewTargetRequest(rwr *RuleBasedRewriter, req *http.Request) *TargetRequest { + if req == nil || req.URL == nil { + return nil + } + + // Is it a request to the webhook? + webhookRule := rwr.Rules.WebhookRule(req.URL.Path) + if webhookRule != nil { + return &TargetRequest{ + webhookRule: webhookRule, + } + } + + apiEndpoint := ParseAPIEndpoint(req.URL) + if apiEndpoint == nil { + return nil + } + + // rewrite path if needed + targetEndpoint := rwr.RewriteAPIEndpoint(apiEndpoint) + + return &TargetRequest{ + originEndpoint: apiEndpoint, + targetEndpoint: targetEndpoint, + } +} + +// Path return possibly rewritten path for target endpoint. +func (tr *TargetRequest) Path() string { + if tr.targetEndpoint != nil { + return tr.targetEndpoint.Path() + } + if tr.originEndpoint != nil { + return tr.originEndpoint.Path() + } + if tr.webhookRule != nil { + return tr.webhookRule.Path + } + + return "" +} + +func (tr *TargetRequest) IsCore() bool { + if tr.originEndpoint != nil { + return tr.originEndpoint.IsCore + } + return false +} + +func (tr *TargetRequest) IsCRD() bool { + if tr.originEndpoint != nil { + return tr.originEndpoint.IsCRD + } + return false +} + +func (tr *TargetRequest) IsWatch() bool { + if tr.originEndpoint != nil { + return tr.originEndpoint.IsWatch + } + return false +} + +func (tr *TargetRequest) OrigGroup() string { + if tr.IsCRD() { + return tr.originEndpoint.CRDGroup + } + if tr.originEndpoint != nil { + return tr.originEndpoint.Group + } + if tr.webhookRule != nil { + return tr.webhookRule.Group + } + return "" +} + +func (tr *TargetRequest) OrigResourceType() string { + if tr.IsCRD() { + return tr.originEndpoint.CRDResourceType + } + if tr.originEndpoint != nil { + return tr.originEndpoint.ResourceType + } + if tr.webhookRule != nil { + return tr.webhookRule.Resource + } + return "" +} + +func (tr *TargetRequest) RawQuery() string { + if tr.targetEndpoint != nil { + return tr.targetEndpoint.RawQuery + } + if tr.originEndpoint != nil { + return tr.originEndpoint.RawQuery + } + return "" +} + +// ShouldRewriteRequest returns true if incoming payload should +// be rewritten. +func (tr *TargetRequest) ShouldRewriteRequest() bool { + // Consider known webhook should be rewritten. Unknown paths will be passed as-is. + if tr.webhookRule != nil { + return true + } + + if tr.originEndpoint != nil { + if tr.originEndpoint.IsRoot || tr.originEndpoint.IsUnknown { + return false + } + + if tr.targetEndpoint == nil { + // Pass resources without rules as is, except some special types. + + if tr.originEndpoint.IsCore { + switch tr.originEndpoint.ResourceType { + case "pods": + return true + } + } + + switch tr.originEndpoint.ResourceType { + case "mutatingwebhookconfigurations", + "validatingwebhookconfigurations", + "clusterroles", + "roles": + return true + } + + // Rewrite request body when creating CRD. + if tr.originEndpoint.ResourceType == "customresourcedefinitions" && tr.originEndpoint.Name == "" { + return true + } + + // Should not rewrite request if path is not rewritten. + return false + } + } + + // Payload should be inspected to decide if rewrite is required. + return true +} + +// ShouldRewriteResponse return true if response rewrite is needed. +// Response may be passed as is if false. +func (tr *TargetRequest) ShouldRewriteResponse() bool { + // If there is webhook rule, response should be rewritten. + if tr.webhookRule != nil { + return true + } + + if tr.originEndpoint == nil { + return false + } + + if tr.originEndpoint.IsRoot || tr.originEndpoint.IsUnknown { + return false + } + + // Some core resources should be rewritten. + if tr.originEndpoint.IsCore { + switch tr.originEndpoint.ResourceType { + case "pods": + return true + // pods should be rewritten + } + return false + } + + if tr.originEndpoint.IsCRD { + // Rewrite CRD List. + if tr.originEndpoint.Name == "" { + return true + } + // Rewrite CRD if group and resource was rewritten. + if tr.originEndpoint.Name != "" && tr.targetEndpoint != nil { + return true + } + return false + } + + // Rewrite if path was rewritten for known resource. + if tr.targetEndpoint != nil { + return true + } + + // Rewrite response from /apis discovery. + if tr.originEndpoint.Group == "" { + return true + } + + // Rewrite special resources. + switch tr.originEndpoint.ResourceType { + // Webhook configurations should be rewritten. + case "mutatingwebhookconfigurations", + "validatingwebhookconfigurations", + "clusterroles": + return true + } + + return false +} + +func (tr *TargetRequest) ResourceForLog() string { + if tr.webhookRule != nil { + return tr.webhookRule.Resource + } + if tr.originEndpoint != nil { + ep := tr.originEndpoint + if ep.IsRoot { + return "ROOT" + } + if ep.IsUnknown { + return "UKNOWN" + } + if ep.IsCore { + // /api + if ep.Version == "" { + return "APIVersions/core" + } + // /api/v1 + if ep.ResourceType == "" { + return "APIResourceList/core" + } + // /api/v1/RESOURCE/NAME/SUBRESOURCE + // /api/v1/namespaces/NS/status + // /api/v1/namespaces/NS/RESOURCE/NAME/SUBRESOURCE + if ep.Subresource != "" { + return ep.ResourceType + "/" + ep.Subresource + } + // /api/v1/RESOURCETYPE + // /api/v1/RESOURCETYPE/NAME + // /api/v1/namespaces + // /api/v1/namespaces/NAMESPACE + // /api/v1/namespaces/NAMESPACE/RESOURCETYPE + // /api/v1/namespaces/NAMESPACE/RESOURCETYPE/NAME + return ep.ResourceType + } + // /apis + if ep.Group == "" { + return "APIGroupList" + } + // /apis/GROUP + if ep.Version == "" { + return "APIGroup/" + ep.Group + } + // /apis/GROUP/VERSION + if ep.ResourceType == "" { + return "APIResourceList/" + ep.Group + } + // /apis/GROUP/VERSION/RESOURCETYPE/NAME/SUBRESOURCE + // /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE + if ep.Subresource != "" { + return ep.ResourceType + "/" + ep.Subresource + } + // /apis/GROUP/VERSION/RESOURCETYPE + // /apis/GROUP/VERSION/RESOURCETYPE/NAME + // /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE + // /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME + return ep.ResourceType + } + + return "UNKNOWN" +} diff --git a/images/kube-api-proxy/pkg/rewriter/webhook.go b/images/kube-api-proxy/pkg/rewriter/webhook.go new file mode 100644 index 000000000..4a51c74cb --- /dev/null +++ b/images/kube-api-proxy/pkg/rewriter/webhook.go @@ -0,0 +1 @@ +package rewriter diff --git a/images/kube-api-proxy/pkg/server/http_server.go b/images/kube-api-proxy/pkg/server/http_server.go new file mode 100644 index 000000000..5b0f8a653 --- /dev/null +++ b/images/kube-api-proxy/pkg/server/http_server.go @@ -0,0 +1,141 @@ +package server + +import ( + "context" + "crypto/tls" + "errors" + "fmt" + logutil "kube-api-proxy/pkg/log" + "kube-api-proxy/pkg/tls/certmanager" + log "log/slog" + "net" + "net/http" + "sync" +) + +// HTTPServer starts HTTP server with root handler using listen address. +// Implements Runnable interface to be able to stop server. +type HTTPServer struct { + InstanceDesc string + ListenAddr string + RootHandler http.Handler + CertManager certmanager.CertificateManager + Err error + + initLock sync.Mutex + stopped bool + + listener net.Listener + instance *http.Server +} + +// init checks if listen is possible and creates new HTTP server instance. +// initLock is used to avoid data races with the Stop method. +func (s *HTTPServer) init() bool { + s.initLock.Lock() + defer s.initLock.Unlock() + if s.stopped { + // Stop was called earlier. + return false + } + + l, err := net.Listen("tcp", s.ListenAddr) + if err != nil { + s.Err = err + log.Error(fmt.Sprintf("%s: listen on %s err: %s", s.InstanceDesc, s.ListenAddr, err)) + return false + } + s.listener = l + log.Info(fmt.Sprintf("%s: listen for incoming requests on %s", s.InstanceDesc, s.ListenAddr)) + + mux := http.NewServeMux() + mux.Handle("/", s.RootHandler) + + s.instance = &http.Server{ + Handler: mux, + } + return true +} + +func (s *HTTPServer) Start() { + if !s.init() { + return + } + + // Start serving HTTP requests, block until server instance stops or returns an error. + var err error + if s.CertManager != nil { + go s.CertManager.Start() + s.setupTLS() + err = s.instance.ServeTLS(s.listener, "", "") + } else { + err = s.instance.Serve(s.listener) + } + // Ignore closed error: it's a consequence of stop. + if err != nil { + switch { + case errors.Is(err, http.ErrServerClosed): + case errors.Is(err, net.ErrClosed): + default: + s.Err = err + } + } + return +} + +func (s *HTTPServer) setupTLS() { + s.instance.TLSConfig = &tls.Config{ + GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { + cert := s.CertManager.Current() + if cert == nil { + return nil, errors.New("no server certificate, server is not yet ready to receive traffic") + } + return cert, nil + }, + } +} + +// Stop shutdowns HTTP server instance and close a done channel. +// Stop and init may be run in parallel, so initLock is used to wait until +// variables are initialized. +func (s *HTTPServer) Stop() { + s.initLock.Lock() + defer s.initLock.Unlock() + + if s.stopped { + return + } + s.stopped = true + + if s.CertManager != nil { + s.CertManager.Stop() + } + // Shutdown instance if it was initialized. + if s.instance != nil { + log.Info(fmt.Sprintf("%s: stop", s.InstanceDesc)) + err := s.instance.Shutdown(context.Background()) + // Ignore ErrClosed. + if err != nil { + switch { + case errors.Is(err, http.ErrServerClosed): + case errors.Is(err, net.ErrClosed): + case s.Err != nil: + // log error to not reset runtime error. + log.Error(fmt.Sprintf("%s: stop instance", s.InstanceDesc), logutil.SlogErr(err)) + default: + s.Err = err + } + } + } +} + +// ConstructListenAddr return ip:port with defaults. +func ConstructListenAddr(addr, port, defaultAddr, defaultPort string) string { + if addr == "" { + addr = defaultAddr + } + if port == "" { + port = defaultPort + } + return addr + ":" + port +} diff --git a/images/kube-api-proxy/pkg/server/runnable_group.go b/images/kube-api-proxy/pkg/server/runnable_group.go new file mode 100644 index 000000000..e60120423 --- /dev/null +++ b/images/kube-api-proxy/pkg/server/runnable_group.go @@ -0,0 +1,74 @@ +package server + +import ( + "sync" +) + +type Runnable interface { + Start() + Stop() +} + +// RunnableGroup is a group of Runnables that should run until one of them stops. +type RunnableGroup struct { + runnables []Runnable +} + +func NewRunnableGroup() *RunnableGroup { + return &RunnableGroup{ + runnables: make([]Runnable, 0), + } +} + +// Add register Runnable in a group. +// Note: not designed for parallel registering. +func (rg *RunnableGroup) Add(r Runnable) { + rg.runnables = append(rg.runnables, r) +} + +// Start starts all Runnables and stops all of them when at least one Runnable stops. +func (rg *RunnableGroup) Start() { + // Start all runnables. + oneStoppedCh := rg.startAll() + + // Block until one runnable is stopped. + <-oneStoppedCh + + // Wait until all Runnables stop. + rg.stopAll() +} + +// startAll calls Start for each Runnable in separate go routines. +// It waits until all go routines starts. +// It returns a channel, so caller can receive event when one of the Runnables stops. +func (rg *RunnableGroup) startAll() chan struct{} { + oneStopped := make(chan struct{}) + var closeOnce sync.Once + + for i := range rg.runnables { + r := rg.runnables[i] + go func() { + r.Start() + closeOnce.Do(func() { + close(oneStopped) + }) + }() + } + + return oneStopped +} + +// stopAll calls Stop for each Runnable in a separate go routine. +// It waits until all go routines starts. +func (rg *RunnableGroup) stopAll() { + var wg sync.WaitGroup + wg.Add(len(rg.runnables)) + for i := range rg.runnables { + r := rg.runnables[i] + go func() { + r.Stop() + wg.Done() + }() + } + wg.Wait() +} diff --git a/images/kube-api-proxy/pkg/target/kubernetes.go b/images/kube-api-proxy/pkg/target/kubernetes.go new file mode 100644 index 000000000..ad2757adc --- /dev/null +++ b/images/kube-api-proxy/pkg/target/kubernetes.go @@ -0,0 +1,39 @@ +package target + +import ( + "fmt" + "net/http" + "net/url" + + "k8s.io/client-go/rest" + "sigs.k8s.io/controller-runtime/pkg/client/config" +) + +type Kubernetes struct { + Config *rest.Config + Client *http.Client + APIServerURL *url.URL +} + +func NewKubernetesTarget() (*Kubernetes, error) { + var err error + k := &Kubernetes{} + + k.Config, err = config.GetConfig() + if err != nil { + return nil, fmt.Errorf("load Kubernetes client config: %w", err) + } + + // Configure HTTP client to Kubernetes API server. + k.Client, err = rest.HTTPClientFor(k.Config) + if err != nil { + return nil, fmt.Errorf("setup Kubernetes API http client: %w", err) + } + + k.APIServerURL, err = url.Parse(k.Config.Host) + if err != nil { + return nil, fmt.Errorf("parse API server URL: %w", err) + } + + return k, nil +} diff --git a/images/kube-api-proxy/pkg/target/webhook.go b/images/kube-api-proxy/pkg/target/webhook.go new file mode 100644 index 000000000..d3ebd31bd --- /dev/null +++ b/images/kube-api-proxy/pkg/target/webhook.go @@ -0,0 +1,89 @@ +package target + +import ( + "crypto/tls" + "fmt" + "kube-api-proxy/pkg/tls/certmanager" + "kube-api-proxy/pkg/tls/certmanager/filesystem" + "net" + "net/http" + "net/url" + "os" + "time" +) + +type Webhook struct { + Client *http.Client + URL *url.URL + CertManager certmanager.CertificateManager +} + +const ( + WebhookAddressVar = "WEBHOOK_ADDRESS" + WebhookServerNameVar = "WEBHOOK_SERVER_NAME" + WebhookCertFileVar = "WEBHOOK_CERT_FILE" + WebhookKeyFileVar = "WEBHOOK_KEY_FILE" +) + +var ( + defaultWebhookTimeout = 30 * time.Second + defaultWebhookAddress = "https://127.0.0.1:9443" +) + +func NewWebhookTarget() (*Webhook, error) { + var err error + webhook := &Webhook{} + + // Target address and serverName. + address := os.Getenv(WebhookAddressVar) + if address == "" { + address = defaultWebhookAddress + } + + serverName := os.Getenv(WebhookServerNameVar) + if serverName == "" { + serverName = address + } + + webhook.URL, err = url.Parse(address) + if err != nil { + return nil, err + } + + // Certificate settings. + certFile := os.Getenv(WebhookCertFileVar) + keyFile := os.Getenv(WebhookKeyFileVar) + if certFile == "" && keyFile != "" { + return nil, fmt.Errorf("should specify cert file in %s if %s is not empty", WebhookCertFileVar, WebhookKeyFileVar) + } + if certFile != "" && keyFile == "" { + return nil, fmt.Errorf("should specify key file in %s if %s is not empty", WebhookKeyFileVar, WebhookCertFileVar) + } + if certFile != "" && keyFile != "" { + webhook.CertManager = filesystem.NewFileCertificateManager(certFile, keyFile) + } + + // Construct TLS client without validation to connect to the local webhook server. + dialer := &net.Dialer{ + Timeout: defaultWebhookTimeout, + } + + tr := &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + ServerName: serverName, + }, + DisableKeepAlives: true, + IdleConnTimeout: 5 * time.Minute, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + DialContext: dialer.DialContext, + } + + webhook.Client = &http.Client{ + Transport: tr, + Timeout: defaultWebhookTimeout, + } + + return webhook, nil +} diff --git a/images/kube-api-proxy/pkg/tls/certmanager/certmanager.go b/images/kube-api-proxy/pkg/tls/certmanager/certmanager.go new file mode 100644 index 000000000..d182692b6 --- /dev/null +++ b/images/kube-api-proxy/pkg/tls/certmanager/certmanager.go @@ -0,0 +1,11 @@ +package certmanager + +import ( + "crypto/tls" +) + +type CertificateManager interface { + Start() + Stop() + Current() *tls.Certificate +} diff --git a/images/kube-api-proxy/pkg/tls/certmanager/filesystem/file-cert-manager.go b/images/kube-api-proxy/pkg/tls/certmanager/filesystem/file-cert-manager.go new file mode 100644 index 000000000..532c43a04 --- /dev/null +++ b/images/kube-api-proxy/pkg/tls/certmanager/filesystem/file-cert-manager.go @@ -0,0 +1,152 @@ +package filesystem + +import ( + "crypto/tls" + "fmt" + "github.com/fsnotify/fsnotify" + logutil "kube-api-proxy/pkg/log" + "kube-api-proxy/pkg/tls/util" + "log/slog" + "os" + "path/filepath" + "sync" + "time" +) + +type FileCertificateManager struct { + stopCh chan struct{} + certAccessLock sync.Mutex + cert *tls.Certificate + certBytesPath string + keyBytesPath string + errorRetryInterval time.Duration +} + +func NewFileCertificateManager(certBytesPath, keyBytesPath string) *FileCertificateManager { + return &FileCertificateManager{ + certBytesPath: certBytesPath, + keyBytesPath: keyBytesPath, + stopCh: make(chan struct{}), + errorRetryInterval: 1 * time.Minute, + } +} + +func (f *FileCertificateManager) Start() { + objectUpdated := make(chan struct{}, 1) + watcher, err := fsnotify.NewWatcher() + if err != nil { + slog.Error("failed to create an inotify watcher", logutil.SlogErr(err)) + } + defer watcher.Close() + + certDir := filepath.Dir(f.certBytesPath) + err = watcher.Add(certDir) + if err != nil { + slog.Error(fmt.Sprintf("failed to establish a watch on %s", f.certBytesPath), logutil.SlogErr(err)) + } + keyDir := filepath.Dir(f.keyBytesPath) + if keyDir != certDir { + err = watcher.Add(keyDir) + if err != nil { + slog.Error(fmt.Sprintf("failed to establish a watch on %s", f.keyBytesPath), logutil.SlogErr(err)) + } + } + + go func() { + for { + select { + case _, ok := <-watcher.Events: + if !ok { + return + } + select { + case objectUpdated <- struct{}{}: + default: + slog.Debug("Dropping redundant wakeup for cert reload") + } + case err, ok := <-watcher.Errors: + if !ok { + return + } + slog.Error(fmt.Sprintf("An error occurred when watching certificates files %s and %s", f.certBytesPath, f.keyBytesPath), logutil.SlogErr(err)) + } + } + }() + + // ensure we load the certificates on startup + objectUpdated <- struct{}{} + +sync: + for { + select { + case <-objectUpdated: + if err := f.rotateCerts(); err != nil { + go func() { + time.Sleep(f.errorRetryInterval) + select { + case objectUpdated <- struct{}{}: + default: + slog.Debug("Dropping redundant wakeup for cert reload") + } + }() + } + case <-f.stopCh: + break sync + } + } +} + +func (f *FileCertificateManager) Stop() { + f.certAccessLock.Lock() + defer f.certAccessLock.Unlock() + select { + case <-f.stopCh: + default: + close(f.stopCh) + } +} + +func (f *FileCertificateManager) rotateCerts() error { + crt, err := f.loadCertificates() + if err != nil { + return fmt.Errorf("failed to load the certificate %s and %s: %w", f.certBytesPath, f.keyBytesPath, err) + } + + f.certAccessLock.Lock() + defer f.certAccessLock.Unlock() + // update after the callback, to ensure that the reconfiguration succeeded + f.cert = crt + slog.Info(fmt.Sprintf("certificate with common name '%s' retrieved.", crt.Leaf.Subject.CommonName)) + return nil +} + +func (f *FileCertificateManager) loadCertificates() (serverCrt *tls.Certificate, err error) { + // #nosec No risk for path injection. Used for specific cert file for key rotation + certBytes, err := os.ReadFile(f.certBytesPath) + if err != nil { + return nil, err + } + // #nosec No risk for path injection. Used for specific cert file for key rotation + keyBytes, err := os.ReadFile(f.keyBytesPath) + if err != nil { + return nil, err + } + + crt, err := tls.X509KeyPair(certBytes, keyBytes) + if err != nil { + return nil, fmt.Errorf("failed to load certificate: %w\n", err) + } + + leaf, err := util.ParseCertsPEM(certBytes) + if err != nil { + return nil, fmt.Errorf("failed to load leaf certificate: %w\n", err) + } + crt.Leaf = leaf[0] + return &crt, nil +} + +func (f *FileCertificateManager) Current() *tls.Certificate { + f.certAccessLock.Lock() + defer f.certAccessLock.Unlock() + return f.cert +} diff --git a/images/kube-api-proxy/pkg/tls/util/util.go b/images/kube-api-proxy/pkg/tls/util/util.go new file mode 100644 index 000000000..a6e27dd69 --- /dev/null +++ b/images/kube-api-proxy/pkg/tls/util/util.go @@ -0,0 +1,36 @@ +package util + +import ( + "crypto/x509" + "encoding/pem" + "errors" +) + +const CertificateBlockType string = "CERTIFICATE" + +func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) { + var certs []*x509.Certificate + for len(pemCerts) > 0 { + var block *pem.Block + block, pemCerts = pem.Decode(pemCerts) + if block == nil { + break + } + // Only use PEM "CERTIFICATE" blocks without extra headers + if block.Type != CertificateBlockType || len(block.Headers) != 0 { + continue + } + + cert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + return certs, err + } + + certs = append(certs, cert) + } + + if len(certs) == 0 { + return nil, errors.New("data does not contain any valid RSA or ECDSA certificates") + } + return certs, nil +} diff --git a/images/kube-api-proxy/werf.inc.yaml b/images/kube-api-proxy/werf.inc.yaml new file mode 100644 index 000000000..459209398 --- /dev/null +++ b/images/kube-api-proxy/werf.inc.yaml @@ -0,0 +1,39 @@ +--- +image: {{ $.ImageName }}-builder +fromImage: base-golang-21-bookworm +git: + - add: /images/{{ $.ImageName }} + to: /src/kube-api-proxy + stageDependencies: + install: + - go.mod + - go.sum + setup: + - "**/*.go" +mount: + - fromPath: ~/go-pkg-cache + to: /go/pkg +shell: + install: + - cd /src/kube-api-proxy + - go mod download + setup: + - cd /src/kube-api-proxy + - export GO111MODULE=on + - export GOOS=linux + - export CGO_ENABLED=0 + - export GOARCH=amd64 + - go build -v -a -o kube-api-proxy ./cmd/kube-api-proxy + +--- +image: {{ $.ImageName }} +fromImage: base-ubuntu-jammy +import: + - image: {{ $.ImageName }}-builder + add: /src/kube-api-proxy/kube-api-proxy + to: /app/kube-api-proxy + after: install +docker: + USER: "65532:65532" + WORKDIR: "/app" + ENTRYPOINT: ["/app/kube-api-proxy"] diff --git a/images/libguestfs/werf.inc.yaml b/images/libguestfs/werf.inc.yaml index ca0100d12..760b53540 100644 --- a/images/libguestfs/werf.inc.yaml +++ b/images/libguestfs/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: virt-artifact +- image: virt-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/pre-delete-hook/entrypoint.sh b/images/pre-delete-hook/entrypoint.sh index de2c576a6..b0a404abc 100644 --- a/images/pre-delete-hook/entrypoint.sh +++ b/images/pre-delete-hook/entrypoint.sh @@ -1,13 +1,13 @@ #!/bin/bash set -eu -o pipefail -KUBEVIRT_RESOURCE="kubevirts.x.virtualization.deckhouse.io" +KUBEVIRT_RESOURCE="dvpinternalkubevirts.internal.virtualization.deckhouse.io" echo "Delete Kubevirt configuration ..." kubectl delete -n d8-virtualization ${KUBEVIRT_RESOURCE} kubevirt || true echo "Wait for Kubevirt deletion ..." kubectl wait --for=delete -n d8-virtualization ${KUBEVIRT_RESOURCE} kubevirt --timeout=180s || true -CDI_RESOURCE="cdis.x.virtualization.deckhouse.io" +CDI_RESOURCE="dvpinternalcdis.internal.virtualization.deckhouse.io" echo "Delete CDI configuration ..." kubectl delete ${CDI_RESOURCE} cdi || true echo "Wait for CDI deletion ..." diff --git a/images/virt-api/werf.inc.yaml b/images/virt-api/werf.inc.yaml index 0f698f4df..d7a6d107b 100644 --- a/images/virt-api/werf.inc.yaml +++ b/images/virt-api/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: virt-artifact +- image: virt-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/virt-artifact/patches/010-override-crds.patch b/images/virt-artifact/patches/010-override-crds.patch deleted file mode 100644 index 11b2a5446..000000000 --- a/images/virt-artifact/patches/010-override-crds.patch +++ /dev/null @@ -1,992 +0,0 @@ -diff --git a/pkg/storage/export/export/export.go b/pkg/storage/export/export/export.go -index 51eb69df6..7a8a29381 100644 ---- a/pkg/storage/export/export/export.go -+++ b/pkg/storage/export/export/export.go -@@ -140,7 +140,7 @@ var exportGVK = schema.GroupVersionKind{ - } - - var datavolumeGVK = schema.GroupVersionKind{ -- Group: cdiv1.SchemeGroupVersion.Group, -+ Group: "x.virtualization.deckhouse.io", - Version: cdiv1.SchemeGroupVersion.Version, - Kind: "DataVolume", - } -diff --git a/pkg/storage/export/export/links.go b/pkg/storage/export/export/links.go -index 38bdb9410..5dfd44224 100644 ---- a/pkg/storage/export/export/links.go -+++ b/pkg/storage/export/export/links.go -@@ -32,6 +32,7 @@ import ( - corev1 "k8s.io/api/core/v1" - networkingv1 "k8s.io/api/networking/v1" - -+ "kubevirt.io/api/export" - exportv1 "kubevirt.io/api/export/v1alpha1" - - "kubevirt.io/kubevirt/pkg/certificates/triple/cert" -@@ -45,7 +46,7 @@ const ( - routeCaKey = "ca.crt" - subjectAltNameId = "2.5.29.17" - -- apiGroup = "export.kubevirt.io" -+ apiGroup = export.GroupName - apiVersion = "v1alpha1" - exportResourceName = "virtualmachineexports" - gv = apiGroup + "/" + apiVersion -diff --git a/pkg/storage/export/virt-exportserver/exportserver.go b/pkg/storage/export/virt-exportserver/exportserver.go -index 388f9c752..8e20fe5c4 100644 ---- a/pkg/storage/export/virt-exportserver/exportserver.go -+++ b/pkg/storage/export/virt-exportserver/exportserver.go -@@ -579,7 +579,7 @@ func vmHandler(filePath string, vi []VolumeInfo, getBasePath func() (string, err - for _, dv := range datavolumes { - dv.TypeMeta = metav1.TypeMeta{ - Kind: "DataVolume", -- APIVersion: "cdi.kubevirt.io/v1beta1", -+ APIVersion: "x.virtualization.deckhouse.io/v1beta1", - } - for _, info := range vi { - if strings.Contains(info.RawGzURI, dv.Name) { -diff --git a/pkg/virt-api/definitions/definitions.go b/pkg/virt-api/definitions/definitions.go -index 94443cbe3..b71cca384 100644 ---- a/pkg/virt-api/definitions/definitions.go -+++ b/pkg/virt-api/definitions/definitions.go -@@ -55,8 +55,33 @@ const ( - ) - - func ComposeAPIDefinitions() []*restful.WebService { -- var result []*restful.WebService -- for _, f := range []func() []*restful.WebService{ -+ return xGVApiServiceDefinitions(v1.GroupVersion) -+} -+ -+func xGVApiServiceDefinitions(xGV schema.GroupVersion) []*restful.WebService { -+ ws := new(restful.WebService) -+ ws.Doc("The KubeVirt and CDI API, a virtual machine management.") -+ -+ ws.Route( -+ ws.GET("/").Produces(mime.MIME_JSON).Writes(metav1.APIResourceList{}). -+ To(noop). -+ Operation(fmt.Sprintf("getAPIResources-%s", xGV.Group)). -+ Doc("Get KubeVirt and CDI API Resources"). -+ Returns(http.StatusOK, "OK", metav1.APIResourceList{}). -+ Returns(http.StatusNotFound, "Not Found", ""), -+ ) -+ -+ ws2 := new(restful.WebService) -+ ws2.Path(GroupBasePath(xGV)) -+ ws2.Route(ws2.GET("/"). -+ Produces(mime.MIME_JSON).Writes(metav1.APIGroup{}). -+ To(noop). -+ Doc("Get a KubeVirt and CDI API group"). -+ Operation("getAPIGroup-"+xGV.Group). -+ Returns(http.StatusOK, "OK", metav1.APIGroup{}). -+ Returns(http.StatusNotFound, "Not Found", "")) -+ -+ for _, f := range []func(ws *restful.WebService) *restful.WebService{ - kubevirtApiServiceDefinitions, - snapshotApiServiceDefinitions, - exportApiServiceDefinitions, -@@ -65,13 +90,13 @@ func ComposeAPIDefinitions() []*restful.WebService { - poolApiServiceDefinitions, - vmCloneDefinitions, - } { -- result = append(result, f()...) -+ ws = f(ws) - } - -- return result -+ return []*restful.WebService{ws, ws2} - } - --func kubevirtApiServiceDefinitions() []*restful.WebService { -+func kubevirtApiServiceDefinitions(ws *restful.WebService) *restful.WebService { - vmiGVR := schema.GroupVersionResource{Group: v1.GroupVersion.Group, Version: v1.GroupVersion.Version, Resource: "virtualmachineinstances"} - vmirsGVR := schema.GroupVersionResource{Group: v1.GroupVersion.Group, Version: v1.GroupVersion.Version, Resource: "virtualmachineinstancereplicasets"} - vmipGVR := schema.GroupVersionResource{Group: v1.GroupVersion.Group, Version: v1.GroupVersion.Version, Resource: "virtualmachineinstancepresets"} -@@ -79,11 +104,7 @@ func kubevirtApiServiceDefinitions() []*restful.WebService { - migrationGVR := schema.GroupVersionResource{Group: v1.GroupVersion.Group, Version: v1.GroupVersion.Version, Resource: "virtualmachineinstancemigrations"} - kubeVirtGVR := schema.GroupVersionResource{Group: v1.GroupVersion.Group, Version: v1.GroupVersion.Version, Resource: "kubevirt"} - -- ws, err := groupVersionProxyBase(v1.GroupVersion) -- if err != nil { -- panic(err) -- } -- -+ var err error - ws, err = genericNamespacedResourceProxy(ws, kubeVirtGVR, &v1.KubeVirt{}, v1.KubeVirtGroupVersionKind.Kind, &v1.KubeVirtList{}) - if err != nil { - panic(err) -@@ -113,24 +134,15 @@ func kubevirtApiServiceDefinitions() []*restful.WebService { - panic(err) - } - -- ws2, err := resourceProxyAutodiscovery(vmiGVR) -- if err != nil { -- panic(err) -- } -- -- return []*restful.WebService{ws, ws2} -+ return ws - } - --func snapshotApiServiceDefinitions() []*restful.WebService { -+func snapshotApiServiceDefinitions(ws *restful.WebService) *restful.WebService { - vmsGVR := snapshotv1.SchemeGroupVersion.WithResource("virtualmachinesnapshots") - vmscGVR := snapshotv1.SchemeGroupVersion.WithResource("virtualmachinesnapshotcontents") - vmrGVR := snapshotv1.SchemeGroupVersion.WithResource("virtualmachinerestores") - -- ws, err := groupVersionProxyBase(schema.GroupVersion{Group: snapshotv1.SchemeGroupVersion.Group, Version: snapshotv1.SchemeGroupVersion.Version}) -- if err != nil { -- panic(err) -- } -- -+ var err error - ws, err = genericNamespacedResourceProxy(ws, vmsGVR, &snapshotv1.VirtualMachineSnapshot{}, "VirtualMachineSnapshot", &snapshotv1.VirtualMachineSnapshotList{}) - if err != nil { - panic(err) -@@ -146,64 +158,40 @@ func snapshotApiServiceDefinitions() []*restful.WebService { - panic(err) - } - -- ws2, err := resourceProxyAutodiscovery(vmsGVR) -- if err != nil { -- panic(err) -- } -- return []*restful.WebService{ws, ws2} -+ return ws - } - --func exportApiServiceDefinitions() []*restful.WebService { -+func exportApiServiceDefinitions(ws *restful.WebService) *restful.WebService { - exportsGVR := exportv1.SchemeGroupVersion.WithResource("virtualmachineexports") - -- ws, err := groupVersionProxyBase(schema.GroupVersion{Group: exportv1.SchemeGroupVersion.Group, Version: exportv1.SchemeGroupVersion.Version}) -- if err != nil { -- panic(err) -- } -- -+ var err error - ws, err = genericNamespacedResourceProxy(ws, exportsGVR, &exportv1.VirtualMachineExport{}, "VirtualMachineExport", &exportv1.VirtualMachineExportList{}) - if err != nil { - panic(err) - } - -- ws2, err := resourceProxyAutodiscovery(exportsGVR) -- if err != nil { -- panic(err) -- } -- return []*restful.WebService{ws, ws2} -+ return ws - } - --func migrationPoliciesApiServiceDefinitions() []*restful.WebService { -+func migrationPoliciesApiServiceDefinitions(ws *restful.WebService) *restful.WebService { - mpGVR := migrationsv1.SchemeGroupVersion.WithResource(migrations.ResourceMigrationPolicies) - -- ws, err := groupVersionProxyBase(schema.GroupVersion{Group: migrationsv1.SchemeGroupVersion.Group, Version: migrationsv1.SchemeGroupVersion.Version}) -- if err != nil { -- panic(err) -- } -- -+ var err error - ws, err = genericClusterResourceProxy(ws, mpGVR, &migrationsv1.MigrationPolicy{}, migrationsv1.MigrationPolicyKind.Kind, &migrationsv1.MigrationPolicyList{}) - if err != nil { - panic(err) - } - -- ws2, err := resourceProxyAutodiscovery(mpGVR) -- if err != nil { -- panic(err) -- } -- return []*restful.WebService{ws, ws2} -+ return ws - } - --func instancetypeApiServiceDefinitions() []*restful.WebService { -+func instancetypeApiServiceDefinitions(ws *restful.WebService) *restful.WebService { - instancetypeGVR := instancetypev1beta1.SchemeGroupVersion.WithResource(instancetype.PluralResourceName) - clusterInstancetypeGVR := instancetypev1beta1.SchemeGroupVersion.WithResource(instancetype.ClusterPluralResourceName) - preferenceGVR := instancetypev1beta1.SchemeGroupVersion.WithResource(instancetype.PluralPreferenceResourceName) - clusterPreferenceGVR := instancetypev1beta1.SchemeGroupVersion.WithResource(instancetype.ClusterPluralPreferenceResourceName) - -- ws, err := groupVersionProxyBase(instancetypev1beta1.SchemeGroupVersion) -- if err != nil { -- panic(err) -- } -- -+ var err error - ws, err = genericNamespacedResourceProxy(ws, instancetypeGVR, &instancetypev1beta1.VirtualMachineInstancetype{}, "VirtualMachineInstancetype", &instancetypev1beta1.VirtualMachineInstancetypeList{}) - if err != nil { - panic(err) -@@ -224,53 +212,31 @@ func instancetypeApiServiceDefinitions() []*restful.WebService { - panic(err) - } - -- ws2, err := resourceProxyAutodiscovery(instancetypeGVR) -- if err != nil { -- panic(err) -- } -- -- return []*restful.WebService{ws, ws2} -+ return ws - } - --func poolApiServiceDefinitions() []*restful.WebService { -+func poolApiServiceDefinitions(ws *restful.WebService) *restful.WebService { - poolGVR := poolv1alpha1.SchemeGroupVersion.WithResource("virtualmachinepools") - -- ws, err := groupVersionProxyBase(poolv1alpha1.SchemeGroupVersion) -- if err != nil { -- panic(err) -- } -- -+ var err error - ws, err = genericNamespacedResourceProxy(ws, poolGVR, &poolv1alpha1.VirtualMachinePool{}, "VirtualMachinePool", &poolv1alpha1.VirtualMachinePoolList{}) - if err != nil { - panic(err) - } - -- ws2, err := resourceProxyAutodiscovery(poolGVR) -- if err != nil { -- panic(err) -- } -- -- return []*restful.WebService{ws, ws2} -+ return ws - } - --func vmCloneDefinitions() []*restful.WebService { -+func vmCloneDefinitions(ws *restful.WebService) *restful.WebService { - mpGVR := clonev1lpha1.SchemeGroupVersion.WithResource(clone.ResourceVMClonePlural) - -- ws, err := groupVersionProxyBase(schema.GroupVersion{Group: clonev1lpha1.SchemeGroupVersion.Group, Version: clonev1lpha1.SchemeGroupVersion.Version}) -- if err != nil { -- panic(err) -- } -- -+ var err error - ws, err = genericClusterResourceProxy(ws, mpGVR, &clonev1lpha1.VirtualMachineClone{}, clonev1lpha1.VirtualMachineCloneKind.Kind, &clonev1lpha1.VirtualMachineCloneList{}) - if err != nil { - panic(err) - } - -- ws2, err := resourceProxyAutodiscovery(mpGVR) -- if err != nil { -- panic(err) -- } -- return []*restful.WebService{ws, ws2} -+ return ws - } - - func groupVersionProxyBase(gv schema.GroupVersion) (*restful.WebService, error) { -@@ -295,25 +261,25 @@ func genericNamespacedResourceProxy(ws *restful.WebService, gvr schema.GroupVers - listExample := reflect.ValueOf(objListPointer).Elem().Interface() - - ws.Route(addNamespaceParam(ws, -- createOperation(ws, NamespacedResourceBasePath(gvr), objExample). -+ createOperation(ws, BaseNamespacedResourceBasePath(gvr), objExample). - Operation("createNamespaced"+objKind). - Doc("Create a "+objKind+obj), - )) - - ws.Route(addNamespaceParam(ws, -- replaceOperation(ws, NamespacedResourcePath(gvr), objExample). -+ replaceOperation(ws, BaseNamespacedResourcePath(gvr), objExample). - Operation("replaceNamespaced"+objKind). - Doc("Update a "+objKind+obj), - )) - - ws.Route(addNamespaceParam(ws, -- deleteOperation(ws, NamespacedResourcePath(gvr)). -+ deleteOperation(ws, BaseNamespacedResourcePath(gvr)). - Operation("deleteNamespaced"+objKind). - Doc("Delete a "+objKind+obj), - )) - - ws.Route(addNamespaceParam(ws, -- readOperation(ws, NamespacedResourcePath(gvr), objExample). -+ readOperation(ws, BaseNamespacedResourcePath(gvr), objExample). - Operation("readNamespaced"+objKind). - Doc("Get a "+objKind+obj), - )) -@@ -325,7 +291,7 @@ func genericNamespacedResourceProxy(ws *restful.WebService, gvr schema.GroupVers - ) - - ws.Route(addNamespaceParam(ws, -- patchOperation(ws, NamespacedResourcePath(gvr), objExample). -+ patchOperation(ws, BaseNamespacedResourcePath(gvr), objExample). - Operation("patchNamespaced"+objKind). - Doc("Patch a "+objKind+obj), - )) -@@ -339,19 +305,19 @@ func genericNamespacedResourceProxy(ws *restful.WebService, gvr schema.GroupVers - - // TODO, implement watch. For now it is here to provide swagger doc only - ws.Route(addNamespaceParam(ws, -- watchOperation(ws, "/watch"+NamespacedResourceBasePath(gvr)). -+ watchOperation(ws, "/watch"+BaseNamespacedResourceBasePath(gvr)). - Operation("watchNamespaced"+objKind). - Doc(watch+objKind+obj), - )) - - ws.Route(addNamespaceParam(ws, -- listOperation(ws, NamespacedResourceBasePath(gvr), listExample). -+ listOperation(ws, BaseNamespacedResourceBasePath(gvr), listExample). - Operation("listNamespaced"+objKind). - Doc("Get a list of "+objKind+objs), - )) - - ws.Route( -- deleteCollectionOperation(ws, NamespacedResourceBasePath(gvr)). -+ deleteCollectionOperation(ws, BaseNamespacedResourceBasePath(gvr)). - Operation("deleteCollectionNamespaced" + objKind). - Doc("Delete a collection of " + objKind + objs), - ) -@@ -642,10 +608,22 @@ func GroupVersionBasePath(gvr schema.GroupVersion) string { - return fmt.Sprintf("/apis/%s/%s", gvr.Group, gvr.Version) - } - -+// BaseNamespacedResourceBasePath concatenates NamespacedResourceBasePath result with group version base prefix. -+// WebService no longer uses the root path with group version, so it's necessary to set group version path here. -+func BaseNamespacedResourceBasePath(gvr schema.GroupVersionResource) string { -+ return GroupVersionBasePath(gvr.GroupVersion()) + NamespacedResourceBasePath(gvr) -+} -+ - func NamespacedResourceBasePath(gvr schema.GroupVersionResource) string { - return fmt.Sprintf("/namespaces/{namespace:[a-z0-9][a-z0-9\\-]*}/%s", gvr.Resource) - } - -+// BaseNamespacedResourcePath concatenates NamespacedResourcePath result with group version base prefix. -+// WebService no longer uses the root path with group version, so it's necessary to set group version path here. -+func BaseNamespacedResourcePath(gvr schema.GroupVersionResource) string { -+ return GroupVersionBasePath(gvr.GroupVersion()) + NamespacedResourcePath(gvr) -+} -+ - func NamespacedResourcePath(gvr schema.GroupVersionResource) string { - return fmt.Sprintf("/namespaces/{namespace:[a-z0-9][a-z0-9\\-]*}/%s/{name:[a-z0-9][a-z0-9\\-]*}", gvr.Resource) - } -diff --git a/pkg/virt-controller/watch/clone/util.go b/pkg/virt-controller/watch/clone/util.go -index cb66290f7..9cce76b10 100644 ---- a/pkg/virt-controller/watch/clone/util.go -+++ b/pkg/virt-controller/watch/clone/util.go -@@ -16,12 +16,13 @@ import ( - "k8s.io/apimachinery/pkg/util/rand" - - clonev1alpha1 "kubevirt.io/api/clone/v1alpha1" -+ coreapi "kubevirt.io/api/core" - v1 "kubevirt.io/api/core/v1" - ) - - const ( - vmKind = "VirtualMachine" -- kubevirtApiGroup = "kubevirt.io" -+ kubevirtApiGroup = coreapi.GroupName - ) - - // variable so can be overridden in tests -diff --git a/pkg/virt-operator/resource/generate/components/crds.go b/pkg/virt-operator/resource/generate/components/crds.go -index 822f3d82b..23f3a96a6 100644 ---- a/pkg/virt-operator/resource/generate/components/crds.go -+++ b/pkg/virt-operator/resource/generate/components/crds.go -@@ -156,9 +156,9 @@ func NewVirtualMachineInstanceCrd() (*extv1.CustomResourceDefinition, error) { - Plural: "virtualmachineinstances", - Singular: "virtualmachineinstance", - Kind: virtv1.VirtualMachineInstanceGroupVersionKind.Kind, -- ShortNames: []string{"vmi", "vmis"}, -+ ShortNames: []string{"xvmi", "xvmis"}, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -@@ -194,9 +194,9 @@ func NewVirtualMachineCrd() (*extv1.CustomResourceDefinition, error) { - Plural: "virtualmachines", - Singular: "virtualmachine", - Kind: virtv1.VirtualMachineGroupVersionKind.Kind, -- ShortNames: []string{"vm", "vms"}, -+ ShortNames: []string{"xvm", "xvms"}, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -@@ -244,9 +244,9 @@ func NewPresetCrd() (*extv1.CustomResourceDefinition, error) { - Plural: "virtualmachineinstancepresets", - Singular: "virtualmachineinstancepreset", - Kind: virtv1.VirtualMachineInstancePresetGroupVersionKind.Kind, -- ShortNames: []string{"vmipreset", "vmipresets"}, -+ ShortNames: []string{"xvmipreset", "xvmipresets"}, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -@@ -271,9 +271,9 @@ func NewReplicaSetCrd() (*extv1.CustomResourceDefinition, error) { - Plural: "virtualmachineinstancereplicasets", - Singular: "virtualmachineinstancereplicaset", - Kind: virtv1.VirtualMachineInstanceReplicaSetGroupVersionKind.Kind, -- ShortNames: []string{"vmirs", "vmirss"}, -+ ShortNames: []string{"xvmirs", "xvmirss"}, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -@@ -316,9 +316,9 @@ func NewVirtualMachineInstanceMigrationCrd() (*extv1.CustomResourceDefinition, e - Plural: "virtualmachineinstancemigrations", - Singular: "virtualmachineinstancemigration", - Kind: virtv1.VirtualMachineInstanceMigrationGroupVersionKind.Kind, -- ShortNames: []string{"vmim", "vmims"}, -+ ShortNames: []string{"xvmim", "xvmims"}, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -@@ -370,9 +370,9 @@ func NewKubeVirtCrd() (*extv1.CustomResourceDefinition, error) { - Plural: "kubevirts", - Singular: "kubevirt", - Kind: virtv1.KubeVirtGroupVersionKind.Kind, -- ShortNames: []string{"kv", "kvs"}, -+ ShortNames: []string{"xkv", "xkvs"}, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -@@ -411,9 +411,9 @@ func NewVirtualMachinePoolCrd() (*extv1.CustomResourceDefinition, error) { - Plural: "virtualmachinepools", - Singular: "virtualmachinepool", - Kind: "VirtualMachinePool", -- ShortNames: []string{"vmpool", "vmpools"}, -+ ShortNames: []string{"xvmpool", "xvmpools"}, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -@@ -463,9 +463,9 @@ func NewVirtualMachineSnapshotCrd() (*extv1.CustomResourceDefinition, error) { - Plural: "virtualmachinesnapshots", - Singular: "virtualmachinesnapshot", - Kind: "VirtualMachineSnapshot", -- ShortNames: []string{"vmsnapshot", "vmsnapshots"}, -+ ShortNames: []string{"xvmsnapshot", "xvmsnapshots"}, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -@@ -505,9 +505,9 @@ func NewVirtualMachineSnapshotContentCrd() (*extv1.CustomResourceDefinition, err - Plural: "virtualmachinesnapshotcontents", - Singular: "virtualmachinesnapshotcontent", - Kind: "VirtualMachineSnapshotContent", -- ShortNames: []string{"vmsnapshotcontent", "vmsnapshotcontents"}, -+ ShortNames: []string{"xvmsnapshotcontent", "xvmsnapshotcontents"}, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -@@ -544,9 +544,9 @@ func NewVirtualMachineRestoreCrd() (*extv1.CustomResourceDefinition, error) { - Plural: "virtualmachinerestores", - Singular: "virtualmachinerestore", - Kind: "VirtualMachineRestore", -- ShortNames: []string{"vmrestore", "vmrestores"}, -+ ShortNames: []string{"xvmrestore", "xvmrestores"}, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -@@ -585,9 +585,9 @@ func NewVirtualMachineExportCrd() (*extv1.CustomResourceDefinition, error) { - Plural: "virtualmachineexports", - Singular: "virtualmachineexport", - Kind: "VirtualMachineExport", -- ShortNames: []string{"vmexport", "vmexports"}, -+ ShortNames: []string{"xvmexport", "xvmexports"}, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -@@ -615,9 +615,9 @@ func NewVirtualMachineInstancetypeCrd() (*extv1.CustomResourceDefinition, error) - Names: extv1.CustomResourceDefinitionNames{ - Plural: instancetype.PluralResourceName, - Singular: instancetype.SingularResourceName, -- ShortNames: []string{"vminstancetype", "vminstancetypes", "vmf", "vmfs"}, -+ ShortNames: []string{"xvminstancetype", "xvminstancetypes", "xvmf", "xvmfs"}, - Kind: "VirtualMachineInstancetype", -- Categories: []string{"all"}, -+ Categories: []string{"kubevirt"}, - }, - Scope: extv1.NamespaceScoped, - Conversion: &extv1.CustomResourceConversion{ -@@ -657,7 +657,7 @@ func NewVirtualMachineClusterInstancetypeCrd() (*extv1.CustomResourceDefinition, - Names: extv1.CustomResourceDefinitionNames{ - Plural: instancetype.ClusterPluralResourceName, - Singular: instancetype.ClusterSingularResourceName, -- ShortNames: []string{"vmclusterinstancetype", "vmclusterinstancetypes", "vmcf", "vmcfs"}, -+ ShortNames: []string{"xvmclusterinstancetype", "xvmclusterinstancetypes", "xvmcf", "xvmcfs"}, - Kind: "VirtualMachineClusterInstancetype", - }, - Scope: extv1.ClusterScoped, -@@ -698,9 +698,9 @@ func NewVirtualMachinePreferenceCrd() (*extv1.CustomResourceDefinition, error) { - Names: extv1.CustomResourceDefinitionNames{ - Plural: instancetype.PluralPreferenceResourceName, - Singular: instancetype.SingularPreferenceResourceName, -- ShortNames: []string{"vmpref", "vmprefs", "vmp", "vmps"}, -+ ShortNames: []string{"xvmpref", "xvmprefs", "xvmp", "xvmps"}, - Kind: "VirtualMachinePreference", -- Categories: []string{"all"}, -+ Categories: []string{"kubevirt"}, - }, - Scope: extv1.NamespaceScoped, - Conversion: &extv1.CustomResourceConversion{ -@@ -740,7 +740,7 @@ func NewVirtualMachineClusterPreferenceCrd() (*extv1.CustomResourceDefinition, e - Names: extv1.CustomResourceDefinitionNames{ - Plural: instancetype.ClusterPluralPreferenceResourceName, - Singular: instancetype.ClusterSingularPreferenceResourceName, -- ShortNames: []string{"vmcp", "vmcps"}, -+ ShortNames: []string{"xvmcp", "xvmcps"}, - Kind: "VirtualMachineClusterPreference", - }, - Scope: extv1.ClusterScoped, -@@ -827,10 +827,10 @@ func NewVirtualMachineCloneCrd() (*extv1.CustomResourceDefinition, error) { - Names: extv1.CustomResourceDefinitionNames{ - Plural: clone.ResourceVMClonePlural, - Singular: clone.ResourceVMCloneSingular, -- ShortNames: []string{"vmclone", "vmclones"}, -+ ShortNames: []string{"xvmclone", "xvmclones"}, - Kind: clonev1alpha1.VirtualMachineCloneKind.Kind, - Categories: []string{ -- "all", -+ "kubevirt", - }, - }, - } -diff --git a/pkg/virt-operator/resource/generate/rbac/apiserver.go b/pkg/virt-operator/resource/generate/rbac/apiserver.go -index 99e8fe12d..1f409c28c 100644 ---- a/pkg/virt-operator/resource/generate/rbac/apiserver.go -+++ b/pkg/virt-operator/resource/generate/rbac/apiserver.go -@@ -28,14 +28,16 @@ import ( - - "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" - -+ coreapi "kubevirt.io/api/core" - virtv1 "kubevirt.io/api/core/v1" - "kubevirt.io/api/migrations" -+ snapshotapi "kubevirt.io/api/snapshot" - ) - - const ( - VersionName = "rbac.authorization.k8s.io" - VersionNamev1 = "rbac.authorization.k8s.io/v1" -- GroupName = "kubevirt.io" -+ GroupName = coreapi.GroupName - ) - - func GetAllApiServer(namespace string) []runtime.Object { -@@ -195,7 +197,7 @@ func newApiServerClusterRole() *rbacv1.ClusterRole { - }, - { - APIGroups: []string{ -- "snapshot.kubevirt.io", -+ snapshotapi.GroupName, - }, - Resources: []string{ - "virtualmachinesnapshots", -@@ -208,7 +210,7 @@ func newApiServerClusterRole() *rbacv1.ClusterRole { - }, - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "datasources", -@@ -233,7 +235,7 @@ func newApiServerClusterRole() *rbacv1.ClusterRole { - }, - { - APIGroups: []string{ -- "instancetype.kubevirt.io", -+ instancetype.GroupName, - }, - Resources: []string{ - instancetype.PluralResourceName, -diff --git a/pkg/virt-operator/resource/generate/rbac/cluster.go b/pkg/virt-operator/resource/generate/rbac/cluster.go -index 1af14cb60..82659d6f8 100644 ---- a/pkg/virt-operator/resource/generate/rbac/cluster.go -+++ b/pkg/virt-operator/resource/generate/rbac/cluster.go -@@ -28,15 +28,20 @@ import ( - virtv1 "kubevirt.io/api/core/v1" - - "kubevirt.io/api/migrations" -+ -+ cloneapi "kubevirt.io/api/clone" -+ exportapi "kubevirt.io/api/export" -+ poolapi "kubevirt.io/api/pool" -+ snapshotapi "kubevirt.io/api/snapshot" - ) - - const ( - GroupNameSubresources = "subresources.kubevirt.io" -- GroupNameSnapshot = "snapshot.kubevirt.io" -- GroupNameExport = "export.kubevirt.io" -- GroupNameClone = "clone.kubevirt.io" -- GroupNameInstancetype = "instancetype.kubevirt.io" -- GroupNamePool = "pool.kubevirt.io" -+ GroupNameSnapshot = snapshotapi.GroupName -+ GroupNameExport = exportapi.GroupName -+ GroupNameClone = cloneapi.GroupName -+ GroupNameInstancetype = instancetype.GroupName -+ GroupNamePool = poolapi.GroupName - NameDefault = "kubevirt.io:default" - VMInstancesGuestOSInfo = "virtualmachineinstances/guestosinfo" - VMInstancesFileSysList = "virtualmachineinstances/filesystemlist" -diff --git a/pkg/virt-operator/resource/generate/rbac/controller.go b/pkg/virt-operator/resource/generate/rbac/controller.go -index 474ab93b0..b7a1e2a55 100644 ---- a/pkg/virt-operator/resource/generate/rbac/controller.go -+++ b/pkg/virt-operator/resource/generate/rbac/controller.go -@@ -28,7 +28,11 @@ import ( - - "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" - -+ coreapi "kubevirt.io/api/core" -+ "kubevirt.io/api/export" - "kubevirt.io/api/instancetype" -+ "kubevirt.io/api/pool" -+ "kubevirt.io/api/snapshot" - - virtv1 "kubevirt.io/api/core/v1" - "kubevirt.io/api/migrations" -@@ -311,7 +315,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole { - }, - { - APIGroups: []string{ -- "snapshot.kubevirt.io", -+ snapshot.GroupName, - }, - Resources: []string{ - "*", -@@ -322,7 +326,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole { - }, - { - APIGroups: []string{ -- "export.kubevirt.io", -+ export.GroupName, - }, - Resources: []string{ - "*", -@@ -333,7 +337,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole { - }, - { - APIGroups: []string{ -- "pool.kubevirt.io", -+ pool.GroupName, - }, - Resources: []string{ - "virtualmachinepools", -@@ -354,7 +358,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole { - }, - { - APIGroups: []string{ -- "kubevirt.io", -+ coreapi.GroupName, - }, - Resources: []string{ - "*", -@@ -380,7 +384,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole { - }, - { - APIGroups: []string{ -- "cdi.kubevirt.io", -+ "x.virtualization.deckhouse.io", - }, - Resources: []string{ - "*", -@@ -468,7 +472,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole { - }, - { - APIGroups: []string{ -- "instancetype.kubevirt.io", -+ instancetype.GroupName, - }, - Resources: []string{ - instancetype.PluralResourceName, -diff --git a/pkg/virt-operator/resource/generate/rbac/exportproxy.go b/pkg/virt-operator/resource/generate/rbac/exportproxy.go -index 071ed91f9..bcfe70f36 100644 ---- a/pkg/virt-operator/resource/generate/rbac/exportproxy.go -+++ b/pkg/virt-operator/resource/generate/rbac/exportproxy.go -@@ -24,7 +24,9 @@ import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - -+ coreapi "kubevirt.io/api/core" - virtv1 "kubevirt.io/api/core/v1" -+ "kubevirt.io/api/export" - ) - - const ExportProxyServiceAccountName = "kubevirt-exportproxy" -@@ -70,7 +72,7 @@ func newExportProxyClusterRole() *rbacv1.ClusterRole { - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{ -- "export.kubevirt.io", -+ export.GroupName, - }, - Resources: []string{ - "virtualmachineexports", -@@ -81,7 +83,7 @@ func newExportProxyClusterRole() *rbacv1.ClusterRole { - }, - { - APIGroups: []string{ -- "kubevirt.io", -+ coreapi.GroupName, - }, - Resources: []string{ - "kubevirts", -diff --git a/pkg/virt-operator/resource/generate/rbac/handler.go b/pkg/virt-operator/resource/generate/rbac/handler.go -index e55a4044e..a953a5929 100644 ---- a/pkg/virt-operator/resource/generate/rbac/handler.go -+++ b/pkg/virt-operator/resource/generate/rbac/handler.go -@@ -25,6 +25,7 @@ import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - -+ coreapi "kubevirt.io/api/core" - virtv1 "kubevirt.io/api/core/v1" - "kubevirt.io/api/migrations" - -@@ -72,7 +73,7 @@ func newHandlerClusterRole() *rbacv1.ClusterRole { - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{ -- "kubevirt.io", -+ coreapi.GroupName, - }, - Resources: []string{ - "virtualmachineinstances", -@@ -134,7 +135,7 @@ func newHandlerClusterRole() *rbacv1.ClusterRole { - }, - { - APIGroups: []string{ -- "kubevirt.io", -+ coreapi.GroupName, - }, - Resources: []string{ - "kubevirts", -diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go -index 98939edde..fd6e72c5c 100644 ---- a/pkg/virt-operator/resource/generate/rbac/operator.go -+++ b/pkg/virt-operator/resource/generate/rbac/operator.go -@@ -25,6 +25,7 @@ import ( - rbacv1 "k8s.io/api/rbac/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -+ coreapi "kubevirt.io/api/core" - virtv1 "kubevirt.io/api/core/v1" - - "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" -@@ -83,7 +84,7 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole { - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{ -- "kubevirt.io", -+ coreapi.GroupName, - }, - Resources: []string{ - "kubevirts", -diff --git a/pkg/virtctl/create/clone/clone.go b/pkg/virtctl/create/clone/clone.go -index d82de56b9..fae2a0aad 100644 ---- a/pkg/virtctl/create/clone/clone.go -+++ b/pkg/virtctl/create/clone/clone.go -@@ -28,6 +28,8 @@ import ( - v1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/util/rand" - clonev1alpha1 "kubevirt.io/api/clone/v1alpha1" -+ coreapi "kubevirt.io/api/core" -+ "kubevirt.io/api/snapshot" - "kubevirt.io/client-go/kubecli" - - "kubevirt.io/kubevirt/pkg/pointer" -@@ -248,14 +250,14 @@ func (c *createClone) typeToTypedLocalObjectReference(sourceOrTargetType, source - switch sourceOrTargetType { - case "vm", "VM", "VirtualMachine", "virtualmachine": - kind = "VirtualMachine" -- apiGroup = "kubevirt.io" -+ apiGroup = coreapi.GroupName - case "snapshot", "VirtualMachineSnapshot", "vmsnapshot", "VMSnapshot": - if !isSource { - return nil, generateErr() - } - - kind = "VirtualMachineSnapshot" -- apiGroup = "snapshot.kubevirt.io" -+ apiGroup = snapshot.GroupName - default: - return nil, generateErr() - } -diff --git a/staging/src/kubevirt.io/api/clone/register.go b/staging/src/kubevirt.io/api/clone/register.go -index 85a24c26e..faa19eed5 100644 ---- a/staging/src/kubevirt.io/api/clone/register.go -+++ b/staging/src/kubevirt.io/api/clone/register.go -@@ -21,7 +21,7 @@ package clone - - // GroupName is the group name used in this package - const ( -- GroupName = "clone.kubevirt.io" -+ GroupName = "x.virtualization.deckhouse.io" - LatestVersion = "v1alpha1" - Kind = "VirtualMachineClone" - ListKind = "VirtualMachineCloneList" -diff --git a/staging/src/kubevirt.io/api/core/register.go b/staging/src/kubevirt.io/api/core/register.go -index 22080c717..56b23f7d7 100644 ---- a/staging/src/kubevirt.io/api/core/register.go -+++ b/staging/src/kubevirt.io/api/core/register.go -@@ -1,4 +1,4 @@ - package core - - // GroupName is the group name use in this package --const GroupName = "kubevirt.io" -+const GroupName = "x.virtualization.deckhouse.io" -diff --git a/staging/src/kubevirt.io/api/export/register.go b/staging/src/kubevirt.io/api/export/register.go -index 844dbf5e0..82f95d730 100644 ---- a/staging/src/kubevirt.io/api/export/register.go -+++ b/staging/src/kubevirt.io/api/export/register.go -@@ -21,5 +21,5 @@ package export - - // GroupName is the group name used in this package - const ( -- GroupName = "export.kubevirt.io" -+ GroupName = "x.virtualization.deckhouse.io" - ) -diff --git a/staging/src/kubevirt.io/api/instancetype/register.go b/staging/src/kubevirt.io/api/instancetype/register.go -index d4eafd31f..cffbb27f5 100644 ---- a/staging/src/kubevirt.io/api/instancetype/register.go -+++ b/staging/src/kubevirt.io/api/instancetype/register.go -@@ -21,7 +21,7 @@ package instancetype - - // GroupName is the group name used in this package - const ( -- GroupName = "instancetype.kubevirt.io" -+ GroupName = "x.virtualization.deckhouse.io" - - SingularResourceName = "virtualmachineinstancetype" - PluralResourceName = SingularResourceName + "s" -diff --git a/staging/src/kubevirt.io/api/migrations/register.go