Add proxy address in web-console request (vmware-tanzu#61)

dilyar85 · web-flow · commit c4b0bf4c8062 · 2023-02-17T11:51:20.000+08:00
diff --git a/api/v1alpha1/webconsolerequest_types.go b/api/v1alpha1/webconsolerequest_types.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2021 VMware, Inc. All Rights Reserved.
+// Copyright (c) 2021-2023 VMware, Inc. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -21,6 +21,30 @@ type WebConsoleRequestStatus struct {
 	Response string `json:"response,omitempty"`
 	// ExpiryTime is when the ticket referenced in Response will expire.
 	ExpiryTime metav1.Time `json:"expiryTime,omitempty"`
+	// ProxyAddr describes the host address and optional port used to access
+	// the VM's web console.
+	// The value could be a DNS entry, IPv4, or IPv6 address, followed by an
+	// optional port. For example, valid values include:
+	//
+	//     DNS
+	//         * host.com
+	//         * host.com:6443
+	//
+	//     IPv4
+	//         * 1.2.3.4
+	//         * 1.2.3.4:6443
+	//
+	//     IPv6
+	//         * 1234:1234:1234:1234:1234:1234:1234:1234
+	//         * [1234:1234:1234:1234:1234:1234:1234:1234]:6443
+	//         * 1234:1234:1234:0000:0000:0000:1234:1234
+	//         * 1234:1234:1234::::1234:1234
+	//         * [1234:1234:1234::::1234:1234]:6443
+	//
+	// In other words, the field may be set to any value that is parsable
+	// by Go's https://pkg.go.dev/net#ResolveIPAddr and
+	// https://pkg.go.dev/net#ParseIP functions.
+	ProxyAddr string `json:"proxyAddr,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/config/crd/bases/vmoperator.vmware.com_webconsolerequests.yaml b/config/crd/bases/vmoperator.vmware.com_webconsolerequests.yaml
@@ -58,6 +58,18 @@ spec:
                   will expire.
                 format: date-time
                 type: string
+              proxyAddr:
+                description: "ProxyAddr describes the host address and optional port
+                  used to access the VM's web console. The value could be a DNS entry,
+                  IPv4, or IPv6 address, followed by an optional port. For example,
+                  valid values include: \n DNS * host.com * host.com:6443 \n IPv4
+                  * 1.2.3.4 * 1.2.3.4:6443 \n IPv6 * 1234:1234:1234:1234:1234:1234:1234:1234
+                  * [1234:1234:1234:1234:1234:1234:1234:1234]:6443 * 1234:1234:1234:0000:0000:0000:1234:1234
+                  * 1234:1234:1234::::1234:1234 * [1234:1234:1234::::1234:1234]:6443
+                  \n In other words, the field may be set to any value that is parsable
+                  by Go's https://pkg.go.dev/net#ResolveIPAddr and https://pkg.go.dev/net#ParseIP
+                  functions."
+                type: string
               response:
                 description: Response will be the authenticated ticket corresponding
                   to this web console request.
diff --git a/controllers/webconsolerequest/webconsolerequest_controller.go b/controllers/webconsolerequest/webconsolerequest_controller.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 VMware, Inc. All Rights Reserved.
+// Copyright (c) 2022-2023 VMware, Inc. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package webconsolerequest
@@ -13,6 +13,7 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -30,6 +31,9 @@ import (
 const (
 	DefaultExpiryTime = time.Second * 120
 	UUIDLabelKey      = "vmoperator.vmware.com/webconsolerequest-uuid"
+
+	ProxyAddrServiceName      = "kube-apiserver-lb-svc"
+	ProxyAddrServiceNamespace = "kube-system"
 )
 
 // AddToManager adds this package's controller to the provided manager.
@@ -79,6 +83,8 @@ type Reconciler struct {
 // +kubebuilder:rbac:groups=vmoperator.vmware.com,resources=webconsolerequests,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=vmoperator.vmware.com,resources=webconsolerequests/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=vmoperator.vmware.com,resources=virtualmachines,verbs=get;list
+// +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=services/status,verbs=get
 
 func (r *Reconciler) Reconcile(ctx goctx.Context, req ctrl.Request) (_ ctrl.Result, reterr error) {
 	webconsolerequest := &vmopv1alpha1.WebConsoleRequest{}
@@ -143,9 +149,10 @@ func (r *Reconciler) ReconcileEarlyNormal(ctx *context.WebConsoleRequestContext)
 		return true, nil
 	}
 
