Update auditor library

Signed-off-by: Tamal Saha <[email protected]>
kubedb · May 15, 2024 · f0d522c · f0d522c
1 parent 7fb9b8c
commit f0d522c
Show file tree

Hide file tree

Showing 43 changed files with 4,029 additions and 120 deletions.
diff --git a/go.mod b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.71.2
 	github.com/prometheus-operator/prometheus-operator/pkg/client v0.70.0
-	go.bytebuilders.dev/audit v0.0.33
+	go.bytebuilders.dev/audit v0.0.35
 	gomodules.xyz/encoding v0.0.7
 	gomodules.xyz/pointer v0.1.0
 	gomodules.xyz/runtime v0.3.0
@@ -37,12 +37,12 @@ require (
 	kmodules.xyz/monitoring-agent-api v0.29.0
 	kmodules.xyz/objectstore-api v0.29.1
 	kmodules.xyz/offshoot-api v0.29.2
-	kmodules.xyz/resource-metadata v0.18.2
+	kmodules.xyz/resource-metadata v0.18.5
 	kmodules.xyz/webhook-runtime v0.29.1
 	kubeops.dev/petset v0.0.5
 	kubeops.dev/sidekick v0.0.5
 	kubestash.dev/apimachinery v0.7.0
-	sigs.k8s.io/controller-runtime v0.17.3
+	sigs.k8s.io/controller-runtime v0.17.4
 	sigs.k8s.io/yaml v1.4.0
 	stash.appscode.dev/apimachinery v0.34.0
 )
@@ -141,7 +141,8 @@ require (
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
 	go.bytebuilders.dev/license-proxyserver v0.0.9 // indirect
-	go.bytebuilders.dev/license-verifier v0.14.0 // indirect
+	go.bytebuilders.dev/license-verifier v0.14.1 // indirect
+	go.bytebuilders.dev/license-verifier/kubernetes v0.14.1 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.10 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.10 // indirect
@@ -187,7 +188,7 @@ require (
 	kmodules.xyz/apiversion v0.2.0 // indirect
 	kmodules.xyz/go-containerregistry v0.0.12 // indirect
 	kmodules.xyz/prober v0.29.0 // indirect
-	kmodules.xyz/resource-metrics v0.29.1 // indirect
+	kmodules.xyz/resource-metrics v0.29.5 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 // indirect
 	sigs.k8s.io/cli-utils v0.34.0 // indirect
 	sigs.k8s.io/gateway-api v0.8.0 // indirect

