Add API to list resources under namespace tree

This change adds a new command and configuration to register an API
endpoint which will allow users to query for resources belonging to
descendants of any namespace. This means that finding all resources
under a parent namespace can be done in one request, instead finding and
iterating over all descendants. The new endpoints are:

* /apis/resources.hnc.x-k8s.io/v1alpha1
 - discovery endpoint
* /apis/resources.hnc.x-k8s.io/v1alpha1/{resource}
 - global resource query, equivalent to the same global request for the
   original resource
* /apis/resources.hnc.x-k8s.io/v1alpha1/namespaces/{namespace}/{resource}
 - returns resources in all namespaces under {namespace}, including
   {namespace}.

A new subcommand for the kubectl-hns plugin is also added:

kubectl hns get -n <parent ns> <resource>

Author: cmurphy

Dockerfile

@@ -14,6 +14,7 @@ COPY internal/ internal/
 
 # Build
 RUN CGO_ENABLED=0 GO111MODULE=on go build -a -o manager ./cmd/manager/main.go
+RUN CGO_ENABLED=0 GO111MODULE=on go build -a -o apiextension ./cmd/apiextension/main.go
 
 # Copied from kubebuilder scaffold to run as nonroot at
 # https://github.com/kubernetes-sigs/kubebuilder/blob/7af89cb00c224c57ece37dc14ea37caf1eb769db/pkg/scaffold/v2/dockerfile.go#L60
@@ -22,5 +23,6 @@ RUN CGO_ENABLED=0 GO111MODULE=on go build -a -o manager ./cmd/manager/main.go
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
+COPY --from=builder /workspace/apiextension .
 USER nonroot:nonroot
 ENTRYPOINT ["/manager"]

Makefile

@@ -113,6 +113,7 @@ test-only: build-setup-envtest
 # Builds all binaries (manager and kubectl) and manifests
 build: generate fmt vet staticcheck manifests
 	go build -o bin/manager ./cmd/manager/main.go
+	go build -o bin/apiextension ./cmd/apiextension/main.go
 	GOOS=linux GOARCH=amd64 go build \
 	     -o bin/kubectl/kubectl-hns_linux_amd64 \
 	     -ldflags="-X sigs.k8s.io/hierarchical-namespaces/internal/version.Version=${HNC_IMG_TAG}" \