-	if ctx.WebConsoleRequest.Status.Response != "" {
-		// If the response is already set, no need to reconcile anymore
-		ctx.Logger.Info("Response already set, skip reconciling")
+	if ctx.WebConsoleRequest.Status.Response != "" &&
+		ctx.WebConsoleRequest.Status.ProxyAddr != "" {
+		// If the response and proxy address are already set, no need to reconcile anymore
+		ctx.Logger.Info("Response and proxy address already set, skip reconciling")
 		return true, nil
 	}
 
@@ -167,8 +174,21 @@ func (r *Reconciler) ReconcileNormal(ctx *context.WebConsoleRequestContext) erro
 	ctx.WebConsoleRequest.Status.Response = ticket
 	ctx.WebConsoleRequest.Status.ExpiryTime = metav1.NewTime(metav1.Now().Add(DefaultExpiryTime))
 
+	// Retrieve the proxy address from the load balancer service ingress IP.
+	proxySvc := &corev1.Service{}
+	proxySvcObjectKey := client.ObjectKey{Name: ProxyAddrServiceName, Namespace: ProxyAddrServiceNamespace}
+	err = r.Get(ctx, proxySvcObjectKey, proxySvc)
+	if err != nil {
+		return errors.Wrapf(err, "failed to get proxy address service  %s", proxySvcObjectKey)
+	}
+	if len(proxySvc.Status.LoadBalancer.Ingress) == 0 {
+		return errors.Errorf("no ingress found for proxy address service %s", proxySvcObjectKey)
+	}
+
+	ctx.WebConsoleRequest.Status.ProxyAddr = proxySvc.Status.LoadBalancer.Ingress[0].IP
+
 	// Add UUID as a Label to the current WebConsoleRequest resource after acquiring the ticket.
-	// This will be used when validating the connection request from users to the web-console URL.
+	// This will be used when validating the connection request from users to the web console URL.
 	if ctx.WebConsoleRequest.Labels == nil {
 		ctx.WebConsoleRequest.Labels = make(map[string]string)
 	}
diff --git a/controllers/webconsolerequest/webconsolerequest_intg_test.go b/controllers/webconsolerequest/webconsolerequest_intg_test.go
@@ -10,6 +10,7 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
+	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -26,9 +27,10 @@ func intgTests() {
 
 func webConsoleRequestReconcile() {
 	var (
-		ctx *builder.IntegrationTestContext
-		wcr *v1alpha1.WebConsoleRequest
-		vm  *v1alpha1.VirtualMachine
+		ctx      *builder.IntegrationTestContext
+		wcr      *v1alpha1.WebConsoleRequest
+		vm       *v1alpha1.VirtualMachine
+		proxySvc *corev1.Service
 	)
 
 	getWebConsoleRequest := func(ctx *builder.IntegrationTestContext, objKey types.NamespacedName) *v1alpha1.WebConsoleRequest {
@@ -66,6 +68,21 @@ func webConsoleRequestReconcile() {
 			},
 		}
 
+		proxySvc = &corev1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      webconsolerequest.ProxyAddrServiceName,
+				Namespace: webconsolerequest.ProxyAddrServiceNamespace,
+			},
+			Spec: corev1.ServiceSpec{
+				Ports: []corev1.ServicePort{
+					{
+						Name: "dummy-proxy-port",
+						Port: 443,
+					},
+				},
+			},
+		}
+
 		fakeVMProvider.Lock()
 		defer fakeVMProvider.Unlock()
 		fakeVMProvider.GetVirtualMachineWebMKSTicketFn = func(ctx context.Context, vm *v1alpha1.VirtualMachine, pubKey string) (string, error) {
@@ -83,6 +100,17 @@ func webConsoleRequestReconcile() {
 		BeforeEach(func() {
 			Expect(ctx.Client.Create(ctx, vm)).To(Succeed())
 			Expect(ctx.Client.Create(ctx, wcr)).To(Succeed())
+			Expect(ctx.Client.Create(ctx, proxySvc)).To(Succeed())
+			proxySvc.Status = corev1.ServiceStatus{
+				LoadBalancer: corev1.LoadBalancerStatus{
+					Ingress: []corev1.LoadBalancerIngress{
+						{
+							IP: "192.168.0.1",
+						},
+					},
+				},
+			}
+			Expect(ctx.Client.Status().Update(ctx, proxySvc)).To(Succeed())
 		})
 
