feat: refactor license and preset admin user (#3712)

* move license to github secrets * Decoupled pre-registration operations * fix bugs * Preset User removed from the registration module * modify the rbac * modify makefile and dockerfile * modify the makefile * fix collect bugs * fix logs output * fix bugs * add semgrepignore * =add markdown
labring · Aug 21, 2023 · 076c77c · 076c77c
1 parent ada947f
commit 076c77c
Show file tree

Hide file tree

Showing 13 changed files with 341 additions and 190 deletions.
diff --git a/.github/workflows/controllers.yml b/.github/workflows/controllers.yml
@@ -35,6 +35,7 @@ env:
   GO_VERSION: "1.20"
   DEFAULT_OWNER: "labring"
   CRYPTOKEY: ${{ secrets.CONTROLLER_BUILD_CRYPTOKEY }}
+  LICENSE_KEY: ${{ secrets.LICENSE_KEY }}
 jobs:
   resolve-modules:
     runs-on: ubuntu-20.04

diff --git a/controllers/licenseissuer/Dockerfile b/controllers/licenseissuer/Dockerfile
@@ -5,4 +5,7 @@ WORKDIR /
 USER 65532:65532
 
 COPY bin/controller-licenseissuer-$TARGETARCH /manager
-ENTRYPOINT ["/manager"]
+COPY bin/preset-$TARGETARCH /preset
+COPY bin/launcher-$TARGETARCH /launcher
+
+ENTRYPOINT ["/launcher"]
diff --git a/controllers/licenseissuer/Makefile b/controllers/licenseissuer/Makefile
@@ -5,7 +5,8 @@ IMG ?= ghcr.io/labring/sealos-licenseissuer-controller:latest
 ENVTEST_K8S_VERSION = 1.26.1
 
 include	.env
-export 
+export
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -60,11 +61,20 @@ vet: ## Run go vet against code.
 test: manifests generate fmt vet envtest ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
 
+
 ##@ Build
 
-.PHONY: build
-build:
-	CGO_ENABLED=0 GOOS=linux go build $(shell [ -n "${CRYPTOKEY}"  ] && echo "-ldflags '-X github.com/labring/sealos/controllers/pkg/crypto.encryptionKey=${CRYPTOKEY} -X github.com/labring/sealos/controllers/pkg/database.cryptoKey=${CRYPTOKEY}'") -o bin/manager cmd/main.go
+.PHONY: build 
+CONTROLLER_PKG=github.com/labring/sealos/controllers/pkg
+CONTROLLER_LICENSEISSUER=github.com/labring/sealos/controllers/licenseissuer/internal/controller
+build: manifests generate fmt vet ## Build manager binary.
+	LD_FLAGS=""; \
+	[ -n "$(CRYPTOKEY)" ] && LD_FLAGS+="-X ${CONTROLLER_PKG}/crypto.encryptionKey=${CRYPTOKEY} -X ${CONTROLLER_PKG}/database.cryptoKey=${CRYPTOKEY}"; \
+	[ -n "$(LICENSE_KEY)" ] && LD_FLAGS+=" -X ${CONTROLLER_LICENSEISSUER}/util.Key=${LICENSE_KEY}"; \
+	CGO_ENABLED=0 GOOS=linux  go build -ldflags "$${LD_FLAGS}" -o bin/manager cmd/main.go && \
+	CGO_ENABLED=0 GOOS=linux  go build -o bin/preset-${GOARCH} preset/main.go && chmod +x bin/preset-${GOARCH} && \
+	CGO_ENABLED=0 GOOS=linux  go build -o bin/launcher-${GOARCH} launcher/main.go && chmod +x bin/launcher-${GOARCH}
+
 
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.

diff --git a/controllers/licenseissuer/README.md b/controllers/licenseissuer/README.md
@@ -1,5 +1,14 @@
 # licenseissuer-controller
-// TODO(user): Add simple overview of use/purpose
+
+LicenseIssuer is a Operator that authorizes the use of a license for a given user.
+
+In this module, there are three binaries in total, which are launcher, preset, and manager. 
+
+Launcher is a starter responsible for launching preset and manager. 
+
+Preset is an idempotent binary program responsible for registering the root user in the database, and the root user has a certain amount of free quota. 
+
+Manager is used to create license resources and activate the license injected into the cluster.
 
 ## Description
 // TODO(user): An in-depth paragraph about your project and overview of use

diff --git a/controllers/licenseissuer/config/manager/manager.yaml b/controllers/licenseissuer/config/manager/manager.yaml
@@ -67,22 +67,38 @@ spec:
         #   type: RuntimeDefault
       containers:
       - command:
-        - /manager
+        - /launcher
         args:
         - --leader-elect
         image: ghcr.io/labring/sealos-licenseissuer-controller:latest
+        imagePullPolicy: Always
         name: manager
         env:
         - name: CAN_CONNECT_TO_EXTERNAL_NETWORK
           valueFrom:
             secretKeyRef:
-              name: licenseissuer-env
               key: canConnectToExternalNetwork
+              name: licenseissuer-env
         - name: MONITOR
           valueFrom:
             secretKeyRef:
               key: isMonitor
               name: licenseissuer-env
+        - name: MONGO_URI
+          valueFrom: 
+            secretKeyRef:
+              key: MongoURI
+              name: licenseissuer-env
+        - name: PASSWORD_SALT
+          valueFrom:
+            secretKeyRef:
+              key: PasswordSalt
+              name: licenseissuer-env
+        - name: NAMESPACE
+          valueFrom:
+            secretKeyRef:
+              key: Namespace
+              name: licenseissuer-env
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:

