update crd

Signed-off-by: stoneshi-yunify <[email protected]>
kubesphere · Sep 4, 2024 · 5a35bf3 · 5a35bf3
1 parent 081b266
commit 5a35bf3
Show file tree

Hide file tree

Showing 13 changed files with 463 additions and 454 deletions.
diff --git a/.mirrord/mirrord.json b/.mirrord/mirrord.json
@@ -0,0 +1,16 @@
+{
+    "target": {
+        "path": {
+            "deployment": "volume-initializer"
+        },
+        "namespace": "default"
+    },
+    "feature": {
+        "network": {
+            "incoming": "steal",
+            "outgoing": true
+        },
+        "fs": "read",
+        "env": true
+    }
+}
diff --git a/config/crd/bases/storage.kubesphere.io_initializers.yaml b/config/crd/bases/storage.kubesphere.io_initializers.yaml
diff --git a/config/samples/storage.kubesphere.io_v1alpha1_initializer.yaml b/config/samples/storage.kubesphere.io_v1alpha1_initializer.yaml
@@ -26,11 +26,26 @@ spec:
     imagePullPolicy: IfNotPresent
   pvcMatchers:
   - name: local
-    pvcTemplate:
-      apiVersion: v1
-      kind: PersistentVolumeClaim
-      spec:
-        storageClassName: local-path
+    storageClass:
+      fieldSelector:
+        - key: name
+          operator: In
+          values:
+            - local-path
+            - local-path2
+    namespace:
+      labelSelector:
+        - key: "kubernetes.io/metadata.name"
+          operator: In
+          values:
+            - default
+            - test
+    workspace:
+      fieldSelector:
+        - key: name
+          operator: NotIn
+          values:
+            - ws1
   pvcInitializers:
   - pvcMatcherName: local
     initContainerName: busybox

diff --git a/deploy/prepare.sh b/deploy/prepare.sh
@@ -86,7 +86,7 @@ kubectl -n ${namespace} create secret tls volume-initializer \
     --key "${keydir}/webhook-server-tls.key"
 
 ca_pem_b64="$(openssl base64 -A <"${keydir}/ca.crt")"
-cat "${basedir}/webhook-deployment-template" | sed -e 's@${CA_BUNDLE}@'"$ca_pem_b64"'@g' | sed -e 's@${NAMESPACE}@'"$namespace"'@g' | sed -e 's@${SERVICE}@'"$service"'@g' > "${basedir}/webhook-deployment.yaml"
+cat "${basedir}/webhook-deployment-template.yaml" | sed -e 's@${CA_BUNDLE}@'"$ca_pem_b64"'@g' | sed -e 's@${NAMESPACE}@'"$namespace"'@g' | sed -e 's@${SERVICE}@'"$service"'@g' > "${basedir}/webhook-deployment.yaml"
 
 echo "${basedir}/webhook-deployment.yaml generated"
 

diff --git a/deploy/webhook-deployment-template → deploy/webhook-deployment-template.yaml b/deploy/webhook-deployment-template → deploy/webhook-deployment-template.yaml
@@ -40,15 +40,18 @@ rules:
   - apiGroups: [""]
     resources: ["namespaces"]
     verbs: ["get", "list", "watch"]
-
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
     verbs: ["get", "list", "watch"]
-
+  - apiGroups: [""]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["tenant.kubesphere.io"]
+    resources: ["workspaces"]
+    verbs: ["get", "list", "watch"]
   - apiGroups: ["storage.kubesphere.io"]
     resources: ["initializers"]
     verbs: ["get", "list", "watch"]
-
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get", "list", "watch", "patch", "update"]
@@ -101,7 +104,6 @@ spec:
           secret:
             secretName: volume-initializer
       serviceAccountName: volume-initializer
-      serviceAccount: volume-initializer
 ---
 apiVersion: v1
 kind: Service

