[ACM-10865] fine-grain-rbac tech-preview (stolostron#1401)

* fine-grain-rbac tech-preview rebase Signed-off-by: Subbarao Meduri <[email protected]> * fix go.sum, address review comments Signed-off-by: Subbarao Meduri <[email protected]> * fix unit tests, special case acm_managed_cluster_labels, address comments Signed-off-by: Subbarao Meduri <[email protected]> --------- Signed-off-by: Subbarao Meduri <[email protected]>
coleenquadros · Jun 18, 2024 · 448fe48 · 448fe48
1 parent c8d3cd4
commit 448fe48
Show file tree

Hide file tree

Showing 9 changed files with 676 additions and 135 deletions.
diff --git a/go.mod b/go.mod
@@ -35,6 +35,7 @@ require (
 	github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace
 	github.com/stolostron/multiclusterhub-operator v0.0.0-20240507130539-00cf6ee9f650
 	github.com/stolostron/observatorium-operator v0.0.0-20240521155951-b4302d25bd18
+	github.com/stolostron/rbac-api-utils v0.0.0-20240404212618-7f57fc664256
 	github.com/stretchr/testify v1.9.0
 	github.com/thanos-io/thanos v0.35.0
 	go.uber.org/zap v1.27.0

diff --git a/go.sum b/go.sum
@@ -3052,6 +3052,8 @@ github.com/stolostron/multiclusterhub-operator v0.0.0-20240507130539-00cf6ee9f65
 github.com/stolostron/multiclusterhub-operator v0.0.0-20240507130539-00cf6ee9f650/go.mod h1:fVXNVgAb4lcyAurs9qi3UG5bkpRCO2hYmEkj9s9++MY=
 github.com/stolostron/observatorium-operator v0.0.0-20240521155951-b4302d25bd18 h1:E/PNsOae69+k4zpbKfXQYrI14fEQSKPjv+yP8eSHOV4=
 github.com/stolostron/observatorium-operator v0.0.0-20240521155951-b4302d25bd18/go.mod h1:fFyJt9/dkQ1/4NxiW4CjH4lj7brxGlkA4SscxoLfzYY=
+github.com/stolostron/rbac-api-utils v0.0.0-20240404212618-7f57fc664256 h1:BeTUZoAkKzPKSH0sG4a9PaakKHuJ0h9Cks9joBn3Ns8=
+github.com/stolostron/rbac-api-utils v0.0.0-20240404212618-7f57fc664256/go.mod h1:zYGYkVgY+sL501na1x5RDCKMrHD+JAwb6oRFU8e9XlU=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=

diff --git a/...servability/controllers/multiclusterobservability/multiclusterobservability_controller.go b/...servability/controllers/multiclusterobservability/multiclusterobservability_controller.go
@@ -246,7 +246,7 @@ func (r *MultiClusterObservabilityReconciler) Reconcile(ctx context.Context, req
 	// set operand names to cover the upgrade case since we have name changed in new release
 	err = config.SetOperandNames(r.Client)
 	if err != nil {
-		return *result, err
+		return ctrl.Result{}, err
 	}
 	instance.Spec.StorageConfig.StorageClass = storageClassSelected
 	// Render the templates with a specified CR

diff --git a/proxy/cmd/main.go b/proxy/cmd/main.go
@@ -59,12 +59,13 @@ func main() {
 	klog.Infof("metrics server is: %s", cfg.metricServer)
 	klog.Infof("kubeconfig is: %s", cfg.kubeconfigLocation)
 
-	clusterClient, err := clusterclientset.NewForConfig(config.GetConfigOrDie())
+	kubeConfig := config.GetConfigOrDie()
+	clusterClient, err := clusterclientset.NewForConfig(kubeConfig)
 	if err != nil {
 		klog.Fatalf("failed to initialize new cluster clientset: %v", err)
 	}
 
-	kubeClient, err := kubernetes.NewForConfig(config.GetConfigOrDie())
+	kubeClient, err := kubernetes.NewForConfig(kubeConfig)
 	if err != nil {
 		klog.Fatalf("failed to initialize new kubernetes client: %v", err)
 	}
@@ -80,6 +81,10 @@ func main() {
 		}
 	}
 
