feat: user private ns invite

controllers/user/controllers/adapt_rolebinding_controller.go

@@ -0,0 +1,137 @@
+/*
+Copyright 2022 labring.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+	"context"
+
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	"github.com/labring/sealos/controllers/user/controllers/helper/config"
+
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+
+	v1 "k8s.io/api/rbac/v1"
+
+	"sigs.k8s.io/controller-runtime/pkg/event"
+
+	userv1 "github.com/labring/sealos/controllers/user/api/v1"
+
+	"github.com/go-logr/logr"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// TODO This controller is used to adapt the old RoleBinding. only need to deploy the logic once for conversion and delete the controller in the future
+
+// AdaptRoleBindingReconciler reconciles a RoleBinding object, Old Role bindings are backward compatible and will be deleted in the future
+type AdaptRoleBindingReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+	Logger logr.Logger
+}
+
+func (r *AdaptRoleBindingReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	rolebinding := &v1.RoleBinding{}
+	if err := r.Get(ctx, req.NamespacedName, rolebinding); err != nil {
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+
+	// old rolebinding only has one subject
+	if len(rolebinding.Subjects) != 1 {
+		return ctrl.Result{}, nil
+	}
+
+	if rolebinding.Subjects[0].Namespace != config.GetUserSystemNamespace() {
+		userName := rolebinding.GetAnnotations()[userAnnotationOwnerKey]
+		user := &userv1.User{}
+		if err := r.Get(ctx, client.ObjectKey{Name: userName}, user); err != nil {
+			r.Logger.Error(err, "get user failed")
+			return ctrl.Result{}, err
+		}
+		appendSubject := rolebinding.Subjects[0].DeepCopy()
+		appendSubject.Namespace = config.GetUserSystemNamespace()
+		rolebinding.Subjects = append(rolebinding.Subjects, *appendSubject)
+		if err := r.Update(ctx, rolebinding); err != nil {
+			r.Logger.Error(err, "update rolebinding failed")
+			return ctrl.Result{}, err
+		}
+		if err := controllerutil.SetControllerReference(user, rolebinding, r.Scheme); err != nil {
+			r.Logger.Error(err, "set controller reference failed")
+			return ctrl.Result{}, err
+		}
+	}
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *AdaptRoleBindingReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	const controllerName = "adapt_rolebinding_controller"
+	if r.Client == nil {
+		r.Client = mgr.GetClient()
+	}
+	r.Logger = ctrl.Log.WithName(controllerName)
+	r.Scheme = mgr.GetScheme()
+	r.Logger.V(1).Info("init reconcile AdaptRoleBinding controller")
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&v1.RoleBinding{}, builder.WithPredicates(WorkspacePredicate{})).
+		Complete(r)
+}
+
+type WorkspacePredicate struct {
+}
+
+func (WorkspacePredicate) Create(e event.CreateEvent) bool {
+	return isWorkspaceObject(e.Object)
+}
+
+func (WorkspacePredicate) Delete(_ event.DeleteEvent) bool {
+	return false
+}
+
+func (WorkspacePredicate) Update(_ event.UpdateEvent) bool {
+	return false
+}
+
+func (WorkspacePredicate) Generic(_ event.GenericEvent) bool {
+	return false
+}
+
+func isWorkspaceObject(obj client.Object) bool {
+	rolebinding, ok := obj.(*v1.RoleBinding)
+	if !ok {
+		return false
+	}
+	anno := obj.GetAnnotations()
+	if anno == nil {
+		return false
+	}
+	if anno["user.sealos.io/owner"] == "" {
+		return false
+	}
+	if len(obj.GetOwnerReferences()) > 0 {
+		return false
+	}
+
+	for _, sub := range rolebinding.Subjects {
+		if sub.Namespace == config.GetUserSystemNamespace() {
+			return false
+		}
+	}
+	return true
+}

controllers/user/controllers/helper/config/rbac.go

@@ -26,6 +26,10 @@ import (
 	userv1 "github.com/labring/sealos/controllers/user/api/v1"
 )
 