diff --git a/deploy/webhook-deployment.yaml b/deploy/webhook-deployment.yaml
@@ -16,7 +16,7 @@ webhooks:
       namespace: default
       name: volume-initializer
       path: "/pods"
-    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURNekNDQWh1Z0F3SUJBZ0lVUUlBMW96UlhzbHF6VzhFSDQ5bE5qQ2Yrb2xBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0tURW5NQ1VHQTFVRUF3d2VkbTlzZFcxbExXbHVhWFJwWVd4cGVtVnlMbVJsWm1GMWJIUXVjM1pqTUI0WApEVEkwTURneU56QTNNRFl3TTFvWERUSTBNRGt5TmpBM01EWXdNMW93S1RFbk1DVUdBMVVFQXd3ZWRtOXNkVzFsCkxXbHVhWFJwWVd4cGVtVnlMbVJsWm1GMWJIUXVjM1pqTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEEKTUlJQkNnS0NBUUVBb1J1T2F1MnhUcWR6ZnEvRzhZOE1Ga0VtcDNCbjdTdHRDaVVuT1BMZXdOV1U2Rzk0WVJicQpvd0FyV01SWGg0emVZcEVpNk5tWjV1amVDMHBUVHRRdUxrcnFLZlQ2UU5OdXFJSVQwUXV3c2UwR2JtS2ZpRGNSCmpVMlEyMDlMcUpYWjF1VUVkdTZGZDlEbk9hSGZwSDlBOWNTU3lmT0NSdU96TnNJQ2srWEd3K3B0Slo3WjY2ZkwKVnFJVzIvQUR2WFdjY2QwdWFscE02b1ZNMGd5dXdQeGVHSmZkb1FQMTcwYlBhS2tBWGVaNG1RVkxhdHlmZ3JZaQo2M09XR0wyMjF3M3pHNW9FZWZNTHdKQWNDdnNuWWRSTWN5clEvb2JkYnpQRmppY0NXZGFJYUMzZjBHV3FGS1UrCjgwZ3Z2bU8rbEV3N0tsOE85WTU4M2VPMC9Xa1o0UGZmZFFJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVXdWbEUKaEo1bVJXRzNZTTJ0RW51d2E2MDhuT2N3SHdZRFZSMGpCQmd3Rm9BVXdWbEVoSjVtUldHM1lNMnRFbnV3YTYwOApuT2N3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBZlFicis4cVRlazhNCi82MzBGNmt6bSs2RVhYajhWU05wU2p6SlNvZ296cnhDTDhoY0lDU2IwLzBmdmJaMCtmNjhrd1lVMlhMekczUTEKRnhPWGF1OFU4YkFkMTcvUXhmYkRNcEdCNC9EckJBUy90TFFiN0ZRQ1JwUElTSDJWa3VkZ2pMd1poSDJrdEpqSgpZQjNZK0ZKbi9uUE50K2prTTQ2dEpxRjBFOGd0YmpkaG5QYXBwUUN3QTEwZ3NUS3dxYkFUOWhZWUV3bTZQanpMCnJ1dFNKRUFRQTNtMVZhODM5cGptZFBGMEVxS3c0ZUVRNkRtOWZDT0dPdDloalRBVUNJR1VzdDdKOWdsSWZjSmMKTDduMmd4NzE0SXVBRTJMUE5VeHlWTTJ2Zm8vRis5SUFyWkxLOFlZQzRGeXlwU2YxSjFkWHZ0WXVqYURTQjljTwpIRHRFT0lXSU93PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURNekNDQWh1Z0F3SUJBZ0lVUE1rLy80Ymg5V3lRMVVma1VpaUtjQmhNMlFFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0tURW5NQ1VHQTFVRUF3d2VkbTlzZFcxbExXbHVhWFJwWVd4cGVtVnlMbVJsWm1GMWJIUXVjM1pqTUI0WApEVEkwTURrd05EQTNORGd5TWxvWERUSTBNVEF3TkRBM05EZ3lNbG93S1RFbk1DVUdBMVVFQXd3ZWRtOXNkVzFsCkxXbHVhWFJwWVd4cGVtVnlMbVJsWm1GMWJIUXVjM1pqTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEEKTUlJQkNnS0NBUUVBdVRYRXNnTmlLZUZKc1lHeHczVUNkMTd2aXdIeTZoMkZlTjhSTTY1dERYcjUvekx1ck5qSQp6a0NRRWFCQ0pZTE1oVkcrSXRyTldEeGNjRHhsSGNWSS9WcnYxWGxkSGRTUE1uSkhRWGlRSWQzcEFrZEt6NngxCitPSklhV1lKbElQdjJvZ0lseUVjTndwWVAyTlNCUXQyT0ZDZXVYUytER0NyV0IrekxqNHlSS1JOOEVtZDlJMFQKSTd2MzliMkoyWVNIVjl4L0xjRjFWclhwdmwyQ0FSenNrSlhaWnRudmo2KzNaMVVSd3UveXR3VWV0MzNYc0RYbApwbnE0QzVvMXlvWGVjU3hCT0h6dFlRNzFTbEp5KzlhZU9PZFNJZkN3eHRQSC9yQUQrSmNLb05jNFUxZngrV2Q1CndmQkxTcjQ3eWlUNnRRb0pKejNrRFhFRHVKV2MyUUM5cXdJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVUR0eEYKSTNRS3g4YnZ5cWNrWnp6dHkwR1FxRFF3SHdZRFZSMGpCQmd3Rm9BVUR0eEZJM1FLeDhidnlxY2taenp0eTBHUQpxRFF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBQmRqU0JtbnJVdzNXCksxNDVIbmZDWGJMZUhVY1R2dnRhTERIQUR0UDhrVlBvV1VHZlloU1hqanNsbWk4MzByVVVzYnBMSEpXOTdXa1QKc0NwTkIrMkVQV1ZmTDFTRXJWZjYvYkZKd0dzM0pLNDN6bU52ZHMvdVdMa1VKK2FRRC9mN0tFU0c3ZGViZy9ROApaSGV4SlE5YUdOUm5WQVdxRzJNUXgvTXhpZjl4RlJ6NW5hcXlSMUFYOERSamVkVnA0TWRobU1uYkNPN3l1MDVjCk1JMlFOZnQ5M1NLV1ExTWp2YkZWTkR6WG9POGFYa08yWTR0V1pXZTZXM0l5KytKdm4rQkVLcm9iaFRZeGN2ZFEKaXFFSGRPR3N3OTdwb3RURWF3SFJnZGpjTTlsOXhqZHVYN25YRU1iZEgwQ2lKV2NVSVp1ZFB3RCtXTkYySk53SAo0ZjQvU3M4dUpBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
   admissionReviewVersions: ["v1"]
   sideEffects: None
   failurePolicy: Ignore
@@ -37,18 +37,21 @@ metadata:
   labels:
     role: controller
 rules:
-  - apiGroups: [ "" ]
-    resources: [ "namespaces" ]
-    verbs: [ "get", "list", "watch"]
-
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list", "watch"]
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
     verbs: ["get", "list", "watch"]
-
-  - apiGroups: ["storage"]
+  - apiGroups: [""]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["tenant.kubesphere.io"]
+    resources: ["workspaces"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.kubesphere.io"]
     resources: ["initializers"]
-    verbs: [ "get", "list", "watch"]
-
+    verbs: ["get", "list", "watch"]
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get", "list", "watch", "patch", "update"]
@@ -101,7 +104,6 @@ spec:
           secret:
             secretName: volume-initializer
       serviceAccountName: volume-initializer
-      serviceAccount: volume-initializer
 ---
 apiVersion: v1
 kind: Service

