feat(auth): add oidc support by oauth2-proxy and refactor with operat…

…or-go (#104) * build(deps): bump operator-go to 0.10.0 * feat(auth): add oidc support by oauth2-proxy and refactor with operator-go
zncdatadev · Sep 25, 2024 · 7a91aca · 7a91aca
1 parent 6005a9a
commit 7a91aca
Show file tree

Hide file tree

Showing 50 changed files with 1,037 additions and 408 deletions.
diff --git a/.chainsaw.yaml b/.chainsaw.yaml
@@ -3,13 +3,13 @@ kind: Configuration
 metadata:
  name: custom-config
 spec:
- #namespace: test
  timeouts:
  apply: 120s
- assert: 120s
+ assert: 300s
  cleanup: 240s
  delete: 240s
  error: 200s
  exec: 200s
  skipDelete: false
  failFast: true
+ parallel: 1
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -22,55 +22,25 @@ jobs:
  MARKDOWN_CONFIG_FILE: .markdownlint.yml
 
  golang-lint:
- name: Golang Lint
- runs-on: ubuntu-22.04
+ name: golang-lint
+ runs-on: ubuntu-latest
  steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-go@v4
- with:
- go-version: '1.22'
- cache: false
- - name: golangci-lint
- uses: golangci/golangci-lint-action@v3
- with:
- # Require: The version of golangci-lint to use.
- # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
- # When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit.
- version: v1.54
-
- # Optional: working directory, useful for monorepos
- # working-directory: somedir
-
- # Optional: golangci-lint command line arguments.
- #
- # Note: By default, the `.golangci.yml` file should be at the root of the repository.
- # The location of the configuration file can be changed by using `--config=`
- # args: --timeout=30m --config=/my/path/.golangci.yml --issues-exit-code=0
- args: --timeout=30m
-
- # Optional: show only new issues if it's a pull request. The default value is `false`.
- # only-new-issues: true
-
- # Optional: if set to true, then all caching functionality will be completely disabled,
- # takes precedence over all other caching options.
- # skip-cache: true
-
- # Optional: if set to true, then the action won't cache or restore ~/go/pkg.
- # skip-pkg-cache: true
-
- # Optional: if set to true, then the action won't cache or restore ~/.cache/go-build.
- # skip-build-cache: true
-
- # Optional: The mode to install golangci-lint. It can be 'binary' or 'goinstall'.
- # install-mode: "goinstall"
-
+ - uses: actions/checkout@v3
+ - uses: actions/setup-go@v4
+ with:
+ go-version: '1.23'
+ cache: false
+ - name: golangci-lint
+ run: |
+ make lint 
+ 
 
  golang-test:
  name: Golang Test
  runs-on: ubuntu-22.04
  strategy:
  matrix:
- go-version: ['1.22']
+ go-version: ['1.23']
  steps:
  - uses: actions/checkout@v3
  with:
@@ -98,7 +68,7 @@ jobs:
  - uses: actions/checkout@v3
  - uses: actions/setup-go@v4
  with:
- go-version: '1.22'
+ go-version: '1.23'
  cache: false
  - name: Create KinD clustet pur
  env:

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.22 as builder
+FROM golang:1.23 as builder
 ARG TARGETOS
 ARG TARGETARCH
 

diff --git a/Makefile b/Makefile
@@ -53,7 +53,7 @@ endif
 
 # Set the Operator SDK version to use. By default, what is installed on the system is used.
 # This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit.
-OPERATOR_SDK_VERSION ?= v1.35.0
+OPERATOR_SDK_VERSION ?= v1.37.0
 
 # Image URL to use all building/pushing image targets
 IMG ?= $(REGISTRY)/$(PROJECT_NAME):$(VERSION)
@@ -116,8 +116,20 @@ fmt: ## Run go fmt against code.
 vet: ## Run go vet against code.
  go vet ./...
 
+GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
+GOLANGCI_LINT_VERSION ?= v1.60.3
+golangci-lint:
+ @[ -f $(GOLANGCI_LINT) ] || { \
+ set -e ;\
+ curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(shell dirname $(GOLANGCI_LINT)) $(GOLANGCI_LINT_VERSION) ;\
+ }
+
+.PHONY: lint
+lint: golangci-lint ## Run golangci-lint linter & yamllint
+ $(GOLANGCI_LINT) run --timeout 5m
+
 .PHONY: test
-test: manifests generate fmt vet envtest ## Run tests.
+test: manifests generate fmt vet envtest lint ## Run tests.
  KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
 
 ##@ Build
@@ -201,7 +213,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.4.2
-CONTROLLER_TOOLS_VERSION ?= v0.15.0
+CONTROLLER_TOOLS_VERSION ?= v0.16.2
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.
@@ -368,14 +380,29 @@ kind-delete: kind ## Delete a kind cluster.
 
 # chainsaw
 
-CHAINSAW_VERSION ?= v0.2.6
+CHAINSAW_VERSION ?= v0.2.8
 CHAINSAW = $(LOCALBIN)/chainsaw
 
 .PHONY: chainsaw
 chainsaw: $(CHAINSAW) ## Download chainsaw locally if necessary.
 $(CHAINSAW): $(LOCALBIN)
- test -s $(LOCALBIN)/chainsaw && $(LOCALBIN)/chainsaw version | grep -q $(CHAINSAW_VERSION) || \
- GOBIN=$(LOCALBIN) go install github.com/kyverno/chainsaw@$(CHAINSAW_VERSION)
+ @{ \
+ set -xe ;\
+ if test -x $(LOCALBIN)/chainsaw && ! $(LOCALBIN)/chainsaw version | grep $(CHAINSAW_VERSION:v%=%) > /dev/null; then \
+ echo "$(LOCALBIN)/chainsaw version is not expected $(CHAINSAW_VERSION). Removing it before installing."; \
+ rm -rf $(LOCALBIN)/chainsaw; \
+ fi; \
+ if test ! -s $(LOCALBIN)/chainsaw; then \
+ mkdir -p $(dir $(CHAINSAW)) ;\
+ TMP=$(shell mktemp -d) ;\
+ OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \
+ curl -sSL https://github.com/kyverno/chainsaw/releases/download/$(CHAINSAW_VERSION)/chainsaw_$${OS}_$${ARCH}.tar.gz | tar -xz -C $$TMP ;\
+ mv $$TMP/chainsaw $(CHAINSAW) ;\
+ rm -rf $$TMP ;\
+ chmod +x $(CHAINSAW) ;\
+ touch $(CHAINSAW) ;\
+ fi; \
+ }
 
 # chainsaw setup logical
 # - Build the operator docker image

diff --git a/api/v1alpha1/hdfscluster_types.go b/api/v1alpha1/hdfscluster_types.go
@@ -220,13 +220,32 @@ type ClusterConfigSpec struct {
 }
 
 type AuthenticationSpec struct {
+ // +kubebuilder:validation:Optional
+ AuthenticationClass string `json:"authenticationClass,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ Oidc *OidcSpec `json:"oidc,omitempty"`
+
  // +kubebuilder:validation:Optional
  Tls *TlsSpec `json:"tls,omitempty"`
 
  // +kubebuilder:validation:Optional
  Kerberos *KerberosSpec `json:"kerberos,omitempty"`
 }
 
