Skip to content

Commit

Permalink
Remove Flavor Filtering
Browse files Browse the repository at this point in the history
We filter based on vcpu/ram/swap as required by kubeadm, but this is a
domain specific thing, rather than generic, so remove this and delegate
handling to the kubernetes service.

Implements #67
  • Loading branch information
spjmurray committed Nov 1, 2024
1 parent 204e54a commit 689e88b
Show file tree
Hide file tree
Showing 4 changed files with 36 additions and 57 deletions.
4 changes: 2 additions & 2 deletions charts/region/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn's Region Controller

type: application

version: v0.1.44
appVersion: v0.1.44
version: v0.1.45
appVersion: v0.1.45

icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png

Expand Down
26 changes: 13 additions & 13 deletions pkg/client/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,6 @@ import (

coreclient "github.com/unikorn-cloud/core/pkg/client"
"github.com/unikorn-cloud/identity/pkg/middleware/authorization"
"github.com/unikorn-cloud/identity/pkg/middleware/openapi/accesstoken"
"github.com/unikorn-cloud/region/pkg/openapi"

"sigs.k8s.io/controller-runtime/pkg/client"
Expand Down Expand Up @@ -78,28 +77,29 @@ func (c *Client) HTTPClient(ctx context.Context) (*http.Client, error) {
return client, nil
}

// accessTokenInjector implements OAuth2 bearer token authorization.
func accessTokenInjector(ctx context.Context, req *http.Request) error {
accessToken, err := accesstoken.FromContext(ctx)
if err != nil {
return err
}
type AccessTokenGetter interface {
Get() string
}

req.Header.Set("Authorization", "bearer "+accessToken)
otel.GetTextMapPropagator().Inject(ctx, propagation.HeaderCarrier(req.Header))
authorization.InjectClientCert(ctx, req.Header)
// accessTokenInjector implements OAuth2 bearer token authorization.
func accessTokenInjector(accessToken AccessTokenGetter) func(context.Context, *http.Request) error {
return func(ctx context.Context, req *http.Request) error {
req.Header.Set("Authorization", "bearer "+accessToken.Get())
otel.GetTextMapPropagator().Inject(ctx, propagation.HeaderCarrier(req.Header))
authorization.InjectClientCert(ctx, req.Header)

return nil
return nil
}
}

// Client returns a new OpenAPI client that can be used to access the API.
func (c *Client) Client(ctx context.Context) (*openapi.ClientWithResponses, error) {
func (c *Client) Client(ctx context.Context, accessToken AccessTokenGetter) (*openapi.ClientWithResponses, error) {
httpClient, err := c.HTTPClient(ctx)
if err != nil {
return nil, err
}

client, err := openapi.NewClientWithResponses(c.options.Host(), openapi.WithHTTPClient(httpClient), openapi.WithRequestEditorFn(accessTokenInjector))
client, err := openapi.NewClientWithResponses(c.options.Host(), openapi.WithHTTPClient(httpClient), openapi.WithRequestEditorFn(accessTokenInjector(accessToken)))
if err != nil {
return nil, err
}
Expand Down
51 changes: 21 additions & 30 deletions pkg/handler/handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ func (h *Handler) getPhysicalNetwork(ctx context.Context, id string) (*unikornv1
}

func (h *Handler) GetApiV1OrganizationsOrganizationIDRegions(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter) {
if err := rbac.AllowOrganizationScope(r.Context(), "regions", identityapi.Read, organizationID); err != nil {
if err := rbac.AllowOrganizationScope(r.Context(), "region:regions", identityapi.Read, organizationID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -173,7 +173,7 @@ func convertFlavor(in providers.Flavor) openapi.Flavor {
}

func (h *Handler) GetApiV1OrganizationsOrganizationIDRegionsRegionIDFlavors(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, regionID openapi.RegionIDParameter) {
if err := rbac.AllowOrganizationScope(r.Context(), "regions", identityapi.Read, organizationID); err != nil {
if err := rbac.AllowOrganizationScope(r.Context(), "region:flavors", identityapi.Read, organizationID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -261,7 +261,7 @@ func convertImage(in providers.Image) openapi.Image {
}

func (h *Handler) GetApiV1OrganizationsOrganizationIDRegionsRegionIDImages(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, regionID openapi.RegionIDParameter) {
if err := rbac.AllowOrganizationScope(r.Context(), "regions", identityapi.Read, organizationID); err != nil {
if err := rbac.AllowOrganizationScope(r.Context(), "region:images", identityapi.Read, organizationID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -419,7 +419,7 @@ func generateTagList(in *openapi.TagList) unikornv1.TagList {
}

func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDIdentities(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "identities", identityapi.Create, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:identities", identityapi.Create, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -466,7 +466,7 @@ func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitie
}