diff --git a/go.sum b/go.sum
@@ -382,12 +382,14 @@ github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
 github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
-go.bytebuilders.dev/audit v0.0.33 h1:p9cPJpRimV6asHh55RSr1IB6NhSZABvLPo0Md6QB4Nc=
-go.bytebuilders.dev/audit v0.0.33/go.mod h1:RjYq4EVdUGLfzSnnm0CtS0kjBgW3zDIDrTQr0YN6SRA=
+go.bytebuilders.dev/audit v0.0.35 h1:Q9zZMWypfz0sLCGV0/Yi4ajtjBmf3QwwxtRaqyqyvG8=
+go.bytebuilders.dev/audit v0.0.35/go.mod h1:USlmGT7yTmmFA4MKzBynkTrmvp6VufXTdJ/YQ9UZPMg=
 go.bytebuilders.dev/license-proxyserver v0.0.9 h1:MFArxunIZS0o3LZ+JuSwub8GwZ4bdE3kkfJ8hJfkREQ=
 go.bytebuilders.dev/license-proxyserver v0.0.9/go.mod h1:mLX/7EK1gouPWXmG3qibRXF8y+dkR3H1Hgttioy6Dww=
-go.bytebuilders.dev/license-verifier v0.14.0 h1:O6pXhz9vz7dPWIJATkX+JiMLhUD2ydzvKzf26c+3Jrw=
-go.bytebuilders.dev/license-verifier v0.14.0/go.mod h1:GB9XTSQUcllJ4AVq29TdJI6yRjoI86HGz0XMqq9nLwY=
+go.bytebuilders.dev/license-verifier v0.14.1 h1:Pk0a4NKgRjMt6eBZATHwLmPUuTQL00kQB3AQoxhCsUE=
+go.bytebuilders.dev/license-verifier v0.14.1/go.mod h1:GB9XTSQUcllJ4AVq29TdJI6yRjoI86HGz0XMqq9nLwY=
+go.bytebuilders.dev/license-verifier/kubernetes v0.14.1 h1:bKCtI8dLYXN2oe0xkS7tu68Knepj16SOdyLUq2jHYfc=
+go.bytebuilders.dev/license-verifier/kubernetes v0.14.1/go.mod h1:4fNWvcXF+2QOUD8xJTBscrIdVrduemPLHWZfBjG4/K8=
 go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=
 go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 go.etcd.io/etcd/api/v3 v3.5.10 h1:szRajuUUbLyppkhs9K6BRtjY37l66XQQmw7oZRANE4k=
@@ -673,10 +675,10 @@ kmodules.xyz/offshoot-api v0.29.2 h1:akXmvkNqFz1n9p1STVs9iP7ODYET0S7BhcYCMXEjK4A
 kmodules.xyz/offshoot-api v0.29.2/go.mod h1:Wv7Xo8wbvznI+8bhaylRFHFjkt30xRDOUOnqV8kOAxM=
 kmodules.xyz/prober v0.29.0 h1:Ex7m4F9rH7uWNNJlLgP63ROOM+nUATJkC2L5OQ7nwMg=
 kmodules.xyz/prober v0.29.0/go.mod h1:UtK+HKyI1lFLEKX+HFLyOCVju6TO93zv3kwGpzqmKOo=
-kmodules.xyz/resource-metadata v0.18.2 h1:rfyq0Wnzx/2OiWGFbHTRp9cVvr2KI8xOCyy7gUVytm4=
-kmodules.xyz/resource-metadata v0.18.2/go.mod h1:Vb2bFCOX4uz2TsRRMzTkUqFWWOjJ261lY8Hs2HWgzh4=
-kmodules.xyz/resource-metrics v0.29.1 h1:gP4SNosdDGFImpne52mnQtHacmnllYkTMcYL//p/ltM=
-kmodules.xyz/resource-metrics v0.29.1/go.mod h1:OuG/QobZ7o8GFHl/u3lqaUR0fDZDegxtV8Vdh+MNBD4=
+kmodules.xyz/resource-metadata v0.18.5 h1:NRUFt3jBLAY2H5gEyv0ypwJGtclb5ioAeHX31vzcHiw=
+kmodules.xyz/resource-metadata v0.18.5/go.mod h1:HY6FmDDzQOEHfIEHRiqwNXVyof3uRIDtLSu0Yi1mIBw=
+kmodules.xyz/resource-metrics v0.29.5 h1:ciuvRXuXsloLNW/JwkubqbYySsvHvHr6/nhkTL5Sf1o=
+kmodules.xyz/resource-metrics v0.29.5/go.mod h1:OuG/QobZ7o8GFHl/u3lqaUR0fDZDegxtV8Vdh+MNBD4=
 kmodules.xyz/webhook-runtime v0.29.1 h1:SQ8NvwJpxv5CUuXIubSg9g0Bk8BBnj4dhCWEk6Ou8g8=
 kmodules.xyz/webhook-runtime v0.29.1/go.mod h1:WVgNO4NqFdYwYZ82L6QIycN1Ax47y+yXi7XIHekYylo=
 kubeops.dev/petset v0.0.5 h1:VVXi39JhjondlbHyZ98z0MLp6VCmiCMinL59K48Y2zA=
@@ -689,8 +691,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 h1:TgtAeesdhpm2S
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0/go.mod h1:VHVDI/KrK4fjnV61bE2g3sA7tiETLn8sooImelsCx3Y=
 sigs.k8s.io/cli-utils v0.34.0 h1:zCUitt54f0/MYj/ajVFnG6XSXMhpZ72O/3RewIchW8w=
 sigs.k8s.io/cli-utils v0.34.0/go.mod h1:EXyMwPMu9OL+LRnj0JEMsGG/fRvbgFadcVlSnE8RhFs=
-sigs.k8s.io/controller-runtime v0.17.3 h1:65QmN7r3FWgTxDMz9fvGnO1kbf2nu+acg9p2R9oYYYk=
-sigs.k8s.io/controller-runtime v0.17.3/go.mod h1:N0jpP5Lo7lMTF9aL56Z/B2oWBJjey6StQM0jRbKQXtY=
+sigs.k8s.io/controller-runtime v0.17.4 h1:AMf1E0+93/jLQ13fb76S6Atwqp24EQFCmNbG84GJxew=
+sigs.k8s.io/controller-runtime v0.17.4/go.mod h1:N0jpP5Lo7lMTF9aL56Z/B2oWBJjey6StQM0jRbKQXtY=
 sigs.k8s.io/gateway-api v0.8.0 h1:isQQ3Jx2qFP7vaA3ls0846F0Amp9Eq14P08xbSwVbQg=
 sigs.k8s.io/gateway-api v0.8.0/go.mod h1:okOnjPNBFbIS/Rw9kAhuIUaIkLhTKEu+ARIuXk2dgaM=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=

