sttts · August 10, 2023 08:17
diff --git a/logging.patch b/logging.patch
 diff --git a/apis/generate.go b/apis/generate.go
 index 001a9de0..b5bd1df0 100644
 --- a/apis/generate.go
 +++ b/apis/generate.go
 @@ -23,6 +23,7 @@
 
 // Generate deepcopy methodsets and CRD manifests
 //go:generate go run -tags generate sigs.k8s.io/controller-tools/cmd/controller-gen object:headerFile=../hack/boilerplate.go.txt paths=./spaces/... crd:crdVersions=v1 output:artifacts:config=../package/crds
 +//go:generate bash -c "for CRD in ../package/crds/*.yaml; do PATCH=patches/$DOLLAR(basename \"$DOLLAR{CRD}\")-patch; if [ -f \"$DOLLAR{PATCH}\" ]; then echo \"Applying $DOLLAR{PATCH}\"; go run -tags generate github.com/vmware-archive/yaml-patch/cmd/yaml-patch -o \"$DOLLAR{PATCH}\" < \"$DOLLAR{CRD}\" > \"$DOLLAR{CRD}.patched\" && mv \"$DOLLAR{CRD}.patched\" \"$DOLLAR{CRD}\"; fi; done"
 
 // Sync CRDs to spaces chart.
 //go:generate rm -rf ../cluster/charts/spaces/crds
 diff --git a/apis/patches/spaces.upbound.io_controlplanes.yaml-patch b/apis/patches/spaces.upbound.io_controlplanes.yaml-patch
 index e69de29b..543170fb 100644
 --- a/apis/patches/spaces.upbound.io_controlplanes.yaml-patch
 +++ b/apis/patches/spaces.upbound.io_controlplanes.yaml-patch
 @@ -0,0 +1,3 @@
 +- op: add
 +  path: /spec/versions/name=v1alpha1/schema/openAPIV3Schema/format
 +  value: "url"
 diff --git a/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml b/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml
 index e69de29b..7415f580 100644
 --- a/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml
 +++ b/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml
 @@ -0,0 +1,29 @@
 +apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
 +kind: FlowSchema
 +metadata:
 +  name: exempt-token-and-subject-access-reviews
 +spec:
 +  # Setting higher priority to ensure it's evaluated before other FlowSchemas
 +  priorityLevelConfiguration:
 +    name: exempt
 +  matchingPrecedence: 10000
 +  rules:
 +  - subjects:
 +    # Matches all subjects (users, groups, service accounts)
 +    - kind: Group
 +      group:
 +        name: system:authenticated
 +    # Add other subjects if needed
 +    resourceRules:
 +    - verbs:
 +      - '*'
 +      resources:
 +      - 'tokenreviews'
 +      apiGroups:
 +      - 'authentication.k8s.io'
 +    - verbs:
 +      - '*'
 +      resources:
 +      - 'subjectaccessreviews'
 +      apiGroups:
 +      - 'authorization.k8s.io'
 diff --git a/cluster/charts/spaces/templates/router/clusterrole.yaml b/cluster/charts/spaces/templates/router/clusterrole.yaml
 index c0097ae5..8194bc1f 100644
 --- a/cluster/charts/spaces/templates/router/clusterrole.yaml
 +++ b/cluster/charts/spaces/templates/router/clusterrole.yaml
 @@ -9,7 +9,7 @@ rules:
 - apiGroups:
   - internal.spaces.upbound.io
   resources:
 -  - hostclusters
 +  - xhostclusters
   verbs:
   - get
   - list
 diff --git a/cmd/gateway/main.go b/cmd/gateway/main.go
 index e5c646c7..cfc6acff 100644
 --- a/cmd/gateway/main.go
 +++ b/cmd/gateway/main.go
 @@ -19,7 +19,6 @@ import (
 	"golang.org/x/sync/errgroup"
 