 		AfterEach(func() {
@@ -100,6 +128,7 @@ func webConsoleRequestReconcile() {
 				}
 				return false
 			}).Should(BeTrue(), "waiting for webconsolerequest to be")
+			Expect(wcr.Status.ProxyAddr).To(Equal("192.168.0.1"))
 			Expect(wcr.Status.Response).ToNot(BeEmpty())
 			Expect(wcr.Status.ExpiryTime.Time).To(BeTemporally("~", time.Now(), webconsolerequest.DefaultExpiryTime))
 			Expect(wcr.Labels).To(HaveKeyWithValue(webconsolerequest.UUIDLabelKey, string(wcr.UID)))
diff --git a/controllers/webconsolerequest/webconsolerequest_unit_test.go b/controllers/webconsolerequest/webconsolerequest_unit_test.go
@@ -10,6 +10,7 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -35,6 +36,7 @@ func unitTestsReconcile() {
 		wcrCtx     *vmopContext.WebConsoleRequestContext
 		wcr        *v1alpha1.WebConsoleRequest
 		vm         *v1alpha1.VirtualMachine
+		proxySvc   *corev1.Service
 	)
 
 	BeforeEach(func() {
@@ -53,6 +55,22 @@ func unitTestsReconcile() {
 				PublicKey:          "",
 			},
 		}
+
+		proxySvc = &corev1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      webconsolerequest.ProxyAddrServiceName,
+				Namespace: webconsolerequest.ProxyAddrServiceNamespace,
+			},
+			Status: corev1.ServiceStatus{
+				LoadBalancer: corev1.LoadBalancerStatus{
+					Ingress: []corev1.LoadBalancerIngress{
+						{
+							IP: "dummy-proxy-ip",
+						},
+					},
+				},
+			},
+		}
 	})
 
 	JustBeforeEach(func() {
@@ -83,7 +101,7 @@ func unitTestsReconcile() {
 
 	Context("ReconcileNormal", func() {
 		BeforeEach(func() {
-			initObjects = append(initObjects, wcr, vm)
+			initObjects = append(initObjects, wcr, vm, proxySvc)
 		})
 
 		JustBeforeEach(func() {
@@ -97,6 +115,7 @@ func unitTestsReconcile() {
 				err := reconciler.ReconcileNormal(wcrCtx)
 				Expect(err).ToNot(HaveOccurred())
 
+				Expect(wcrCtx.WebConsoleRequest.Status.ProxyAddr).To(Equal("dummy-proxy-ip"))
 				Expect(wcrCtx.WebConsoleRequest.Status.Response).ToNot(BeEmpty())
 				Expect(wcrCtx.WebConsoleRequest.Status.ExpiryTime.Time).To(BeTemporally("~", time.Now(), webconsolerequest.DefaultExpiryTime))
 				// Checking the label key only because UID will not be set to a resource during unit test.
diff --git a/docs/apis/v1alpha1.md b/docs/apis/v1alpha1.md
@@ -1140,3 +1140,8 @@ _Appears in:_
 | --- | --- |
 | `response` _string_ | Response will be the authenticated ticket corresponding to this web console request. |
 | `expiryTime` _[Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#time-v1-meta)_ | ExpiryTime is when the ticket referenced in Response will expire. |
+| `proxyAddr` _string_ | ProxyAddr describes the host address and optional port used to access the VM's web console. The value could be a DNS entry, IPv4, or IPv6 address, followed by an optional port. For example, valid values include: 
+ DNS * host.com * host.com:6443 
+ IPv4 * 1.2.3.4 * 1.2.3.4:6443 
+ IPv6 * 1234:1234:1234:1234:1234:1234:1234:1234 * [1234:1234:1234:1234:1234:1234:1234:1234]:6443 * 1234:1234:1234:0000:0000:0000:1234:1234 * 1234:1234:1234::::1234:1234 * [1234:1234:1234::::1234:1234]:6443 
+ In other words, the field may be set to any value that is parsable by Go's https://pkg.go.dev/net#ResolveIPAddr and https://pkg.go.dev/net#ParseIP functions. |
