修改创建节点池参数

Makefile

@@ -69,7 +69,7 @@ bcs-k8s: bcs-component bcs-network
 bcs-component:kube-sche apiserver-proxy \
 	webhook-server \
 	general-pod-autoscaler cluster-autoscaler \
-	netservice-controller
+	netservice-controller external-privilege
 
 bcs-network:ingress-controller
 
@@ -237,6 +237,11 @@ netservice-controller:pre
 	cd ${BCS_COMPONENT_PATH}/bcs-netservice-controller && go build ${LDFLAG} -o ${WORKSPACE}/${PACKAGEPATH}/bcs-runtime/bcs-k8s/bcs-component/bcs-netservice-controller/bcs-netservice-ipam ./ipam/main.go
 	cd ${BCS_COMPONENT_PATH}/bcs-netservice-controller/cni && go mod tidy && go build ${LDFLAG} -o ${WORKSPACE}/${PACKAGEPATH}/bcs-runtime/bcs-k8s/bcs-component/bcs-netservice-controller/bcs-underlay-cni ./cni.go
 
+external-privilege:pre
+	mkdir -p ${PACKAGEPATH}/bcs-runtime/bcs-k8s/bcs-component/
+	cp -R ${BCS_CONF_COMPONENT_PATH}/bcs-external-privilege ${PACKAGEPATH}/bcs-runtime/bcs-k8s/bcs-component
+	cd ${BCS_COMPONENT_PATH}/bcs-external-privilege && go mod tidy && go build ${LDFLAG} -o ${WORKSPACE}/${PACKAGEPATH}/bcs-runtime/bcs-k8s/bcs-component/bcs-external-privilege/bcs-external-privilege ./main.go
+
 bkcmdb-synchronizer:
 	mkdir -p ${PACKAGEPATH}/bcs-services
 	cp -R ${BCS_CONF_SERVICES_PATH}/bcs-bkcmdb-synchronizer ${PACKAGEPATH}/bcs-services

bcs-runtime/bcs-k8s/bcs-component/bcs-external-privilege/common/options.go

@@ -0,0 +1,87 @@
+/*
+ * Tencent is pleased to support the open source community by making Blueking Container Service available.
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ * Licensed under the MIT License (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * http://opensource.org/licenses/MIT
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package common
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/Tencent/bk-bcs/bcs-common/common/blog"
+	"github.com/Tencent/bk-bcs/bcs-common/common/encrypt"
+)
+
+const (
+	// ExternalSysTypeDBM external system DBM
+	ExternalSysTypeDBM = "DBM"
+)
+
+// Option xxx
+type Option struct {
+	RequestESB        *RequestEsb
+	PrivilegeIP       string
+	ExternalSysType   string
+	ExternalSysConfig string
+	DBPrivEnvList     []DBPrivEnv
+}
+
+func LoadOption() *Option {
+	var ret = &Option{RequestESB: &RequestEsb{}}
+	ret.RequestESB.AppCode = os.Getenv("io_tencent_bcs_app_code")
+	ret.RequestESB.AppSecret = os.Getenv("io_tencent_bcs_app_secret")
+	ret.RequestESB.Operator = os.Getenv("io_tencent_bcs_app_operator")
+
+	ret.PrivilegeIP = os.Getenv("io_tencent_bcs_privilege_ip")
+	podIP := os.Getenv("io_tencent_bcs_pod_ip")
+	if podIP != "" && podIP != ret.PrivilegeIP {
+		ret.PrivilegeIP = fmt.Sprintf("%s,%s", ret.PrivilegeIP, podIP)
+	}
+
+	ret.ExternalSysType = os.Getenv("external_sys_type")
+	ret.ExternalSysConfig = os.Getenv("external_sys_config")
+
+	envstr := []byte(os.Getenv("io_tencent_bcs_db_privilege_env"))
+	err := json.Unmarshal(envstr, &(ret.DBPrivEnvList))
+	if err != nil {
+		blog.Errorf("Unmarshall json str(%s) to []DBPrivEnv failed: %s\n", string(envstr), err.Error())
+		os.Exit(1)
+	}
+
+	if ret.RequestESB.AppCode == "" || ret.RequestESB.AppSecret == "" || ret.RequestESB.Operator == "" ||
+		len(ret.DBPrivEnvList) == 0 {
+		blog.Error("dbPrivEnvList is empty")
+		os.Exit(1)
+	}
+
+	decryptedAppCode, err := encrypt.DesDecryptFromBase([]byte(ret.RequestESB.AppCode))
+	if err != nil {
+		blog.Error("unable to decrypt appCode: %s", err.Error())
+		os.Exit(1)
+	}
+	decryptedAppSecret, err := encrypt.DesDecryptFromBase([]byte(ret.RequestESB.AppSecret))
+	if err != nil {
+		blog.Error("unable to decrypt appSecret: %s", err.Error())
+		os.Exit(1)
+	}
+	decryptedAppOperator, err := encrypt.DesDecryptFromBase([]byte(ret.RequestESB.Operator))
+	if err != nil {
+		blog.Error("unable to decrypt appOperator: %s", err.Error())
+		os.Exit(1)
+	}
+
+	ret.RequestESB.AppCode = string(decryptedAppCode)
+	ret.RequestESB.AppSecret = string(decryptedAppSecret)
+	ret.RequestESB.Operator = string(decryptedAppOperator)
+
+	return ret
+}

