diff --git a/go.mod b/go.mod
index 3a7e72f..e3fa494 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,6 @@
 module open-cluster-management.io/multicluster-controlplane
-go 1.22.5
-
-toolchain go1.22.8
+go 1.22.8
 require (
 github.com/onsi/ginkgo/v2 v2.20.0
@@ -30,9 +28,10 @@ require (
 k8s.io/metrics v0.30.3
 k8s.io/utils v0.0.0-20240310230437-4693a0247e57
 open-cluster-management.io/api v0.15.0
- open-cluster-management.io/managed-serviceaccount v0.6.0
+ open-cluster-management.io/managed-serviceaccount v0.7.0
 open-cluster-management.io/ocm v0.15.0
 open-cluster-management.io/sdk-go v0.15.0
+ sigs.k8s.io/cluster-inventory-api v0.0.0-20240730014211-ef0154379848
 sigs.k8s.io/controller-runtime v0.18.5
 )
@@ -180,7 +179,6 @@ require (
 k8s.io/pod-security-admission v0.30.3 // indirect
 open-cluster-management.io/addon-framework v0.11.0 // indirect
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 // indirect
- sigs.k8s.io/cluster-inventory-api v0.0.0-20240730014211-ef0154379848 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
diff --git a/go.sum b/go.sum
index 1bad8eb..d841506 100644
--- a/go.sum
+++ b/go.sum
@@ -566,8 +566,8 @@ open-cluster-management.io/addon-framework v0.11.0 h1:ZJxphgHQ36VUJF0RIag+nzcEn5
 open-cluster-management.io/addon-framework v0.11.0/go.mod h1:ruMU8i/dciz3qCv2CQ46Cu1b7rkK7TpvB+W4bRwHf+I=
 open-cluster-management.io/api v0.15.0 h1:lRee1KOlGHZb2scTA7ff9E9Fxt2hJc7jpkHnaCbvkOU=
 open-cluster-management.io/api v0.15.0/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM=
-open-cluster-management.io/managed-serviceaccount v0.6.0 h1:qIi5T9WQJBuoGqnYGIktXbtqfQoiN2H9XU2P/6lAQiw=
-open-cluster-management.io/managed-serviceaccount v0.6.0/go.mod h1:G4LUTbZiyrB8c0+rqi/xnDmGlsg7Rdr4T7MPLCWhyQI=
+open-cluster-management.io/managed-serviceaccount v0.7.0 h1:OShodBB3i+rMXjR9xEF6ySp9yBeiiLlEOAKvPA2v3i4=
+open-cluster-management.io/managed-serviceaccount v0.7.0/go.mod h1:NNKqC+cePQ9HH0r7mb9CYSk/hXGsNYu9+K4YfcZTwAk=
 open-cluster-management.io/ocm v0.15.0 h1:anXQzvQUhM/DT8FcKVi4n8AY97IA5DVI0mb8R1wsvbs=
 open-cluster-management.io/ocm v0.15.0/go.mod h1:d6ubRiBaouiQ+yV+wFAmarpU7I77nXhkJnQJf8gLZC4=
 open-cluster-management.io/sdk-go v0.15.0 h1:2IAJnPfUoY6rPC5w7LhqAnvIlgekPoVW03LdZO1unIM=
diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
index fdf0914..29180e4 100644
--- a/pkg/agent/agent.go
+++ b/pkg/agent/agent.go
@@ -125,7 +125,8 @@ func (o *AgentOptions) WithWorkloadSourceDriverConfig(hubKubeConfigFile string)
 }
 func (o *AgentOptions) RunAgent(ctx context.Context) error {
- config := singletonspoke.NewAgentConfig(o.CommonOpts, o.RegistrationAgentOpts, o.WorkAgentOpts)
+ cancleCtx, cancel := context.WithCancel(ctx)
+ config := singletonspoke.NewAgentConfig(o.CommonOpts, o.RegistrationAgentOpts, o.WorkAgentOpts, cancel)
 inClusterKubeConfig, err := rest.InClusterConfig()
 if err != nil {
 klog.Warningf("failed to get kubeconfig from cluster inside, will use '--kubeconfig' to build client")
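Review bot: The cancel func returned by context.WithCancel is handed to NewAgentConfig but never deferred in RunAgent, so on any early return between this line and the `<-cancleCtx.Done()` wait in the next hunk the child context is never released; add `defer cancel()` directly under the WithCancel line. The identifier is also misspelled: `cancelCtx, cancel := context.WithCancel(ctx)` here, and `cancelCtx` in the RunSpokeAgent and Done lines of the second hunk. RunAgent's body continues outside this hunk.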
@@ -156,9 +157,9 @@ func (o *AgentOptions) RunAgent(ctx context.Context) error {
 OperatorNamespace: "open-cluster-management-agent",
 }
- go utilruntime.Must(config.RunSpokeAgent(ctx, controllerContext))
+ go utilruntime.Must(config.RunSpokeAgent(cancleCtx, controllerContext))
- <-ctx.Done()
+ <-cancleCtx.Done()
 return nil
 }
diff --git a/pkg/certificate/certchains/signers.go b/pkg/certificate/certchains/signers.go
index e3adf46..7cafea9 100644
--- a/pkg/certificate/certchains/signers.go
+++ b/pkg/certificate/certchains/signers.go
@@ -336,7 +336,7 @@ func (s *CertificateSigner) SignServingCertificate(signInfo *ServingCertificateS
 tlsConfig, _, err := s.signerConfig.EnsureServerCert(
 ServingCertPath(certDir),
 ServingKeyPath(certDir),
- sets.NewString(signInfo.Hostnames...),
+ sets.New[string](signInfo.Hostnames...),
 signInfo.ValidityDays,
 )
@@ -354,7 +354,7 @@ func (s *CertificateSigner) SignServingCertificate(signInfo *ServingCertificateS
 func (s *CertificateSigner) SignPeerCertificate(signInfo *PeerCertificateSigningRequestInfo) error {
 certDir := filepath.Join(s.signerDir, signInfo.Name)
- hostnameSet := sets.NewString(signInfo.Hostnames...)
+ hostnameSet := sets.New[string](signInfo.Hostnames...)
 if _, err := crypto.GetServerCert(
 PeerCertPath(certDir), PeerKeyPath(certDir),
diff --git a/pkg/controllers/kubecontroller/core.go b/pkg/controllers/kubecontroller/core.go
index d4527d9..aee7d89 100644
--- a/pkg/controllers/kubecontroller/core.go
+++ b/pkg/controllers/kubecontroller/core.go
@@ -87,6 +87,7 @@ func startGarbageCollectorController(ctx context.Context, controllerContext Cont
 ignoredResources[schema.GroupResource{Group: r.Group, Resource: r.Resource}] = struct{}{}
 }
 garbageCollector, err := garbagecollector.NewGarbageCollector(
+ ctx,
 gcClientset,
 metadataClient,
 controllerContext.RESTMapper,
diff --git a/pkg/controllers/ocmcontroller/ocmcontroller.go b/pkg/controllers/ocmcontroller/ocmcontroller.go
index 5c7911a..36cf3a4 100644
--- a/pkg/controllers/ocmcontroller/ocmcontroller.go
+++ b/pkg/controllers/ocmcontroller/ocmcontroller.go
@@ -3,6 +3,8 @@ package ocmcontroller
 import (
 "context"
+ cpclientset "sigs.k8s.io/cluster-inventory-api/client/clientset/versioned"
+ cpinformerv1alpha1 "sigs.k8s.io/cluster-inventory-api/client/informers/externalversions"
 "time"
 "github.com/openshift/library-go/pkg/controller/controllercmd"
@@ -125,8 +127,14 @@ func runControllers(ctx context.Context,
 return err
 }
+ clusterProfileClient, err := cpclientset.NewForConfig(controllerContext.KubeConfig)
+ if err != nil {
+ return err
+ }
+
 clusterInformers := clusterv1informers.NewSharedInformerFactory(clusterClient, 10*time.Minute)
 workInformers := workinformers.NewSharedInformerFactory(workClient, 10*time.Minute)
+ clusterProfileInformers := cpinformerv1alpha1.NewSharedInformerFactory(clusterProfileClient, 30*time.Minute)
 addOnInformers := addoninformers.NewSharedInformerFactory(addOnClient, 10*time.Minute)
 dynamicInformers := dynamicinformer.NewDynamicSharedInformerFactory(dynamicClient, 10*time.Minute)
@@ -137,9 +145,11 @@ func runControllers(ctx context.Context,
 kubeClient,
 metadataClient,
 clusterClient,
+ clusterProfileClient,
 addOnClient,
 kubeInformers,
 clusterInformers,
+ clusterProfileInformers,
 workInformers,
 addOnInformers,
 ); err != nil {
diff --git a/pkg/servers/kubeapiserver.go b/pkg/servers/kubeapiserver.go
index 144602a..04838d7 100644
--- a/pkg/servers/kubeapiserver.go
+++ b/pkg/servers/kubeapiserver.go
@@ -6,6 +6,7 @@ package servers
 import (
 "crypto/tls"
 "fmt"
+ "k8s.io/apimachinery/pkg/util/wait"
 "net/http"
 "net/url"
 "time"
@@ -264,6 +265,8 @@ func buildGenericConfig(
 return
 }
+ ctx := wait.ContextForChannel(genericConfig.DrainedNotify())
+
 authorizationConfig := options.Authorization.ToAuthorizationConfig(versionedInformers)
 if genericConfig.EgressSelector != nil {
 egressDialer, err := genericConfig.EgressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())
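Review bot: The two new imports in the first hunk are inserted between "context" and "time", inside the standard-library group, which goimports would not produce; move `cpclientset` and `cpinformerv1alpha1` down into the third-party group with the other sigs.k8s.io/k8s.io packages. The `"k8s.io/apimachinery/pkg/util/wait"` import added to pkg/servers/kubeapiserver.go has the same placement problem, sitting between "fmt" and "net/http". In the second hunk clusterProfileInformers is built with a 30*time.Minute resync while every sibling factory on the neighbouring lines uses 10*time.Minute; if the difference is deliberate, a one-line comment such as `// ClusterProfile objects change rarely; resync less often than the OCM informers` would save the next reader a question.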
@@ -273,7 +276,7 @@ func buildGenericConfig(
 }
 authorizationConfig.CustomDial = egressDialer
 }
- genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = authorizationConfig.New()
+ genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = authorizationConfig.New(ctx, genericConfig.APIServerID)
 if err != nil {
 lastErr = fmt.Errorf("invalid authorization config: %v", err)
 return
@@ -292,7 +295,7 @@ func buildGenericConfig(
 LoopbackClientConfig: genericConfig.LoopbackClientConfig,
 }
 serviceResolver = buildServiceResolver(options.EnableAggregatorRouting, genericConfig.LoopbackClientConfig.Host, versionedInformers)
- pluginInitializers, admissionPostStartHook, err = admissionConfig.New(proxyTransport, genericConfig.EgressSelector,
+ pluginInitializers, err = admissionConfig.New(proxyTransport, genericConfig.EgressSelector,
 serviceResolver, genericConfig.TracerProvider)
 if err != nil {
 lastErr = fmt.Errorf("failed to create admission plugin initializer: %v", err)
diff --git a/pkg/servers/options/authentication.go b/pkg/servers/options/authentication.go
index d375e28..b41417a 100644
--- a/pkg/servers/options/authentication.go
+++ b/pkg/servers/options/authentication.go
@@ -495,7 +495,7 @@ func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat
 }
 if ret.AuthenticationConfig != nil {
- if err := apiservervalidation.ValidateAuthenticationConfiguration(ret.AuthenticationConfig).ToAggregate(); err != nil {
+ if err := apiservervalidation.ValidateAuthenticationConfiguration(ret.AuthenticationConfig, []string{}).ToAggregate(); err != nil {
 return kubeauthenticator.Config{}, err
 }
 }
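Review bot: admissionConfig.New no longer returns the post-start hook, and the second hunk simply stops assigning `admissionPostStartHook`; if that variable is still declared in buildGenericConfig and later registered on the generic server, it is now always nil and the registration should be dropped or guarded in this same change, and if nothing references it any more the leftover declaration is dead and should go too. Both the declaration and any registration lie outside this hunk, as does the rest of buildGenericConfig, so I cannot confirm which case applies from the diff alone.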
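Review bot: Passing `[]string{}` as the disallowed-issuers argument to ValidateAuthenticationConfiguration switches off the check that rejects a JWT authenticator whose issuer URL overlaps the service-account token issuer; upstream kube-apiserver passes the configured issuers here, as in `apiservervalidation.ValidateAuthenticationConfiguration(ret.AuthenticationConfig, ret.ServiceAccountIssuers)`, so that a structured authentication config cannot accept service-account JWTs through the generic JWT path with its own username and group mapping. If ret mirrors upstream's kubeauthenticator.Config, pass its service-account issuers instead of an empty slice. In the second hunk of this file, `authenticatorConfig.New(context.Background())` binds any authenticator background work to a context that is never cancelled, while this same commit derives `wait.ContextForChannel(genericConfig.DrainedNotify())` in kubeapiserver.go; threading a server-lifecycle context into ApplyTo would keep the two consistent, and the discarded second result deserves a comment such as `// config reload callback unused: dynamic authentication reload is not wired up here`. ToAuthenticationConfig continues outside the hunk.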
@@ -603,7 +603,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen
 authenticators := []authenticator.Request{} // var openAPIV3SecuritySchemes spec3.SecuritySchemes
- authenticator, openAPIV2SecurityDefinitions, openAPIV3SecuritySchemes, err := authenticatorConfig.New()
+ authenticator, _, openAPIV2SecurityDefinitions, openAPIV3SecuritySchemes, err := authenticatorConfig.New(context.Background())
 if err != nil {
 return err
 }
diff --git a/pkg/servers/options/plugins.go b/pkg/servers/options/plugins.go
index 43b00b7..2a95b30 100644
--- a/pkg/servers/options/plugins.go
+++ b/pkg/servers/options/plugins.go
@@ -7,6 +7,7 @@ package options
 // This should probably be part of some configuration fed into the build for a
 // given binary target.
 import (
+ validatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/policy/validating"
 certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval"
 certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing"
 certsubjectrestriction "k8s.io/kubernetes/plugin/pkg/admission/certificates/subjectrestriction"
@@ -49,9 +50,10 @@ var AllOrderedPlugins = []string{
 // new admission plugins should generally be inserted above here
 // webhook, resourcequota, and deny plugins must go at the end
- mutatingwebhook.PluginName, // MutatingAdmissionWebhook
- validatingwebhook.PluginName, // ValidatingAdmissionWebhook
- resourcequota.PluginName, // ResourceQuota
+ mutatingwebhook.PluginName, // MutatingAdmissionWebhook
+ validatingwebhook.PluginName, // ValidatingAdmissionWebhook
+ validatingadmissionpolicy.PluginName, // ValidatingAdmissionPolicy
+ resourcequota.PluginName, // ResourceQuota
 }
 // RegisterAllAdmissionPlugins registers all admission plugins.
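Review bot: Adding validatingadmissionpolicy.PluginName to AllOrderedPlugins fixes its position but does not register the plugin; RegisterAllAdmissionPlugins, which begins right after this hunk, also needs `validatingadmissionpolicy.Register(plugins)` if it does not already have it, otherwise enabling the plugin would be rejected as an unknown admission plugin at setup. Whether the new entry should also be in the default-enabled set is a separate decision the hunk does not show, and the order-list comment would be a good place to record it, e.g. `validatingadmissionpolicy.PluginName, // ValidatingAdmissionPolicy (registered in RegisterAllAdmissionPlugins; default on/off decided there)`.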