func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "identities", identityapi.Read, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:identities", identityapi.Read, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand All @@ -481,7 +481,7 @@ func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDIdentities
}

func (h *Handler) DeleteApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "identities", identityapi.Delete, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:identities", identityapi.Delete, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -564,7 +564,7 @@ func (h *Handler) convertPhysicalNetworkList(ctx context.Context, in unikornv1.P
}

func (h *Handler) GetApiV1OrganizationsOrganizationIDPhysicalnetworks(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter) {
if err := rbac.AllowOrganizationScope(r.Context(), "physicalnetworks", identityapi.Read, organizationID); err != nil {
if err := rbac.AllowOrganizationScope(r.Context(), "region:physicalnetworks", identityapi.Read, organizationID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand All @@ -590,7 +590,7 @@ func (h *Handler) GetApiV1OrganizationsOrganizationIDPhysicalnetworks(w http.Res
}

func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDPhysicalnetworks(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "physicalnetworks", identityapi.Create, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:physicalnetworks", identityapi.Create, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -658,7 +658,7 @@ func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitie
}

func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDPhysicalnetworksPhysicalNetworkID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter, physicalNetworkID openapi.PhysicalNetworkIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "physicalnetworks", identityapi.Read, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:physicalnetworks", identityapi.Read, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand All @@ -673,7 +673,7 @@ func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDIdentities
}

func (h *Handler) DeleteApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDPhysicalnetworksPhysicalNetworkID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter, physicalNetworkID openapi.PhysicalNetworkIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "physicalnetworks", identityapi.Delete, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:physicalnetworks", identityapi.Delete, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -756,7 +756,7 @@ func convertQuota(in *unikornv1.Quota) *openapi.QuotasSpec {
}

func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDQuotas(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "quotas", identityapi.Read, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:quotas", identityapi.Read, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -826,7 +826,7 @@ func (h *Handler) generateQuota(ctx context.Context, organizationID, projectID s
}

func (h *Handler) PutApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDQuotas(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter) {
if err := rbac.AllowProjectScope(r.Context(), "quotas", identityapi.Update, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:quotas", identityapi.Update, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -899,7 +899,7 @@ func convertExternalNetworks(in providers.ExternalNetworks) openapi.ExternalNetw
}

func (h *Handler) GetApiV1OrganizationsOrganizationIDRegionsRegionIDExternalnetworks(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, regionID openapi.RegionIDParameter) {
if err := rbac.AllowOrganizationScope(r.Context(), "regions", identityapi.Read, organizationID); err != nil {
if err := rbac.AllowOrganizationScope(r.Context(), "region:externalnetworks", identityapi.Read, organizationID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -1012,9 +1012,8 @@ func (h *Handler) generateSecurityGroup(ctx context.Context, organizationID, pro
return resource, nil
}

// (GET /api/v1/organizations/{organizationID}/securitygroups)
func (h *Handler) GetApiV1OrganizationsOrganizationIDSecuritygroups(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter) {
if err := rbac.AllowOrganizationScope(r.Context(), "securitygroups", identityapi.Read, organizationID); err != nil {
if err := rbac.AllowOrganizationScope(r.Context(), "region:securitygroups", identityapi.Read, organizationID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand All @@ -1028,11 +1027,10 @@ func (h *Handler) GetApiV1OrganizationsOrganizationIDSecuritygroups(w http.Respo
util.WriteJSONResponse(w, r, http.StatusOK, h.convertSecurityGroupList(result))
}

// (POST /api/v1/organizations/{organizationID}/projects/{projectID}/identities/{identityID}/securitygroups)
func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDSecuritygroups(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter,
projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter) {

if err := rbac.AllowProjectScope(r.Context(), "securitygroups", identityapi.Create, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:securitygroups", identityapi.Create, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -1063,11 +1061,10 @@ func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitie
util.WriteJSONResponse(w, r, http.StatusCreated, h.convertSecurityGroup(securityGroup))
}

// (DELETE /api/v1/organizations/{organizationID}/projects/{projectID}/identities/{identityID}/securitygroups/{securityGroupID})
func (h *Handler) DeleteApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDSecuritygroupsSecurityGroupID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter,
projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter, securityGroupID openapi.SecurityGroupIDParameter) {

if err := rbac.AllowProjectScope(r.Context(), "securitygroups", identityapi.Delete, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:securitygroups", identityapi.Delete, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand All @@ -1091,11 +1088,10 @@ func (h *Handler) DeleteApiV1OrganizationsOrganizationIDProjectsProjectIDIdentit
w.WriteHeader(http.StatusAccepted)
}