diff --git a/vendor/go.bytebuilders.dev/audit/lib/nats.go b/vendor/go.bytebuilders.dev/audit/lib/nats.go
@@ -24,15 +24,15 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"sync"
 	"time"
 
 	"github.com/nats-io/nats.go"
 	"github.com/pkg/errors"
-	proxyserver "go.bytebuilders.dev/license-proxyserver/apis/proxyserver/v1alpha1"
-	proxyclient "go.bytebuilders.dev/license-proxyserver/client/clientset/versioned"
 	verifier "go.bytebuilders.dev/license-verifier"
+	"go.bytebuilders.dev/license-verifier/apis/licenses/v1alpha1"
 	"go.bytebuilders.dev/license-verifier/info"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"go.bytebuilders.dev/license-verifier/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
 )
@@ -45,10 +45,10 @@ const (
 )
 
 type NatsConfig struct {
-	LicenseID string     `json:"licenseID"`
-	Subject   string     `json:"natsSubject"`
-	Server    string     `json:"natsServer"`
-	Client    *nats.Conn `json:"-"`
+	// LicenseID string     `json:"licenseID"`
+	Subject string     `json:"natsSubject"`
+	Server  string     `json:"natsServer"`
+	Client  *nats.Conn `json:"-"`
 }
 
 // NatsCredential represents the api response of the register licensed user api
@@ -57,29 +57,37 @@ type NatsCredential struct {
 	Credential []byte `json:"credential"`
 }
 
-func NewNatsConfig(cfg *rest.Config, clusterID string, LicenseFile string) (*NatsConfig, error) {
-	var licenseBytes []byte
-	var err error
-
-	licenseBytes, err = os.ReadFile(LicenseFile)
-	if errors.Is(err, os.ErrNotExist) {
-		req := proxyserver.LicenseRequest{
-			TypeMeta: metav1.TypeMeta{},
-			Request: &proxyserver.LicenseRequestRequest{
-				Features: info.Features(),
-			},
-		}
-		pc, err := proxyclient.NewForConfig(cfg)
-		if err != nil {
-			return nil, errors.Wrap(err, "failed create client for license-proxyserver")
-		}
-		resp, err := pc.ProxyserverV1alpha1().LicenseRequests().Create(context.TODO(), &req, metav1.CreateOptions{})
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to read license")
-		}
-		licenseBytes = []byte(resp.Response.License)
-	} else if err != nil {
-		return nil, errors.Wrap(err, "failed to read license")
+type LicenseIDGetter interface {
+	GetLicenseID() string
+}
+
+type LicenseUpdater struct {
+	le      *kubernetes.LicenseEnforcer
+	License v1alpha1.License
+	mu      sync.Mutex
+}
+
+func (lu *LicenseUpdater) GetLicenseID() string {
+	lu.mu.Lock()
+	defer lu.mu.Unlock()
+
+	l := lu.License
+	if l.Status == v1alpha1.LicenseActive && time.Now().After(l.NotAfter.Time) {
+		license, _ := lu.le.LoadLicense()
+		lu.License = license
+		l = license
+	}
+	return l.ID
+}
+
+func NewNatsConfig(cfg *rest.Config, clusterID string, LicenseFile string) (*NatsConfig, LicenseIDGetter, error) {
+	le, err := kubernetes.NewLicenseEnforcer(cfg, LicenseFile)
+	if err != nil {
+		return nil, nil, err
+	}
+	license, licenseBytes := le.LoadLicense()
+	if license.Status != v1alpha1.LicenseActive {
+		return nil, nil, fmt.Errorf("license status is %s", license.Status)
 	}
 
 	opts := verifier.Options{
@@ -90,46 +98,46 @@ func NewNatsConfig(cfg *rest.Config, clusterID string, LicenseFile string) (*Nat
 	}
 	data, err := json.Marshal(opts)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	resp, err := http.Post(info.MustRegistrationAPIEndpoint(), "application/json", bytes.NewReader(data))
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	defer resp.Body.Close()
 