diff --git a/go.mod b/go.mod
@@ -4,6 +4,8 @@ module github.com/kubesphere/volume-initializer
 
 go 1.22.0
 
+toolchain go1.22.4
+
 require (
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/onsi/ginkgo/v2 v2.19.0
@@ -14,6 +16,7 @@ require (
 	k8s.io/client-go v0.31.0
 	k8s.io/code-generator v0.0.0-20240727175048-b53d16e2b339
 	k8s.io/klog/v2 v2.130.1
+	kubesphere.io/api v0.0.0-20240509130216-8c539e710f2d
 	sigs.k8s.io/controller-runtime v0.19.0
 )
 
@@ -34,7 +37,7 @@ require (
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -66,3 +69,8 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+replace (
+	github.com/projectcalico/api => github.com/kubesphere/calico/api v0.0.0-20230227071013-a73515ddc939 // v3.25.0
+	github.com/projectcalico/calico => github.com/kubesphere/calico v0.0.0-20230227071013-a73515ddc939 // v3.25.0
+)
diff --git a/go.sum b/go.sum
@@ -41,8 +41,8 @@ github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2
 github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
-github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
+github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -158,6 +158,7 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo=
@@ -178,6 +179,8 @@ k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7F
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+kubesphere.io/api v0.0.0-20240509130216-8c539e710f2d h1:wzWP3eAYBiRneauhsbu9oXNv44MlRqt82eQbWE6uItg=
+kubesphere.io/api v0.0.0-20240509130216-8c539e710f2d/go.mod h1:hsK8eBovruoPSiURDJIcQBcJ5Zsf+XO+0V2+1VzdAkc=
 sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
 sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=

diff --git a/pkg/apis/storage/v1alpha1/selector.go b/pkg/apis/storage/v1alpha1/selector.go
@@ -0,0 +1,71 @@
+package v1alpha1
+
+import (
+	"slices"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/klog/v2"
+)
+
+const (
+	FieldName      = "name"
+	FieldNamespace = "namespace"
+)
+
+// GenericSelector supports field selector and label selector, they're ANDed requirements.
+type GenericSelector struct {
+	// FieldSelector is the field selector, which only supports "name" and "namespace" as key, and "In" and "NotIn" as operator.
+	FieldSelector []metav1.FieldSelectorRequirement `json:"fieldSelector,omitempty"`
+
+	// LabelSelector is the label selector
+	LabelSelector []metav1.LabelSelectorRequirement `json:"labelSelector,omitempty"`
+}
+
+func (s *GenericSelector) Match(obj metav1.Object) bool {
+	for _, req := range s.FieldSelector {
+		if req.Key != FieldName && req.Key != FieldNamespace {
+			continue
+		}
+		if req.Operator != metav1.FieldSelectorOpIn && req.Operator != metav1.FieldSelectorOpNotIn {
+			continue
+		}
+
+		var val string
+		if req.Key == FieldName {
+			val = obj.GetName()
+		}
+		if req.Key == FieldNamespace {
+			val = obj.GetNamespace()
+		}
+
+		var match bool
+		if req.Operator == metav1.FieldSelectorOpIn {
+			match = slices.Contains(req.Values, val)
+		}
+		if req.Operator == metav1.FieldSelectorOpNotIn {
+			match = !slices.Contains(req.Values, val)
+		}
+
+		if !match {
+			return false
+		}
+	}
+
+	if len(s.LabelSelector) > 0 {
+		labelSelector := metav1.LabelSelector{
+			MatchExpressions: s.LabelSelector,
+		}
+		selector, err := metav1.LabelSelectorAsSelector(&labelSelector)
+		if err != nil {
+			klog.ErrorS(err, "LabelSelectorAsSelector", "labelSelector", labelSelector)
+			return false
+		}
+		match := selector.Matches(labels.Set(obj.GetLabels()))
+		if !match {
+			return false
+		}
+	}
+
+	return true
+}
diff --git a/pkg/apis/storage/v1alpha1/types.go b/pkg/apis/storage/v1alpha1/types.go
@@ -43,14 +43,29 @@ type InitializerSpec struct {
 }
 
 type PVCInitializer struct {
-	PVCMatcherName    string `json:"pvcMatcherName,omitempty"`
+	// PVCMatcherName represents the name of PVCMatcher
+	PVCMatcherName string `json:"pvcMatcherName,omitempty"`
+
+	// InitContainerName represents the name of the init container
 	InitContainerName string `json:"initContainerName,omitempty"`
-	MountPathRoot     string `json:"mountPathRoot,omitempty"`
+
+	// MountPathRoot represents the root path of the mount point in the init container, default is "/".
+	MountPathRoot string `json:"mountPathRoot,omitempty"`
 }
 
+// PVCMatcher is used to filter PVCs. If no selector is specified, it will match any PVC.
 type PVCMatcher struct {
-	Name        string                       `json:"name,omitempty"`
-	PVCTemplate corev1.PersistentVolumeClaim `json:"pvcTemplate,omitempty"`
+	// Name is the matcher name
+	Name string `json:"name,omitempty"`
+
+	// StorageClass matches the PVC's storage class
+	StorageClass *GenericSelector `json:"storageClass,omitempty"`
+
+	// Namespace matches the PVC's namespace
+	Namespace *GenericSelector `json:"namespace,omitempty"`
+
+	// Workspace matches the PVC's workspace
+	Workspace *GenericSelector `json:"workspace,omitempty"`
 }
 
 type InitializerStatus struct {