Merge remote-tracking branch 'origin/master' into add_script_to_export_kalm_resources

Author: kevinxzhang

.circleci/config.yml

@@ -1,6 +1,6 @@
 version: 2.1
 orbs:
-  hello-orb:  kalmhq-ns1/hello-orb@dev:0.0.1
+  hello-orb: kalmhq-ns1/hello-orb@dev:0.0.1
   deploy-orb: kalmhq-ns1/deploy-orb@dev:0.0.2
 jobs:
   test-dashboard:
@@ -148,6 +148,15 @@ jobs:
           KALM_APP: kalm-system
           KALM_COMPONENT: kalm
           KALM_COMPONENT_IMG_TAG: latest
+  deploy-auth-proxy:
+    executor: deploy-orb/default
+    steps:
+      - deploy-orb/deploy:
+          KALM_API_ADDRESS: https://dashboard.kapp.live
+          KALM_DEPLOY_KEY: $DEPLOY_KEY
+          KALM_APP: kalm-system
+          KALM_COMPONENT: auth-proxy
+          KALM_COMPONENT_IMG_TAG: latest
   deploy-controller:
     environment:
       IMAGE_NAME: quay.io/kalmhq/kalm-controller:latest
@@ -192,27 +201,35 @@ workflows:
       - build-dashboard-image:
           filters:
             branches:
-              only: 
-              - master
-              - orb
+              only:
+                - master
+                - orb
       - push-dashboard-image:
           context: kalm-ci
           requires:
             - test-dashboard
             - build-dashboard-image
           filters:
             branches:
-              only: 
-              - master
-              - orb
+              only:
+                - master
+                - orb
       - deploy-dashboard:
           context: deploy-demo-cluster
           requires:
             - push-dashboard-image
           filters:
             branches:
-              only: 
-              - master
+              only:
+                - master
+      - deploy-auth-proxy:
+          context: deploy-demo-cluster
+          requires:
+            - push-dashboard-image
+          filters:
+            branches:
+              only:
+                - master
   controller:
     jobs:
       - test-controller

api/cmd/auth-proxy/main.go

@@ -96,10 +96,6 @@ func removeExtAuthPathPrefix(path string) string {
 		path = path[len(ENVOY_EXT_AUTH_PATH_PREFIX)+1:]
 	}
 
-	if path == "" {
-		path = "/"
-	}
-
 	return path
 }
 
@@ -111,6 +107,10 @@ func getOriginalURL(c echo.Context) string {
 		requestURI = removeExtAuthPathPrefix(c.Request().RequestURI)
 	}
 
+	if requestURI == "" {
+		requestURI = "/"
+	}
+
 	ur := fmt.Sprintf("%s://%s%s", c.Scheme(), c.Request().Host, requestURI)
 	log.Debug("original url ", ur)
 	return ur
@@ -295,8 +295,11 @@ func handleSetIDToken(c echo.Context, idToken *oidc.IDToken, rawIDToken string)
 
 	requestURI := c.Request().Header.Get("X-Envoy-Original-Path")
 
+	log.Debugf("[Set ID Token] X-Envoy-Original-Path: %s", requestURI)
+
 	if requestURI == "" {
 		requestURI = removeExtAuthPathPrefix(c.Request().RequestURI)
+		log.Debugf("[Set ID Token] RawRequestURI: %s,  removeExtAuthPathPrefix: %s", c.Request().RequestURI, requestURI)
 	}
 
 	uri, err := url.Parse(requestURI)
@@ -309,6 +312,10 @@ func handleSetIDToken(c echo.Context, idToken *oidc.IDToken, rawIDToken string)
 	params.Del(ID_TOKEN_QUERY_NAME)
 	uri.RawQuery = params.Encode()
 
+	if uri.Path == "" {
+		uri.Path = "/"
+	}
+
 	return c.Redirect(302, uri.String())
 }
 
@@ -445,6 +452,19 @@ func handleOIDCCallback(c echo.Context) error {
 	return c.Redirect(302, uri.String())
 }
 
+func handleLog(c echo.Context) error {
+	level := c.QueryParam("level")
+
+	switch level {
+	case "debug":
+		log.SetLevel(log.DebugLevel)
+	default:
+		log.SetLevel(log.InfoLevel)
+	}
+
+	return c.NoContent(200)
+}
+
 func main() {
 	e := server.NewEchoInstance()
 