bcs-runtime/bcs-k8s/bcs-component/bcs-external-privilege/common/types.go

@@ -0,0 +1,31 @@
+/*
+ * Tencent is pleased to support the open source community by making Blueking Container Service available.
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ * Licensed under the MIT License (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * http://opensource.org/licenses/MIT
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package common
+
+// DBPrivEnv Env for DB privilege
+type DBPrivEnv struct {
+	AppName  string `json:"appName"`
+	TargetDb string `json:"targetDb"`
+	CallUser string `json:"callUser"`
+	DbName   string `json:"dbName"`
+	CallType string `json:"callType"`
+	Operator string `json:"operator"`
+	UseCDP   bool   `json:"useCDP,omitempty"`
+}
+
+// RequestEsb request esb option
+type RequestEsb struct {
+	AppCode   string `json:"bk_app_code"`
+	AppSecret string `json:"bk_app_secret"`
+	Operator  string `json:"-"`
+}

bcs-runtime/bcs-k8s/bcs-component/bcs-external-privilege/common/utils.go

@@ -0,0 +1,23 @@
+/*
+ * Tencent is pleased to support the open source community by making Blueking Container Service available.
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ * Licensed under the MIT License (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * http://opensource.org/licenses/MIT
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package common
+
+import (
+	"math/rand"
+	"time"
+)
+
+// WaitForSeveralSeconds wait for several seconds
+func WaitForSeveralSeconds() {
+	time.Sleep(3*time.Second + time.Duration(rand.Float32()*3000)*time.Millisecond)
+}

bcs-runtime/bcs-k8s/bcs-component/bcs-external-privilege/go.mod

@@ -0,0 +1,62 @@
+module github.com/TencentBlueKing/bk-bcs/bcs-runtime/bcs-k8s/bcs-component/bcs-external-privilege
+
+go 1.20
+
+replace (
+	github.com/coreos/bbolt v1.3.4 => go.etcd.io/bbolt v1.3.4
+	github.com/mholt/caddy => github.com/caddyserver/caddy v0.11.1
+	go.etcd.io/bbolt v1.3.4 => github.com/coreos/bbolt v1.3.4
+)
+
+require (
+	github.com/Tencent/bk-bcs/bcs-common v0.0.0-20240425084411-9fb5c1cf21ed
+	github.com/parnurzeal/gorequest v0.2.16
+)
+
+require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/bitly/go-simplejson v0.5.0 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/elazarl/goproxy v0.0.0-20231117061959-7cc037d33fb5 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-git/v5 v5.12.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/miekg/dns v1.1.50 // indirect
+	github.com/nxadm/tail v1.4.8 // indirect
+	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/skeema/knownhosts v1.2.2 // indirect
+	github.com/smartystreets/goconvey v1.8.1 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/ugorji/go/codec v1.2.11 // indirect
+	github.com/urfave/cli/v2 v2.3.0 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	go-micro.dev/v4 v4.8.1 // indirect
+	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/net v0.24.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.13.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	moul.io/http2curl v1.0.0 // indirect
+)

bcs-runtime/bcs-k8s/bcs-component/bcs-external-privilege/main.go

@@ -0,0 +1,91 @@
+/*
+ * Tencent is pleased to support the open source community by making Blueking Container Service available.
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ * Licensed under the MIT License (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * http://opensource.org/licenses/MIT
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package main
+
+import (
+	"os"
+	"runtime"
+	"sync"
+
+	"github.com/Tencent/bk-bcs/bcs-common/common/blog"
+	"github.com/Tencent/bk-bcs/bcs-common/common/conf"
+
+	"github.com/TencentBlueKing/bk-bcs/bcs-runtime/bcs-k8s/bcs-component/bcs-external-privilege/common"
+	"github.com/TencentBlueKing/bk-bcs/bcs-runtime/bcs-k8s/bcs-component/bcs-external-privilege/pkg"
+)
+
+const failRetryLimit = 40
+
+func main() {
+	runtime.GOMAXPROCS(runtime.NumCPU())
+
+	option := common.LoadOption()
+	blog.InitLogs(conf.LogConfig{ToStdErr: true, Verbosity: 3})
+
+	var wg sync.WaitGroup
+	var success = false
+	for _, v := range option.DBPrivEnvList {
+		wg.Add(1)
+		go func(env common.DBPrivEnv) {
+			blog.Infof("starting granting privilege to db: %s, dbname: %s", env.TargetDb, env.DbName)
+			defer wg.Done()
+			var doPriRetry, checkRetry = 0, 0
+			client, err := pkg.InitClient(option, &env)
+			if err != nil {
+				blog.Errorf("failed to init client for external system, %v", err)
+				return
+			}
+
+			for doPriRetry < failRetryLimit {
+				err = client.DoPri(option, &env)
+				if err == nil {
+					break
+				}
+				blog.Errorf("error calling the privilege api: %s, db: %s, dbname: %s, retry %d",
+					err.Error(), env.TargetDb, env.DbName, doPriRetry)
+				doPriRetry++
+			}
+			if doPriRetry >= failRetryLimit {
+				blog.Errorf("error calling the privilege api with db: %s, dbname: %s, max retry times reached",
+					env.TargetDb, env.DbName)
+				return
+			}
+
+			for checkRetry < failRetryLimit {
+				common.WaitForSeveralSeconds()
+				err = client.CheckFinalStatus()
+				if err == nil {
+					break
+				}
+				blog.Errorf("check operation status failed: %s, db: %s, dbname: %s, retry %d",
+					err.Error(), env.TargetDb, env.DbName, checkRetry)
+				checkRetry++
+			}
+			if checkRetry >= failRetryLimit {
+				blog.Errorf("check operation status failed with db: %s, dbname: %s, max retry times reached",
+					env.TargetDb, env.DbName)
+				return
+			}
+
+			success = true
+			blog.Infof("granting privilege to db: %s, dbname: %s succeeded", env.TargetDb, env.DbName)
+		}(v)
+	}
+	wg.Wait()
+
+	if !success {
+		os.Exit(1)
+	}
+
+	os.Exit(0)
+}