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, errors.New(resp.Status + ", " + string(body))
+		return nil, nil, errors.New(resp.Status + ", " + string(body))
 	}
 
 	var natscred NatsCredential
 	err = json.Unmarshal(body, &natscred)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
-	klog.V(5).InfoS("using event receiver", "address", natscred.Server, "subject", natscred.Subject, "licenseID", natscred.LicenseID)
+	klog.V(5).InfoS("using event receiver", "address", natscred.Server, "subject", natscred.Subject, "licenseID", license.ID)
 
-	natscred.Client, err = NewConnection(natscred)
+	natscred.Client, err = NewConnection(license.ID, natscred)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
-	return &natscred.NatsConfig, nil
+	return &natscred.NatsConfig, &LicenseUpdater{le: le, License: license}, nil
 }
 
 // NewConnection creates a new NATS connection
-func NewConnection(natscred NatsCredential) (nc *nats.Conn, err error) {
+func NewConnection(licenseID string, natscred NatsCredential) (nc *nats.Conn, err error) {
 	servers := natscred.Server
 
 	opts := []nats.Option{
-		nats.Name(fmt.Sprintf("%s.%s", natscred.LicenseID, info.ProductName)),
+		nats.Name(fmt.Sprintf("%s.%s", licenseID, info.ProductName)),
 		nats.MaxReconnects(-1),
 		nats.ErrorHandler(errorHandler),
 		nats.ReconnectHandler(reconnectHandler),

diff --git a/vendor/go.bytebuilders.dev/audit/lib/publisher.go b/vendor/go.bytebuilders.dev/audit/lib/publisher.go
@@ -66,6 +66,7 @@ type EventPublisher struct {
 	connect func() error
 
 	nats        *NatsConfig
+	lu          LicenseIDGetter
 	mapper      discovery.ResourceMapper
 	createEvent EventCreator
 
@@ -90,7 +91,7 @@ func NewEventPublisher(
 }
 
 func NewResilientEventPublisher(
-	fnConnect func() (*NatsConfig, error),
+	fnConnect func() (*NatsConfig, LicenseIDGetter, error),
 	mapper discovery.ResourceMapper,
 	fnCreateEvent EventCreator,
 ) *EventPublisher {
@@ -100,7 +101,7 @@ func NewResilientEventPublisher(
 	}
 	p.connect = func() error {
 		var err error
-		p.nats, err = fnConnect()
+		p.nats, p.lu, err = fnConnect()
 		if err != nil {
 			klog.V(5).InfoS("failed to connect with event receiver", "error", err)
 		}
@@ -120,9 +121,9 @@ func (p *EventPublisher) NatsClient() (*nats.Conn, error) {
 func (p *EventPublisher) Publish(ev *api.Event, et api.EventType) error {
 	event := cloudeventssdk.NewEvent()
 	event.SetID(fmt.Sprintf("%s.%d", ev.Resource.GetUID(), ev.Resource.GetGeneration()))
-	// /byte.builders/auditor/license_id/feature/info.ProductName/api_group/api_resource/
+	// /appscode.com/auditor/license_id/feature/info.ProductName/api_group/api_resource/
 	// ref: https://github.com/cloudevents/spec/blob/v1.0.1/spec.md#source-1
-	event.SetSource(fmt.Sprintf("/byte.builders/auditor/%s/feature/%s/%s/%s", ev.LicenseID, info.ProductName, ev.ResourceID.Group, ev.ResourceID.Name))
+	event.SetSource(fmt.Sprintf("/%s/auditor/%s/feature/%s/%s/%s", info.ProdDomain, ev.LicenseID, info.ProductName, ev.ResourceID.Group, ev.ResourceID.Name))
 	// obj.getUID
 	// ref: https://github.com/cloudevents/spec/blob/v1.0.1/spec.md#subject
 	event.SetSubject(string(ev.Resource.GetUID()))
@@ -187,7 +188,7 @@ func (p *EventPublisher) ForGVK(informer Informer, gvk schema.GroupVersionKind)
 			if p.nats == nil {
 				return nil, fmt.Errorf("not connected to nats")
 			}
-			ev.LicenseID = p.nats.LicenseID
+			ev.LicenseID = p.lu.GetLicenseID()
 
 			return ev, nil
 		},
@@ -239,43 +240,45 @@ func (p *EventPublisher) setupSiteInfoPublisher(cfg *rest.Config, kc kubernetes.
 		p.si.Product = new(auditorapi.ProductInfo)
 	}
 
