feature-261: Role Service

.github/workflows/actions.yaml

@@ -48,7 +48,7 @@ jobs:
         uses: dell/common-github-actions/go-code-tester@main
         with:
           threshold: 90
-          skip-list: "karavi-authorization/deploy,karavi-authorization/internal/web,karavi-authorization/internal/tenantsvc,karavi-authorization/cmd/karavictl/cmd,karavi-authorization/cmd/proxy-server,karavi-authorization/cmd/tenant-service,karavi-authorization/internal/proxy,karavi-authorization/internal/tenantsvc,karavi-authorization/internal/token/jwx"
+          skip-list: "karavi-authorization/deploy,karavi-authorization/internal/web,karavi-authorization/internal/tenantsvc,karavi-authorization/cmd/karavictl/cmd,karavi-authorization/cmd/proxy-server,karavi-authorization/cmd/tenant-service,karavi-authorization/internal/proxy,karavi-authorization/internal/tenantsvc,karavi-authorization/internal/token/jwx,karavi-authorization/internal/k8s,karavi-authorization/internal/role-service,karavi-authorization/internal/role-service/validate"
         env:
           # The hostname used to communicate with the Redis service container
           REDIS_HOST: redis
@@ -96,10 +96,20 @@ jobs:
       - name: Scan Proxy Server
         uses: Azure/container-scan@v0
         with:
-          image-name:  proxy-server:1.2.0
+          image-name: proxy-server:1.3.0
+          severity-threshold: HIGH
+      - name: Scan Role Service
+        uses: Azure/container-scan@v0
+        with:
+          image-name: role-service:1.3.0
+          severity-threshold: HIGH
+      - name: Scan Tenant Service
+        uses: Azure/container-scan@v0
+        with:
+          image-name: tenant-service:1.3.0
           severity-threshold: HIGH
       - name: Scan SideCar Proxy
         uses: Azure/container-scan@v0
         with:
-          image-name: sidecar-proxy:1.2.0
+          image-name: sidecar-proxy:1.3.0
           severity-threshold: HIGH          

Makefile

@@ -1,5 +1,5 @@
-DOCKER_TAG ?= 1.2.0
-SIDECAR_TAG ?= 1.2.0
+DOCKER_TAG ?= 1.3.0
+SIDECAR_TAG ?= 1.3.0
 
 .PHONY: build
 build:
@@ -9,6 +9,7 @@ build:
 	CGO_ENABLED=0 go build -o ./bin ./cmd/karavictl/
 	CGO_ENABLED=0 go build -o ./bin ./cmd/sidecar-proxy/
 	CGO_ENABLED=0 go build -o ./bin ./cmd/tenant-service/
+	CGO_ENABLED=0 go build -o ./bin ./cmd/role-service/
 
 .PHONY: build-installer
 build-installer: 
@@ -39,6 +40,7 @@ docker: build
 	docker build -t proxy-server:$(DOCKER_TAG) --build-arg APP=proxy-server ./bin/.
 	docker build -t sidecar-proxy:$(SIDECAR_TAG) --build-arg APP=sidecar-proxy ./bin/.
 	docker build -t tenant-service:$(DOCKER_TAG) --build-arg APP=tenant-service ./bin/.
+	docker build -t role-service:$(DOCKER_TAG) --build-arg APP=role-service ./bin/.
 
 .PHONY: protoc
 protoc:

cmd/karavictl/cmd/role.go

@@ -16,19 +16,28 @@ package cmd
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"karavi-authorization/internal/roles"
+	"io"
+	"karavi-authorization/internal/role-service/roles"
+	"karavi-authorization/pb"
+	"log"
+	"net"
 	"net/url"
 	"os"
 	"strings"
+	"time"
 
 	pscale "github.com/dell/goisilon"
 	pmax "github.com/dell/gopowermax"
 	"github.com/dell/goscaleio"
 	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"sigs.k8s.io/yaml"
 )
 
@@ -58,6 +67,9 @@ func NewRoleCmd() *cobra.Command {
 		},
 	}
 
+	roleCmd.PersistentFlags().String("addr", "", "address of the csm-authorzation role service")
+	roleCmd.PersistentFlags().Bool("insecure", false, "address of the csm-authorzation role service")
+
 	roleCmd.AddCommand(NewRoleCreateCmd())
 	roleCmd.AddCommand(NewRoleDeleteCmd())
 	roleCmd.AddCommand(NewRoleGetCmd())
@@ -341,3 +353,42 @@ func validSystemType(sysType string) bool {
 	}
 	return false
 }
+
+func createRoleServiceClient(addr string, insecure bool) (pb.RoleServiceClient, io.Closer, error) {
+	var conn *grpc.ClientConn
+	var err error
+
+	if insecure {
+		conn, err = grpc.Dial(addr,
+			grpc.WithTimeout(10*time.Second),
+			grpc.WithContextDialer(func(_ context.Context, addr string) (net.Conn, error) {
+				return tls.Dial("tcp", addr, &tls.Config{
+					NextProtos:         []string{"h2"},
+					InsecureSkipVerify: true,
+				})
+			}),
+			grpc.WithInsecure())
+
+		if err != nil {
+			log.Fatal(err)
+		}
+
+	} else {
+		certs, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, nil, err
+		}
+		creds := credentials.NewClientTLSFromCert(certs, "")
+
+		conn, err = grpc.Dial(addr,
+			grpc.WithTransportCredentials(creds),
+			grpc.WithTimeout(10*time.Second))
+
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+
+	roleClient := pb.NewRoleServiceClient(conn)
+	return roleClient, conn, nil
+}

cmd/karavictl/cmd/role_create.go

@@ -20,7 +20,9 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"karavi-authorization/internal/roles"
+	"karavi-authorization/internal/role-service/roles"
+	"karavi-authorization/pb"
+	"strconv"
 	"strings"
 
 	"github.com/spf13/cobra"
@@ -41,6 +43,8 @@ func NewRoleCreateCmd() *cobra.Command {
 
 			outFormat := "failed to create role: %+v\n"
 
+			// parse flags
+
 			roleFlags, err := cmd.Flags().GetStringSlice("role")
 			if err != nil {
 				reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
@@ -50,56 +54,77 @@ func NewRoleCreateCmd() *cobra.Command {
 				reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, errors.New("no input")))
 			}
 
+			addr, err := cmd.Flags().GetString("addr")
+			if err != nil {
+				reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
+			}
+
+			insecure, err := cmd.Flags().GetBool("insecure")
+			if err != nil {
+				reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), err)
+			}
+
+			// process role flag
+
+			var newRole *roles.Instance
 			var rff roles.JSON
 			for _, v := range roleFlags {
 				t := strings.Split(v, "=")
 				if len(t) < roleFlagSize {
 					reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, errors.New("role does not have enough arguments")))
 				}
-				newRole, err := roles.NewInstance(t[0], t[1:]...)
+				newRole, err = roles.NewInstance(t[0], t[1:]...)
 				if err != nil {
 					reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
 				}
+
 				err = rff.Add(newRole)
 				if err != nil {
 					reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
 				}
 			}
 
-			existingRoles, err := GetRoles()
-			if err != nil {
-				reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
-			}
-
-			adding := rff.Instances()
-			var dups []string
-			for _, role := range adding {
-				if existingRoles.Get(role.RoleKey) != nil {
-					var dup bool
-					if dup {
-						dups = append(dups, role.Name)
-					}
+			if addr != "" {
+				// if addr flag is specified, make a grpc request
+				if err = doRoleCreateRequest(addr, insecure, newRole); err != nil {
+					reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
 				}
-			}
-			if len(dups) > 0 {
-				reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf("duplicates %+v", dups))
-			}
-
-			for _, role := range adding {
-				err := validateRole(ctx, role)
+			} else {
+				// modify the k3s configuration
+				existingRoles, err := GetRoles()
 				if err != nil {
-					err = fmt.Errorf("%s failed validation: %+v", role.Name, err)
 					reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
 				}
 
-				err = existingRoles.Add(role)
-				if err != nil {
-					reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
+				adding := rff.Instances()
+				var dups []string
+				for _, role := range adding {
+					if existingRoles.Get(role.RoleKey) != nil {
+						var dup bool
+						if dup {
+							dups = append(dups, role.Name)
+						}
+					}
+				}
+				if len(dups) > 0 {
+					reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf("duplicates %+v", dups))
 				}
-			}
 
-			if err = modifyCommonConfigMap(existingRoles); err != nil {
-				reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
+				for _, role := range adding {
+					err := validateRole(ctx, role)
+					if err != nil {
+						err = fmt.Errorf("%s failed validation: %+v", role.Name, err)
+						reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
+					}
+
+					err = existingRoles.Add(role)
+					if err != nil {
+						reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
+					}
+				}
+				if err = modifyK3sCommonConfigMap(existingRoles); err != nil {
+					reportErrorAndExit(JSONOutput, cmd.ErrOrStderr(), fmt.Errorf(outFormat, err))
+				}
 			}
 		},
 	}
@@ -108,7 +133,7 @@ func NewRoleCreateCmd() *cobra.Command {
 	return roleCreateCmd
 }
 
-func modifyCommonConfigMap(roles *roles.JSON) error {
+func modifyK3sCommonConfigMap(roles *roles.JSON) error {
 	var err error
 
 	data, err := json.MarshalIndent(&roles, "", "  ")
@@ -159,3 +184,26 @@ roles = ` + string(data))
 	}
 	return nil
 }
+
+func doRoleCreateRequest(addr string, insecure bool, role *roles.Instance) error {
+	client, conn, err := CreateRoleServiceClient(addr, insecure)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	req := &pb.RoleCreateRequest{
+		Name:        role.Name,
+		StorageType: role.SystemType,
+		SystemId:    role.SystemID,
+		Pool:        role.Pool,
+		Quota:       strconv.Itoa(role.Quota),
+	}
+
+	_, err = client.Create(context.Background(), req)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}