// (GET /api/v1/organizations/{organizationID}/projects/{projectID}/identities/{identityID}/securitygroups/{securityGroupID})
func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDSecuritygroupsSecurityGroupID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter,
projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter, securityGroupID openapi.SecurityGroupIDParameter) {

if err := rbac.AllowProjectScope(r.Context(), "securitygroups", identityapi.Read, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:securitygroups", identityapi.Read, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand All @@ -1109,11 +1105,10 @@ func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDIdentities
util.WriteJSONResponse(w, r, http.StatusOK, h.convertSecurityGroup(resource))
}

// (PUT /api/v1/organizations/{organizationID}/projects/{projectID}/identities/{identityID}/securitygroups/{securityGroupID})
func (h *Handler) PutApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDSecuritygroupsSecurityGroupID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter,
projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter, securityGroupID openapi.SecurityGroupIDParameter) {

if err := rbac.AllowProjectScope(r.Context(), "securitygroups", identityapi.Update, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:securitygroups", identityapi.Update, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -1324,7 +1319,6 @@ func (h *Handler) generateSecurityGroupRule(ctx context.Context, organizationID,
return resource, nil
}

// (GET /api/v1/organizations/{organizationID}/projects/{projectID}/identities/{identityID}/securitygroups/{securityGroupID}/rules)
func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDSecuritygroupsSecurityGroupIDRules(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter,
projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter, securityGroupID openapi.SecurityGroupIDParameter) {

Expand All @@ -1342,11 +1336,10 @@ func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDIdentities
util.WriteJSONResponse(w, r, http.StatusOK, h.convertSecurityGroupRuleList(result))
}

// (POST /api/v1/organizations/{organizationID}/projects/{projectID}/identities/{identityID}/securitygroups/{securityGroupID}/rules)
func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDSecuritygroupsSecurityGroupIDRules(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter,
projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter, securityGroupID openapi.SecurityGroupIDParameter) {

if err := rbac.AllowProjectScope(r.Context(), "securitygroups", identityapi.Create, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:securitygroups", identityapi.Create, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down Expand Up @@ -1383,11 +1376,10 @@ func (h *Handler) PostApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitie
util.WriteJSONResponse(w, r, http.StatusCreated, h.convertSecurityGroupRule(securityGroupRule))
}

// (DELETE /api/v1/organizations/{organizationID}/projects/{projectID}/identities/{identityID}/securitygroups/{securityGroupID}/rules/{ruleID})
func (h *Handler) DeleteApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDSecuritygroupsSecurityGroupIDRulesRuleID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter,
projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter, securityGroupID openapi.SecurityGroupIDParameter, ruleID openapi.RuleIDParameter) {

if err := rbac.AllowProjectScope(r.Context(), "securitygroups", identityapi.Delete, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:securitygroups", identityapi.Delete, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand All @@ -1411,11 +1403,10 @@ func (h *Handler) DeleteApiV1OrganizationsOrganizationIDProjectsProjectIDIdentit
w.WriteHeader(http.StatusAccepted)
}

// (GET /api/v1/organizations/{organizationID}/projects/{projectID}/identities/{identityID}/securitygroups/{securityGroupID}/rules/{ruleID})
func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDIdentitiesIdentityIDSecuritygroupsSecurityGroupIDRulesRuleID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter,
projectID openapi.ProjectIDParameter, identityID openapi.IdentityIDParameter, securityGroupID openapi.SecurityGroupIDParameter, ruleID openapi.RuleIDParameter) {

if err := rbac.AllowProjectScope(r.Context(), "securitygroups", identityapi.Read, organizationID, projectID); err != nil {
if err := rbac.AllowProjectScope(r.Context(), "region:securitygroups", identityapi.Read, organizationID, projectID); err != nil {
errors.HandleError(w, r, err)
return
}
Expand Down
12 changes: 0 additions & 12 deletions pkg/providers/openstack/compute.go
Original file line number Diff line number Diff line change
Expand Up @@ -169,22 +169,10 @@ func (c *ComputeClient) Flavors(ctx context.Context) ([]flavors.Flavor, error) {

result = slices.DeleteFunc(result, func(flavor flavors.Flavor) bool {
// We are admin, so see all the things, throw out private flavors.
// TODO: we _could_ allow if our project is in the allowed IDs.
if !flavor.IsPublic {
return true
}

// Kubeadm requires 2 VCPU, 2 "GB" of RAM (I'll pretend it's GiB) and no swap:
// https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
if flavor.VCPUs < 2 || flavor.RAM < 2048 || flavor.Swap != 0 {
return true
}

// Don't remove the flavor if it's implicitly selected by a lack of configuration.
if c.options == nil || c.options.Flavors == nil || c.options.Flavors.Selector == nil {
return false
}

if len(c.options.Flavors.Selector.IDs) > 0 {
if !slices.Contains(c.options.Flavors.Selector.IDs, flavor.ID) {
return true
Expand Down

0 comments on commit 689e88b

Please sign in to comment.