+	if err := util.InitAccessReviewer(kubeConfig); err != nil {
+		klog.Fatalf("failed to Initialize Access Reviewer: %v", err)
+	}
+
 	// watch all managed clusters
 	go util.WatchManagedCluster(clusterClient, kubeClient)
 	go util.WatchManagedClusterLabelAllowList(kubeClient)

diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go
@@ -19,7 +19,8 @@ const (
 	ManagedClusterLabelAllowListConfigMapKey  = "managed_cluster.yaml"
 	ManagedClusterLabelAllowListNamespace     = "open-cluster-management-observability"
 
-	RBACProxyLabelMetricName = "acm_label_names"
+	RBACProxyLabelMetricName              = "acm_label_names"
+	ACMManagedClusterLabelNamesMetricName = "acm_managed_cluster_labels"
 )
 
 var (
@@ -61,6 +62,10 @@ func GetRBACProxyLabelMetricName() string {
 	return RBACProxyLabelMetricName
 }
 
+func GetACMManagedClusterLabelNamesMetricName() string {
+	return ACMManagedClusterLabelNamesMetricName
+}
+
 // CreateManagedClusterLabelAllowListCM creates a managedcluster label allowlist configmap object.
 func CreateManagedClusterLabelAllowListCM(namespace string) *v1.ConfigMap {
 	return &v1.ConfigMap{

diff --git a/proxy/pkg/proxy/proxy.go b/proxy/pkg/proxy/proxy.go
@@ -44,16 +44,7 @@ func shouldModifyAPISeriesResponse(res http.ResponseWriter, req *http.Request) b
 		if strings.Contains(string(body), proxyconfig.GetRBACProxyLabelMetricName()) {
 			managedLabelList := proxyconfig.GetManagedClusterLabelList()
 
-			query := `{"status":"success","data":[`
-			for index, label := range managedLabelList.RegexLabelList {
-				query += `{"__name__":"` + proxyconfig.GetRBACProxyLabelMetricName() + `","label_name":"` + label + `"}`
-
-				if index != len(managedLabelList.RegexLabelList)-1 {
-					query += ","
-				}
-			}
-			query += `]}`
-
+			query := createQueryResponse(managedLabelList.RegexLabelList, proxyconfig.GetRBACProxyLabelMetricName())
 			_, err = res.Write([]byte(query))
 			if err == nil {
 				return true
@@ -69,6 +60,18 @@ func shouldModifyAPISeriesResponse(res http.ResponseWriter, req *http.Request) b
 	return false
 }
 
+func createQueryResponse(labels []string, metricName string) string {
+	query := `{"status":"success","data":[`
+	for index, label := range labels {
+		query += `{"__name__":"` + metricName + `","label_name":"` + label + `"}`
+		if index != len(labels)-1 {
+			query += ","
+		}
+	}
+	query += `]}`
+	return query
+}
+
 // HandleRequestAndRedirect is used to init proxy handler.
 func HandleRequestAndRedirect(res http.ResponseWriter, req *http.Request) {
 	if preCheckRequest(req) != nil {
@@ -104,7 +107,7 @@ func HandleRequestAndRedirect(res http.ResponseWriter, req *http.Request) {
 	req.Header.Set("X-Forwarded-Host", req.Header.Get("Host"))
 	req.Host = serverURL.Host
 	req.URL.Path = path.Join(basePath, req.URL.Path)
-	util.ModifyMetricsQueryParams(req, config.GetConfigOrDie().Host+projectsAPIPath)
+	util.ModifyMetricsQueryParams(req, config.GetConfigOrDie().Host+projectsAPIPath, util.GetAccessReviewer())
 	proxy.ServeHTTP(res, req)
 }
 
@@ -129,14 +132,14 @@ func preCheckRequest(req *http.Request) error {
 		}
 	}
 
-	projectList, ok := util.GetUserProjectList(token)
+	_, ok := util.GetUserProjectList(token)
 	if !ok {
-		projectList = util.FetchUserProjectList(token, config.GetConfigOrDie().Host+projectsAPIPath)
+		projectList := util.FetchUserProjectList(token, config.GetConfigOrDie().Host+projectsAPIPath)
 		up := util.NewUserProject(userName, token, projectList)
 		util.UpdateUserProject(up)
 	}
 
-	if len(projectList) == 0 || len(util.GetAllManagedClusterNames()) == 0 {
+	if len(util.GetAllManagedClusterNames()) == 0 {
 		return errors.New("no project or cluster found")
 	}