b/staging/src/kubevirt.io/api/migrations/register.go -index dbb6d3c41..03d40a9c2 100644 ---- a/staging/src/kubevirt.io/api/migrations/register.go -+++ b/staging/src/kubevirt.io/api/migrations/register.go -@@ -21,7 +21,7 @@ package migrations - - // GroupName is the group name used in this package - const ( -- GroupName = "migrations.kubevirt.io" -+ GroupName = "x.virtualization.deckhouse.io" - Version = "v1alpha1" - - ResourceMigrationPolicies = "migrationpolicies" -diff --git a/staging/src/kubevirt.io/api/pool/register.go b/staging/src/kubevirt.io/api/pool/register.go -index 08b9d8c62..9f45555b2 100644 ---- a/staging/src/kubevirt.io/api/pool/register.go -+++ b/staging/src/kubevirt.io/api/pool/register.go -@@ -21,5 +21,5 @@ package pool - - // GroupName is the group name used in this package - const ( -- GroupName = "pool.kubevirt.io" -+ GroupName = "x.virtualization.deckhouse.io" - ) -diff --git a/staging/src/kubevirt.io/api/snapshot/register.go b/staging/src/kubevirt.io/api/snapshot/register.go -index 880a59292..4a1216cb8 100644 ---- a/staging/src/kubevirt.io/api/snapshot/register.go -+++ b/staging/src/kubevirt.io/api/snapshot/register.go -@@ -21,5 +21,5 @@ package snapshot - - // GroupName is the group name used in this package - const ( -- GroupName = "snapshot.kubevirt.io" -+ GroupName = "x.virtualization.deckhouse.io" - ) -diff --git a/staging/src/kubevirt.io/client-go/generated/containerized-data-importer/clientset/versioned/scheme/register.go b/staging/src/kubevirt.io/client-go/generated/containerized-data-importer/clientset/versioned/scheme/register.go -index 3ac7803dd..66a3c3a43 100644 ---- a/staging/src/kubevirt.io/client-go/generated/containerized-data-importer/clientset/versioned/scheme/register.go -+++ b/staging/src/kubevirt.io/client-go/generated/containerized-data-importer/clientset/versioned/scheme/register.go -@@ -31,10 +31,6 @@ import ( - var Scheme = runtime.NewScheme() - var Codecs = serializer.NewCodecFactory(Scheme) - var ParameterCodec = runtime.NewParameterCodec(Scheme) --var localSchemeBuilder = runtime.SchemeBuilder{ -- cdiv1beta1.AddToScheme, -- uploadv1beta1.AddToScheme, --} - - // AddToScheme adds all types of this clientset into the given scheme. This allows composition - // of clientsets, like in: -@@ -50,9 +46,44 @@ var localSchemeBuilder = runtime.SchemeBuilder{ - // - // After this, RawExtensions in Kubernetes types will serialize kube-aggregator types - // correctly. --var AddToScheme = localSchemeBuilder.AddToScheme -+var AddToScheme func(scheme *runtime.Scheme) error - - func init() { -+ cdiv1beta1.SchemeGroupVersion.Group = "x.virtualization.deckhouse.io" -+ cdiv1beta1.CDIGroupVersionKind.Group = "x.virtualization.deckhouse.io" -+ cdiv1beta1.SchemeBuilder = runtime.NewSchemeBuilder(func(scheme *runtime.Scheme) error { -+ scheme.AddKnownTypes(cdiv1beta1.SchemeGroupVersion, -+ &cdiv1beta1.DataVolume{}, -+ &cdiv1beta1.DataVolumeList{}, -+ &cdiv1beta1.CDIConfig{}, -+ &cdiv1beta1.CDIConfigList{}, -+ &cdiv1beta1.CDI{}, -+ &cdiv1beta1.CDIList{}, -+ &cdiv1beta1.StorageProfile{}, -+ &cdiv1beta1.StorageProfileList{}, -+ &cdiv1beta1.DataSource{}, -+ &cdiv1beta1.DataSourceList{}, -+ &cdiv1beta1.DataImportCron{}, -+ &cdiv1beta1.DataImportCronList{}, -+ &cdiv1beta1.ObjectTransfer{}, -+ &cdiv1beta1.ObjectTransferList{}, -+ &cdiv1beta1.VolumeImportSource{}, -+ &cdiv1beta1.VolumeImportSourceList{}, -+ &cdiv1beta1.VolumeUploadSource{}, -+ &cdiv1beta1.VolumeUploadSourceList{}, -+ &cdiv1beta1.VolumeCloneSource{}, -+ &cdiv1beta1.VolumeCloneSourceList{}, -+ ) -+ v1.AddToGroupVersion(scheme, cdiv1beta1.SchemeGroupVersion) -+ return nil -+ }) -+ cdiv1beta1.AddToScheme = cdiv1beta1.SchemeBuilder.AddToScheme -+ -+ AddToScheme = (&runtime.SchemeBuilder{ -+ cdiv1beta1.AddToScheme, -+ uploadv1beta1.AddToScheme, -+ }).AddToScheme -+ - v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"}) - utilruntime.Must(AddToScheme(Scheme)) - } -diff --git a/staging/src/kubevirt.io/client-go/generated/containerized-data-importer/clientset/versioned/typed/core/v1beta1/core_client.go b/staging/src/kubevirt.io/client-go/generated/containerized-data-importer/clientset/versioned/typed/core/v1beta1/core_client.go -index 2fd57771a..03660be5c 100644 ---- a/staging/src/kubevirt.io/client-go/generated/containerized-data-importer/clientset/versioned/typed/core/v1beta1/core_client.go -+++ b/staging/src/kubevirt.io/client-go/generated/containerized-data-importer/clientset/versioned/typed/core/v1beta1/core_client.go -@@ -113,6 +113,7 @@ func New(c rest.Interface) *CdiV1beta1Client { - - func setConfigDefaults(config *rest.Config) error { - gv := v1beta1.SchemeGroupVersion -+ gv.Group = "x.virtualization.deckhouse.io" - config.GroupVersion = &gv - config.APIPath = "/apis" - config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() diff --git a/images/virt-artifact/patches/012-support-kubeconfig-env.patch b/images/virt-artifact/patches/012-support-kubeconfig-env.patch new file mode 100644 index 000000000..529bd113b --- /dev/null +++ b/images/virt-artifact/patches/012-support-kubeconfig-env.patch @@ -0,0 +1,13 @@ +diff --git a/staging/src/kubevirt.io/client-go/kubecli/kubecli.go b/staging/src/kubevirt.io/client-go/kubecli/kubecli.go +index f5d3982a8..719717247 100644 +--- a/staging/src/kubevirt.io/client-go/kubecli/kubecli.go ++++ b/staging/src/kubevirt.io/client-go/kubecli/kubecli.go +@@ -99,7 +99,7 @@ var once sync.Once + // the different controller generators which normally add these flags too. + func Init() { + if flag.CommandLine.Lookup("kubeconfig") == nil { +- flag.StringVar(&kubeconfig, "kubeconfig", "", "absolute path to the kubeconfig file") ++ flag.StringVar(&kubeconfig, "kubeconfig", os.Getenv("KUBECONFIG"), "absolute path to the kubeconfig file") + } + if flag.CommandLine.Lookup("master") == nil { + flag.StringVar(&master, "master", "", "master url") diff --git a/images/virt-artifact/patches/README.md b/images/virt-artifact/patches/README.md index 30df45cbc..ead6ec3a4 100644 --- a/images/virt-artifact/patches/README.md +++ b/images/virt-artifact/patches/README.md @@ -26,11 +26,8 @@ The provided fix will always run the job in same place where virt-operator runs - https://github.com/kubevirt/kubevirt/pull/9360 -#### `010-override-crds.patch` - -Rename group name for all kubevirt CRDs to override them with deckhouse virtualization CRDs. - -Also, remove short names and change categories. Just in case. - #### `011-virt-api-authentication.patch` -Added the ability for virt-api to authenticate clients with certificates signed by our rootCA located in the config-map virtualization-ca. \ No newline at end of file +Added the ability for virt-api to authenticate clients with certificates signed by our rootCA located in the config-map virtualization-ca. + +#### `012-support-kubeconfig-env.patch` +Support `KUBECONFIG` environment variable. diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml index 6ad72e2da..fe6d1440c 100644 --- a/images/virt-artifact/werf.inc.yaml +++ b/images/virt-artifact/werf.inc.yaml @@ -3,7 +3,7 @@ {{- $builderImage := "quay.io/kubevirt/builder:2306070730-a3b45da40" }} {{- $version := "1.0.0" }} -artifact: {{ $.ImageName }} +image: {{ $.ImageName }} from: {{ $builderImage }} git: - add: /images/{{ $.ImageName }} @@ -19,7 +19,11 @@ shell: setup: - git clone --depth 1 --branch v{{ $version }} https://github.com/kubevirt/kubevirt.git /kubevirt - cd /kubevirt - - git apply /patches/*.patch + - | + for p in /patches/*.patch ; do + echo -n "Apply ${p} ... " + git apply ${p} || echo FAIL && echo OK + done - mkdir -p _out - echo "========== Build kubevirt images ============" - make bazel-build-image-bundle KUBEVIRT_RUN_UNNESTED=true diff --git a/images/virt-controller/werf.inc.yaml b/images/virt-controller/werf.inc.yaml index dc6f53664..5506075b1 100644 --- a/images/virt-controller/werf.inc.yaml +++ b/images/virt-controller/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: virt-artifact +- image: virt-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/virt-exportproxy/werf.inc.yaml b/images/virt-exportproxy/werf.inc.yaml index c543cfcf3..6026a127b 100644 --- a/images/virt-exportproxy/werf.inc.yaml +++ b/images/virt-exportproxy/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: virt-artifact +- image: virt-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/virt-exportserver/werf.inc.yaml b/images/virt-exportserver/werf.inc.yaml index a26b639b2..96af74ff6 100644 --- a/images/virt-exportserver/werf.inc.yaml +++ b/images/virt-exportserver/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: virt-artifact +- image: virt-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/virt-handler/werf.inc.yaml b/images/virt-handler/werf.inc.yaml index ac79ddde1..bd2ef733f 100644 --- a/images/virt-handler/werf.inc.yaml +++ b/images/virt-handler/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: virt-artifact +- image: virt-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml index c809a3778..723029cb1 100644 --- a/images/virt-launcher/werf.inc.yaml +++ b/images/virt-launcher/werf.inc.yaml @@ -2,7 +2,7 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: virt-artifact +- image: virt-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' diff --git a/images/virt-operator/werf.inc.yaml b/images/virt-operator/werf.inc.yaml index c738559f0..e4ec6dbe6 100644 --- a/images/virt-operator/werf.inc.yaml +++ b/images/virt-operator/werf.inc.yaml @@ -2,13 +2,13 @@ image: {{ $.ImageName }} fromImage: base-scratch import: -- artifact: virt-artifact +- image: virt-artifact add: /images/kubevirt/{{ $.ImageName }}:latest excludePaths: - 'sys' to: / before: setup -- artifact: virt-artifact +- image: virt-artifact add: / to: / includePaths: diff --git a/images/virtualization-artifact/cmd/virtualization-controller/main.go b/images/virtualization-artifact/cmd/virtualization-controller/main.go index 83e8750e9..a15447df5 100644 --- a/images/virtualization-artifact/cmd/virtualization-controller/main.go +++ b/images/virtualization-artifact/cmd/virtualization-controller/main.go @@ -11,9 +11,7 @@ import ( "go.uber.org/zap/zapcore" extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" apiruntime "k8s.io/apimachinery/pkg/runtime" - apiruntimeschema "k8s.io/apimachinery/pkg/runtime/schema" clientgoscheme "k8s.io/client-go/kubernetes/scheme" virtv1 "kubevirt.io/api/core/v1" cdiv1beta1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1" @@ -47,18 +45,13 @@ var ( ) const ( - defaultVerbosity = "1" - kubevirtCoreGroupName = "x.virtualization.deckhouse.io" - cdiCoreGroupName = "x.virtualization.deckhouse.io" + defaultVerbosity = "1" ) func init() { importerImage = getRequiredEnvVar(common.ImporterPodImageNameVar) uploaderImage = getRequiredEnvVar(common.UploaderPodImageNameVar) controllerNamespace = getRequiredEnvVar(common.PodNamespaceVar) - - overrideKubevirtCoreGroupName(kubevirtCoreGroupName) - overrideCDICoreGroupName(cdiCoreGroupName) } func setupLogger() { @@ -99,61 +92,6 @@ func getRequiredEnvVar(name string) string { return val } -func overrideKubevirtCoreGroupName(groupName string) { - virtv1.GroupVersion.Group = groupName - virtv1.SchemeGroupVersion.Group = groupName - virtv1.StorageGroupVersion.Group = groupName - for i := range virtv1.GroupVersions { - virtv1.GroupVersions[i].Group = groupName - } - - virtv1.VirtualMachineInstanceGroupVersionKind.Group = groupName - virtv1.VirtualMachineInstanceReplicaSetGroupVersionKind.Group = groupName - virtv1.VirtualMachineInstancePresetGroupVersionKind.Group = groupName - virtv1.VirtualMachineGroupVersionKind.Group = groupName - virtv1.VirtualMachineInstanceMigrationGroupVersionKind.Group = groupName - virtv1.KubeVirtGroupVersionKind.Group = groupName - - virtv1.SchemeBuilder = apiruntime.NewSchemeBuilder(virtv1.AddKnownTypesGenerator([]apiruntimeschema.GroupVersion{virtv1.GroupVersion})) - virtv1.AddToScheme = virtv1.SchemeBuilder.AddToScheme -} - -func overrideCDICoreGroupName(groupName string) { - cdiv1beta1.SchemeGroupVersion.Group = groupName - cdiv1beta1.CDIGroupVersionKind.Group = groupName - - cdiv1beta1.SchemeBuilder = apiruntime.NewSchemeBuilder(addKnownTypes) - cdiv1beta1.AddToScheme = cdiv1beta1.SchemeBuilder.AddToScheme -} - -// Adds the list of known types to Scheme. -func addKnownTypes(scheme *apiruntime.Scheme) error { - scheme.AddKnownTypes(cdiv1beta1.SchemeGroupVersion, - &cdiv1beta1.DataVolume{}, - &cdiv1beta1.DataVolumeList{}, - &cdiv1beta1.CDIConfig{}, - &cdiv1beta1.CDIConfigList{}, - &cdiv1beta1.CDI{}, - &cdiv1beta1.CDIList{}, - &cdiv1beta1.StorageProfile{}, - &cdiv1beta1.StorageProfileList{}, - &cdiv1beta1.DataSource{}, - &cdiv1beta1.DataSourceList{}, - &cdiv1beta1.DataImportCron{}, - &cdiv1beta1.DataImportCronList{}, - &cdiv1beta1.ObjectTransfer{}, - &cdiv1beta1.ObjectTransferList{}, - &cdiv1beta1.VolumeImportSource{}, - &cdiv1beta1.VolumeImportSourceList{}, - &cdiv1beta1.VolumeUploadSource{}, - &cdiv1beta1.VolumeUploadSourceList{}, - &cdiv1beta1.VolumeCloneSource{}, - &cdiv1beta1.VolumeCloneSourceList{}, - ) - metav1.AddToGroupVersion(scheme, cdiv1beta1.SchemeGroupVersion) - return nil -} - func main() { flag.Parse() @@ -172,6 +110,8 @@ func main() { log.Error(err, "") os.Exit(1) } + // Override content type to JSON so proxy can rewrite payloads. + cfg.ContentType = apiruntime.ContentTypeJSON leaderElectionNS := os.Getenv(common.PodNamespaceVar) if leaderElectionNS == "" { diff --git a/images/virtualization-artifact/pkg/apiserver/server/config.go b/images/virtualization-artifact/pkg/apiserver/server/config.go index 8b7989353..bf0598adc 100644 --- a/images/virtualization-artifact/pkg/apiserver/server/config.go +++ b/images/virtualization-artifact/pkg/apiserver/server/config.go @@ -73,7 +73,7 @@ func (c Config) Complete() (*Server, error) { if err != nil { return nil, err } - crd, err := kubeclient.CustomResourceDefinitions().Get(context.Background(), virtv2.Resource(virtv2.VMResource).String(), metav1.GetOptions{}) + crd, err := kubeclient.CustomResourceDefinitions().Get(context.Background(), virtv2.Resource(virtv2.VirtualMachineResource).String(), metav1.GetOptions{}) if err != nil { return nil, err } diff --git a/images/virtualization-artifact/pkg/controller/vm_reconciler.go b/images/virtualization-artifact/pkg/controller/vm_reconciler.go index aaa5c1ef5..692e69014 100644 --- a/images/virtualization-artifact/pkg/controller/vm_reconciler.go +++ b/images/virtualization-artifact/pkg/controller/vm_reconciler.go @@ -77,6 +77,32 @@ func (r *VMReconciler) SetupController(_ context.Context, mgr manager.Manager, c return fmt.Errorf("error setting watch on VirtualMachine: %w", err) } + // Subscribe on Kubevirt VirtualMachineInstances to update our VM status. + if err := ctr.Watch( + source.Kind(mgr.GetCache(), &virtv1.VirtualMachineInstance{}), + handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, vmi client.Object) []reconcile.Request { + return []reconcile.Request{ + { + NamespacedName: types.NamespacedName{ + Name: vmi.GetName(), + Namespace: vmi.GetNamespace(), + }, + }, + } + }), + predicate.Funcs{ + CreateFunc: func(e event.CreateEvent) bool { return true }, + DeleteFunc: func(e event.DeleteEvent) bool { return true }, + UpdateFunc: func(e event.UpdateEvent) bool { + oldVM := e.ObjectOld.