feature: bcs容器访问db授权. issue TencentBlueKing#308

bcs-services/bcs-webhook-server/app/app.go

@@ -34,18 +34,24 @@ import (
 	"bk-bcs/bcs-services/bcs-webhook-server/pkg/inject/k8s"
 	"bk-bcs/bcs-services/bcs-webhook-server/pkg/inject/mesos"
 	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 	clientGoCache "k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/clientcmd"
 )
 
+const (
+	DbPrivilegeSecretName = "bcs-db-privilege"
+)
+
 //Run bcs log webhook server
 func Run(op *options.ServerOption) {
 
 	conf := parseConfig(op)
 
 	whSvr, err := NewWebhookServer(conf)
 	if err != nil {
-		blog.Errorf("create webhook server error %s, and exit", err.Error())
+		blog.Errorf("create webhook server error: %s, and exit", err.Error())
 		os.Exit(1)
 	}
 
@@ -96,6 +102,12 @@ func NewWebhookServer(conf *config.BcsWhsConfig) (*inject.WebhookServer, error)
 	if err != nil {
 		return nil, fmt.Errorf("error building kube config: %s\n", err.Error())
 	}
+	kubeClient, err := kubernetes.NewForConfig(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("error building kubernetes clientset: %s", err.Error())
+	}
+	whsvr.KubeClient = kubeClient
+
 	externalClient, err := apiextensionsclient.NewForConfig(cfg)
 	if err != nil {
 		return nil, fmt.Errorf("error building external clientset: %s", err.Error())
@@ -118,25 +130,64 @@ func NewWebhookServer(conf *config.BcsWhsConfig) (*inject.WebhookServer, error)
 
 		bcsLogConfigInformer := factory.Bkbcs().V2().BcsLogConfigs()
 		whsvr.BcsLogConfigLister = bcsLogConfigInformer.Lister()
-		k8sLogConfInject := k8s.NewLogConfInject(whsvr.BcsLogConfigLister)
-		whsvr.K8sLogConfInject = k8sLogConfInject
-		mesosLogConfInject := mesos.NewLogConfInject(whsvr.BcsLogConfigLister)
-		whsvr.MesosLogConfInject = mesosLogConfInject
+
+		switch whsvr.EngineType {
+		case "kubernetes":
+			k8sLogConfInject := k8s.NewLogConfInject(whsvr.BcsLogConfigLister)
+			whsvr.K8sLogConfInject = k8sLogConfInject
+		case "mesos":
+			mesosLogConfInject := mesos.NewLogConfInject(whsvr.BcsLogConfigLister)
+			whsvr.MesosLogConfInject = mesosLogConfInject
+		}
 
 		go factory.Start(stopCh)
 
-		blog.Infof("Waiting for inormer caches to sync")
-		blog.Infof("sleep 2 seconds to wait for crd to be ready")
-		time.Sleep(2 * time.Second)
+		blog.Infof("Waiting for BcsLogConfig inormer caches to sync")
+		blog.Infof("sleep 1 seconds to wait for BcsLogConfig crd to be ready")
+		time.Sleep(1 * time.Second)
 		if ok := clientGoCache.WaitForCacheSync(stopCh, bcsLogConfigInformer.Informer().HasSynced); !ok {
 			return nil, fmt.Errorf("failed to wait for caches to sync")
 		}
 	}
 
+	if conf.Injects.DbPriv.DbPrivInject {
+		dbPrivCreated, err := createBcsDbPrivConfig(externalClient)
+		if err != nil {
+			return nil, fmt.Errorf("error creating crd: %s", err.Error())
+		}
+		blog.Infof("created BcsDbPrivConfig crd: %t", dbPrivCreated)
+
+		bcsDbPrivConfigInformer := factory.Bkbcs().V2().BcsDbPrivConfigs()
+		whsvr.BcsDbPrivConfigLister = bcsDbPrivConfigInformer.Lister()
+
+		dbPrivSecret, err := whsvr.KubeClient.CoreV1().Secrets(metav1.NamespaceSystem).Get(DbPrivilegeSecretName, metav1.GetOptions{})
+		if err != nil {
+			return nil, fmt.Errorf("error when get db privilege secret in cluster: %s", err.Error())
+		}
+
+		switch whsvr.EngineType {
+		case "kubernetes":
+			k8sDbPrivConfInject := k8s.NewDbPrivConfInject(whsvr.BcsDbPrivConfigLister, whsvr.Injects, dbPrivSecret)
+			whsvr.K8sDbPrivConfInject = k8sDbPrivConfInject
+		case "mesos":
+			mesosDbPrivConfInject := mesos.NewDbPrivConfInject(whsvr.BcsDbPrivConfigLister)
+			whsvr.MesosDbPrivConfInject = mesosDbPrivConfInject
+		}
+
+		go factory.Start(stopCh)
+
+		blog.Infof("Waiting for BcsDbPrivConfig inormer caches to sync")
+		blog.Infof("sleep 1 seconds to wait for BcsDbPrivConfig crd to be ready")
+		time.Sleep(1 * time.Second)
+		if ok := clientGoCache.WaitForCacheSync(stopCh, bcsDbPrivConfigInformer.Informer().HasSynced); !ok {
+			return nil, fmt.Errorf("failed to wait for caches to sync")
+		}
+	}
+
 	// define http server and server handler
 	mux := http.NewServeMux()
-	mux.HandleFunc("/bcs/log_inject/v1/k8s", whsvr.K8sLogInject)
-	mux.HandleFunc("/bcs/log_inject/v1/mesos", whsvr.MesosLogInject)
+	mux.HandleFunc("/bcs/webhook/inject/v1/k8s", whsvr.K8sLogInject)
+	mux.HandleFunc("/bcs/webhook/inject/v1/mesos", whsvr.MesosLogInject)
 	whsvr.Server.Handler = mux
 
