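package agent

import (
	"context"

	"github.com/pkg/errors"
	rbacv1 "k8s.io/api/rbac/v1"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/types"
	"k8s.io/client-go/rest"
	"open-cluster-management.io/addon-framework/pkg/agent"
	addonv1alpha1 "open-cluster-management.io/api/addon/v1alpha1"
	clusterv1 "open-cluster-management.io/api/cluster/v1"
	"sigs.k8s.io/controller-runtime/pkg/client"

	proxyv1alpha1 "github.com/oam-dev/cluster-gateway/pkg/apis/proxy/v1alpha1"
	"github.com/oam-dev/cluster-gateway/pkg/common"
)

// Compile-time check that the manager satisfies the addon-framework interface.
var _ agent.AgentAddon = &clusterGatewayAddonManager{}

// managedServiceAccountAddonName is the ManagedClusterAddOn that installs the
// managed-serviceaccount agent. Manifests looks it up in the managed cluster's
// namespace to learn which namespace the target ServiceAccount lives in.
const managedServiceAccountAddonName = "managed-serviceaccount"

// NewClusterGatewayAddonManager returns the hub-side AgentAddon for cluster-gateway.
// cfg is the hub REST config (stored, not used by Manifests); c is the hub client
// used to read ClusterGatewayConfiguration and ManagedClusterAddOn objects.
func NewClusterGatewayAddonManager(cfg *rest.Config, c client.Client) agent.AgentAddon {
	return &clusterGatewayAddonManager{
		clientConfig: cfg,
		client:       c,
	}
}

// clusterGatewayAddonManager renders the per-cluster manifests (RBAC only) that
// let the cluster-gateway on the hub act inside each managed cluster.
type clusterGatewayAddonManager struct {
	clientConfig *rest.Config // hub REST config; currently unused by this type's methods
	client       client.Client
}

// Manifests returns the objects to apply into the managed cluster for this addon.
//
// It returns (nil, nil) — "nothing to install" — whenever the addon has no
// configuration CR name yet, the CR does not exist, secret management is not
// ManagedServiceAccount (Manual or unknown), or the managed-serviceaccount addon is
// not installed on that cluster. Only in the ManagedServiceAccount mode does it emit
// a ClusterRole/ClusterRoleBinding granting the managed ServiceAccount unrestricted
// resource access (see buildClusterGatewayOutboundPermission). An error is returned
// for hub read failures other than NotFound, and when the ServiceAccount reference
// would be empty, since the API server rejects such a ClusterRoleBinding.
func (c *clusterGatewayAddonManager) Manifests(cluster *clusterv1.ManagedCluster, addon *addonv1alpha1.ManagedClusterAddOn) ([]runtime.Object, error) {
	cfgName := addon.Status.AddOnConfiguration.CRName
	if cfgName == "" {
		return nil, nil
	}
	// agent.AgentAddon.Manifests carries no context, so TODO is the best available.
	ctx := context.TODO()

	cfg := &proxyv1alpha1.ClusterGatewayConfiguration{}
	if err := c.client.Get(ctx, types.NamespacedName{Name: cfgName}, cfg); err != nil {
		if apierrors.IsNotFound(err) {
			return nil, nil
		}
		return nil, errors.Wrap(err, "failed getting gateway configuration")
	}

	// Manual (and any unrecognised mode) means the operator provisions the
	// credential themselves; the addon must not hand out RBAC in that case.
	if cfg.Spec.SecretManagement.Type != proxyv1alpha1.SecretManagementTypeManagedServiceAccount {
		return nil, nil
	}

	msaAddon := &addonv1alpha1.ManagedClusterAddOn{}
	if err := c.client.Get(ctx, types.NamespacedName{
		Namespace: cluster.Name,
		Name:      managedServiceAccountAddonName,
	}, msaAddon); err != nil {
		if apierrors.IsNotFound(err) {
			return nil, nil
		}
		return nil, errors.Wrapf(err, "failed getting %s addon for cluster %s", managedServiceAccountAddonName, cluster.Name)
	}

	// NOTE(review): if SecretManagement.ManagedServiceAccount is a pointer in the
	// API types, a nil check belongs before this dereference — confirm against types.go.
	saNamespace := msaAddon.Spec.InstallNamespace
	saName := cfg.Spec.SecretManagement.ManagedServiceAccount.Name
	// A ClusterRoleBinding whose ServiceAccount subject lacks a namespace or name
	// fails API-server validation; surface the misconfiguration here rather than
	// emitting an object the ManifestWork can never apply.
	if saNamespace == "" || saName == "" {
		return nil, errors.Errorf("cannot grant outbound permission: service account namespace %q or name %q is empty", saNamespace, saName)
	}
	return buildClusterGatewayOutboundPermission(saNamespace, saName), nil
}

// GetAgentAddonOptions declares the addon name, an install-everywhere strategy into
// common.InstallNamespace, and no health probing.
func (c *clusterGatewayAddonManager) GetAgentAddonOptions() agent.AgentAddonOptions {
	return agent.AgentAddonOptions{
		AddonName:       common.AddonName,
		InstallStrategy: agent.InstallAllStrategy(common.InstallNamespace),
		HealthProber: &agent.HealthProber{
			Type: agent.HealthProberTypeNone, // TODO: switch to ManifestWork-based prober
		},
	}
}

// buildClusterGatewayOutboundPermission renders the RBAC that the hub's
// cluster-gateway relies on inside a managed cluster: a ClusterRole allowing every
// verb on every resource in every API group (nonResourceURLs are not granted),
// bound to the ServiceAccount serviceAccountNamespace/serviceAccountName.
//
// SECURITY: this is effectively cluster-admin for resources. Any credential issued
// for that ServiceAccount is therefore a full-cluster credential for the managed
// cluster, and whoever can read it controls that cluster. Callers must pass a
// non-empty namespace and name; an empty one makes the binding invalid.
func buildClusterGatewayOutboundPermission(serviceAccountNamespace, serviceAccountName string) []runtime.Object {
	const clusterRoleName = "open-cluster-management:cluster-gateway:default"

	role := &rbacv1.ClusterRole{
		TypeMeta: metav1.TypeMeta{
			APIVersion: "rbac.authorization.k8s.io/v1",
			Kind:       "ClusterRole",
		},
		ObjectMeta: metav1.ObjectMeta{Name: clusterRoleName},
		Rules: []rbacv1.PolicyRule{{
			APIGroups: []string{"*"},
			Verbs:     []string{"*"},
			Resources: []string{"*"},
		}},
	}

	binding := &rbacv1.ClusterRoleBinding{
		TypeMeta: metav1.TypeMeta{
			APIVersion: "rbac.authorization.k8s.io/v1",
			Kind:       "ClusterRoleBinding",
		},
		ObjectMeta: metav1.ObjectMeta{Name: clusterRoleName},
		RoleRef: rbacv1.RoleRef{
			// Set explicitly instead of relying on API-server defaulting so the
			// rendered manifest matches what is stored and diffs cleanly.
			APIGroup: rbacv1.GroupName,
			Kind:     "ClusterRole",
			Name:     clusterRoleName,
		},
		Subjects: []rbacv1.Subject{{
			Kind:      rbacv1.ServiceAccountKind,
			Namespace: serviceAccountNamespace,
			Name:      serviceAccountName,
		}},
	}

	return []runtime.Object{role, binding}
}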