From 62c5f744a0c7a82c4c4422fee333bfeeddb968fd Mon Sep 17 00:00:00 2001
From: Yurnero-Xy <2238384910@qq.com>
Date: Thu, 20 Jul 2023 23:32:07 +0800
Subject: [PATCH] feat(user_controller): create user -> sync three roles

---
 controllers/user/api/v1/user_types.go | 8 ++++
 .../user/config/manager/kustomization.yaml | 4 +-
 .../user/controllers/helper/config/rbac.go | 42 +++++++++++++++----
 .../user/controllers/user_controller.go | 35 ++++++++++------
 controllers/user/go.mod | 1 +
 controllers/user/go.sum | 3 ++
 go.work.sum | 2 +
 7 files changed, 72 insertions(+), 23 deletions(-)

diff --git a/controllers/user/api/v1/user_types.go b/controllers/user/api/v1/user_types.go
index ab4eb8ad186..ab703a903b3 100644
--- a/controllers/user/api/v1/user_types.go
+++ b/controllers/user/api/v1/user_types.go
@@ -39,6 +39,14 @@ type UserSpec struct {
 //+kubebuilder:default:=7200
 CSRExpirationSeconds int32 `json:"csrExpirationSeconds,omitempty"`
 }
+type UserRoleType string
+
+const (
+ OwnerRoleType UserRoleType = "Owner"
+ ManagerRoleType UserRoleType = "Manager"
+ DeveloperRoleType UserRoleType = "Developer"
+)
+
 type UserPhase string
 // These are the valid phases of node.
diff --git a/controllers/user/config/manager/kustomization.yaml b/controllers/user/config/manager/kustomization.yaml
index 9bde1649623..9670216c47e 100644
--- a/controllers/user/config/manager/kustomization.yaml
+++ b/controllers/user/config/manager/kustomization.yaml
@@ -1,9 +1,7 @@
 resources:
 - manager.yaml
-
 generatorOptions:
 disableNameSuffixHash: true
-
 configMapGenerator:
 - files:
 - controller_manager_config.yaml
@@ -13,4 +11,4 @@ kind: Kustomization
 images:
 - name: controller
 newName: ghcr.io/labring/sealos-user-controller
- newTag: dev
+ newTag: latest
diff --git a/controllers/user/controllers/helper/config/rbac.go b/controllers/user/controllers/helper/config/rbac.go
index f8753171578..e5b85c8d7b7 100644
--- a/controllers/user/controllers/helper/config/rbac.go
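Review bot: `UserRoleType` and the `OwnerRoleType`/`ManagerRoleType`/`DeveloperRoleType` constants are exported but carry no doc comment, and the new block is pasted directly under the closing brace of `UserSpec` with no blank line. The string values are more than labels: `createRole` uses `string(roleType)` as the Role's `metadata.name` and `syncRoleBinding` binds `string(userv1.OwnerRoleType)`, so changing a value later would leave the previously created Roles and bindings behind. Suggest `// UserRoleType names one of the namespace Roles the user controller manages per User; its string value is used verbatim as the Role's metadata.name, so existing values must not be changed.` above the type, and one line per constant stating what GetUserRole in helper/config/rbac.go grants it (`// OwnerRoleType and ManagerRoleType grant all verbs on all resources in the user namespace; DeveloperRoleType is read-only (list, watch, get).`).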
+++ b/controllers/user/controllers/helper/config/rbac.go
@@ -20,6 +20,7 @@ import (
 "fmt"
 "os"
+ userv1 "github.com/labring/sealos/controllers/user/api/v1"
 rbacV1 "k8s.io/api/rbac/v1"
 )
@@ -45,13 +46,40 @@ func GetUsersNamespace(user string) string {
 return fmt.Sprintf("ns-%s", user)
 }
-func GetUserRole() []rbacV1.PolicyRule {
- return []rbacV1.PolicyRule{
- {
- APIGroups: []string{"*"},
- Resources: []string{"*"},
- Verbs: []string{"*"},
- },
+func GetUserRole(roleType userv1.UserRoleType) []rbacV1.PolicyRule {
+ switch roleType {
+ case userv1.OwnerRoleType:
+ return []rbacV1.PolicyRule{
+ {
+ APIGroups: []string{"*"},
+ Resources: []string{"*"},
+ Verbs: []string{"*"},
+ },
+ }
+ case userv1.ManagerRoleType:
+ return []rbacV1.PolicyRule{
+ {
+ APIGroups: []string{"*"},
+ Resources: []string{"*"},
+ Verbs: []string{"*"},
+ },
+ }
+ case userv1.DeveloperRoleType:
+ return []rbacV1.PolicyRule{
+ {
+ APIGroups: []string{"*"},
+ Resources: []string{"*"},
+ Verbs: []string{"list", "watch", "get"},
+ },
+ }
+ default:
+ return []rbacV1.PolicyRule{
+ {
+ APIGroups: []string{"*"},
+ Resources: []string{"*"},
+ Verbs: []string{"*"},
+ },
+ }
 }
 }
diff --git a/controllers/user/controllers/user_controller.go b/controllers/user/controllers/user_controller.go
index fe88e0477e8..0153fdcd1d0 100644
--- a/controllers/user/controllers/user_controller.go
+++ b/controllers/user/controllers/user_controller.go
@@ -33,7 +33,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/builder"
 "sigs.k8s.io/controller-runtime/pkg/predicate"
- v12 "k8s.io/api/rbac/v1"
+ rbacv1 "k8s.io/api/rbac/v1"
 "sigs.k8s.io/controller-runtime/pkg/handler"
 "sigs.k8s.io/controller-runtime/pkg/source"
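Review bot: The `default` branch of `GetUserRole` returns the same all-wildcard rule set as Owner, so any role type that is not one of the three constants (a typo, or a value added to the enum later without a matching case) silently receives full permissions in the namespace; an unknown role should grant nothing, e.g. `default:` / `return nil // unknown role type: grant nothing rather than everything`, which still lets CreateOrUpdate write a Role (with no rules) that a later fix can populate. The Owner and Manager cases are byte-identical and can be merged into `case userv1.OwnerRoleType, userv1.ManagerRoleType:` so a reader does not have to diff them to see that Manager is not restricted at all. The exported function also has no doc comment; `// GetUserRole returns the PolicyRules for the namespace Role of the given type: Owner and Manager get all verbs on all resources, Developer is read-only (list, watch, get).` would do.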
@@ -138,8 +138,8 @@ func (r *UserReconciler) SetupWithManager(mgr ctrl.Manager, opts utilcontroller.
 For(&userv1.User{}, builder.WithPredicates(
 predicate.Or(predicate.GenerationChangedPredicate{}, predicate.AnnotationChangedPredicate{}))).
 Watches(&source.Kind{Type: &v1.ServiceAccount{}}, owner).
- Watches(&source.Kind{Type: &v12.Role{}}, owner).
- Watches(&source.Kind{Type: &v12.RoleBinding{}}, owner).
+ Watches(&source.Kind{Type: &rbacv1.Role{}}, owner).
+ Watches(&source.Kind{Type: &rbacv1.RoleBinding{}}, owner).
 WithOptions(kubecontroller.Options{
 MaxConcurrentReconciles: utilcontroller.GetConcurrent(opts),
 RateLimiter: utilcontroller.GetRateLimiter(opts),
@@ -273,11 +273,20 @@ func (r *UserReconciler) syncRole(ctx context.Context, user *userv1.User) contex
 r.saveCondition(user, roleCondition.DeepCopy())
 }
 }()
+ //create three roles
+ r.createRole(ctx, roleCondition, user, userv1.OwnerRoleType)
+ r.createRole(ctx, roleCondition, user, userv1.ManagerRoleType)
+ r.createRole(ctx, roleCondition, user, userv1.DeveloperRoleType)
+
+ return ctx
+}
+
+func (r *UserReconciler) createRole(ctx context.Context, condition *userv1.Condition, user *userv1.User, roleType userv1.UserRoleType) {
 if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 var change controllerutil.OperationResult
 var err error
- role := &v12.Role{}
- role.Name = user.Name
+ role := &rbacv1.Role{}
+ role.Name = string(roleType)
 role.Namespace = config.GetUsersNamespace(user.Name)
 role.Labels = map[string]string{}
 if change, err = controllerutil.CreateOrUpdate(ctx, r.Client, role, func() error {
@@ -285,20 +294,20 @@ func (r *UserReconciler) syncRole(ctx context.Context, user *userv1.User) contex
 userAnnotationCreatorKey: user.Name,
 userAnnotationOwnerKey: user.Annotations[userAnnotationOwnerKey],
 }
- role.Rules = config.GetUserRole()
+ role.Rules = config.GetUserRole(roleType)
 return controllerutil.SetControllerReference(user, role, r.Scheme)
 }); err != nil {
 return fmt.Errorf("unable to create namespace role by User: %w", err)
 }
 r.Logger.V(1).Info("create or update namespace role by User", "OperationResult", change)
- roleCondition.Message = fmt.Sprintf("sync namespace role %s/%s successfully", role.Name, role.ResourceVersion)
+ condition.Message = fmt.Sprintf("sync namespace role %s/%s successfully", role.Name, role.ResourceVersion)
 return nil
 }); err != nil {
- helper.SetConditionError(roleCondition, "SyncUserError", err)
+ helper.SetConditionError(condition, "SyncUserError", err)
 r.Recorder.Eventf(user, v1.EventTypeWarning, "syncUserRole", "Sync User namespace role %s is error: %v", user.Name, err)
 }
- return ctx
 }
+
 func (r *UserReconciler) syncRoleBinding(ctx context.Context, user *userv1.User) context.Context {
 roleBindingConditionType := userv1.ConditionType("RoleBindingSyncReady")
 rbCondition := &userv1.Condition{
@@ -318,7 +327,7 @@ func (r *UserReconciler) syncRoleBinding(ctx context.Context, user *userv1.User)
 if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 var change controllerutil.OperationResult
 var err error
- roleBinding := &v12.RoleBinding{}
+ roleBinding := &rbacv1.RoleBinding{}
 roleBinding.Name = user.Name
 roleBinding.Namespace = config.GetUsersNamespace(user.Name)
 roleBinding.Labels = map[string]string{}
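Review bot: Now that a User owns three Roles, neither the wrapped error `unable to create namespace role by User: %w` nor the warning event `Sync User namespace role %s is error: %v` says which Role failed, so an operator reading Events or the condition cannot tell an Owner failure from a Developer one. Include the role type in both: `return fmt.Errorf("unable to create namespace role %s by User: %w", roleType, err)` and `r.Recorder.Eventf(user, v1.EventTypeWarning, "syncUserRole", "Sync User namespace role %s/%s is error: %v", user.Name, roleType, err)`. The `createRole` function starts in the previous hunk and ends here; `syncRoleBinding` starts here and continues past the hunk.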
@@ -327,10 +336,10 @@ func (r *UserReconciler) syncRoleBinding(ctx context.Context, user *userv1.User)
 userAnnotationCreatorKey: user.Name,
 userAnnotationOwnerKey: user.Annotations[userAnnotationOwnerKey],
 }
- roleBinding.RoleRef = v12.RoleRef{
- APIGroup: v12.GroupName,
+ roleBinding.RoleRef = rbacv1.RoleRef{
+ APIGroup: rbacv1.GroupName,
 Kind: "Role",
- Name: user.Name,
+ Name: string(userv1.OwnerRoleType),
 }
 roleBinding.Subjects = config.GetNewUsersSubject(user.Name)
 return controllerutil.SetControllerReference(user, roleBinding, r.Scheme)
diff --git a/controllers/user/go.mod b/controllers/user/go.mod
index bb232993217..593328de329 100644
--- a/controllers/user/go.mod
+++ b/controllers/user/go.mod
@@ -7,6 +7,7 @@ require (
 github.com/labring/operator-sdk v1.0.1
 github.com/onsi/ginkgo v1.16.5
 github.com/onsi/gomega v1.22.1
+ golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6
 k8s.io/api v0.25.6
 k8s.io/apimachinery v0.25.6
 k8s.io/client-go v0.25.6
diff --git a/controllers/user/go.sum b/controllers/user/go.sum
index 8a4f6f8fb04..bea6d791531 100644
--- a/controllers/user/go.sum
+++ b/controllers/user/go.sum
@@ -249,6 +249,7 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
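Review bot: Changing `Name` in `roleBinding.RoleRef` from `user.Name` to `string(userv1.OwnerRoleType)` cannot be applied to a RoleBinding that already exists: the Kubernetes API server treats a binding's `roleRef` as immutable and rejects updates that change it, so for every User reconciled before this commit `controllerutil.CreateOrUpdate` will fail on each reconcile and the binding keeps pointing at the old Role named after the user, which this code no longer manages. The retry closure should detect an existing binding whose `RoleRef.Name` is not the Owner role and delete it before the CreateOrUpdate so a fresh binding is created; the stale Role named `user.Name` (wildcard rules, still present in the namespace) is worth deleting at the same time rather than leaving it until the User is removed. Only the Owner Role is bound here; the Manager and Developer Roles created in `syncRole` have no binding in this commit, which is presumably intended for a follow-up but should be said in the description. `syncRoleBinding` starts before this hunk and its retry closure continues past it; `client` (controller-runtime) and `apierrors` (k8s.io/apimachinery/pkg/api/errors) may need importing.
```go
		roleBinding := &rbacv1.RoleBinding{}
		roleBinding.Name = user.Name
		roleBinding.Namespace = config.GetUsersNamespace(user.Name)
		// roleRef is immutable on the API server: a binding written by an older
		// controller version points at the Role named after the user and has to be
		// recreated, not updated.
		existing := &rbacv1.RoleBinding{}
		if err := r.Client.Get(ctx, client.ObjectKeyFromObject(roleBinding), existing); err == nil &&
			existing.RoleRef.Name != string(userv1.OwnerRoleType) {
			if err := r.Client.Delete(ctx, existing); err != nil && !apierrors.IsNotFound(err) {
				return err
			}
		}
		// … unchanged: CreateOrUpdate with labels, annotations, RoleRef and Subjects …
```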
@@ -537,6 +538,7 @@ golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
+golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6 h1:QE6XYQK6naiK1EPAe1g/ILLxN5RBoH5xkJk3CqlMI/Y=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
@@ -550,6 +552,7 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
diff --git a/go.work.sum b/go.work.sum
index ddc5781980c..2aa849f3a57 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -1855,6 +1855,7 @@ github.com/uwu-tools/magex v0.10.0/go.mod h1:TrSEhrL1xHfJVy6n05AUwFdcQndgwrbgL5y
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasthttp v1.40.0/go.mod h1:t/G+3rLek+CyY9bnIE+YlMRddxVAAGjhxndDB4i4C0I=
 github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
+github.com/vbauerster/mpb/v7 v7.5.3/go.mod h1:i+h4QY6lmLvBNK2ah1fSreiw3ajskRlBp9AhY/PnuOE=
 github.com/vbauerster/mpb/v8 v8.3.0/go.mod h1:bngtYUAu25QGxcYYglsF6oyoHlC9Yhh582xF9LjfmL4=
 github.com/vektah/gqlparser/v2 v2.4.5/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0=
 github.com/veraison/go-cose v1.0.0-rc.1/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
@@ -2370,6 +2371,7 @@ gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzW
 gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8=
 gopkg.in/telebot.v3 v3.0.0/go.mod h1:7rExV8/0mDDNu9epSrDm/8j22KLaActH1Tbee6YjzWg=
 gopkg.in/telebot.v3 v3.1.2/go.mod h1:GJKwwWqp9nSkIVN51eRKU78aB5f5OnQuWdwiIZfPbko=
+gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gorm.io/driver/postgres v1.3.5/go.mod h1:EGCWefLFQSVFrHGy4J8EtiHCWX5Q8t0yz2Jt9aKkGzU=