operator/pkg/util/k8s.go - dubbo-go-pixiu - Git at Google

 // Copyright Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package util

 import (
 	"fmt"
 )

 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/kubernetes"
 )

 import (
 	iopv1alpha1 "github.com/apache/dubbo-go-pixiu/operator/pkg/apis/istio/v1alpha1"
 	"github.com/apache/dubbo-go-pixiu/pkg/kube"
 )

 type JWTPolicy string

 const (
 	FirstPartyJWT JWTPolicy = "first-party-jwt"
 	ThirdPartyJWT JWTPolicy = "third-party-jwt"
 )

 // DetectSupportedJWTPolicy queries the api-server to detect whether it has TokenRequest support
 func DetectSupportedJWTPolicy(client kubernetes.Interface) (JWTPolicy, error) {
 	_, s, err := client.Discovery().ServerGroupsAndResources()
 	// This may fail if any api service is down. We should only fail if the specific API we care about failed
 	if err != nil {
 		if discovery.IsGroupDiscoveryFailedError(err) {
 			derr := err.(*discovery.ErrGroupDiscoveryFailed)
 			if _, f := derr.Groups[schema.GroupVersion{Group: "authentication.k8s.io", Version: "v1"}]; f {
 				return "", err
 			}
 		} else {
 			return "", err
 		}
 	}
 	for _, res := range s {
 		for _, api := range res.APIResources {
 			// Appearance of this API indicates we do support third party jwt token
 			if api.Name == "serviceaccounts/token" {
 				return ThirdPartyJWT, nil
 			}
 		}
 	}
 	return FirstPartyJWT, nil
 }

 // GKString differs from default representation of GroupKind
 func GKString(gvk schema.GroupKind) string {
 	return fmt.Sprintf("%s/%s", gvk.Group, gvk.Kind)
 }

 // ValidateIOPCAConfig validates if the IstioOperator CA configs are applicable to the K8s cluster
 func ValidateIOPCAConfig(client kube.Client, iop *iopv1alpha1.IstioOperator) error {
 	globalI := iop.Spec.Values.AsMap()["global"]
 	global, ok := globalI.(map[string]interface{})
 	if !ok {
 		// This means no explicit global configuration. Still okay
 		return nil
 	}
 	ca, ok := global["pilotCertProvider"].(string)
 	if !ok {
 		// This means the default pilotCertProvider is being used
 		return nil
 	}
 	if ca == "kubernetes" {
 		ver, err := client.GetKubernetesVersion()
 		if err != nil {
 			return fmt.Errorf("failed to determine support for K8s legacy signer. Use the --force flag to ignore this: %v", err)
 		}

 		if kube.IsAtLeastVersion(client, 22) {
 			return fmt.Errorf("configuration PILOT_CERT_PROVIDER=%s not supported in Kubernetes %v."+
 				"Please pick another value for PILOT_CERT_PROVIDER", ca, ver.String())
 		}
 	}
 	return nil
 }
	// Copyright Istio Authors
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package util

	import (
	"fmt"
	)

	import (
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/client-go/discovery"
	"k8s.io/client-go/kubernetes"
	)

	import (
	iopv1alpha1 "github.com/apache/dubbo-go-pixiu/operator/pkg/apis/istio/v1alpha1"
	"github.com/apache/dubbo-go-pixiu/pkg/kube"
	)

	type JWTPolicy string

	const (
	FirstPartyJWT JWTPolicy = "first-party-jwt"
	ThirdPartyJWT JWTPolicy = "third-party-jwt"
	)

	// DetectSupportedJWTPolicy queries the api-server to detect whether it has TokenRequest support
	func DetectSupportedJWTPolicy(client kubernetes.Interface) (JWTPolicy, error) {
	_, s, err := client.Discovery().ServerGroupsAndResources()
	// This may fail if any api service is down. We should only fail if the specific API we care about failed
	if err != nil {
	if discovery.IsGroupDiscoveryFailedError(err) {
	derr := err.(*discovery.ErrGroupDiscoveryFailed)
	if _, f := derr.Groups[schema.GroupVersion{Group: "authentication.k8s.io", Version: "v1"}]; f {
	return "", err
	}
	} else {
	return "", err
	}
	}
	for _, res := range s {
	for _, api := range res.APIResources {
	// Appearance of this API indicates we do support third party jwt token
	if api.Name == "serviceaccounts/token" {
	return ThirdPartyJWT, nil
	}
	}
	}
	return FirstPartyJWT, nil
	}

	// GKString differs from default representation of GroupKind
	func GKString(gvk schema.GroupKind) string {
	return fmt.Sprintf("%s/%s", gvk.Group, gvk.Kind)
	}

	// ValidateIOPCAConfig validates if the IstioOperator CA configs are applicable to the K8s cluster
	func ValidateIOPCAConfig(client kube.Client, iop *iopv1alpha1.IstioOperator) error {
	globalI := iop.Spec.Values.AsMap()["global"]
	global, ok := globalI.(map[string]interface{})
	if !ok {
	// This means no explicit global configuration. Still okay
	return nil
	}
	ca, ok := global["pilotCertProvider"].(string)
	if !ok {
	// This means the default pilotCertProvider is being used
	return nil
	}
	if ca == "kubernetes" {
	ver, err := client.GetKubernetesVersion()
	if err != nil {
	return fmt.Errorf("failed to determine support for K8s legacy signer. Use the --force flag to ignore this: %v", err)
	}

	if kube.IsAtLeastVersion(client, 22) {
	return fmt.Errorf("configuration PILOT_CERT_PROVIDER=%s not supported in Kubernetes %v."+
	"Please pick another value for PILOT_CERT_PROVIDER", ca, ver.String())
	}
	}
	return nil
	}