cmd/apiextension/main.go

@@ -0,0 +1,173 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"flag"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/gorilla/mux"
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/dynamic/dynamicinformer"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	corecache "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/clientcmd"
+	apiregv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
+	"path/filepath"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/hierarchical-namespaces/internal/apiextension/apiresources"
+	"sigs.k8s.io/hierarchical-namespaces/internal/apiextension/handlers"
+)
+
+var (
+	setupLog      = zap.New().WithName("setup-apiext")
+	listenAddress string
+	certPath      string
+	keyPath       string
+	debug         bool
+)
+
+func main() {
+	parseFlags()
+	cfg, err := getConfig()
+	if err != nil {
+		setupLog.Error(err, "unable to get cluster config")
+		os.Exit(1)
+	}
+	server(context.Background(), cfg)
+}
+
+func parseFlags() {
+	setupLog.Info("Parsing flags")
+	flag.StringVar(&listenAddress, "address", ":7443", "The address to listen on.")
+	flag.StringVar(&certPath, "cert", "", "Path to the server cert.")
+	flag.StringVar(&keyPath, "key", "", "Path to the server key.")
+	flag.BoolVar(&debug, "debug", false, "Enable debug logging.")
+	flag.Parse()
+}
+
+func getConfig() (*rest.Config, error) {
+	cfg, err := rest.InClusterConfig()
+	if err == nil {
+		return cfg, nil
+	}
+	kubeconfig := os.Getenv("KUBECONFIG")
+	if kubeconfig == "" {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return nil, fmt.Errorf("could not get kubeconfig: %w", err)
+		}
+		kubeconfig = filepath.Join(home, ".kube", "config")
+	}
+	cfg, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
+	if err != nil {
+		return nil, err
+	}
+	return cfg, nil
+}
+
+func server(ctx context.Context, cfg *rest.Config) {
+	discovery, err := discovery.NewDiscoveryClientForConfig(cfg)
+	if err != nil {
+		setupLog.Error(err, "could not start watcher")
+		os.Exit(1)
+	}
+	dynamicClient, err := dynamic.NewForConfig(cfg)
+	if err != nil {
+		setupLog.Error(err, "could not get dynammic client for config")
+		os.Exit(1)
+	}
+	dynamicFactory := getDynamicInformerFactory(dynamicClient)
+	crdInformer, apiServiceInformer := setUpAPIInformers(dynamicFactory, ctx.Done())
+	apis := apiresources.WatchAPIResources(ctx, discovery, crdInformer, apiServiceInformer)
+	factory, err := getInformerFactory(cfg)
+	if err != nil {
+		setupLog.Error(err, "could not get informer factory")
+		os.Exit(1)
+	}
+	namespaceCache, configMapCache, err := setUpInformers(factory, ctx.Done())
+	if err != nil {
+		setupLog.Error(err, "failed to set up informers")
+		os.Exit(1)
+	}
+	mux := mux.NewRouter()
+	mux.HandleFunc("/apis/resources.hnc.x-k8s.io/v1alpha1", handlers.DiscoveryHandler(apis))
+	mux.HandleFunc("/apis/resources.hnc.x-k8s.io/v1alpha1/{resource}", handlers.Forwarder(dynamicClient, apis))
+	mux.HandleFunc("/apis/resources.hnc.x-k8s.io/v1alpha1/namespaces/{namespace}/{resource}", handlers.NamespaceHandler(apis, namespaceCache, dynamicClient))
+	mux.Use(handlers.AuthenticateMiddleware(configMapCache))
+
+	clientCA, err := getClientCA(configMapCache)
+	if err != nil {
+		setupLog.Error(err, "could not get client CA from configmap")
+		os.Exit(1)
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM([]byte(clientCA))
+	tlsConfig := &tls.Config{
+		ClientCAs:  caCertPool,
+		ClientAuth: tls.RequireAndVerifyClientCert,
+	}
+	server := http.Server{
+		Addr:      listenAddress,
+		Handler:   mux,
+		TLSConfig: tlsConfig,
+	}
+	setupLog.Info(fmt.Sprintf("starting server on %s", listenAddress))
+	err = server.ListenAndServeTLS(certPath, keyPath)
+	if err != nil {
+		setupLog.Error(err, "could not start server")
+		os.Exit(1)
+	}
+}
+
+func getClientCA(configMapCache corecache.ConfigMapNamespaceLister) (string, error) {
+	config, err := configMapCache.Get(handlers.ExtensionConfigMap)
+	if err != nil {
+		return "", err
+	}
+	clientCA, ok := config.Data[handlers.ClientCAKey]
+	if !ok {
+		return "", fmt.Errorf("invalid extension config")
+	}
+	return string(clientCA), nil
+}
+
+func getInformerFactory(cfg *rest.Config) (informers.SharedInformerFactory, error) {
+	clientset, err := kubernetes.NewForConfig(cfg)
+	if err != nil {
+		return nil, err
+	}
+	return informers.NewSharedInformerFactory(clientset, 0), nil
+}
+
+func getDynamicInformerFactory(dynamicClient dynamic.Interface) dynamicinformer.DynamicSharedInformerFactory {
+	return dynamicinformer.NewDynamicSharedInformerFactory(dynamicClient, time.Minute)
+}
+
+func setUpInformers(factory informers.SharedInformerFactory, stop <-chan struct{}) (corecache.NamespaceLister, corecache.ConfigMapNamespaceLister, error) {
+	namespaceInformer := factory.Core().V1().Namespaces()
+	configMapInformer := factory.Core().V1().ConfigMaps()
+	go factory.Start(stop)
+	if !cache.WaitForCacheSync(stop, namespaceInformer.Informer().HasSynced, configMapInformer.Informer().HasSynced) {
+		return nil, nil, fmt.Errorf("cached failed to sync")
+	}
+	return namespaceInformer.Lister(), configMapInformer.Lister().ConfigMaps(handlers.KubeSystemNamespace), nil
+}
+
+func setUpAPIInformers(factory dynamicinformer.DynamicSharedInformerFactory, stop <-chan struct{}) (cache.SharedIndexInformer, cache.SharedIndexInformer) {
+	crdGVR := apiextv1.SchemeGroupVersion.WithResource("customresourcedefinitions")
+	crdInformer := factory.ForResource(crdGVR).Informer()
+	apiServiceGVR := apiregv1.SchemeGroupVersion.WithResource("apiservices")
+	apiServiceInformer := factory.ForResource(apiServiceGVR).Informer()
+	go factory.Start(stop)
+	return crdInformer, apiServiceInformer
+}

