Install license handler to operator webhook server (#1194)

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Emruz Hossain <emruz@appscode.com>

Author: tamalsaha

go.mod

@@ -3,32 +3,17 @@ module stash.appscode.dev/stash
 go 1.12
 
 require (
-	cloud.google.com/go v0.56.0 // indirect
 	github.com/Azure/azure-sdk-for-go v43.0.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.10.2 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.8.3 // indirect
 	github.com/Azure/go-autorest/autorest/to v0.3.1-0.20191028180845-3492b2aff503 // indirect
 	github.com/appscode/go v0.0.0-20200323182826-54e98e09185a
 	github.com/aws/aws-sdk-go v1.31.9 // indirect
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/codeskyblue/go-sh v0.0.0-20190412065543-76bd3d59ff27
-	github.com/go-openapi/spec v0.19.7 // indirect
-	github.com/go-openapi/swag v0.19.9 // indirect
 	github.com/go-sql-driver/mysql v1.5.0
 	github.com/gogo/protobuf v1.3.1
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
-	github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 // indirect
-	github.com/googleapis/gnostic v0.4.0 // indirect
-	github.com/gophercloud/gophercloud v0.11.0 // indirect
 	github.com/gopherjs/gopherjs v0.0.0-20191106031601-ce3c9ade29de // indirect
-	github.com/grpc-ecosystem/grpc-gateway v1.14.6 // indirect
-	github.com/hashicorp/golang-lru v0.5.4 // indirect
-	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
-	github.com/kr/pretty v0.2.0 // indirect
 	github.com/kubernetes-csi/external-snapshotter/v2 v2.1.1-0.20200521091436-82ef6e66e992
-	github.com/mailru/easyjson v0.7.1 // indirect
-	github.com/mattn/go-colorable v0.1.6 // indirect
-	github.com/mitchellh/mapstructure v1.2.2 // indirect
 	github.com/onsi/ginkgo v1.11.0
 	github.com/onsi/gomega v1.8.1
 	github.com/opencontainers/go-digest v1.0.0 // indirect
@@ -40,29 +25,20 @@ require (
 	github.com/spf13/afero v1.2.2
 	github.com/spf13/cobra v0.0.5
 	github.com/spf13/pflag v1.0.5
-	go.bytebuilders.dev/license-verifier/kubernetes v0.2.2
+	go.bytebuilders.dev/license-verifier/kubernetes v0.3.0
 	go.opencensus.io v0.22.2 // indirect
-	go.uber.org/atomic v1.6.0 // indirect
-	go.uber.org/zap v1.13.0 // indirect
-	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a // indirect
-	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
-	golang.org/x/tools v0.0.0-20200603131246-cc40288be839 // indirect
 	gomodules.xyz/cert v1.0.3
 	gomodules.xyz/envsubst v0.1.0
 	gomodules.xyz/stow v0.2.3
 	google.golang.org/api v0.26.0 // indirect
-	google.golang.org/appengine v1.6.6 // indirect
-	google.golang.org/genproto v0.0.0-20200603110839-e855014d5736 // indirect
 	gopkg.in/ini.v1 v1.51.0
-	gopkg.in/yaml.v2 v2.3.0 // indirect
 	k8s.io/api v0.18.3
 	k8s.io/apiextensions-apiserver v0.18.3
 	k8s.io/apimachinery v0.18.8
 	k8s.io/apiserver v0.18.3
 	k8s.io/client-go v12.0.0+incompatible
 	k8s.io/kube-aggregator v0.18.3
 	k8s.io/kubernetes v1.18.3
-	k8s.io/utils v0.0.0-20200414100711-2df71ebbae66 // indirect
 	kmodules.xyz/client-go v0.0.0-20200915091229-7df16c29f4e8
 	kmodules.xyz/constants v0.0.0-20200506032633-a21e58ceec72
 	kmodules.xyz/custom-resources v0.0.0-20200604135349-9e9f5c4fdba9
@@ -71,11 +47,9 @@ require (
 	kmodules.xyz/openshift v0.0.0-20200522123204-ce4abf5433c8
 	kmodules.xyz/prober v0.0.0-20200521101241-adf06150535c
 	kmodules.xyz/webhook-runtime v0.0.0-20200522123600-ca70a7e28ed0
-	stash.appscode.dev/apimachinery v0.10.1-0.20200914045248-546ceea96940
+	stash.appscode.dev/apimachinery v0.10.1-0.20200916073701-0189ba363808
 )
 
-// release-1.18
-
 replace bitbucket.org/ww/goautoneg => gomodules.xyz/goautoneg v0.0.0-20120707110453-a547fc61f48d
 
 replace cloud.google.com/go => cloud.google.com/go v0.49.0

go.sum

@@ -36,6 +36,7 @@ import (
 
 type ExtraOptions struct {
 	LicenseFile             string
+	LicenseApiService       string
 	StashImage              string
 	StashImageTag           string
 	DockerRegistry          string
@@ -74,6 +75,7 @@ func (s *ExtraOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.DockerRegistry, "docker-registry", s.DockerRegistry, "Docker image registry for sidecar, init-container, check-job, recovery-job and kubectl-job")
 	fs.StringSliceVar(&s.ImagePullSecrets, "image-pull-secrets", s.ImagePullSecrets, "List of image pull secrets for pulling image from private registries")
 	fs.StringVar(&s.LicenseFile, "license-file", s.LicenseFile, "Path to license file")
+	fs.StringVar(&s.LicenseApiService, "license-apiservice", s.LicenseApiService, "Name of the ApiService to use by the addons to identify the respective service and certificate for license verification request")
 
 	fs.Float64Var(&s.QPS, "qps", s.QPS, "The maximum QPS to the master from this client")
 	fs.IntVar(&s.Burst, "burst", s.Burst, "The maximum burst for throttle")
@@ -90,6 +92,8 @@ func (s *ExtraOptions) AddFlags(fs *pflag.FlagSet) {
 func (s *ExtraOptions) ApplyTo(cfg *controller.Config) error {
 	var err error
 
