登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
开源项目 > 服务器应用 > 容器/虚拟机 &&
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
36 Star 395 Fork 71

GVPrancher / rancher

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
project_cluster_handler.go 7.77 KB
一键复制 编辑 原始数据 按行查看 历史
Craig Jellick 提交于 2018-04-20 10:12 . Condition on cluster for initial role population
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295
package auth



import (

	"reflect"



	"github.com/pkg/errors"

	"github.com/rancher/norman/condition"

	corev1 "github.com/rancher/types/apis/core/v1"

	"github.com/rancher/types/apis/management.cattle.io/v3"

	"github.com/rancher/types/config"

	"github.com/sirupsen/logrus"

	v12 "k8s.io/api/core/v1"

	apierrors "k8s.io/apimachinery/pkg/api/errors"

	"k8s.io/apimachinery/pkg/api/meta"

	"k8s.io/apimachinery/pkg/apis/meta/v1"

	"k8s.io/apimachinery/pkg/labels"

	"k8s.io/apimachinery/pkg/runtime"

)



const (

	creatorIDAnn                  = "field.cattle.io/creatorId"

	creatorOwnerBindingAnnotation = "authz.management.cattle.io/creator-owner-binding"

)



var defaultProjectLabels = labels.Set(map[string]string{"authz.management.cattle.io/default-project": "true"})

var crtbCeatorOwnerAnnotations = map[string]string{creatorOwnerBindingAnnotation: "true"}



func newPandCLifecycles(management *config.ManagementContext) (*projectLifecycle, *clusterLifecycle) {

	m := &mgr{

		mgmt:          management,

		nsLister:      management.Core.Namespaces("").Controller().Lister(),

		prtbLister:    management.Management.ProjectRoleTemplateBindings("").Controller().Lister(),

		crtbLister:    management.Management.ClusterRoleTemplateBindings("").Controller().Lister(),

		projectLister: management.Management.Projects("").Controller().Lister(),

	}

	p := &projectLifecycle{

		mgr: m,

	}

	c := &clusterLifecycle{

		mgr: m,

	}

	return p, c

}



type projectLifecycle struct {

	mgr *mgr

}



func (l *projectLifecycle) sync(key string, orig *v3.Project) error {

	if orig == nil {

		return nil

	}



	obj := orig.DeepCopyObject()



	obj, err := l.mgr.reconcileResourceToNamespace(obj)

	if err != nil {

		return err

	}



	obj, err = l.mgr.reconcileCreatorRTB(obj)

	if err != nil {

		return err

	}



	// update if it has changed

	if obj != nil && !reflect.DeepEqual(orig, obj) {

		_, err = l.mgr.mgmt.Management.Projects("").ObjectClient().Update(orig.Name, obj)

		if err != nil {

			return err

		}

	}

	return err

}



func (l *projectLifecycle) Create(obj *v3.Project) (*v3.Project, error) {

	// no-op because the sync function will take care of it

	return obj, nil

}



func (l *projectLifecycle) Updated(obj *v3.Project) (*v3.Project, error) {

	// no-op because the sync function will take care of it

	return obj, nil

}



func (l *projectLifecycle) Remove(obj *v3.Project) (*v3.Project, error) {

	err := l.mgr.deleteNamespace(obj)

	return obj, err

}



type clusterLifecycle struct {

	mgr *mgr

}



func (l *clusterLifecycle) sync(key string, orig *v3.Cluster) error {

	if orig == nil {

		return nil

	}



	obj := orig.DeepCopyObject()

	obj, err := l.mgr.reconcileResourceToNamespace(obj)

	if err != nil {

		return err

	}



	obj, err = l.mgr.createDefaultProject(obj)

	if err != nil {

		return err

	}



	obj, err = l.mgr.reconcileCreatorRTB(obj)

	if err != nil {

		return err

	}



	// update if it has changed

	if obj != nil && !reflect.DeepEqual(orig, obj) {

		_, err = l.mgr.mgmt.Management.Clusters("").ObjectClient().Update(orig.Name, obj)

		if err != nil {

			return err

		}

	}

	return err

}



func (l *clusterLifecycle) Create(obj *v3.Cluster) (*v3.Cluster, error) {

	// no-op because the sync function will take care of it

	return obj, nil

}



func (l *clusterLifecycle) Updated(obj *v3.Cluster) (*v3.Cluster, error) {

	// no-op because the sync function will take care of it

	return obj, nil

}



func (l *clusterLifecycle) Remove(obj *v3.Cluster) (*v3.Cluster, error) {

	err := l.mgr.deleteNamespace(obj)

	return obj, err

}



type mgr struct {

	mgmt          *config.ManagementContext

	nsLister      corev1.NamespaceLister

	projectLister v3.ProjectLister



	prtbLister v3.ProjectRoleTemplateBindingLister

	crtbLister v3.ClusterRoleTemplateBindingLister

}



func (m *mgr) createDefaultProject(obj runtime.Object) (runtime.Object, error) {

	return v3.ClusterConditionconditionDefautlProjectCreated.DoUntilTrue(obj, func() (runtime.Object, error) {

		metaAccessor, err := meta.Accessor(obj)

