Add BackendConfig crd to provider cluster wide and namespace wide configs (#734)

* Add MeshConfig crd

* Reconcile objects automatically when MeshConfig is updated

* Add testcases

* Fix charts

* Use Watches

* Add rbac

* Fix ci

* Fix CVE

* Rename MeshConfig to BackendConfig

* fix ci

* Fix env test

* Fix ci

* Fix ci

Author: jiangpengcheng

.ci/clusters/global_backend_config.yaml

@@ -0,0 +1,8 @@
+apiVersion: compute.functionmesh.io/v1alpha1
+kind: BackendConfig
+metadata:
+  name: global-backend-config
+spec:
+  env:
+    global1: globalvalue1
+    shared1: fromglobal

.ci/helm.sh

@@ -596,3 +596,16 @@ function ci::verify_log_topic_with_auth() {
   fi
   return 1
 }
+
+function ci::verify_env() {
+  pod="$1-function-0"
+  key=$2
+  expect=$3
+  result=$(kubectl exec -n ${NAMESPACE} ${pod} -- env | grep "${key}")
+  echo "$result"
+  echo "$expect"
+  if [[ "$result" = "$expect" ]]; then
+    return 0
+  fi
+  return 1
+}

.ci/tests/integration/cases/crypto-function/manifests.yaml

@@ -9,7 +9,6 @@ spec:
   forwardSourceMessageProperty: true
   maxPendingAsyncRequests: 1000
   replicas: 1
-  maxReplicas: 5
   logTopic: persistent://public/default/logging-function-logs
   input:
     topics:

.ci/tests/integration/cases/global-and-namespaced-config/manifests.yaml

@@ -0,0 +1,77 @@
+apiVersion: compute.functionmesh.io/v1alpha1
+kind: Function
+metadata:
+  name: function-sample-env
+  namespace: default
+spec:
+  image: streamnative/pulsar-functions-java-sample:2.9.2.23
+  className: org.apache.pulsar.functions.api.examples.ExclamationFunction
+  forwardSourceMessageProperty: true
+  maxPendingAsyncRequests: 1000
+  replicas: 1
+  maxReplicas: 5
+  logTopic: persistent://public/default/logging-function-logs
+  input:
+    topics:
+      - persistent://public/default/input-java-topic
+    typeClassName: java.lang.String
+  output:
+    topic: persistent://public/default/output-java-topic
+    typeClassName: java.lang.String
+  resources:
+    requests:
+      cpu: 50m
+      memory: 1G
+    limits:
+      memory: 1.1G
+  # each secret will be loaded ad an env variable from the `path` secret with the `key` in that secret in the name of `name`
+  secretsMap:
+    "name":
+      path: "test-secret"
+      key: "username"
+    "pwd":
+      path: "test-secret"
+      key: "password"
+  pulsar:
+    pulsarConfig: "test-pulsar"
+    tlsConfig:
+      enabled: false
+      allowInsecure: false
+      hostnameVerification: true
+      certSecretName: sn-platform-tls-broker
+      certSecretKey: ""
+    #authConfig: "test-auth"
+  java:
+    jar: /pulsar/examples/api-examples.jar
+  # to be delete & use admission hook
+  clusterName: test
+  autoAck: true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-pulsar
+data:
+  webServiceURL: http://sn-platform-pulsar-broker.default.svc.cluster.local:8080
+  brokerServiceURL: pulsar://sn-platform-pulsar-broker.default.svc.cluster.local:6650
+#---
+#apiVersion: v1
+#kind: ConfigMap
+#metadata:
+#  name: test-auth
+#data:
+#  clientAuthenticationPlugin: "abc"
+#  clientAuthenticationParameters: "xyz"
+#  tlsTrustCertsFilePath: "uvw"
+#  useTls: "true"
+#  tlsAllowInsecureConnection: "false"
+#  tlsHostnameVerificationEnable: "true"
+---
+apiVersion: v1
+data:
+  username: YWRtaW4=
+  password: MWYyZDFlMmU2N2Rm
+kind: Secret
+metadata:
+  name: test-secret
+type: Opaque

.ci/tests/integration/cases/global-and-namespaced-config/mesh-config-kube-system.yaml