+// OidcSpec defines the OIDC spec.
+type OidcSpec struct {
+ // OIDC client credentials secret. It must contain the following keys:
+ // - `CLIENT_ID`: The client ID of the OIDC client.
+ // - `CLIENT_SECRET`: The client secret of the OIDC client.
+ // credentials will omit to pod environment variables.
+ // +kubebuilder:validation:Required
+ ClientCredentialsSecret string `json:"clientCredentialsSecret"`
+
+ // +kubebuilder:validation:Optional
+ ExtraScopes []string `json:"extraScopes,omitempty"`
+}
+
 type TlsSpec struct {
  // +kubebuilder:validation:Optional
  // +kubebuilder:default:="tls"

diff --git a/api/v1alpha1/image.go b/api/v1alpha1/image.go
@@ -6,10 +6,10 @@ import (
 )
 
 const (
- DefaultRepository = "quay.io/zncdatadev"
- DefaultProductVersion = "3.3.6"
- DefaultProductName = "hadoop"
- DefaultStackVersion  = "0.0.0-dev"
+ DefaultRepository  = "quay.io/zncdatadev"
+ DefaultProductVersion  = "3.3.6"
+ DefaultProductName  = "hadoop"
+ DefaultKubedoopVersion = "0.0.0-dev"
 )
 
 type ImageSpec struct {
@@ -22,28 +22,28 @@ type ImageSpec struct {
 
  // +kubebuilder:validation:Optional
  // +kubebuilder:default="0.0.0-dev"
- PlatformVersion string `json:"platformVersion,omitempty"`
+ KubedoopVersion string `json:"kubedoopVersion,omitempty"`
 
  // +kubebuilder:validation:Optional
  // +kubebuilder:default="3.3.6"
  ProductVersion string `json:"productVersion,omitempty"`
 
  // +kubebuilder:validation:Optional
  // +kubebuilder:default:=IfNotPresent
- PullPolicy *corev1.PullPolicy `json:"pullPolicy,omitempty"`
+ PullPolicy corev1.PullPolicy `json:"pullPolicy,omitempty"`
 
  // +kubebuilder:validation:Optional
  PullSecretName string `json:"pullSecretName,omitempty"`
 }
 
 func TransformImage(imageSpec *ImageSpec) *util.Image {
  if imageSpec == nil {
- return util.NewImage(DefaultProductName, DefaultStackVersion, DefaultProductVersion)
+ return util.NewImage(DefaultProductName, DefaultKubedoopVersion, DefaultProductVersion)
  }
  return &util.Image{
  Custom: imageSpec.Custom,
  Repo: imageSpec.Repo,
- PlatformVersion: imageSpec.PlatformVersion,
+ KubedoopVersion: imageSpec.KubedoopVersion,
  ProductVersion: imageSpec.ProductVersion,
  PullPolicy: imageSpec.PullPolicy,
  PullSecretName: imageSpec.PullSecretName,

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/cmd/main.go b/cmd/main.go
@@ -29,6 +29,8 @@ import (
  // to ensure that exec-entrypoint and run can make use of them.
  _ "k8s.io/client-go/plugin/pkg/client/auth"
 
+ authv1alpha1 "github.com/zncdatadev/operator-go/pkg/apis/authentication/v1alpha1"
+ listenerv1alpha1 "github.com/zncdatadev/operator-go/pkg/apis/listeners/v1alpha1"
  "k8s.io/apimachinery/pkg/runtime"
  utilruntime "k8s.io/apimachinery/pkg/util/runtime"
  clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -38,7 +40,6 @@ import (
 
  hdfsv1alpha1 "github.com/zncdatadev/hdfs-operator/api/v1alpha1"
  "github.com/zncdatadev/hdfs-operator/internal/controller"
- listenerv1alpha1 "github.com/zncdatadev/operator-go/pkg/apis/listeners/v1alpha1"
  //+kubebuilder:scaffold:imports
 )
 
@@ -50,6 +51,7 @@ var (
 func init() {
  utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
+ utilruntime.Must(authv1alpha1.AddToScheme(scheme))
  utilruntime.Must(hdfsv1alpha1.AddToScheme(scheme))
  utilruntime.Must(listenerv1alpha1.AddToScheme(scheme))
  //+kubebuilder:scaffold:scheme