 	"k8s.io/client-go/rest"
 -	"k8s.io/client-go/transport"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 @@ -164,29 +163,19 @@ func (c *Command) runGateway(ctx context.Context, log logging.Logger) error {
 }
 
 func roundTripperForRestConfig(config *rest.Config) (http.RoundTripper, error) {
 +	cpy := *config
 +
 	// NOTE(epk): these values match the burst and QPS values in kubectl.
 	// xref: https://github.com/kubernetes/kubernetes/pull/105520
 -	config.Burst = 300
 -	config.QPS = 50
 -
 -	tlsConf, err := rest.TLSConfigFor(config)
 -	if err != nil {
 -		return nil, err
 -	}
 +	cpy.Burst = 300
 +	cpy.QPS = 50
 
 -	tlsTransport := &http.Transport{
 -		TLSClientConfig: tlsConf,
 -	}
 -
 -	restTransportConfig, err := config.TransportConfig()
 +	rt, err := rest.TransportFor(&cpy)
 	if err != nil {
 		return nil, err
 	}
 
 -	kubeRT, err := transport.HTTPWrappersForConfig(restTransportConfig, tlsTransport)
 -	if err != nil {
 -		return nil, err
 -	}
 +	fmt.Printf("rt: %v\n", rt)
 
 -	return kubeRT, nil
 +	return rt, nil
 }
 diff --git a/internal/server/gateway/gateway.go b/internal/server/gateway/gateway.go
 index 8510b074..bbda3cb3 100644
 --- a/internal/server/gateway/gateway.go
 +++ b/internal/server/gateway/gateway.go
 @@ -12,6 +12,7 @@ import (
 
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 	"github.com/go-chi/chi/v5"
 +
 	"k8s.io/client-go/transport"
 
 	"github.com/upbound/mxe/internal/logging"
 @@ -53,6 +54,7 @@ var (
 		"Accept-Encoding",
 		"Accept",
 		"User-Agent",
 +		"Audit-Id",
 	}
 )
 
 @@ -118,7 +120,6 @@ func (gw *Gateway) K8sHandler() http.HandlerFunc {
 		pReq.URL.Path = chi.URLParam(r, "*") // k8s/path -> path
 
 		proxy.ServeHTTP(w, pReq)
 -
 	}
 }
	diff --git a/apis/generate.go b/apis/generate.go
	index 001a9de0..b5bd1df0 100644
	--- a/apis/generate.go
	+++ b/apis/generate.go
	@@ -23,6 +23,7 @@

	// Generate deepcopy methodsets and CRD manifests
	//go:generate go run -tags generate sigs.k8s.io/controller-tools/cmd/controller-gen object:headerFile=../hack/boilerplate.go.txt paths=./spaces/... crd:crdVersions=v1 output:artifacts:config=../package/crds
	+//go:generate bash -c "for CRD in ../package/crds/*.yaml; do PATCH=patches/$DOLLAR(basename \"$DOLLAR{CRD}\")-patch; if [ -f \"$DOLLAR{PATCH}\" ]; then echo \"Applying $DOLLAR{PATCH}\"; go run -tags generate github.com/vmware-archive/yaml-patch/cmd/yaml-patch -o \"$DOLLAR{PATCH}\" < \"$DOLLAR{CRD}\" > \"$DOLLAR{CRD}.patched\" && mv \"$DOLLAR{CRD}.patched\" \"$DOLLAR{CRD}\"; fi; done"