diff --git a/controllers/licenseissuer/config/rbac/role.yaml b/controllers/licenseissuer/config/rbac/role.yaml
@@ -37,6 +37,30 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:

diff --git a/controllers/licenseissuer/deploy/manifests/configmaps.yaml b/controllers/licenseissuer/deploy/manifests/configmaps.yaml
@@ -5,15 +5,6 @@ metadata:
   name: license-history
   namespace: sealos-system
 ---
-apiVersion: infostream.sealos.io/v1
-kind: Launcher
-metadata:
-  name: launcher
-  namespace: sealos-system
-spec:
-  description: This YAML file is responsible for launching the entire cloud module.
-  name: Cloud-Launcher
----
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/controllers/licenseissuer/deploy/manifests/deploy.yaml b/controllers/licenseissuer/deploy/manifests/deploy.yaml
@@ -221,6 +221,30 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -467,7 +491,7 @@ spec:
         - --metrics-bind-address=127.0.0.1:8080
         - --leader-elect
         command:
-        - /manager
+        - /launcher
         env:
         - name: CAN_CONNECT_TO_EXTERNAL_NETWORK
           valueFrom:
@@ -480,7 +504,7 @@ spec:
               key: isMonitor
               name: licenseissuer-env
         - name: MONGO_URI
-          valueFrom: 
+          valueFrom:
             secretKeyRef:
               key: MongoURI
               name: licenseissuer-env
@@ -495,6 +519,7 @@ spec:
               key: Namespace
               name: licenseissuer-env
         image: ghcr.io/labring/sealos-licenseissuer-controller:latest
+        imagePullPolicy: Always
         livenessProbe:
           httpGet:
             path: /healthz

diff --git a/controllers/licenseissuer/internal/controller/license_controller.go b/controllers/licenseissuer/internal/controller/license_controller.go
@@ -49,6 +49,9 @@ type LicenseReconciler struct {
 	configMap corev1.ConfigMap
 }
 
+//+kubebuilder:rbac:groups=core,resources=persistentvolumes,verbs=get;list;watch
+//+kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch
+//+kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=account.sealos.io,resources=accounts,verbs=get;list;watch;create;update;patch;delete
@@ -70,7 +73,6 @@ type LicenseReconciler struct {
 func (r *LicenseReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	r.logger.Info("Enter LicenseReconcile", "namespace:", req.Namespace, "name", req.Name)
 	r.logger.Info("Start to get license-related resource...")
-
 	// for notification
 	nq := &ntf.NoticeEventQueue{}
 	nm := ntf.NewNotificationManager(ctx, r.Client, r.logger, 1, 1)

diff --git a/controllers/licenseissuer/internal/controller/util/const.go b/controllers/licenseissuer/internal/controller/util/const.go
@@ -41,23 +41,9 @@ const (
 	// Add more url here
 )
 
-const (
-	// pre-defined user name and password
-	defaultuser     = "root"
-	defaultPassword = "sealos2023"
-
-	// kubernetes default user cr is admin
-	// it is corresponding to the root account
-	defaultK8sUser = "admin"
-
-	// the default db and collection of mongodb to store user information
-	defaultDB         = "test"
-	defaultCollection = "user"
-)
-
 const NoticeFrom = "Sealos Cloud"
 
-const Key = "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFvbFBTSzB0UjFKeDZtb25lL2ppeApSWGN6UGlxcU5SSXRmdW1mdWNyNGMxc2dqdlJha0NwcWtDU21lMTR1akJkU0x6QlZzRjkvUWl0UnFNb2NvaEN1CkJ6R25EQ29hWnZXbWVHeE96NEZSejVTeUg1QTlDa3dnbUEzYnFnMWxKSEZTMlZyVjVHVFhFWnphZTZtRmhHOVcKenJMTnpZMlptYTMzOVE1WTNJSDZ6RXIrcTRQbTZDOXBHVGpsSnVodlRvb0dSY2w0bmpZRXc2eHB6ZHZrdi9uSApmZmxsWGZVNDNyRGdQaGkwZDRjWnNuTUJlazUxQkNiRFRuSHlNVFdGT1RoTjc1VVM0bzJxRm9JSEhsM0N0RzE4ClZIZEdRSE1IR0dYcGN3bVhhck1EQndwVWFOSk9kMkhjTTB5dlZEY2xDZzRITkIwVUFWeFNweFlRV3BwNWJzN2gKbHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
+var Key = "asdhjkwqdaskdjhqjwdakxausdasdajs"
 
 const MaxSizeThresholdStr = "800Ki"