@@ -456,6 +476,8 @@ func main() {
 	e.GET("/"+ENVOY_EXT_AUTH_PATH_PREFIX+"/*", handleExtAuthz)
 	e.GET("/"+ENVOY_EXT_AUTH_PATH_PREFIX, handleExtAuthz)
 
+	e.POST("/log", handleLog)
+
 	e.Logger.Fatal(e.StartH2CServer("0.0.0.0:3002", &http2.Server{
 		MaxConcurrentStreams: 250,
 		MaxReadFrameSize:     1048576,

api/handler/auth.go

@@ -62,7 +62,7 @@ func (h *ApiHandler) handleLoginStatus(c echo.Context) error {
 		},
 	}
 
-	builder := resources.NewBuilder(k8sClient, clientConfig, h.logger)
+	builder := resources.NewBuilder(clientConfig, h.logger)
 
 	// If the user can create clusterrolebinding, the user is an admin.
 	err = builder.Create(review)

api/handler/handler.go

@@ -8,7 +8,6 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/client-go/kubernetes"
 )
 
 var (
@@ -120,23 +119,14 @@ func (h *ApiHandler) Install(e *echo.Echo) {
 
 // use user token and permission
 func (h *ApiHandler) Builder(c echo.Context) *resources.Builder {
-	k8sClient := getK8sClient(c)
 	k8sClientConfig := getK8sClientConfig(c)
-	return resources.NewBuilder(k8sClient, k8sClientConfig, h.logger)
+	return resources.NewBuilder(k8sClientConfig, h.logger)
 }
 
 // use server account name permission
 func (h *ApiHandler) KalmBuilder() *resources.Builder {
 	cfg := h.clientManager.ClusterConfig
-
-	k8sClient, err := kubernetes.NewForConfig(cfg)
-
-	if err != nil {
-		h.logger.Error("Can't get k8s Client")
-		return nil
-	}
-
-	return resources.NewBuilder(k8sClient, cfg, h.logger)
+	return resources.NewBuilder(cfg, h.logger)
 }
 
 func NewApiHandler(clientManager *client.ClientManager) *ApiHandler {

api/handler/https_cert_issuer.go

@@ -9,9 +9,8 @@ import (
 )
 
 func (h *ApiHandler) handleGetHttpsCertIssuer(c echo.Context) error {
-	k8sClient := getK8sClient(c)
 	k8sClientConfig := getK8sClientConfig(c)
-	builder := resources.NewBuilder(k8sClient, k8sClientConfig, h.logger)
+	builder := resources.NewBuilder(k8sClientConfig, h.logger)
 
 	httpsCertIssuers, err := builder.GetHttpsCertIssuerList()
 	if err != nil {
@@ -40,9 +39,8 @@ func (h *ApiHandler) handleCreateHttpsCertIssuer(c echo.Context) (err error) {
 
 	if httpsCertIssuer.ACMECloudFlare != nil {
 		// reconcile secret for this issuer
-		k8sClient := getK8sClient(c)
 		k8sClientConfig := getK8sClientConfig(c)
-		builder := resources.NewBuilder(k8sClient, k8sClientConfig, h.logger)
+		builder := resources.NewBuilder(k8sClientConfig, h.logger)
 
 		acmeSecretName := resources.GenerateSecretNameForACME(httpsCertIssuer)
 		err := builder.ReconcileSecretForIssuer(
@@ -69,7 +67,6 @@ func (h *ApiHandler) handleCreateHttpsCertIssuer(c echo.Context) (err error) {
 	return c.JSON(201, httpsCertIssuer)
 }
 
-
 func (h *ApiHandler) handleUpdateHttpsCertIssuer(c echo.Context) error {
 	httpsCertIssuer, err := getHttpsCertIssuerFromContext(c)
 	if err != nil {

api/handler/k8s.go

@@ -2,20 +2,21 @@ package handler
 
 import (
 	"github.com/labstack/echo/v4"
+	coreV1 "k8s.io/api/core/v1"
 )
 
 func (h *ApiHandler) handleGetPVs(c echo.Context) error {
-	k8sClient := getK8sClient(c)
-	list, err := k8sClient.CoreV1().PersistentVolumes().List(c.Request().Context(), ListAll)
+	var pvList coreV1.PersistentVolumeList
+	err := h.Builder(c).List(&pvList)
 	if err != nil {
 		return err
 	}
-	return c.JSON(200, list)
+	return c.JSON(200, pvList)
 }
 