+func GetUserSystemNamespace() string {
+	return "user-system"
+}
+
 func GetDefaultNamespace() string {
 	return os.Getenv("NAMESPACE_NAME")
 }
@@ -35,7 +39,7 @@ func GetUsersSubject(user string) []rbacv1.Subject {
 		{
 			Kind:      "ServiceAccount",
 			Name:      user,
-			Namespace: GetUsersNamespace(user),
+			Namespace: GetUserSystemNamespace(),
 		},
 	}
 }

controllers/user/controllers/operationrequest_controller.go

@@ -135,22 +135,37 @@ func (r *OperationReqReconciler) reconcile(ctx context.Context, request *userv1.
 		"rolebinding.roleRef", rolebinding.RoleRef,
 	)
 
+	user := &userv1.User{}
+	if err := r.Get(ctx, client.ObjectKey{Name: config.GetUserNameByNamespace(request.Namespace)}, user); err != nil {
+		r.Recorder.Eventf(request, v1.EventTypeWarning, "Failed to get user", "Failed to get user %s", request.Spec.User)
+		return ctrl.Result{}, err
+	}
+	if request.Spec.Role == userv1.OwnerRoleType {
+		if user.Name == user.Annotations[userv1.UserAnnotationOwnerKey] {
+			// 不允许转移个人空间
+			r.Recorder.Eventf(request, v1.EventTypeWarning, "Failed to grant role", "Failed to grant role %s to user %s, cannot transfer personal workspace", request.Spec.Role, request.Spec.User)
+			return ctrl.Result{}, r.updateRequestStatus(ctx, request, userv1.RequestFailed)
+		}
+	}
+	bindUser := &userv1.User{}
+	if err := r.Get(ctx, client.ObjectKey{Name: request.Spec.User}, bindUser); err != nil {
+		r.Recorder.Eventf(request, v1.EventTypeWarning, "Failed to get bind user", "Failed to get bind user %s", request.Spec.User)
+		return ctrl.Result{}, err
+	}
+	setUpOwnerReferenceFc := func() error {
+		return ctrl.SetControllerReference(bindUser, rolebinding, r.Scheme)
+	}
+
 	// handle OperationRequest, create or delete rolebinding
 	switch request.Spec.Action {
 	case userv1.Grant:
 		r.Recorder.Eventf(request, v1.EventTypeNormal, "Grant", "Grant role %s to user %s", request.Spec.Role, request.Spec.User)
-		if _, err := ctrl.CreateOrUpdate(ctx, r.Client, rolebinding, func() error { return nil }); err != nil {
+		if _, err := ctrl.CreateOrUpdate(ctx, r.Client, rolebinding, setUpOwnerReferenceFc); err != nil {
 			r.Recorder.Eventf(request, v1.EventTypeWarning, "Failed to create/update rolebinding", "Failed to create rolebinding %s/%s", rolebinding.Namespace, rolebinding.Name)
 			return ctrl.Result{}, err
 		}
 		if request.Spec.Role == userv1.OwnerRoleType {
 			// update user annotation
-			user := &userv1.User{}
-			if err := r.Get(ctx, client.ObjectKey{Name: config.GetUserNameByNamespace(request.Namespace)}, user); err != nil {
-				r.Recorder.Eventf(request, v1.EventTypeWarning, "Failed to get user", "Failed to get user %s", request.Spec.User)
-				return ctrl.Result{}, err
-			}
-
 			user.Annotations[userv1.UserAnnotationOwnerKey] = request.Spec.User
 			if err := r.Update(ctx, user); err != nil {
 				r.Recorder.Eventf(request, v1.EventTypeWarning, "Failed to update user", "Failed to update user %s", request.Spec.User)
@@ -169,18 +184,12 @@ func (r *OperationReqReconciler) reconcile(ctx context.Context, request *userv1.
 			r.Recorder.Eventf(request, v1.EventTypeWarning, "Failed to delete rolebinding", "Failed to delete rolebinding %s/%s", rolebinding.Namespace, rolebinding.Name)
 			return ctrl.Result{}, err
 		}
-		if _, err := ctrl.CreateOrUpdate(ctx, r.Client, rolebinding, func() error { return nil }); err != nil {
+		if _, err := ctrl.CreateOrUpdate(ctx, r.Client, rolebinding, setUpOwnerReferenceFc); err != nil {
 			r.Recorder.Eventf(request, v1.EventTypeWarning, "Failed to create/update rolebinding", "Failed to create rolebinding %s/%s", rolebinding.Namespace, rolebinding.Name)
 			return ctrl.Result{}, err
 		}
 		if request.Spec.Role == userv1.OwnerRoleType {
 			// update user annotation
-			user := &userv1.User{}
-			if err := r.Get(ctx, client.ObjectKey{Name: config.GetUserNameByNamespace(request.Namespace)}, user); err != nil {
-				r.Recorder.Eventf(request, v1.EventTypeWarning, "Failed to get user", "Failed to get user %s", request.Spec.User)
-				return ctrl.Result{}, err
-			}
-
 			user.Annotations[userv1.UserAnnotationOwnerKey] = request.Spec.User
 			if err := r.Update(ctx, user); err != nil {
 				r.Recorder.Eventf(request, v1.EventTypeWarning, "Failed to update user", "Failed to update user %s", request.Spec.User)
@@ -260,7 +269,7 @@ func conventRequestToRolebinding(request *userv1.Operationrequest) *rbacv1.RoleB
 			{
 				Kind:      rbacv1.ServiceAccountKind,
 				Name:      request.Spec.User,
-				Namespace: config.GetUsersNamespace(request.Spec.User),
+				Namespace: config.GetUserSystemNamespace(),
 			},
 		},
 		RoleRef: rbacv1.RoleRef{