+	cfg.LicenseFile = s.LicenseFile
+	cfg.LicenseApiService = s.LicenseApiService
 	cfg.StashImage = s.StashImage
 	cfg.StashImageTag = s.StashImageTag
 	cfg.DockerRegistry = s.DockerRegistry

pkg/cmds/server/options.go

@@ -287,6 +287,11 @@ func (c *StashController) ensureBackupJob(invoker apis.Invoker, targetInfo apis.
 	if err != nil {
 		return err
 	}
+	// Give the ServiceAccount permission to send request to the license handler
+	err = stash_rbac.EnsureLicenseReaderClusterRoleBinding(c.kubeClient, invoker.OwnerRef, invoker.ObjectMeta.Namespace, serviceAccountName, invoker.Labels)
+	if err != nil {
+		return err
+	}
 
 	// if the Stash is using a private registry, then ensure the image pull secrets
 	var imagePullSecrets []core.LocalObjectReference
@@ -327,6 +332,8 @@ func (c *StashController) ensureBackupJob(invoker apis.Invoker, targetInfo apis.
 	implicitInputs[apis.StashDockerRegistry] = c.DockerRegistry
 	implicitInputs[apis.StashDockerImage] = c.StashImage
 	implicitInputs[apis.StashImageTag] = c.StashImageTag
+	// license related inputs
+	implicitInputs[apis.LicenseApiService] = c.LicenseApiService
 
 	taskResolver := resolve.TaskResolver{
 		StashClient:     c.stashClient,

pkg/controller/backup_session.go

@@ -44,6 +44,8 @@ const (
 )
 
 type config struct {
+	LicenseFile             string
+	LicenseApiService       string
 	StashImage              string
 	StashImageTag           string
 	DockerRegistry          string

pkg/controller/config.go

@@ -486,6 +486,11 @@ func (c *StashController) ensureRestoreJob(invoker apis.RestoreInvoker, index in
 	if err != nil {
 		return err
 	}
+	// Give the ServiceAccount permission to send request to the license handler
+	err = stash_rbac.EnsureLicenseReaderClusterRoleBinding(c.kubeClient, invoker.OwnerRef, invoker.ObjectMeta.Namespace, serviceAccountName, invoker.Labels)
+	if err != nil {
+		return err
+	}
 
 	// if the Stash is using a private registry, then ensure the image pull secrets
 	var imagePullSecrets []core.LocalObjectReference
@@ -662,6 +667,8 @@ func (c *StashController) resolveRestoreTask(invoker apis.RestoreInvoker, reposi
 	implicitInputs[apis.StashDockerRegistry] = c.DockerRegistry
 	implicitInputs[apis.StashDockerImage] = c.StashImage
 	implicitInputs[apis.StashImageTag] = c.StashImageTag
+	// license related inputs
+	implicitInputs[apis.LicenseApiService] = c.LicenseApiService
 
 	taskResolver := resolve.TaskResolver{
 		StashClient:     c.stashClient,

pkg/controller/restore_session.go

@@ -290,3 +290,28 @@ func EnsureRepoReaderRolebindingDeleted(kubeClient kubernetes.Interface, stashCl
 	glog.Infof("Deleted repo-reader rolebinding: " + GetRepoReaderRoleBindingName(meta.Name, meta.Namespace))
 	return nil
 }
+
+func EnsureLicenseReaderClusterRoleBinding(kc kubernetes.Interface, owner *metav1.OwnerReference, namespace, sa string, labels map[string]string) error {
+	meta := metav1.ObjectMeta{
+		Name:   meta_util.NameWithSuffix(apis.LicenseReader, sa),
+		Labels: labels,
+	}
+	_, _, err := rbac_util.CreateOrPatchClusterRoleBinding(context.TODO(), kc, meta, func(in *rbac.ClusterRoleBinding) *rbac.ClusterRoleBinding {
+		core_util.EnsureOwnerReference(&in.ObjectMeta, owner)
+
+		in.RoleRef = rbac.RoleRef{
+			APIGroup: rbac.GroupName,
+			Kind:     apis.KindClusterRole,
+			Name:     apis.LicenseReader,
+		}
+		in.Subjects = []rbac.Subject{
+			{
+				Kind:      rbac.ServiceAccountKind,
+				Name:      sa,
+				Namespace: namespace,
+			},
+		}
+		return in
+	}, metav1.PatchOptions{})
+	return err
+}

pkg/rbac/jobs.go

@@ -30,6 +30,7 @@ import (
 	"stash.appscode.dev/stash/pkg/eventer"
 	snapregistry "stash.appscode.dev/stash/pkg/registry/snapshot"
 
+	license "go.bytebuilders.dev/license-verifier/kubernetes"
 	admission "k8s.io/api/admission/v1beta1"
 	core "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -127,6 +128,9 @@ func (c completedConfig) New() (*StashServer, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	license.NewLicenseEnforcer(c.ExtraConfig.ClientConfig, c.ExtraConfig.LicenseFile).Install(genericServer.Handler.NonGoRestfulMux)
+
 	ctrl, err := c.ExtraConfig.New()
 	if err != nil {
 		return nil, err

pkg/server/server.go

@@ -0,0 +1,37 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+
+/bin
+/.go
+
+/.idea
+/.markdownlint.json
+/.vscode
+/apiserver.local.config
+/coverage.txt
+/dist
+/hack/config/.env
+/test/e2e/junit.xml
+/test/e2e/report.xml
+
+.terraform
+*.tfstate*