User (#7)

* feat: expose mongo uri. (labring#3586) * expose mongo uri env. * feat: operation request -> rolebinding (sa <-> role) * feat: operation request -> rolebinding (sa <-> role) * feat: operation request --------- Co-authored-by: yy <56745951+lingdie@users.noreply.github.com>
lingdie · Jul 26, 2023 · ac682d9 · ac682d9
1 parent 59e7dd1
commit ac682d9
Show file tree

Hide file tree

Showing 21 changed files with 1,225 additions and 32 deletions.
diff --git a/controllers/licenseissuer/deploy/manifests/customconfig.yaml.tmpl b/controllers/licenseissuer/deploy/manifests/customconfig.yaml.tmpl
diff --git a/controllers/user/PROJECT b/controllers/user/PROJECT
@@ -16,4 +16,13 @@ resources:
     defaulting: true
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: sealos.io
+  group: user
+  kind: Operationrequest
+  path: github.com/labring/sealos/controllers/user/api/v1
+  version: v1
 version: "3"
diff --git a/controllers/user/api/v1/operationrequest_types.go b/controllers/user/api/v1/operationrequest_types.go
@@ -0,0 +1,89 @@
+/*
+Copyright 2022 labring.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// OperationrequestSpec defines the desired state of Operationrequest
+type OperationrequestSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+	Username  string `json:"username,omitempty"`
+	Namespace string `json:"namespace,omitempty"`
+	// +kubebuilder:validation:Enum=Owner;Manager;Developer
+	Type string `json:"type,omitempty"`
+	// +kubebuilder:validation:Enum=Grant;Update;Deprive
+	Action ActionType `json:"action,omitempty"` //TODO action可能要加个 update 用于更新rolebinding
+}
+type ActionType string
+
+const (
+	Grant   ActionType = "Grant"
+	Update  ActionType = "Update"
+	Deprive ActionType = "Deprive"
+)
+
+const ExpirationTime string = "3m"
+
+// OperationrequestStatus defines the observed state of Operationrequest
+type OperationrequestStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// Phase is the recently observed lifecycle phase of user
+	//+kubebuilder:default:=Unknown
+	Phase RequestPhase `json:"phase,omitempty"`
+}
+
+type RequestPhase string
+
+// These are the valid phases of node.
+const (
+	RequestPending RequestPhase = "Pending"
+	RequestUnknown RequestPhase = "Unknown"
+	RequestActive  RequestPhase = "Active"
+)
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// Operationrequest is the Schema for the operationrequests API
+type Operationrequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   OperationrequestSpec   `json:"spec,omitempty"`
+	Status OperationrequestStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// OperationrequestList contains a list of Operationrequest
+type OperationrequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Operationrequest `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Operationrequest{}, &OperationrequestList{})
+}
diff --git a/controllers/user/api/v1/zz_generated.deepcopy.go b/controllers/user/api/v1/zz_generated.deepcopy.go
diff --git a/controllers/user/config/crd/bases/user.sealos.io_operationrequests.yaml b/controllers/user/config/crd/bases/user.sealos.io_operationrequests.yaml
@@ -0,0 +1,69 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.10.0
+  creationTimestamp: null
+  name: operationrequests.user.sealos.io
+spec:
+  group: user.sealos.io
+  names:
+    kind: Operationrequest
+    listKind: OperationrequestList
+    plural: operationrequests
+    singular: operationrequest
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: Operationrequest is the Schema for the operationrequests API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: OperationrequestSpec defines the desired state of Operationrequest
+            properties:
+              action:
+                enum:
+                - Grant
+                - Update
+                - Deprive
+                type: string
+              namespace:
+                type: string
+              type:
+                enum:
+                - Owner
+                - Manager
+                - Developer
+                type: string
+              username:
+                description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+                  Important: Run "make" to regenerate code after modifying this file'
+                type: string
+            type: object
+          status:
+            description: OperationrequestStatus defines the observed state of Operationrequest
+            properties:
+              phase:
+                default: Unknown
+                description: Phase is the recently observed lifecycle phase of user
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/controllers/user/config/crd/kustomization.yaml b/controllers/user/config/crd/kustomization.yaml
@@ -3,6 +3,7 @@
 # It should be run by config/default
 resources:
 - bases/user.sealos.io_users.yaml
+- bases/user.sealos.io_operationrequests.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
@@ -14,6 +15,7 @@ patchesStrategicMerge:
 #- patches/webhook_in_usergroupuserbindings.yaml
 #- patches/webhook_in_usergroupnamespacebindings.yaml
 #- patches/webhook_in_usergroupbindings.yaml
+#- patches/webhook_in_operationrequests.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
@@ -24,6 +26,7 @@ patchesStrategicMerge:
 #- patches/cainjection_in_usergroupuserbindings.yaml
 #- patches/cainjection_in_usergroupnamespacebindings.yaml
 #- patches/cainjection_in_usergroupbindings.yaml
+#- patches/cainjection_in_operationrequests.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

diff --git a/controllers/user/config/crd/patches/cainjection_in_operationrequests.yaml b/controllers/user/config/crd/patches/cainjection_in_operationrequests.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: operationrequests.user.sealos.io
diff --git a/controllers/user/config/crd/patches/webhook_in_operationrequests.yaml b/controllers/user/config/crd/patches/webhook_in_operationrequests.yaml
@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: operationrequests.user.sealos.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1
diff --git a/controllers/user/config/rbac/operationrequest_editor_role.yaml b/controllers/user/config/rbac/operationrequest_editor_role.yaml
@@ -0,0 +1,31 @@
+# permissions for end users to edit operationrequests.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: operationrequest-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: user
+    app.kubernetes.io/part-of: user
+    app.kubernetes.io/managed-by: kustomize
+  name: operationrequest-editor-role
+rules:
+- apiGroups:
+  - user.sealos.io
+  resources:
+  - operationrequests
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - user.sealos.io
+  resources:
+  - operationrequests/status
+  verbs:
+  - get