	// Sync CRDs to spaces chart.
	//go:generate rm -rf ../cluster/charts/spaces/crds
	diff --git a/apis/patches/spaces.upbound.io_controlplanes.yaml-patch b/apis/patches/spaces.upbound.io_controlplanes.yaml-patch
	index e69de29b..543170fb 100644
	--- a/apis/patches/spaces.upbound.io_controlplanes.yaml-patch
	+++ b/apis/patches/spaces.upbound.io_controlplanes.yaml-patch
	@@ -0,0 +1,3 @@
	+- op: add
	+ path: /spec/versions/name=v1alpha1/schema/openAPIV3Schema/format
	+ value: "url"
	diff --git a/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml b/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml
	index e69de29b..7415f580 100644
	--- a/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml
	+++ b/cluster/charts/mxp-bootstrapper/templates/flowschema.yaml
	@@ -0,0 +1,29 @@
	+apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
	+kind: FlowSchema
	+metadata:
	+ name: exempt-token-and-subject-access-reviews
	+spec:
	+ # Setting higher priority to ensure it's evaluated before other FlowSchemas
	+ priorityLevelConfiguration:
	+ name: exempt
	+ matchingPrecedence: 10000
	+ rules:
	+ - subjects:
	+ # Matches all subjects (users, groups, service accounts)
	+ - kind: Group
	+ group:
	+ name: system:authenticated
	+ # Add other subjects if needed
	+ resourceRules:
	+ - verbs:
	+ - '*'
	+ resources:
	+ - 'tokenreviews'
	+ apiGroups:
	+ - 'authentication.k8s.io'
	+ - verbs:
	+ - '*'
	+ resources:
	+ - 'subjectaccessreviews'
	+ apiGroups:
	+ - 'authorization.k8s.io'
	diff --git a/cluster/charts/spaces/templates/router/clusterrole.yaml b/cluster/charts/spaces/templates/router/clusterrole.yaml
	index c0097ae5..8194bc1f 100644
	--- a/cluster/charts/spaces/templates/router/clusterrole.yaml
	+++ b/cluster/charts/spaces/templates/router/clusterrole.yaml
	@@ -9,7 +9,7 @@ rules:
	- apiGroups:
	- internal.spaces.upbound.io
	resources:
	- - hostclusters
	+ - xhostclusters
	verbs:
	- get
	- list
	diff --git a/cmd/gateway/main.go b/cmd/gateway/main.go
	index e5c646c7..cfc6acff 100644
	--- a/cmd/gateway/main.go
	+++ b/cmd/gateway/main.go
	@@ -19,7 +19,6 @@ import (
	"golang.org/x/sync/errgroup"

	"k8s.io/client-go/rest"
	- "k8s.io/client-go/transport"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/client/config"
	"sigs.k8s.io/controller-runtime/pkg/log/zap"
	@@ -164,29 +163,19 @@ func (c *Command) runGateway(ctx context.Context, log logging.Logger) error {
	}

	func roundTripperForRestConfig(config *rest.Config) (http.RoundTripper, error) {
	+ cpy := *config
	+
	// NOTE(epk): these values match the burst and QPS values in kubectl.
	// xref: https://github.com/kubernetes/kubernetes/pull/105520
	- config.Burst = 300
	- config.QPS = 50
	-
	- tlsConf, err := rest.TLSConfigFor(config)
	- if err != nil {
	- return nil, err
	- }
	+ cpy.Burst = 300
	+ cpy.QPS = 50

	- tlsTransport := &http.Transport{
	- TLSClientConfig: tlsConf,
	- }
	-
	- restTransportConfig, err := config.TransportConfig()
	+ rt, err := rest.TransportFor(&cpy)
	if err != nil {
	return nil, err
	}

	- kubeRT, err := transport.HTTPWrappersForConfig(restTransportConfig, tlsTransport)
	- if err != nil {
	- return nil, err
	- }
	+ fmt.Printf("rt: %v\n", rt)

	- return kubeRT, nil
	+ return rt, nil
	}
	diff --git a/internal/server/gateway/gateway.go b/internal/server/gateway/gateway.go
	index 8510b074..bbda3cb3 100644
	--- a/internal/server/gateway/gateway.go
	+++ b/internal/server/gateway/gateway.go
	@@ -12,6 +12,7 @@ import (

	"github.com/crossplane/crossplane-runtime/pkg/errors"
	"github.com/go-chi/chi/v5"
	+
	"k8s.io/client-go/transport"

	"github.com/upbound/mxe/internal/logging"
	@@ -53,6 +54,7 @@ var (
	"Accept-Encoding",
	"Accept",
	"User-Agent",
	+ "Audit-Id",
	}
	)

	@@ -118,7 +120,6 @@ func (gw *Gateway) K8sHandler() http.HandlerFunc {
	pReq.URL.Path = chi.URLParam(r, "*") // k8s/path -> path

	proxy.ServeHTTP(w, pReq)
	-
	}
	}