controllers/user/controllers/user_controller.go

@@ -57,9 +57,11 @@ import (
 	"github.com/labring/sealos/controllers/user/controllers/helper"
 )
 
-var userAnnotationCreatorKey = userv1.UserAnnotationCreatorKey
-var userAnnotationOwnerKey = userv1.UserAnnotationOwnerKey
-var userLabelOwnerKey = userv1.UserLabelOwnerKey
+const (
+	userAnnotationCreatorKey = userv1.UserAnnotationCreatorKey
+	userAnnotationOwnerKey   = userv1.UserAnnotationOwnerKey
+	userLabelOwnerKey        = userv1.UserLabelOwnerKey
+)
 
 // UserReconciler reconciles a User object
 type UserReconciler struct {
@@ -378,22 +380,15 @@ func (r *UserReconciler) syncServiceAccount(ctx context.Context, user *userv1.Us
 		}
 	}()
 	ctx = context.WithValue(ctx, ctxKey("reNew"), false)
-	sa := &v1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      user.Name,
-			Namespace: config.GetDefaultNamespace(),
-		},
-	}
-	_ = r.Delete(context.Background(), sa)
 	if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		var change controllerutil.OperationResult
 		var err error
-		sa = &v1.ServiceAccount{}
+		sa := &v1.ServiceAccount{}
 		sa.Name = user.Name
-		sa.Namespace = config.GetUsersNamespace(user.Name)
+		sa.Namespace = config.GetUserSystemNamespace()
 		sa.Labels = map[string]string{}
 		if err = r.Get(context.Background(), client.ObjectKey{
-			Namespace: config.GetUsersNamespace(user.Name),
+			Namespace: config.GetUserSystemNamespace(),
 			Name:      user.Name,
 		}, sa); err != nil {
 			if apierrors.IsNotFound(err) {
@@ -423,12 +418,12 @@ func (r *UserReconciler) syncServiceAccount(ctx context.Context, user *userv1.Us
 			ctx = context.WithValue(ctx, ctxKey("reNew"), true)
 		}
 		saCondition.Message = fmt.Sprintf("sync namespace sa %s/%s successfully", sa.Name, sa.ResourceVersion)
+		ctx = context.WithValue(ctx, ctxKey("serviceAccount"), sa)
 		return nil
 	}); err != nil {
 		helper.SetConditionError(saCondition, "SyncUserError", err)
 		r.Recorder.Eventf(user, v1.EventTypeWarning, "syncUserServiceAccount", "Sync User namespace sa %s is error: %v", user.Name, err)
 	}
-	ctx = context.WithValue(ctx, ctxKey("serviceAccount"), sa)
 	return ctx
 }
 