config/apiextension/apiextension.yaml

@@ -0,0 +1,120 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: resourcelist
+rules:
+- apiGroups:
+  - "*"
+  resources:
+  - "*"
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: resourcelist
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: resourcelist
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: hnc-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: resourcelist
+  name: resourcelist
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: resourcelist
+  template:
+    metadata:
+      labels:
+        app: resourcelist
+    spec:
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 1000
+      containers:
+      - image: controller:latest # this is usually overridden by kustomize
+        name: resourcelist
+        command:
+        - /apiextension
+        args:
+        - "--cert=/certs/tls.crt"
+        - "--key=/certs/tls.key"
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: certs
+          mountPath: /certs
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
+        ports:
+        - containerPort: 7443
+          name: server
+          protocol: TCP
+      volumes:
+      - secret:
+          defaultMode: 420
+          secretName: hnc-resourcelist
+        name: certs
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: resourcelist
+  name: resourcelist
+spec:
+  ports:
+  - port: 7443
+    protocol: TCP
+    targetPort: 7443
+  selector:
+    app: resourcelist
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: resourcelist
+spec:
+  dnsNames:
+  - hnc-resourcelist.hnc-system.svc
+  - hnc-resourcelist.hnc-system.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: hnc-resourcelist
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.resources.hnc.x-k8s.io
+  annotations:
+    cert-manager.io/inject-ca-from: hnc-system/hnc-resourcelist
+spec:
+  group: resources.hnc.x-k8s.io
+  version: v1alpha1
+  groupPriorityMinimum: 10
+  versionPriority: 10
+  service:
+    namespace: hnc-system
+    name: resourcelist
+    port: 7443

config/apiextension/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- apiextension.yaml

config/variants/default-cc/kustomization.yaml

@@ -14,6 +14,7 @@ bases:
 - ../../manager
 - ../../rbac
 - ../../webhook
+- ../../apiextension
 
 patches:
 - patch: |-

config/variants/default-cm/kustomization.yaml

@@ -14,6 +14,7 @@ bases:
 - ../../manager
 - ../../rbac
 - ../../webhook
+- ../../apiextension
 
 patchesStrategicMerge:
 - webhookcainjection_patch.yaml

config/variants/hrq/kustomization.yaml

@@ -14,6 +14,7 @@ bases:
 - ../../manager
 - ../../rbac
 - ../../webhook
+- ../../apiextension
 
 patchesStrategicMerge:
 - webhook_patch.yaml

go.mod

@@ -93,13 +93,12 @@ require (
 	golang.org/x/mod v0.7.0 // indirect
 	golang.org/x/net v0.3.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f // indirect
-	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/sync v0.1.0
 	golang.org/x/sys v0.3.0 // indirect
 	golang.org/x/term v0.3.0 // indirect
 	golang.org/x/text v0.5.0
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	golang.org/x/tools v0.4.1-0.20221208213631-3f74d914ae6d // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/api v0.44.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
@@ -121,6 +120,15 @@ require (
 )
 
 require (
+	github.com/gorilla/mux v1.8.0
+	k8s.io/apiserver v0.23.2
+	k8s.io/kube-aggregator v0.23.2
+	sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20230208013708-22718275bffe
+)
+
+require (
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/spf13/afero v1.6.0 // indirect
-	sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20230208013708-22718275bffe // indirect
 )