 func (h *ApiHandler) handleGetNodes(c echo.Context) error {
-	k8sClient := getK8sClient(c)
-	list, err := k8sClient.CoreV1().Nodes().List(c.Request().Context(), ListAll)
+	var list coreV1.NodeList
+	err := h.Builder(c).List(&list)
 	if err != nil {
 		return err
 	}

api/handler/middleware.go

@@ -1,11 +1,8 @@
 package handler
 
 import (
-	"github.com/kalmhq/kalm/controller/api/v1alpha1"
 	"github.com/labstack/echo/v4"
-	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 )
 
@@ -39,16 +36,6 @@ func getK8sClient(c echo.Context) *kubernetes.Clientset {
 	return c.Get(KUBERNETES_CLIENT_CLIENT_KEY).(*kubernetes.Clientset)
 }
 
-func getKalmV1Alpha1Client(c echo.Context) (*rest.RESTClient, error) {
-	// copy a cfg
-	cfg := getK8sClientConfig(c)
-	cfg.ContentConfig.GroupVersion = &v1alpha1.GroupVersion
-	cfg.APIPath = "/apis"
-	cfg.NegotiatedSerializer = serializer.NewCodecFactory(scheme.Scheme)
-	cfg.UserAgent = rest.DefaultKubernetesUserAgent()
-	return rest.UnversionedRESTClientFor(cfg)
-}
-
 func getK8sClientConfig(c echo.Context) *rest.Config {
 	return c.Get(KUBERNETES_CLIENT_CONFIG_KEY).(*rest.Config)
 }

api/handler/pods.go

@@ -2,16 +2,16 @@ package handler
 
 import (
 	"github.com/labstack/echo/v4"
+	coreV1 "k8s.io/api/core/v1"
 	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"net/http"
 )
 
 func (h *ApiHandler) handleDeletePod(c echo.Context) error {
-	namespace := c.Param("namespace")
-	name := c.Param("name")
-	k8sClient := getK8sClient(c)
-
-	err := k8sClient.CoreV1().Pods(namespace).Delete(c.Request().Context(), name, metaV1.DeleteOptions{})
+	err := h.Builder(c).Delete(&coreV1.Pod{ObjectMeta: metaV1.ObjectMeta{
+		Namespace: c.Param("namespace"),
+		Name:      c.Param("name"),
+	}})
 
 	if err != nil {
 		return err

api/handler/webhook.go

@@ -7,7 +7,6 @@ import (
 	"github.com/kalmhq/kalm/controller/api/v1alpha1"
 	"github.com/kalmhq/kalm/controller/controllers"
 	"github.com/labstack/echo/v4"
-	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/tools/clientcmd/api"
 	"net/http"
@@ -51,13 +50,7 @@ func (h *ApiHandler) handleDeployWebhookCall(c echo.Context) error {
 		return err
 	}
 
-	deployKeyClient, err := kubernetes.NewForConfig(deployKeyConfig)
-
-	if err != nil {
-		return err
-	}
-
-	builder := resources.NewBuilder(deployKeyClient, deployKeyConfig, h.logger)
+	builder := resources.NewBuilder(deployKeyConfig, h.logger)
 
 	if builder == nil {
 		return fmt.Errorf("invalid deploy key")

api/main.go

@@ -2,9 +2,11 @@ package main
 
 import (
 	"context"
+	"golang.org/x/net/http2"
 	"log"
 	"os"
 	"sort"
+	"time"
 
 	_ "github.com/joho/godotenv/autoload"
 	"github.com/kalmhq/kalm/api/client"
@@ -113,5 +115,10 @@ func run(runningConfig *config.Config) {
 	// watcher.StartWatching(clientManager)
 
 	go resources.StartMetricScraper(context.Background(), clientManager)
-	e.Logger.Fatal(e.Start(runningConfig.GetServerAddress()))
+
+	e.Logger.Fatal(e.StartH2CServer(runningConfig.GetServerAddress(), &http2.Server{
+		MaxConcurrentStreams: 250,
+		MaxReadFrameSize:     1048576,
+		IdleTimeout:          60 * time.Second,
+	}))
 }