		if err != nil {

			return obj, err

		}



		projects, err := m.projectLister.List(metaAccessor.GetName(), defaultProjectLabels.AsSelector())

		if err != nil {

			return obj, err

		}

		if len(projects) > 0 {

			return obj, nil

		}



		creatorID, ok := metaAccessor.GetAnnotations()[creatorIDAnn]

		if !ok {

			logrus.Warnf("Cluster %v has no creatorId annotation. Cannot create default project", metaAccessor.GetName())

			return obj, nil

		}



		_, err = m.mgmt.Management.Projects(metaAccessor.GetName()).Create(&v3.Project{

			ObjectMeta: v1.ObjectMeta{

				GenerateName: "project-",

				Annotations: map[string]string{

					creatorIDAnn: creatorID,

				},

				Labels: defaultProjectLabels,

			},

			Spec: v3.ProjectSpec{

				DisplayName: "Default",

				Description: "Default project created for the cluster",

				ClusterName: metaAccessor.GetName(),

			},

		})



		return obj, err

	})

}



func (m *mgr) reconcileCreatorRTB(obj runtime.Object) (runtime.Object, error) {

	return v3.CreatorMadeOwner.DoUntilTrue(obj, func() (runtime.Object, error) {

		metaAccessor, err := meta.Accessor(obj)

		if err != nil {

			return obj, err

		}



		typeAccessor, err := meta.TypeAccessor(obj)

		if err != nil {

			return obj, err

		}



		creatorID, ok := metaAccessor.GetAnnotations()[creatorIDAnn]

		if !ok {

			logrus.Warnf("%v %v has no creatorId annotation. Cannot add creator as owner", typeAccessor.GetKind(), metaAccessor.GetName())

			return obj, nil

		}



		rtbName := "creator"

		om := v1.ObjectMeta{

			Name:      rtbName,

			Namespace: metaAccessor.GetName(),

		}



		switch typeAccessor.GetKind() {

		case v3.ProjectGroupVersionKind.Kind:

			if rtb, _ := m.prtbLister.Get(metaAccessor.GetName(), rtbName); rtb != nil {

				return obj, nil

			}

			if _, err := m.mgmt.Management.ProjectRoleTemplateBindings(metaAccessor.GetName()).Create(&v3.ProjectRoleTemplateBinding{

				ObjectMeta:       om,

				ProjectName:      metaAccessor.GetNamespace() + ":" + metaAccessor.GetName(),

				RoleTemplateName: "project-owner",

				UserName:         creatorID,

			}); err != nil {

				return obj, err

			}

		case v3.ClusterGroupVersionKind.Kind:

			if rtb, _ := m.crtbLister.Get(metaAccessor.GetName(), rtbName); rtb != nil {

				return obj, nil

			}

			om.Annotations = crtbCeatorOwnerAnnotations

			if _, err := m.mgmt.Management.ClusterRoleTemplateBindings(metaAccessor.GetName()).Create(&v3.ClusterRoleTemplateBinding{

				ObjectMeta:       om,

				ClusterName:      metaAccessor.GetName(),

				RoleTemplateName: "cluster-owner",

				UserName:         creatorID,

			}); err != nil {

				return obj, err

			}

		}



		return obj, nil

	})

}



func (m *mgr) deleteNamespace(obj runtime.Object) error {

	o, err := meta.Accessor(obj)

	if err != nil {

		return condition.Error("MissingMetadata", err)

	}



	nsClient := m.mgmt.K8sClient.CoreV1().Namespaces()

	ns, err := nsClient.Get(o.GetName(), v1.GetOptions{})

	if apierrors.IsNotFound(err) {

		return nil

	}

	if ns.Status.Phase != v12.NamespaceTerminating {

		err = nsClient.Delete(o.GetName(), nil)

		if apierrors.IsNotFound(err) {

			return nil

		}

	}

	return err

}



func (m *mgr) reconcileResourceToNamespace(obj runtime.Object) (runtime.Object, error) {

	return v3.NamespaceBackedResource.Do(obj, func() (runtime.Object, error) {

		o, err := meta.Accessor(obj)

		if err != nil {

			return obj, condition.Error("MissingMetadata", err)

		}

		t, err := meta.TypeAccessor(obj)

		if err != nil {

			return obj, condition.Error("MissingTypeMetadata", err)

		}



		ns, _ := m.nsLister.Get("", o.GetName())

		if ns == nil {

			nsClient := m.mgmt.K8sClient.CoreV1().Namespaces()

			_, err := nsClient.Create(&v12.Namespace{

				ObjectMeta: v1.ObjectMeta{

					Name: o.GetName(),

					Annotations: map[string]string{

						"management.cattle.io/system-namespace": "true",

					},

				},

			})

			if err != nil {

				return obj, condition.Error("NamespaceCreationFailure", errors.Wrapf(err, "failed to create namespace for %v %v", t.GetKind(), o.GetName()))

			}

		}



		return obj, nil

	})

}
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/rancher/rancher.git
git@gitee.com:rancher/rancher.git
rancher
rancher
rancher
v2.0.3-rc1
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部
344bd9b3 5694891 D2dac590 5694891