 	return whsvr, nil

bcs-services/bcs-webhook-server/app/db_priv_conf.go

@@ -0,0 +1,58 @@
+/*
+ * Tencent is pleased to support the open source community by making Blueking Container Service available.
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ * Licensed under the MIT License (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * http://opensource.org/licenses/MIT
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package app
+
+import (
+	"reflect"
+
+	"bk-bcs/bcs-common/common/blog"
+	bcsv2 "bk-bcs/bcs-services/bcs-webhook-server/pkg/apis/bk-bcs/v2"
+	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func createBcsDbPrivConfig(clientset apiextensionsclient.Interface) (bool, error) {
+	bcsDbPrivConfigPlural := "bcsdbprivconfigs"
+
+	bcsDbPrivConfigFullName := "bcsdbprivconfigs" + "." + bcsv2.SchemeGroupVersion.Group
+
+	crd := &apiextensionsv1beta1.CustomResourceDefinition{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: bcsDbPrivConfigFullName,
+		},
+		Spec: apiextensionsv1beta1.CustomResourceDefinitionSpec{
+			Group:   bcsv2.SchemeGroupVersion.Group,   // BcsDbPrivConfigsGroup,
+			Version: bcsv2.SchemeGroupVersion.Version, // BcsDbPrivConfigsVersion,
+			Scope:   apiextensionsv1beta1.NamespaceScoped,
+			Names: apiextensionsv1beta1.CustomResourceDefinitionNames{
+				Plural:   bcsDbPrivConfigPlural,
+				Kind:     reflect.TypeOf(bcsv2.BcsDbPrivConfig{}).Name(),
+				ListKind: reflect.TypeOf(bcsv2.BcsDbPrivConfigList{}).Name(),
+			},
+		},
+	}
+
+	_, err := clientset.ApiextensionsV1beta1().CustomResourceDefinitions().Create(crd)
+	if err != nil {
+		if apierrors.IsAlreadyExists(err) {
+			blog.Infof("crd is already exists: %s", err)
+			return false, nil
+		}
+		blog.Errorf("create crd failed: %s", err)
+		return false, err
+	}
+	return true, nil
+}

bcs-services/bcs-webhook-server/options/options.go

@@ -47,6 +47,13 @@ func Parse(ops *ServerOption) error {
 }
 
 type InjectOptions struct {
-	LogConfEnv          bool `json:"log_conf" value:"false" usage:"whether inject log config to container env"`
-	DbPrivInitContainer bool `json:"db_privilege" value:"false" usage:"whether inject db privileges init-container"`
+	LogConfEnv bool          `json:"log_conf" value:"false" usage:"whether inject log config to container env"`
+	DbPriv     DbPrivOptions `json:"db_privilege"`
+}
+
+type DbPrivOptions struct {
+	DbPrivInject       bool   `json:"db_privilege_inject" value:"false" usage:"whether inject db privileges init-container"`
+	NetworkType        string `json:"network_type" value:"overlay" usage:"network type of this cluster, overlay or underlay"`
+	EsbUrl             string `json:"esb_url" value:"" usage:"esb api url to privilege"`
+	InitContainerImage string `json:"init_container_image" value:"" usage:"the image name of init-container to inject"`
 }

bcs-services/bcs-webhook-server/pkg/apis/bk-bcs/v2/db_priv_config.go

@@ -0,0 +1,46 @@
+/*
+ * Tencent is pleased to support the open source community by making Blueking Container Service available.
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ * Licensed under the MIT License (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * http://opensource.org/licenses/MIT
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package v2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:noStatus
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type BcsDbPrivConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+	Spec              BcsDbPrivConfigSpec `json:"spec"`
+}
+
+type BcsDbPrivConfigSpec struct {
+	PodSelector map[string]string `json:"podSelector"`
+	AppName     string            `json:"appName"`
+	TargetDb    string            `json:"targetDb"`
+	DbType      string            `json:"dbType"`
+	CallUser    string            `json:"callUser"`
+	DbName      string            `json:"dbName"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type BcsDbPrivConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+
+	Items []BcsDbPrivConfig `json:"items"`
+}

bcs-services/bcs-webhook-server/pkg/apis/bk-bcs/v2/register.go

@@ -47,6 +47,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&BcsLogConfig{},
 		&BcsLogConfigList{},
+		&BcsDbPrivConfig{},
+		&BcsDbPrivConfigList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil