mirror of
https://github.com/clastix/kamaji.git
synced 2026-04-15 06:56:47 +00:00
a9c2c0de89
* refactor: migrate error packages from pkg/errors to stdlib Replace github.com/pkg/errors with Go standard library error handling in foundation error packages: - internal/datastore/errors: errors.Wrap -> fmt.Errorf with %w - internal/errors: errors.As -> stdlib errors.As - controllers/soot/controllers/errors: errors.New -> stdlib errors.New Part 1 of 4 in the pkg/errors migration. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: migrate datastore package from pkg/errors to stdlib Replace github.com/pkg/errors with Go standard library error handling in the datastore layer: - connection.go: errors.Wrap -> fmt.Errorf with %w - datastore.go: errors.Wrap -> fmt.Errorf with %w - etcd.go: goerrors alias removed, use stdlib errors.As - nats.go: errors.Wrap/Is/New -> stdlib equivalents - postgresql.go: goerrors.Wrap -> fmt.Errorf with %w Part 2 of 4 in the pkg/errors migration. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: migrate internal packages from pkg/errors to stdlib (partial) Replace github.com/pkg/errors with Go standard library error handling in internal packages: - internal/builders/controlplane: errors.Wrap -> fmt.Errorf - internal/crypto: errors.Wrap -> fmt.Errorf - internal/kubeadm: errors.Wrap/Wrapf -> fmt.Errorf - internal/upgrade: errors.Wrap -> fmt.Errorf - internal/webhook: errors.Wrap -> fmt.Errorf Part 3 of 4 in the pkg/errors migration. Remaining files: internal/resources/*.go (8 files, 42 occurrences) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(resources): migrate from pkg/errors to stdlib Replace github.com/pkg/errors with Go standard library: - errors.Wrap(err, msg) → fmt.Errorf("msg: %w", err) - errors.New(msg) → errors.New(msg) Files migrated: - internal/resources/kubeadm_phases.go - internal/resources/kubeadm_upgrade.go - internal/resources/kubeadm_utils.go - internal/resources/datastore/datastore_multitenancy.go - internal/resources/datastore/datastore_setup.go - internal/resources/datastore/datastore_storage_config.go - internal/resources/addons/coredns.go - internal/resources/addons/kube_proxy.go Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(controllers): migrate from pkg/errors to stdlib Replace github.com/pkg/errors with Go standard library: - errors.Wrap(err, msg) → fmt.Errorf("msg: %w", err) - errors.New(msg) → errors.New(msg) (stdlib) - errors.Is/As → errors.Is/As (stdlib) Files migrated: - controllers/datastore_controller.go - controllers/kubeconfiggenerator_controller.go - controllers/tenantcontrolplane_controller.go - controllers/telemetry_controller.go - controllers/certificate_lifecycle_controller.go Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(soot): migrate from pkg/errors to stdlib Replace github.com/pkg/errors with Go standard library: - errors.Is() now uses stdlib errors.Is() Files migrated: - controllers/soot/controllers/kubeproxy.go - controllers/soot/controllers/migrate.go - controllers/soot/controllers/coredns.go - controllers/soot/controllers/konnectivity.go - controllers/soot/controllers/kubeadm_phase.go Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(api,cmd): migrate from pkg/errors to stdlib Replace github.com/pkg/errors with Go standard library: - errors.Wrap(err, msg) → fmt.Errorf("msg: %w", err) Files migrated: - api/v1alpha1/tenantcontrolplane_funcs.go - cmd/utils/k8s_version.go Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * chore: run go mod tidy after pkg/errors migration The github.com/pkg/errors package moved from direct to indirect dependency. It remains as an indirect dependency because other packages in the dependency tree still use it. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(datastore): use errors.Is for sentinel error comparison The stdlib errors.As expects a pointer to a concrete error type, not a pointer to an error value. For comparing against sentinel errors like rpctypes.ErrGRPCUserNotFound, errors.Is should be used instead. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: resolve golangci-lint errors - Fix GCI import formatting (remove extra blank lines between groups) - Use errors.Is instead of errors.As for mutex sentinel errors Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(errors): use proper variable declarations for errors.As The errors.As function requires a pointer to an assignable variable, not a pointer to a composite literal. The previous pattern `errors.As(err, &SomeError{})` creates a pointer to a temporary value which errors.As cannot reliably use for assignment. This fix declares proper variables for each error type and passes their addresses to errors.As, ensuring correct error chain matching. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(datastore/etcd): use rpctypes.Error() for gRPC error comparison The etcd gRPC status errors (ErrGRPCUserNotFound, ErrGRPCRoleNotFound) cannot be compared directly using errors.Is() because they are wrapped in gRPC status errors during transmission. The etcd rpctypes package provides: - ErrGRPC* constants: server-side gRPC status errors - Err* constants (without GRPC prefix): client-side comparable errors - Error() function: converts gRPC errors to comparable EtcdError values The correct pattern is to use rpctypes.Error(err) to normalize the received error, then compare against client-side error constants like rpctypes.ErrUserNotFound. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
205 lines
5.6 KiB
Go
205 lines
5.6 KiB
Go
// Copyright 2022 Clastix Labs
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package datastore
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"go.etcd.io/etcd/api/v3/authpb"
|
|
"go.etcd.io/etcd/api/v3/v3rpc/rpctypes"
|
|
etcdclient "go.etcd.io/etcd/client/v3"
|
|
|
|
kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1"
|
|
dserrors "github.com/clastix/kamaji/internal/datastore/errors"
|
|
)
|
|
|
|
func NewETCDConnection(config ConnectionConfig) (Connection, error) {
|
|
endpoints := make([]string, 0, len(config.Endpoints))
|
|
|
|
for _, ep := range config.Endpoints {
|
|
endpoints = append(endpoints, ep.String())
|
|
}
|
|
|
|
cfg := etcdclient.Config{
|
|
Endpoints: endpoints,
|
|
TLS: config.TLSConfig,
|
|
}
|
|
|
|
client, err := etcdclient.New(cfg)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &EtcdClient{
|
|
Client: *client,
|
|
}, nil
|
|
}
|
|
|
|
type EtcdClient struct {
|
|
Client etcdclient.Client
|
|
}
|
|
|
|
func (e *EtcdClient) CreateUser(ctx context.Context, user, password string) error {
|
|
if _, err := e.Client.Auth.UserAddWithOptions(ctx, user, password, &etcdclient.UserAddOptions{NoPassword: true}); err != nil {
|
|
return dserrors.NewCreateUserError(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (e *EtcdClient) CreateDB(context.Context, string) error {
|
|
return nil
|
|
}
|
|
|
|
func (e *EtcdClient) GrantPrivileges(ctx context.Context, user, dbName string) error {
|
|
if _, err := e.Client.Auth.RoleAdd(ctx, dbName); err != nil {
|
|
return dserrors.NewGrantPrivilegesError(err)
|
|
}
|
|
|
|
permission := etcdclient.PermissionType(authpb.READWRITE)
|
|
key := e.buildKey(dbName)
|
|
|
|
if _, err := e.Client.RoleGrantPermission(ctx, dbName, key, etcdclient.GetPrefixRangeEnd(key), permission); err != nil {
|
|
return dserrors.NewGrantPrivilegesError(err)
|
|
}
|
|
|
|
if _, err := e.Client.UserGrantRole(ctx, user, dbName); err != nil {
|
|
return dserrors.NewGrantPrivilegesError(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (e *EtcdClient) UserExists(ctx context.Context, user string) (bool, error) {
|
|
if _, err := e.Client.UserGet(ctx, user); err != nil {
|
|
// Convert gRPC error to comparable EtcdError using rpctypes.Error(),
|
|
// then compare against the client-side error constant.
|
|
// The == comparison is correct here as rpctypes.Error() normalizes
|
|
// gRPC status errors to comparable EtcdError struct values.
|
|
if rpctypes.Error(err) == rpctypes.ErrUserNotFound { //nolint:errorlint
|
|
return false, nil
|
|
}
|
|
|
|
return false, dserrors.NewCheckUserExistsError(err)
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
func (e *EtcdClient) DBExists(context.Context, string) (bool, error) {
|
|
return true, nil
|
|
}
|
|
|
|
func (e *EtcdClient) GrantPrivilegesExists(ctx context.Context, username, dbName string) (bool, error) {
|
|
_, err := e.Client.RoleGet(ctx, dbName)
|
|
if err != nil {
|
|
// Convert gRPC error to comparable EtcdError using rpctypes.Error(),
|
|
// then compare against the client-side error constant.
|
|
// The == comparison is correct here as rpctypes.Error() normalizes
|
|
// gRPC status errors to comparable EtcdError struct values.
|
|
if rpctypes.Error(err) == rpctypes.ErrRoleNotFound { //nolint:errorlint
|
|
return false, nil
|
|
}
|
|
|
|
return false, dserrors.NewCheckGrantExistsError(err)
|
|
}
|
|
|
|
user, err := e.Client.UserGet(ctx, username)
|
|
if err != nil {
|
|
return false, dserrors.NewCheckGrantExistsError(err)
|
|
}
|
|
|
|
for _, i := range user.Roles {
|
|
if i == dbName {
|
|
return true, nil
|
|
}
|
|
}
|
|
|
|
return false, nil
|
|
}
|
|
|
|
func (e *EtcdClient) DeleteUser(ctx context.Context, user string) error {
|
|
if _, err := e.Client.Auth.UserDelete(ctx, user); err != nil {
|
|
return dserrors.NewDeleteUserError(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (e *EtcdClient) DeleteDB(ctx context.Context, dbName string) error {
|
|
prefix := e.buildKey(dbName)
|
|
if _, err := e.Client.Delete(ctx, prefix, etcdclient.WithPrefix()); err != nil {
|
|
return dserrors.NewCannotDeleteDatabaseError(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (e *EtcdClient) RevokePrivileges(ctx context.Context, _, dbName string) error {
|
|
if _, err := e.Client.Auth.RoleDelete(ctx, dbName); err != nil {
|
|
return dserrors.NewRevokePrivilegesError(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (e *EtcdClient) GetConnectionString() string {
|
|
// There's no need for connection string in etcd client:
|
|
// it's not used by Kine
|
|
return ""
|
|
}
|
|
|
|
func (e *EtcdClient) Close() error {
|
|
if err := e.Client.Close(); err != nil {
|
|
return dserrors.NewCloseConnectionError(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (e *EtcdClient) Check(ctx context.Context) error {
|
|
if _, err := e.Client.AuthStatus(ctx); err != nil {
|
|
return dserrors.NewCheckConnectionError(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (e *EtcdClient) Driver() string {
|
|
return string(kamajiv1alpha1.EtcdDriver)
|
|
}
|
|
|
|
// buildKey adds slashes to the beginning and end of the key. This ensures that the range
|
|
// end for etcd RBAC is calculated using the entire key prefix, not only the key name. If
|
|
// the range end was calculated e.g. for `/cp-a`, the result would be `/cp-b`, which also
|
|
// includes `/cp-aa` (etcd uses lexicographic ordering on key ranges for RBAC). Using
|
|
// `/cp-a/` as the input for the range end calculation results in `/cp-a0`, which doesn't
|
|
// allow for any other potential control plane key prefixes to be located within the range.
|
|
// For more information, see also https://etcd.io/docs/v3.3/learning/api/#key-ranges
|
|
func (e *EtcdClient) buildKey(key string) string {
|
|
return fmt.Sprintf("/%s/", key)
|
|
}
|
|
|
|
func (e *EtcdClient) Migrate(ctx context.Context, tcp kamajiv1alpha1.TenantControlPlane, target Connection) error {
|
|
targetClient := target.(*EtcdClient) //nolint:forcetypeassert
|
|
|
|
if err := target.Check(ctx); err != nil {
|
|
return err
|
|
}
|
|
|
|
response, err := e.Client.Get(ctx, e.buildKey(tcp.Status.Storage.Setup.Schema), etcdclient.WithPrefix())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
for _, kv := range response.Kvs {
|
|
if _, err = targetClient.Client.Put(ctx, string(kv.Key), string(kv.Value)); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|