-	_, err = nodeInformer.AddEventHandlerWithResyncPeriod(&SiteInfoPublisher{
-		p: p,
-		createEvent: func(_ client.Object) (*api.Event, error) {
-			cmeta, err := clusterid.ClusterMetadata(kc.CoreV1().Namespaces())
-			if err != nil {
-				return nil, err
-			}
-			nodes, err := listNodes()
-			if err != nil {
-				return nil, err
-			}
+	event := func(_ client.Object) (*api.Event, error) {
+		cmeta, err := clusterid.ClusterMetadata(kc.CoreV1().Namespaces())
+		if err != nil {
+			return nil, err
+		}
+		nodes, err := listNodes()
+		if err != nil {
+			return nil, err
+		}
 
-			p.siMutex.Lock()
-			p.si.Kubernetes.Cluster = cmeta
-			siteinfo.RefreshNodeStats(p.si, nodes)
-			p.siMutex.Unlock()
+		p.siMutex.Lock()
+		p.si.Kubernetes.Cluster = cmeta
+		siteinfo.RefreshNodeStats(p.si, nodes)
+		p.siMutex.Unlock()
 
-			p.once.Do(p.connect)
-			if p.nats == nil {
-				return nil, fmt.Errorf("not connected to nats")
-			}
+		p.once.Do(p.connect)
+		if p.nats == nil {
+			return nil, fmt.Errorf("not connected to nats")
+		}
 
-			p.si.Product.LicenseID = p.nats.LicenseID
-			p.si.Name = fmt.Sprintf("%s.%s", p.nats.LicenseID, p.si.Product.ProductName)
-			ev := &api.Event{
-				Resource: p.si,
-				ResourceID: kmapi.ResourceID{
-					Group:   auditorapi.SchemeGroupVersion.Group,
-					Version: auditorapi.SchemeGroupVersion.Version,
-					Name:    auditorapi.ResourceSiteInfos,
-					Kind:    auditorapi.ResourceKindSiteInfo,
-					Scope:   kmapi.ClusterScoped,
-				},
-				LicenseID: p.nats.LicenseID,
-			}
-			return ev, nil
-		},
+		licenseID := p.lu.GetLicenseID()
+		p.si.Product.LicenseID = licenseID
+		p.si.Name = fmt.Sprintf("%s.%s", licenseID, p.si.Product.ProductName)
+		ev := &api.Event{
+			Resource: p.si,
+			ResourceID: kmapi.ResourceID{
+				Group:   auditorapi.SchemeGroupVersion.Group,
+				Version: auditorapi.SchemeGroupVersion.Version,
+				Name:    auditorapi.ResourceSiteInfos,
+				Kind:    auditorapi.ResourceKindSiteInfo,
+				Scope:   kmapi.ClusterScoped,
+			},
+			LicenseID: licenseID,
+		}
+		return ev, nil
+	}
+	_, err = nodeInformer.AddEventHandlerWithResyncPeriod(&SiteInfoPublisher{
+		p:           p,
+		createEvent: event,
 	}, eventInterval)
 	return err
 }

diff --git a/vendor/go.bytebuilders.dev/license-verifier/Makefile b/vendor/go.bytebuilders.dev/license-verifier/Makefile
@@ -64,7 +64,7 @@ ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
 BASEIMAGE_PROD   ?= gcr.io/distroless/static-debian11
 BASEIMAGE_DBG    ?= debian:bullseye
 
-GO_VERSION       ?= 1.21
+GO_VERSION       ?= 1.22
 BUILD_IMAGE      ?= ghcr.io/appscode/golang-dev:$(GO_VERSION)
 
 OUTBIN = bin/$(OS)_$(ARCH)/$(BIN)