This is an automated email from the ASF dual-hosted git repository.

zhongxjian pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo-kubernetes.git


The following commit(s) were added to refs/heads/master by this push:
     new d3c12258 Update code logic (#848)
d3c12258 is described below

commit d3c1225872f4dea0a962c6f5bf75d907c174663b
Author: mfordjody <[email protected]>
AuthorDate: Sat Jan 17 20:48:59 2026 +0800

    Update code logic (#848)
---
 .asf.yaml                                          |  1 +
 dubbod/planet/pkg/bootstrap/server.go              |  5 ++-
 dubbod/security/pkg/credentialfetcher/fetcher.go   |  2 +
 .../security/pkg/credentialfetcher/plugin/token.go |  1 +
 dubbod/security/pkg/k8s/configutil.go              |  4 ++
 dubbod/security/pkg/k8s/controller/casecret.go     |  3 ++
 dubbod/security/pkg/util/certutil.go               |  6 +--
 dubbod/security/pkg/util/jwtutil.go                | 30 --------------
 .../dubbo-discovery/files/gateway.yaml             |  2 +-
 .../dubbo-discovery/templates/deployment.yaml      |  2 +-
 pkg/config/mesh/mesh.go                            |  1 +
 pkg/dubbo-agent/agent.go                           |  2 -
 pkg/kube/inject/inject.go                          |  2 +-
 pkg/security/security.go                           | 47 +---------------------
 14 files changed, 20 insertions(+), 88 deletions(-)

diff --git a/.asf.yaml b/.asf.yaml
index d937857b..614a9987 100644
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -34,6 +34,7 @@ github:
       # only disable force push
       # foo: bar
   labels:
+    - grpc
     - dubbo
     - consul
     - dubbo-go-pixiu
diff --git a/dubbod/planet/pkg/bootstrap/server.go 
b/dubbod/planet/pkg/bootstrap/server.go
index 2ab36f2c..50588e30 100644
--- a/dubbod/planet/pkg/bootstrap/server.go
+++ b/dubbod/planet/pkg/bootstrap/server.go
@@ -100,8 +100,9 @@ type Server struct {
        httpMux     *http.ServeMux
        httpsMux    *http.ServeMux // webhooks
 
-       ConfigStores           []model.ConfigStoreController
-       configController       model.ConfigStoreController
+       ConfigStores     []model.ConfigStoreController
+       configController model.ConfigStoreController
+
        multiclusterController *multicluster.Controller
 
        fileWatcher filewatcher.FileWatcher
diff --git a/dubbod/security/pkg/credentialfetcher/fetcher.go 
b/dubbod/security/pkg/credentialfetcher/fetcher.go
index 29b93e47..2090668e 100644
--- a/dubbod/security/pkg/credentialfetcher/fetcher.go
+++ b/dubbod/security/pkg/credentialfetcher/fetcher.go
@@ -23,6 +23,8 @@ import (
        "github.com/apache/dubbo-kubernetes/pkg/security"
 )
 
+// If the credential generator does not have a JWT or is not configured with 
any secure credentials,
+// it will obtain them from the Kubernetes token plugin.
 func NewCredFetcher(credtype string) (security.CredFetcher, error) {
        switch credtype {
        case security.JWT, "":
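Review bot: The comment added above NewCredFetcher does not work as its Go doc comment: it does not start with the function name, and it describes when a caller falls back to the token plugin rather than what the function returns. The visible `case security.JWT, "":` shows that an empty credtype is handled exactly like JWT, which is the fact worth stating, for example `// NewCredFetcher returns the CredFetcher for credtype; security.JWT and "" select the same fetcher.` The comments added to insertData in configutil.go and NewCaSecretController in casecret.go miss the same naming convention. The switch continues outside the hunk, so the other cases are not visible here.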
diff --git a/dubbod/security/pkg/credentialfetcher/plugin/token.go 
b/dubbod/security/pkg/credentialfetcher/plugin/token.go
index 628e8703..bf575961 100644
--- a/dubbod/security/pkg/credentialfetcher/plugin/token.go
+++ b/dubbod/security/pkg/credentialfetcher/plugin/token.go
@@ -31,6 +31,7 @@ type KubernetesTokenPlugin struct {
 
 func CreateTokenPlugin() *KubernetesTokenPlugin {
        return &KubernetesTokenPlugin{
+               // e.g: /var/run/secrets/kubernetes.io/serviceaccount/token
                path: "",
        }
 }
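Review bot: The example path in the new comment sits directly above `path: ""`, so CreateTokenPlugin still returns a plugin with an empty token path, and the comment does not say what an empty path means. If the empty value is intentional, say so, e.g. `// path is intentionally empty here; a typical location is /var/run/secrets/kubernetes.io/serviceaccount/token`. If it is a placeholder, a TODO is clearer than an example. How the plugin reads `path` is outside the hunk, so I cannot confirm whether an empty path fails loudly or yields an empty credential.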
diff --git a/dubbod/security/pkg/k8s/configutil.go 
b/dubbod/security/pkg/k8s/configutil.go
index 1a45ed06..ecfb3e92 100644
--- a/dubbod/security/pkg/k8s/configutil.go
+++ b/dubbod/security/pkg/k8s/configutil.go
@@ -61,6 +61,10 @@ func InsertDataToConfigMap(client 
kclient.Client[*v1.ConfigMap], meta metav1.Obj
        return nil
 }
 
+// Plugin new data into the ConfigMap.
+// Returns true if the content has changed.
+// Returns false if the content is exactly the same.
+// Avoids meaningless updates.
 func insertData(cm *v1.ConfigMap, data map[string]string) bool {
        if cm.Data == nil {
                cm.Data = data
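Review bot: The new comment on insertData leaves out the one side effect visible here: when `cm.Data == nil` the caller's map is stored directly (`cm.Data = data`), so the ConfigMap and the caller share one map afterwards. A line such as `// When cm.Data is nil, data is stored without copying.` would make that explicit. "Plugin new data" also looks like a slip for "Insert new data". The rest of the function body is outside the hunk.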
diff --git a/dubbod/security/pkg/k8s/controller/casecret.go 
b/dubbod/security/pkg/k8s/controller/casecret.go
index 84e31b15..dca33248 100644
--- a/dubbod/security/pkg/k8s/controller/casecret.go
+++ b/dubbod/security/pkg/k8s/controller/casecret.go
@@ -22,6 +22,9 @@ type CaSecretController struct {
        client corev1.CoreV1Interface
 }
 
+// Create a CA certificate secret
+// Rotate CAs
+// Synchronize CAs to various namespaces
 func NewCaSecretController(core corev1.CoreV1Interface) *CaSecretController {
        cs := &CaSecretController{
                client: core,
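Review bot: The three lines added above NewCaSecretController list creating, rotating and synchronizing CA secrets, but the visible constructor only stores the CoreV1 client in the struct. If those are the controller's responsibilities, they belong on the CaSecretController type. The constructor comment could then be `// NewCaSecretController returns a CaSecretController backed by the given CoreV1 client.` The constructor body continues past the hunk.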
diff --git a/dubbod/security/pkg/util/certutil.go 
b/dubbod/security/pkg/util/certutil.go
index 7d3a0b74..5612b672 100644
--- a/dubbod/security/pkg/util/certutil.go
+++ b/dubbod/security/pkg/util/certutil.go
@@ -46,14 +46,10 @@ func (cu CertUtilImpl) GetWaitTime(certBytes []byte, now 
time.Time) (time.Durati
                return time.Duration(0), fmt.Errorf("certificate already 
expired at %s, but now is %s",
                        cert.NotAfter, now)
        }
-       // Note: multiply time.Duration(int64) by an int 
(gracePeriodPercentage) will cause overflow (e.g.,
-       // when duration is time.Hour * 90000). So float64 is used instead.
        gracePeriod := time.Duration(float64(cert.NotAfter.Sub(cert.NotBefore)) 
* (float64(cu.gracePeriodPercentage) / 100))
-       // waitTime is the duration between now and the grace period starts.
-       // It is the time until cert expiration minus the length of grace 
period.
+
        waitTime := timeToExpire - gracePeriod
        if waitTime < 0 {
-               // We are within the grace period.
                return time.Duration(0), fmt.Errorf("got a certificate that 
should be renewed now")
        }
        return waitTime, nil
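Review bot: Dropping the note above the `gracePeriod` line removes the only explanation of why the multiplication goes through float64. Without it, a later cleanup to integer arithmetic could reintroduce the overflow the old comment described, and the result would be a wrong certificate renewal wait time. I would keep a one-line version: `// float64 avoids int64 overflow when scaling the validity period by gracePeriodPercentage`. The start of GetWaitTime and its closing brace are outside the hunk.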
diff --git a/dubbod/security/pkg/util/jwtutil.go 
b/dubbod/security/pkg/util/jwtutil.go
deleted file mode 100644
index 3d973ec8..00000000
--- a/dubbod/security/pkg/util/jwtutil.go
+++ /dev/null
@@ -1,30 +0,0 @@
-//
-// Licensed to the Apache Software Foundation (ASF) under one or more
-// contributor license agreements.  See the NOTICE file distributed with
-// this work for additional information regarding copyright ownership.
-// The ASF licenses this file to You under the Apache License, Version 2.0
-// (the "License"); you may not use this file except in compliance with
-// the License.  You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package util
-
-import (
-       "encoding/base64"
-       "strings"
-)
-
-func DecodeJwtPart(seg string) ([]byte, error) {
-       if l := len(seg) % 4; l > 0 {
-               seg += strings.Repeat("=", 4-l)
-       }
-
-       return base64.URLEncoding.DecodeString(seg)
-}
diff --git a/manifests/charts/dubbo-control/dubbo-discovery/files/gateway.yaml 
b/manifests/charts/dubbo-control/dubbo-discovery/files/gateway.yaml
index 819b9d9f..01a0a2c3 100644
--- a/manifests/charts/dubbo-control/dubbo-discovery/files/gateway.yaml
+++ b/manifests/charts/dubbo-control/dubbo-discovery/files/gateway.yaml
@@ -46,7 +46,7 @@ spec:
       serviceAccountName: {{ .ServiceAccount }}
       containers:
       - name: dubbo-proxy
-        image: mfordjody/proxyadapter:0.3.1-debug
+        image: mfordjody/proxyadapter:0.3.2-debug
         imagePullPolicy: Always
         ports:
         - containerPort: 15020
diff --git 
a/manifests/charts/dubbo-control/dubbo-discovery/templates/deployment.yaml 
b/manifests/charts/dubbo-control/dubbo-discovery/templates/deployment.yaml
index b34ed795..bc965ba7 100644
--- a/manifests/charts/dubbo-control/dubbo-discovery/templates/deployment.yaml
+++ b/manifests/charts/dubbo-control/dubbo-discovery/templates/deployment.yaml
@@ -19,7 +19,7 @@ spec:
       serviceAccountName: dubbod
       containers:
         - name: discovery
-          image: "mfordjody/planet:0.3.1-debug"
+          image: "mfordjody/planet:0.3.2-debug"
           imagePullPolicy: Always
           args:
             - "discovery"
diff --git a/pkg/config/mesh/mesh.go b/pkg/config/mesh/mesh.go
index 572de167..4f413618 100644
--- a/pkg/config/mesh/mesh.go
+++ b/pkg/config/mesh/mesh.go
@@ -145,6 +145,7 @@ func DefaultMeshGlobalConfig() 
*meshv1alpha1.MeshGlobalConfig {
 
 func DefaultProxyConfig() *meshv1alpha1.ProxyConfig {
        return &meshv1alpha1.ProxyConfig{
+               ConfigPath:             constants.ConfigPathDir,
                DiscoveryAddress:       "dubbod.dubbo-system.svc:15012",
                ControlPlaneAuthPolicy: 
meshv1alpha1.AuthenticationPolicy_MUTUAL_TLS,
                StatusPort:             15020,
diff --git a/pkg/dubbo-agent/agent.go b/pkg/dubbo-agent/agent.go
index 0e4e7d33..7938d37d 100644
--- a/pkg/dubbo-agent/agent.go
+++ b/pkg/dubbo-agent/agent.go
@@ -125,8 +125,6 @@ func NewAgent(proxyConfig *mesh.ProxyConfig, agentOpts 
*AgentOptions, sopts *sec
 }
 
 func (a *Agent) Run(ctx context.Context) (func(), error) {
-       // TODO initLocalDNSServer?
-
        if a.cfg.WorkloadIdentitySocketFile != 
filepath.Base(a.cfg.WorkloadIdentitySocketFile) {
                return nil, fmt.Errorf("workload identity socket file override 
must be a filename, not a path: %s", a.cfg.WorkloadIdentitySocketFile)
        }
diff --git a/pkg/kube/inject/inject.go b/pkg/kube/inject/inject.go
index 7ce1a5f0..4164b3e9 100644
--- a/pkg/kube/inject/inject.go
+++ b/pkg/kube/inject/inject.go
@@ -114,7 +114,7 @@ func RunTemplate(params InjectionParameters) (mergedPod 
*corev1.Pod, templatePod
                MeshGlobalConfig: meshGlobalConfig,
                Values:           params.valuesConfig.asMap,
                Revision:         params.revision,
-               ProxyImage:       getProxyImage(params.valuesConfig.asMap, 
"mfordjody/proxyadapter:0.3.1-debug"),
+               ProxyImage:       getProxyImage(params.valuesConfig.asMap, 
"mfordjody/proxyadapter:0.3.2-debug"),
                CompliancePolicy: common_features.CompliancePolicy,
        }
 
diff --git a/pkg/security/security.go b/pkg/security/security.go
index 6bcc177e..82c302d7 100644
--- a/pkg/security/security.go
+++ b/pkg/security/security.go
@@ -18,14 +18,12 @@ package security
 
 import (
        "context"
-       "fmt"
        "net/http"
        "os"
        "path/filepath"
        "strings"
        "time"
 
-       "google.golang.org/grpc/metadata"
        "google.golang.org/grpc/peer"
 
        dubbolog "github.com/apache/dubbo-kubernetes/pkg/log"
@@ -56,9 +54,7 @@ const (
 )
 
 const (
-       BearerTokenPrefix = "Bearer "
-       K8sTokenPrefix    = "Dubbo "
-       CertSigner        = "CertSigner"
+       CertSigner = "CertSigner"
 )
 
 type AuthContext struct {
@@ -94,11 +90,6 @@ type AuthSource int
 
 const (
        AuthSourceClientCertificate AuthSource = iota
-       AuthSourceIDToken
-)
-
-const (
-       authorizationMeta = "authorization"
 )
 
 type KubernetesInfo struct {
@@ -235,42 +226,6 @@ func CheckWorkloadCertificate(certChainFilePath, 
keyFilePath, rootCertFilePath s
        return true
 }
 
-func ExtractBearerToken(ctx context.Context) (string, error) {
-       md, ok := metadata.FromIncomingContext(ctx)
-       if !ok {
-               return "", fmt.Errorf("no metadata is attached")
-       }
-
-       authHeader, exists := md[authorizationMeta]
-       if !exists {
-               return "", fmt.Errorf("no HTTP authorization header exists")
-       }
-
-       for _, value := range authHeader {
-               if strings.HasPrefix(value, BearerTokenPrefix) {
-                       return strings.TrimPrefix(value, BearerTokenPrefix), nil
-               }
-       }
-
-       return "", fmt.Errorf("no bearer token exists in HTTP authorization 
header")
-}
-
-func ExtractRequestToken(req *http.Request) (string, error) {
-       value := req.Header.Get(authorizationMeta)
-       if value == "" {
-               return "", fmt.Errorf("no HTTP authorization header exists")
-       }
-
-       if strings.HasPrefix(value, BearerTokenPrefix) {
-               return strings.TrimPrefix(value, BearerTokenPrefix), nil
-       }
-       if strings.HasPrefix(value, K8sTokenPrefix) {
-               return strings.TrimPrefix(value, K8sTokenPrefix), nil
-       }
-
-       return "", fmt.Errorf("no bearer token exists in HTTP authorization 
header")
-}
-
 // GetConnectionAddress extracts the peer address from the gRPC context.
 // It returns "unknown" if the peer information is not available.
 func GetConnectionAddress(ctx context.Context) string {