@@ -459,7 +454,7 @@ func (r *UserReconciler) syncServiceAccountSecrets(ctx context.Context, user *us
 		secretName := sa.Secrets[0].Name
 		secrets := &v1.Secret{}
 		secrets.Name = secretName
-		secrets.Namespace = config.GetUsersNamespace(user.Name)
+		secrets.Namespace = config.GetUserSystemNamespace()
 		var err error
 		if err = r.Get(ctx, client.ObjectKeyFromObject(secrets), secrets); err == nil {
 			return nil
@@ -512,7 +507,7 @@ func (r *UserReconciler) syncKubeConfig(ctx context.Context, user *userv1.User)
 		return ctx
 	}
 	user.Status.ObservedCSRExpirationSeconds = user.Spec.CSRExpirationSeconds
-	cfg := kubeconfig.NewConfig(user.Name, "", user.Spec.CSRExpirationSeconds).WithServiceAccountConfig(config.GetUsersNamespace(user.Name), sa)
+	cfg := kubeconfig.NewConfig(user.Name, "", user.Spec.CSRExpirationSeconds).WithServiceAccountConfig(config.GetUserSystemNamespace(), sa)
 	apiConfig, err := cfg.Apply(r.config, r.Client)
 	if err != nil {
 		helper.SetConditionError(userCondition, "SyncKubeConfigError", err)

controllers/user/main.go

@@ -161,6 +161,13 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "DeleteRequest")
 		os.Exit(1)
 	}
+	if err = (&controllers.AdaptRoleBindingReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "AdaptRoleBinding")
+		os.Exit(1)
+	}
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

frontend/desktop/public/locales/en/common.json

@@ -224,5 +224,6 @@
   "you_can_use_the_kubectl_command_directly_from_the_terminal": "You can use the kubectl command directly from the terminal",
   "you_can_view_fees_through_the_fee_center": "You can view fees through the fee center",
   "you_have_not_purchased_the_license": "You have not purchased the License",
-  "yuan": "Yuan"
+  "yuan": "Yuan",
+  "rename": "Rename"
 }

frontend/desktop/public/locales/zh/common.json

@@ -217,5 +217,6 @@
   "you_can_use_the_kubectl_command_directly_from_the_terminal": "您可通过终端直接使用 kubectl 命令",
   "you_can_view_fees_through_the_fee_center": "您可通过费用中心查看费用",
   "you_have_not_purchased_the_license": "您还没有购买 License",
-  "yuan": "元"
+  "yuan": "元",
+  "rename": "重命名"
 }

frontend/desktop/src/api/namespace.ts

@@ -78,6 +78,9 @@ export const _switchRequest = (request: AxiosInstance) => (ns_uid: string) =>
   request.post<any, ApiResp<{ token: string; appToken: string }>>('/api/auth/namespace/switch', {
     ns_uid
   });
+export const _renameRequest =
+  (request: AxiosInstance) => (data: { ns_uid: string; teamName: string }) =>
+    request.post<any, ApiResp<null>>('/api/auth/namespace/rename', data);
 // for prod/dev
 export const abdicateRequest = _abdicateRequest(request);
 export const createRequest = _createRequest(request);
@@ -93,3 +96,4 @@ export const switchRequest = _switchRequest(request);
 export const getInviteCodeRequest = _getInviteCodeRequest(request);
 export const getInviteCodeInfoRequest = _getInviteCodeInfoRequest(request);
 export const verifyInviteCodeRequest = _verifyInviteCodeRequest(request);
+export const renameRequest = _renameRequest(request);