(*virtv1.VirtualMachineInstance) + newVM := e.ObjectNew.(*virtv1.VirtualMachineInstance) + return oldVM.Status.Phase != newVM.Status.Phase + }, + }, + ); err != nil { + return fmt.Errorf("error setting watch on VirtualMachine: %w", err) + } + // Watch for Pods created on behalf of VMs. Handle only changes in status.phase. // Pod tracking is required to detect when Pod becomes Completed after guest initiated reset or shutdown. if err := ctr.Watch( diff --git a/images/virtualization-artifact/pkg/tls/util/util.go b/images/virtualization-artifact/pkg/tls/util/util.go index 107206103..a6e27dd69 100644 --- a/images/virtualization-artifact/pkg/tls/util/util.go +++ b/images/virtualization-artifact/pkg/tls/util/util.go @@ -9,7 +9,7 @@ import ( const CertificateBlockType string = "CERTIFICATE" func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) { - certs := []*x509.Certificate{} + var certs []*x509.Certificate for len(pemCerts) > 0 { var block *pem.Block block, pemCerts = pem.Decode(pemCerts) diff --git a/images/vmi-router/netlinkmanager/manager.go b/images/vmi-router/netlinkmanager/manager.go index da183c189..b7d2186fc 100644 --- a/images/vmi-router/netlinkmanager/manager.go +++ b/images/vmi-router/netlinkmanager/manager.go @@ -186,7 +186,7 @@ func (m *Manager) isManagedIP(ip string) (bool, error) { func (m *Manager) UpdateRoute(ctx context.Context, vm *virtv1alpha2.VirtualMachine) { // TODO Add cleanup if node was lost? // TODO What about migration? Is nodeName just changed to new node or we need some workarounds when 2 Pods are running? - if vm.Status.NodeName == "" { + if vm.Status.Node == "" { // VMI has no node assigned return } @@ -222,7 +222,7 @@ func (m *Manager) UpdateRoute(ctx context.Context, vm *virtv1alpha2.VirtualMachi // Retrieve a Cilium Node by VMs node name. ciliumNode := &ciliumv2.CiliumNode{} - err = m.client.Get(ctx, types.NamespacedName{Namespace: "", Name: vm.Status.NodeName}, ciliumNode) + err = m.client.Get(ctx, types.NamespacedName{Namespace: "", Name: vm.Status.Node}, ciliumNode) if err != nil { m.log.Error(err, "failed to get cilium node for vmi") } diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl new file mode 100644 index 000000000..c73b50b85 --- /dev/null +++ b/templates/_helpers.tpl @@ -0,0 +1,74 @@ +{{- define "strategic_affinity_patch" -}} + {{- $key := index . 0 -}} + {{- $labelValue := index . 1 -}} + '{{ include "tmplAntiAffinity" (list $key $labelValue) | fromYaml | toJson }}' +{{- end }} + +{{- define "tmplAntiAffinity" -}} + {{- $key := index . 0 -}} + {{- $labelValue := index . 1 -}} +spec: + template: + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: {{ $key }} + operator: In + values: + - {{ $labelValue }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{- define "kubeproxy_resources" -}} +cpu: 100m +memory: 150Mi +{{- end -}} + +{{- define "nowebhook_kubeproxy_patch" -}} + '{{ include "nowebhook_kubeproxy_patch_tmpl" . | fromYaml | toJson }}' +{{- end }} + +{{- define "nowebhook_kubeproxy_patch_tmpl" -}} + {{- $ctx := index . 0 -}} + {{- $containerName := index . 1 -}} + {{- $proxyImage := include "helm_lib_module_image" (list $ctx "kubeApiProxy") }} +metadata: + annotations: + kubectl.kubernetes.io/default-container: {{ $containerName }} +spec: + template: + spec: + volumes: + - name: kube-api-proxy-kubeconfig + configMap: + name: kube-api-proxy-kubeconfig + containers: + - name: proxy + image: {{ $proxyImage }} + imagePullPolicy: IfNotPresent + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }} + {{- if not ( $ctx.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "kubeproxy_resources" . | nindent 12 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + - name: {{ $containerName }} + env: + - name: KUBECONFIG + value: /kubeconfig.local/proxy.kubeconfig + volumeMounts: + - name: kube-api-proxy-kubeconfig + mountPath: /kubeconfig.local +{{- end -}} diff --git a/templates/cdi/_helpers.tpl b/templates/cdi/_helpers.tpl new file mode 100644 index 000000000..221db64ba --- /dev/null +++ b/templates/cdi/_helpers.tpl @@ -0,0 +1,58 @@ +{{- define "cdi.apiserver_kubeproxy_patch" -}} + '{{ include "cdi.apiserver_kubeproxy_patch_tmpl" . | fromYaml | toJson }}' +{{- end }} + +{{- define "cdi.apiserver_kubeproxy_patch_tmpl" -}} + {{- $proxyImage := include "helm_lib_module_image" (list . "kubeApiProxy") }} +metadata: + annotations: + kubectl.kubernetes.io/default-container: cdi-apiserver +spec: + template: + spec: + volumes: + - name: kube-api-proxy-kubeconfig + configMap: + name: kube-api-proxy-kubeconfig + containers: + - name: proxy + image: {{ $proxyImage }} + imagePullPolicy: Always + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }} + {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "kubeproxy_resources" . | nindent 12 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + ports: + - containerPort: 24192 + name: webhook-proxy + protocol: TCP + env: + - name: WEBHOOK_ADDRESS + value: "https://127.0.0.1:8443" + - name: WEBHOOK_CERT_FILE + value: "/var/run/certs/cdi-apiserver-server-cert/tls.crt" + - name: WEBHOOK_KEY_FILE + value: "/var/run/certs/cdi-apiserver-server-cert/tls.key" + volumeMounts: + - mountPath: /var/run/certs/cdi-apiserver-server-cert + name: server-cert + readOnly: true + - name: cdi-apiserver + env: + - name: KUBECONFIG + value: /kubeconfig.local/proxy.kubeconfig + volumeMounts: + - name: kube-api-proxy-kubeconfig + mountPath: /kubeconfig.local +{{- end -}} diff --git a/templates/cdi/cdi-operator/deployment.yaml b/templates/cdi/cdi-operator/deployment.yaml index 3d16ca868..791f06a5e 100644 --- a/templates/cdi/cdi-operator/deployment.yaml +++ b/templates/cdi/cdi-operator/deployment.yaml @@ -59,6 +59,8 @@ metadata: {{- include "helm_lib_module_labels" (list .) | nindent 2 }} name: cdi-operator namespace: d8-{{ .Chart.Name }} + annotations: + kubectl.kubernetes.io/default-container: cdi-operator spec: {{- include "helm_lib_deployment_strategy_and_replicas_for_ha" . | nindent 2 }} revisionHistoryLimit: 2 @@ -72,10 +74,30 @@ spec: spec: {{- include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "cdi-operator")) | nindent 6 }} containers: + - name: proxy + image: {{ include "helm_lib_module_image" (list . "kubeApiProxy") }} + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }} + {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "cdi_operator_resources" . | nindent 12 }} + {{- end }} - name: cdi-operator {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }} env: {{- include "cdi_images" . | nindent 8 }} + - name: KUBECONFIG + value: "/kubeconfig.local/proxy.kubeconfig" - name: DEPLOY_CLUSTER_RESOURCES value: "true" - name: OPERATOR_VERSION @@ -97,8 +119,15 @@ spec: {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} {{- include "cdi_operator_resources" . | nindent 12 }} {{- end }} + volumeMounts: + - name: kube-api-proxy-kubeconfig + mountPath: /kubeconfig.local {{- include "helm_lib_priority_class" (tuple . "cluster-low") | nindent 6 }} {{- include "helm_lib_node_selector" (tuple . "system") | nindent 6 }} {{- include "helm_lib_tolerations" (tuple . "system") | nindent 6 }} {{- include "helm_lib_module_pod_security_context_run_as_user_nobody" . | nindent 6 }} serviceAccountName: cdi-operator + volumes: + - name: kube-api-proxy-kubeconfig + configMap: + name: kube-api-proxy-kubeconfig diff --git a/templates/cdi/cdi-operator/rbac-for-us.yaml b/templates/cdi/cdi-operator/rbac-for-us.yaml index 9bcb328d0..810371ea6 100644 --- a/templates/cdi/cdi-operator/rbac-for-us.yaml +++ b/templates/cdi/cdi-operator/rbac-for-us.yaml @@ -40,7 +40,7 @@ rules: - update - delete - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io - upload.cdi.kubevirt.io resources: - '*' @@ -123,28 +123,28 @@ rules: verbs: - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - datavolumes + - dvpinternaldatavolumes verbs: - list - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - datasources + - dvpinternaldatasources verbs: - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - cdis + - dvpinternalcdis verbs: - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - cdis/finalizers + - dvpinternalcdis/finalizers verbs: - update - apiGroups: @@ -219,7 +219,7 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - '*' verbs: @@ -286,9 +286,9 @@ rules: verbs: - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - dataimportcrons + - dvpinternaldataimportcrons verbs: - get - list diff --git a/templates/cdi/cdi.yaml b/templates/cdi/cdi.yaml index 2adca57c2..065505e9e 100644 --- a/templates/cdi/cdi.yaml +++ b/templates/cdi/cdi.yaml @@ -2,9 +2,12 @@ {{- $nodeSelectorMaster := index (include "helm_lib_node_selector" (tuple . "master") | fromYaml) "nodeSelector" | default (dict) | toJson }} {{- $tolerationsSystem := index (include "helm_lib_tolerations" (tuple . "system") | fromYaml) "tolerations" | default (list) | toJson }} {{- $tolerationsAnyNode := index (include "helm_lib_tolerations" (tuple . "any-node") | fromYaml) "tolerations" | default (list) | toJson }} +{{- $proxyImage := include "helm_lib_module_image" (list . "kubeApiProxy") | toJson }} +{{- $kubeAPIProxyRewriter := true }} +{{- $webhookProxyPort := 24192 }} --- -apiVersion: x.virtualization.deckhouse.io/v1beta1 -kind: CDI +apiVersion: internal.virtualization.deckhouse.io/v1beta1 +kind: DVPInternalCDI metadata: name: cdi namespace: d8-{{ .Chart.Name }} @@ -36,16 +39,6 @@ spec: resourceName: cdi-uploadproxy patch: '[{"op":"replace","path":"/spec/replicas","value":0}]' type: json - {{- if ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} - - resourceType: Deployment - resourceName: cdi-apiserver - patch: '[{"op":"replace","path":"/spec/template/spec/containers/0/resources/requests","value":{}}]' - type: json - - resourceType: Deployment - resourceName: cdi-deployment - patch: '[{"op":"replace","path":"/spec/template/spec/containers/0/resources/requests","value":{}}]' - type: json - {{- end }} {{- if (include "helm_lib_ha_enabled" .) }} - resourceType: Deployment @@ -54,8 +47,8 @@ spec: type: json - resourceType: Deployment resourceName: cdi-apiserver - patch: '[{"op":"replace","path":"/spec/template/spec/affinity","value":{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"cdi.kubevirt.io","operator":"In","values":["cdi-apiserver"]}]},"topologyKey":"kubernetes.io/hostname"}]}}}]' - type: json + patch: {{ include "strategic_affinity_patch" (list "app" "cdi-apiserver") }} + type: strategic - resourceType: Deployment resourceName: cdi-deployment @@ -63,9 +56,89 @@ spec: type: json - resourceType: Deployment resourceName: cdi-deployment - patch: '[{"op":"replace","path":"/spec/template/spec/affinity","value":{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["containerized-data-importer"]}]},"topologyKey":"kubernetes.io/hostname"}]}}}]' + patch: {{ include "strategic_affinity_patch" (list "app" "containerized-data-importer") }} + type: strategic + {{- end }} + + {{- if $kubeAPIProxyRewriter }} + - resourceType: Deployment + resourceName: cdi-apiserver + patch: {{ include "cdi.apiserver_kubeproxy_patch" . }} + type: strategic + + - resourceType: Deployment + resourceName: cdi-deployment + patch: {{ include "nowebhook_kubeproxy_patch" (list . "cdi-controller") }} + type: strategic + + # Change service in webhook configurations to point to the rewriter proxy. + # Add port to cdi-api service. + - resourceName: cdi-api + resourceType: Service + patch: | + [{"op":"replace", "path":"/spec/ports/0/name", "value":"https"}] type: json + - resourceName: cdi-api + resourceType: Service + patch: | + {"spec":{"ports":[ + {"name": "webhook-proxy", + "port": {{ $webhookProxyPort }}, + "protocol": "TCP", + "targetPort": "webhook-proxy"} + ]}} + type: strategic + - resourceName: cdi-api-datavolume-mutate + resourceType: MutatingWebhookConfiguration + patch: | + {"webhooks":[ + { "name":"datavolume-mutate.cdi.kubevirt.io", + "clientConfig":{"service":{"port": {{ $webhookProxyPort }} }}} + ]} + type: strategic + - resourceName: cdi-api-dataimportcron-validate + resourceType: ValidatingWebhookConfiguration + patch: | + {"webhooks":[ + { "name":"dataimportcron-validate.cdi.kubevirt.io", + "clientConfig":{"service":{"port": {{ $webhookProxyPort }} }}} + ]} + type: strategic + - resourceName: cdi-api-datavolume-validate + resourceType: ValidatingWebhookConfiguration + patch: | + {"webhooks":[ + { "name":"datavolume-validate.cdi.kubevirt.io", + "clientConfig":{"service":{"port": {{ $webhookProxyPort }} }}} + ]} + type: strategic + - resourceName: cdi-api-populator-validate + resourceType: ValidatingWebhookConfiguration + patch: | + {"webhooks":[ + { "name":"populator-validate.cdi.kubevirt.io", + "clientConfig":{"service":{"port": {{ $webhookProxyPort }} }}} + ]} + type: strategic + - resourceName: cdi-api-validate + resourceType: ValidatingWebhookConfiguration + patch: | + {"webhooks":[ + { "name":"cdi-validate.cdi.kubevirt.io", + "clientConfig":{"service":{"port": {{ $webhookProxyPort }} }}} + ]} + type: strategic + - resourceName: objecttransfer-api-validate + resourceType: ValidatingWebhookConfiguration + patch: | + {"webhooks":[ + { "name":"objecttransfer-validate.cdi.kubevirt.io", + "clientConfig":{"service":{"port": {{ $webhookProxyPort }} }}} + ]} + type: strategic + {{- end }} + workload: nodeSelector: kubernetes.io/os: linux diff --git a/templates/kube-api-proxy-kubeconfig-cm.yaml b/templates/kube-api-proxy-kubeconfig-cm.yaml new file mode 100644 index 000000000..5373651ac --- /dev/null +++ b/templates/kube-api-proxy-kubeconfig-cm.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: kube-api-proxy-kubeconfig + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list .) | nindent 2 }} +data: + proxy.kubeconfig: | + apiVersion: v1 + kind: Config + clusters: + - cluster: + server: http://127.0.0.1:23915 + name: proxy.api.server + contexts: + - context: + cluster: proxy.api.server + name: proxy.api.server + current-context: proxy.api.server diff --git a/templates/kubevirt/_helpers.tpl b/templates/kubevirt/_helpers.tpl new file mode 100644 index 000000000..4ac1abff3 --- /dev/null +++ b/templates/kubevirt/_helpers.tpl @@ -0,0 +1,62 @@ + +{{- define "kubevirt.apiserver_kubeproxy_patch" -}} + '{{ include "kubevirt.apiserver_kubeproxy_patch_tmpl" . | fromYaml | toJson }}' +{{- end }} + + +{{- define "kubevirt.apiserver_kubeproxy_patch_tmpl" -}} + {{- $proxyImage := include "helm_lib_module_image" (list . "kubeApiProxy") }} +metadata: + annotations: + kubectl.kubernetes.io/default-container: virt-api +spec: + template: + spec: + volumes: + - name: kube-api-proxy-kubeconfig + configMap: + name: kube-api-proxy-kubeconfig + containers: + - name: proxy + image: {{ $proxyImage }} + imagePullPolicy: IfNotPresent + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }} + {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "cdi.kubeproxy_resources" . | nindent 12 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + ports: + - containerPort: 24192 + name: webhook-proxy + protocol: TCP + env: + - name: WEBHOOK_ADDRESS + value: https://127.0.0.1:8443 + - name: WEBHOOK_CERT_FILE + value: /etc/virt-api/certificates/tls.crt + - name: WEBHOOK_KEY_FILE + value: /etc/virt-api/certificates/tls.key + volumeMounts: + - name: kubevirt-virt-api-certs + mountPath: /etc/virt-api/certificates + readOnly: true + - name: virt-api + command: + - virt-api + - --kubeconfig=/kubeconfig.local/proxy.kubeconfig + volumeMounts: + - name: kube-api-proxy-kubeconfig + mountPath: /kubeconfig.local +{{- end -}} + + diff --git a/templates/kubevirt/kubevirt.yaml b/templates/kubevirt/kubevirt.yaml index 0f19517ca..87630ee9f 100644 --- a/templates/kubevirt/kubevirt.yaml +++ b/templates/kubevirt/kubevirt.yaml @@ -2,9 +2,12 @@ {{- $nodeSelectorMaster := index (include "helm_lib_node_selector" (tuple . "master") | fromYaml) "nodeSelector" | default (dict) | toJson }} {{- $tolerationsSystem := index (include "helm_lib_tolerations" (tuple . "system") | fromYaml) "tolerations" | default (list) | toJson }} {{- $tolerationsAnyNode := index (include "helm_lib_tolerations" (tuple . "any-node") | fromYaml) "tolerations" | default (list) | toJson }} +{{- $proxyImage := include "helm_lib_module_image" (list . "kubeApiProxy") | toJson }} +{{- $kubeAPIProxyRewriter := true }} +{{- $webhookProxyPort := 24192 }} --- -apiVersion: x.virtualization.deckhouse.io/v1 -kind: KubeVirt +apiVersion: internal.virtualization.deckhouse.io/v1 +kind: DVPInternalKubeVirt metadata: name: kubevirt namespace: d8-{{ .Chart.Name }} @@ -27,6 +30,9 @@ spec: - Sidecar - VolumeSnapshotDataSource customizeComponents: + flags: + api: {} + controller: {} patches: - resourceType: Deployment resourceName: virt-api @@ -52,30 +58,203 @@ spec: resourceName: virt-exportproxy patch: '[{"op":"replace","path":"/spec/replicas","value":0}]' type: json - {{- if ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} - - resourceType: Deployment - resourceName: virt-api - patch: '[{"op":"replace","path":"/spec/template/spec/containers/0/resources/requests","value":{}}]' - type: json - - resourceType: Deployment - resourceName: virt-controller - patch: '[{"op":"replace","path":"/spec/template/spec/containers/0/resources/requests","value":{}}]' - type: json - - resourceType: DaemonSet - resourceName: virt-handler - patch: '[{"op":"replace","path":"/spec/template/spec/containers/0/resources/requests","value":{}}]' - type: json - {{- end }} {{- if (include "helm_lib_ha_enabled" .) }} - resourceType: Deployment resourceName: virt-api - patch: '[{"op":"replace","path":"/spec/template/spec/affinity","value":{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"kubevirt.io","operator":"In","values":["virt-api"]}]},"topologyKey":"kubernetes.io/hostname"}]}}}]' - type: json + patch: {{ include "strategic_affinity_patch" (list "kubevirt.io" "virt-api") }} + type: strategic - resourceType: Deployment resourceName: virt-controller - patch: '[{"op":"replace","path":"/spec/template/spec/affinity","value":{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"kubevirt.io","operator":"In","values":["virt-controller"]}]},"topologyKey":"kubernetes.io/hostname"}]}}}]' + patch: {{ include "strategic_affinity_patch" (list "kubevirt.io" "virt-controller") }} + type: strategic + {{- end }} + + {{- if $kubeAPIProxyRewriter }} + - resourceName: virt-controller + resourceType: Deployment + patch: {{ include "nowebhook_kubeproxy_patch" (list . "virt-controller") }} + type: strategic + + - resourceName: virt-api + resourceType: Deployment + patch: {{ include "kubevirt.apiserver_kubeproxy_patch" . }} + type: strategic + + - resourceName: virt-handler + resourceType: DaemonSet + patch: {{ include "nowebhook_kubeproxy_patch" (list . "virt-handler") }} + type: strategic + + - resourceName: virt-exportproxy + resourceType: Deployment + patch: {{ include "nowebhook_kubeproxy_patch" (list . "exportproxy") }} + type: strategic + + # Patch services used in webhook configurations, add webhook-proxy port 24192. + - resourceName: virt-api + resourceType: Service + patch: | + [{"op":"replace", "path":"/spec/ports/0/name", "value":"https"}] type: json + - resourceName: virt-api + resourceType: Service + patch: | + {"spec":{"ports":[ + {"name": "webhook-proxy", + "port": {{ $webhookProxyPort }}, + "protocol": "TCP", + "targetPort": "webhook-proxy"} + ]}} + type: strategic + - resourceName: kubevirt-operator-webhook + resourceType: Service + patch: | + {"spec":{"ports":[ + {"name": "webhook-proxy", + "port": {{ $webhookProxyPort }}, + "protocol": "TCP", + "targetPort": "webhook-proxy"} + ]}} + type: strategic + # Change service in webhook configuration to point to the rewriter proxy. + # Patch was produced with this jq command: + # kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io virt-api-validator -o json | jq '{"webhooks": .webhooks|map({"name":.name, "clientConfig":{"service":{"port":24192}}}) }' + # virt-api-webhook-proxy service is created separately. + - resourceName: virt-api-validator + resourceType: ValidatingWebhookConfiguration + patch: | + { + "webhooks": [ + { + "name": "virt-launcher-eviction-interceptor.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachineinstances-create-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachineinstances-update-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachine-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachinereplicaset-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachinepool-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachinepreset-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "migration-create-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "migration-update-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachinesnapshot-validator.snapshot.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachinerestore-validator.snapshot.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachineexport-validator.export.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachineinstancetype-validator.instancetype.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachineclusterinstancetype-validator.instancetype.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachinepreference-validator.instancetype.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachineclusterpreference-validator.instancetype.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "kubevirt-crd-status-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "migration-policy-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "vm-clone-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + } + ] + } + type: strategic + # Change service in webhook configuration to point to the rewriter proxy. + # Patch was produced with this jq command: + # kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io virt-api-mutator -o json | jq '{"webhooks": .webhooks|map({"name":.name, "clientConfig":{"service":{"port":24192}}}) }' + # virt-api-webhook-proxy service is created separately. + - resourceName: virt-api-mutator + resourceType: MutatingWebhookConfiguration + patch: | + { + "webhooks": [ + { + "name": "virtualmachines-mutator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachineinstances-mutator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "migrations-mutator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "virtualmachineclones-mutator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + } + ] + } + type: strategic + # Change service in webhook configuration to point to the rewriter proxy. + # Patch was produced with this jq command: + # kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io virt-operator-validator -o json | jq '{"webhooks": .webhooks|map({"name":.name, "clientConfig":{"service":{"port":24192}}}) }' + # kubevirt-operator-webhook-proxy service is created separately. + - resourceName: virt-operator-validator + resourceType: ValidatingWebhookConfiguration + patch: | + { + "webhooks": [ + { + "name": "kubevirt-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + }, + { + "name": "kubevirt-update-validator.kubevirt.io", + "clientConfig": {"service": {"port": {{ $webhookProxyPort }} }} + } + ] + } + + type: strategic {{- end }} + imagePullPolicy: IfNotPresent imagePullSecrets: - name: virtualization-module-registry diff --git a/templates/kubevirt/virt-operator/deployment.yaml b/templates/kubevirt/virt-operator/deployment.yaml index cb89c8603..36166118f 100644 --- a/templates/kubevirt/virt-operator/deployment.yaml +++ b/templates/kubevirt/virt-operator/deployment.yaml @@ -61,6 +61,8 @@ metadata: {{- include "helm_lib_module_labels" (list . (dict "app" "virt-operator")) | nindent 2 }} name: virt-operator namespace: d8-{{ .Chart.Name }} + annotations: + kubectl.kubernetes.io/default-container: virt-operator spec: {{- include "helm_lib_deployment_strategy_and_replicas_for_ha" . | nindent 2 }} revisionHistoryLimit: 2 @@ -88,9 +90,44 @@ spec: topologyKey: kubernetes.io/hostname weight: 1 containers: + - name: proxy + image: {{ include "helm_lib_module_image" (list . "kubeApiProxy") }} + imagePullPolicy: Always + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }} + {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "cdi_operator_resources" . | nindent 12 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + ports: + - containerPort: 24192 + name: webhook-proxy + protocol: TCP + env: + - name: WEBHOOK_ADDRESS + value: "https://127.0.0.1:8444" + - name: WEBHOOK_CERT_FILE + value: "/etc/virt-operator/certificates/tls.crt" + - name: WEBHOOK_KEY_FILE + value: "/etc/virt-operator/certificates/tls.key" + volumeMounts: + - mountPath: /etc/virt-operator/certificates + name: kubevirt-operator-certs + readOnly: true - name: virt-operator {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }} args: + - --kubeconfig + - /kubeconfig.local/proxy.kubeconfig - --port - "8443" - -v @@ -131,6 +168,8 @@ spec: readOnly: true - mountPath: /profile-data name: profile-data + - mountPath: /kubeconfig.local + name: kube-api-proxy-kubeconfig {{- include "helm_lib_priority_class" (tuple . "system-cluster-critical") | nindent 6 }} {{- include "helm_lib_node_selector" (tuple . "master") | nindent 6 }} {{- include "helm_lib_tolerations" (tuple . "any-node") | nindent 6 }} @@ -143,3 +182,6 @@ spec: secretName: kubevirt-operator-certs - emptyDir: {} name: profile-data + - name: kube-api-proxy-kubeconfig + configMap: + name: kube-api-proxy-kubeconfig diff --git a/templates/kubevirt/virt-operator/rbac-for-us.yaml b/templates/kubevirt/virt-operator/rbac-for-us.yaml index 97d02eb39..26c39807d 100644 --- a/templates/kubevirt/virt-operator/rbac-for-us.yaml +++ b/templates/kubevirt/virt-operator/rbac-for-us.yaml @@ -86,9 +86,9 @@ metadata: name: d8:virtualization:kubevirt-operator rules: - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - kubevirts + - dvpinternalkubevirts verbs: - get - list @@ -294,10 +294,10 @@ rules: - delete - patch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachines - - virtualmachineinstances + - dvpinternalvirtualmachines + - dvpinternalvirtualmachineinstances verbs: - get - list @@ -311,15 +311,15 @@ rules: verbs: - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachines/status + - dvpinternalvirtualmachines/status verbs: - patch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancemigrations + - dvpinternalvirtualmachineinstancemigrations verbs: - create - get @@ -327,9 +327,9 @@ rules: - watch - patch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancepresets + - dvpinternalvirtualmachineinstancepresets verbs: - watch - list @@ -357,50 +357,50 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - kubevirts + - dvpinternalkubevirts verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinesnapshots - - virtualmachinerestores - - virtualmachinesnapshotcontents + - dvpinternalvirtualmachinesnapshots + - dvpinternalvirtualmachinerestores + - dvpinternalvirtualmachinesnapshotcontents verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - datasources - - datavolumes + - dvpinternaldatasources + - dvpinternaldatavolumes verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancetypes - - virtualmachineclusterinstancetypes - - virtualmachinepreferences - - virtualmachineclusterpreferences + - dvpinternalvirtualmachineinstancetypes + - dvpinternalvirtualmachineclusterinstancetypes + - dvpinternalvirtualmachinepreferences + - dvpinternalvirtualmachineclusterpreferences verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancetypes - - virtualmachineclusterinstancetypes - - virtualmachinepreferences - - virtualmachineclusterpreferences + - dvpinternalvirtualmachineinstancetypes + - dvpinternalvirtualmachineclusterinstancetypes + - dvpinternalvirtualmachinepreferences + - dvpinternalvirtualmachineclusterpreferences verbs: - delete - create @@ -408,9 +408,9 @@ rules: - patch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - migrationpolicies + - dvpinternalmigrationpolicies verbs: - get - list @@ -550,24 +550,24 @@ rules: - delete - patch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - '*' verbs: - '*' - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - '*' verbs: - '*' - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinepools - - virtualmachinepools/finalizers - - virtualmachinepools/status - - virtualmachinepools/scale + - dvpinternalvirtualmachinepools + - dvpinternalvirtualmachinepools/finalizers + - dvpinternalvirtualmachinepools/status + - dvpinternalvirtualmachinepools/scale verbs: - watch - list @@ -577,7 +577,7 @@ rules: - patch - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - '*' verbs: @@ -593,7 +593,7 @@ rules: verbs: - update - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - '*' verbs: @@ -648,30 +648,30 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancetypes - - virtualmachineclusterinstancetypes - - virtualmachinepreferences - - virtualmachineclusterpreferences + - dvpinternalvirtualmachineinstancetypes + - dvpinternalvirtualmachineclusterinstancetypes + - dvpinternalvirtualmachinepreferences + - dvpinternalvirtualmachineclusterpreferences verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - migrationpolicies + - dvpinternalmigrationpolicies verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineclones - - virtualmachineclones/status - - virtualmachineclones/finalizers + - dvpinternalvirtualmachineclones + - dvpinternalvirtualmachineclones/status + - dvpinternalvirtualmachineclones/finalizers verbs: - get - list @@ -717,9 +717,9 @@ rules: - get - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstances + - dvpinternalvirtualmachineinstances verbs: - update - list @@ -757,17 +757,17 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - kubevirts + - dvpinternalkubevirts verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - migrationpolicies + - dvpinternalmigrationpolicies verbs: - get - list @@ -781,17 +781,17 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineexports + - dvpinternalvirtualmachineexports verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - kubevirts + - dvpinternalkubevirts verbs: - list - watch @@ -864,13 +864,13 @@ rules: verbs: - update - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachines - - virtualmachineinstances - - virtualmachineinstancepresets - - virtualmachineinstancereplicasets - - virtualmachineinstancemigrations + - dvpinternalvirtualmachines + - dvpinternalvirtualmachineinstances + - dvpinternalvirtualmachineinstancepresets + - dvpinternalvirtualmachineinstancereplicasets + - dvpinternalvirtualmachineinstancemigrations verbs: - get - delete @@ -881,11 +881,11 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinesnapshots - - virtualmachinesnapshotcontents - - virtualmachinerestores + - dvpinternalvirtualmachinesnapshots + - dvpinternalvirtualmachinesnapshotcontents + - dvpinternalvirtualmachinerestores verbs: - get - delete @@ -896,9 +896,9 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineexports + - dvpinternalvirtualmachineexports verbs: - get - delete @@ -909,9 +909,9 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineclones + - dvpinternalvirtualmachineclones verbs: - get - delete @@ -922,12 +922,12 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancetypes - - virtualmachineclusterinstancetypes - - virtualmachinepreferences - - virtualmachineclusterpreferences + - dvpinternalvirtualmachineinstancetypes + - dvpinternalvirtualmachineclusterinstancetypes + - dvpinternalvirtualmachinepreferences + - dvpinternalvirtualmachineclusterpreferences verbs: - get - delete @@ -938,9 +938,9 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinepools + - dvpinternalvirtualmachinepools verbs: - get - delete @@ -951,9 +951,9 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - migrationpolicies + - dvpinternalmigrationpolicies verbs: - get - list @@ -1009,13 +1009,13 @@ rules: verbs: - update - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachines - - virtualmachineinstances - - virtualmachineinstancepresets - - virtualmachineinstancereplicasets - - virtualmachineinstancemigrations + - dvpinternalvirtualmachines + - dvpinternalvirtualmachineinstances + - dvpinternalvirtualmachineinstancepresets + - dvpinternalvirtualmachineinstancereplicasets + - dvpinternalvirtualmachineinstancemigrations verbs: - get - delete @@ -1025,11 +1025,11 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinesnapshots - - virtualmachinesnapshotcontents - - virtualmachinerestores + - dvpinternalvirtualmachinesnapshots + - dvpinternalvirtualmachinesnapshotcontents + - dvpinternalvirtualmachinerestores verbs: - get - delete @@ -1039,9 +1039,9 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineexports + - dvpinternalvirtualmachineexports verbs: - get - delete @@ -1051,9 +1051,9 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineclones + - dvpinternalvirtualmachineclones verbs: - get - delete @@ -1063,12 +1063,12 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancetypes - - virtualmachineclusterinstancetypes - - virtualmachinepreferences - - virtualmachineclusterpreferences + - dvpinternalvirtualmachineinstancetypes + - dvpinternalvirtualmachineclusterinstancetypes + - dvpinternalvirtualmachinepreferences + - dvpinternalvirtualmachineclusterpreferences verbs: - get - delete @@ -1078,9 +1078,9 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinepools + - dvpinternalvirtualmachinepools verbs: - get - delete @@ -1090,16 +1090,16 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - kubevirts + - dvpinternalkubevirts verbs: - get - list - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - migrationpolicies + - dvpinternalmigrationpolicies verbs: - get - list @@ -1120,67 +1120,67 @@ rules: verbs: - update - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachines - - virtualmachineinstances - - virtualmachineinstancepresets - - virtualmachineinstancereplicasets - - virtualmachineinstancemigrations + - dvpinternalvirtualmachines + - dvpinternalvirtualmachineinstances + - dvpinternalvirtualmachineinstancepresets + - dvpinternalvirtualmachineinstancereplicasets + - dvpinternalvirtualmachineinstancemigrations verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinesnapshots - - virtualmachinesnapshotcontents - - virtualmachinerestores + - dvpinternalvirtualmachinesnapshots + - dvpinternalvirtualmachinesnapshotcontents + - dvpinternalvirtualmachinerestores verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineexports + - dvpinternalvirtualmachineexports verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineclones + - dvpinternalvirtualmachineclones verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancetypes - - virtualmachineclusterinstancetypes - - virtualmachinepreferences - - virtualmachineclusterpreferences + - dvpinternalvirtualmachineinstancetypes + - dvpinternalvirtualmachineclusterinstancetypes + - dvpinternalvirtualmachinepreferences + - dvpinternalvirtualmachineclusterpreferences verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinepools + - dvpinternalvirtualmachinepools verbs: - get - list - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - migrationpolicies + - dvpinternalmigrationpolicies verbs: - get - list diff --git a/templates/kubevirt/vmi-router/rbac-for-us.yaml b/templates/kubevirt/vmi-router/rbac-for-us.yaml index ca191d4e4..4e5ad8411 100644 --- a/templates/kubevirt/vmi-router/rbac-for-us.yaml +++ b/templates/kubevirt/vmi-router/rbac-for-us.yaml @@ -14,9 +14,9 @@ metadata: {{- include "helm_lib_module_labels" (list . (dict "app" "vmi-router")) | nindent 2 }} rules: - apiGroups: - - x.virtualization.deckhouse.io + - virtualization.deckhouse.io resources: - - virtualmachineinstances + - virtualmachines verbs: - get - list diff --git a/templates/pre-delete-hook/rbac-for-us.yaml b/templates/pre-delete-hook/rbac-for-us.yaml index 96bf862c9..84b4d0f43 100644 --- a/templates/pre-delete-hook/rbac-for-us.yaml +++ b/templates/pre-delete-hook/rbac-for-us.yaml @@ -15,10 +15,10 @@ metadata: {{- include "helm_lib_module_labels" (list . (dict "app" "virtualization-pre-delete-hook")) | nindent 2 }} rules: - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - cdis - - kubevirts + - dvpinternalcdis + - dvpinternalkubevirts verbs: - get - delete diff --git a/templates/virtualization-controller/_helpers.tpl b/templates/virtualization-controller/_helpers.tpl index 00cbe7644..529e96ec1 100644 --- a/templates/virtualization-controller/_helpers.tpl +++ b/templates/virtualization-controller/_helpers.tpl @@ -1,5 +1,7 @@ {{- define "virtualization-controller.envs" -}} {{- $registry := include "dvcr.get_registry" (list .) }} +- name: KUBECONFIG + value: "/kubeconfig.local/proxy.kubeconfig" - name: VERBOSITY value: "3" - name: FORCE_BRIDGE_NETWORK_BINDING diff --git a/templates/virtualization-controller/deployment.yaml b/templates/virtualization-controller/deployment.yaml index 9f86fe578..3ebfcc4e5 100644 --- a/templates/virtualization-controller/deployment.yaml +++ b/templates/virtualization-controller/deployment.yaml @@ -45,6 +45,8 @@ metadata: name: virtualization-controller namespace: d8-{{ .Chart.Name }} {{- include "helm_lib_module_labels" (list . (dict "app" "virtualization-controller")) | nindent 2 }} + annotations: + kubectl.kubernetes.io/default-container: virtualization-controller spec: {{- include "helm_lib_deployment_strategy_and_replicas_for_ha" . | nindent 2 }} revisionHistoryLimit: 2 @@ -60,12 +62,32 @@ spec: spec: {{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "virtualization-controller")) | nindent 6 }} containers: + - name: proxy + image: {{ include "helm_lib_module_image" (list . "kubeApiProxy") }} + imagePullPolicy: IfNotPresent + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }} + {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "virtualization_controller_resources" . | nindent 12 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File - name: virtualization-controller image: {{ include "helm_lib_module_image" (list . "virtualizationController") }} imagePullPolicy: Always volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: admission-webhook-secret + - mountPath: /kubeconfig.local + name: kube-api-proxy-kubeconfig ports: - containerPort: 9443 name: controller @@ -80,6 +102,7 @@ spec: {{- include "virtualization_controller_resources" . | nindent 12 }} {{- end }} env: {{ include "virtualization-controller.envs" . | nindent 12 }} + dnsPolicy: ClusterFirst serviceAccountName: virtualization-controller {{- include "helm_lib_priority_class" (tuple . "system-cluster-critical") | nindent 6 }} @@ -89,3 +112,6 @@ spec: - name: admission-webhook-secret secret: secretName: virtualization-controller-tls + - name: kube-api-proxy-kubeconfig + configMap: + name: kube-api-proxy-kubeconfig diff --git a/templates/virtualization-controller/rbac-for-us.yaml b/templates/virtualization-controller/rbac-for-us.yaml index 5344c729c..ad11ad77a 100644 --- a/templates/virtualization-controller/rbac-for-us.yaml +++ b/templates/virtualization-controller/rbac-for-us.yaml @@ -87,9 +87,9 @@ rules: - create - patch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - datavolumes + - dvpinternaldatavolumes verbs: - get - create @@ -98,10 +98,10 @@ rules: - watch - list - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachines - - virtualmachineinstances + - dvpinternalvirtualmachines + - dvpinternalvirtualmachineinstances verbs: - get - watch @@ -111,17 +111,17 @@ rules: - list - delete - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - kubevirts + - dvpinternalkubevirts verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachines/status + - dvpinternalvirtualmachines/status verbs: - patch - update