@@ -0,0 +1,9 @@
+apiVersion: compute.functionmesh.io/v1alpha1
+kind: BackendConfig
+metadata:
+  name: backend-config
+  namespace: kube-system
+spec:
+  env:
+    namespaced1: namespacedvalue1
+    shared1: fromnamespace

.ci/tests/integration/cases/global-and-namespaced-config/mesh-config.yaml

@@ -0,0 +1,9 @@
+apiVersion: compute.functionmesh.io/v1alpha1
+kind: BackendConfig
+metadata:
+  name: backend-config
+  namespace: default
+spec:
+  env:
+    namespaced1: namespacedvalue1
+    shared1: fromnamespace

.ci/tests/integration/cases/global-and-namespaced-config/verify.sh

@@ -0,0 +1,146 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+set -e
+
+E2E_DIR=$(dirname "$0")
+BASE_DIR=$(cd "${E2E_DIR}"/../../../../..;pwd)
+PULSAR_NAMESPACE=${PULSAR_NAMESPACE:-"default"}
+PULSAR_RELEASE_NAME=${PULSAR_RELEASE_NAME:-"sn-platform"}
+E2E_KUBECONFIG=${E2E_KUBECONFIG:-"/tmp/e2e-k8s.config"}
+
+source "${BASE_DIR}"/.ci/helm.sh
+
+if [ ! "$KUBECONFIG" ]; then
+  export KUBECONFIG=${E2E_KUBECONFIG}
+fi
+
+manifests_file="${BASE_DIR}"/.ci/tests/integration/cases/global-and-namespaced-config/manifests.yaml
+mesh_config_file="${BASE_DIR}"/.ci/tests/integration/cases/global-and-namespaced-config/mesh-config.yaml
+mesh_config_file_in_kube_system="${BASE_DIR}"/.ci/tests/integration/cases/global-and-namespaced-config/mesh-config-kube-system.yaml
+global_mesh_config_file="${BASE_DIR}"/.ci/clusters/global_backend_config.yaml
+
+
+kubectl apply -f "${mesh_config_file}" > /dev/null 2>&1
+kubectl apply -f "${manifests_file}" > /dev/null 2>&1
+
+verify_fm_result=$(ci::verify_function_mesh function-sample-env 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_fm_result"
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" global1 global1=globalvalue1 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_env_result"
+  kubectl delete -f "${mesh_config_file}" > /dev/null 2>&1
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" namespaced1 namespaced1=namespacedvalue1 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_env_result"
+  kubectl delete -f "${mesh_config_file}" > /dev/null 2>&1
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+# if global and namespaced config has same key, the value from namespace should be used
+verify_env_result=$(ci::verify_env "function-sample-env" shared1 shared1=fromnamespace 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_env_result"
+  kubectl delete -f "${mesh_config_file}" > /dev/null 2>&1
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+# delete the namespaced config, the function should be reconciled without namespaced env injected
+kubectl delete -f "${mesh_config_file}" > /dev/null 2>&1
+sleep 30
+
+verify_fm_result=$(ci::verify_function_mesh function-sample-env 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_fm_result"
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" global1 global1=globalvalue1 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_env_result"
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" shared1 shared1=fromglobal 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_env_result"
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" namespaced1 "" 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_env_result"
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+# delete the global config, the function should be reconciled without global env injected
+kubectl delete -f "${global_mesh_config_file}" -n $FUNCTION_MESH_NAMESPACE > /dev/null 2>&1 || true
+sleep 30
+
+verify_fm_result=$(ci::verify_function_mesh function-sample-env 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_fm_result"
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" global1 "" 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_env_result"
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+# config created in an another namespace should not affect functions in other namespaces
+kubectl apply -f "${mesh_config_file_in_kube_system}" > /dev/null 2>&1
+sleep 30
+
+verify_fm_result=$(ci::verify_function_mesh function-sample-env 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_fm_result"
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+verify_env_result=$(ci::verify_env "function-sample-env" namespaced1 "" 2>&1)
+if [ $? -eq 0 ]; then
+  echo "e2e-test: ok" | yq eval -
+else
+  echo "$verify_env_result"
+  kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true
+  exit 1
+fi
+
+kubectl delete -f "${manifests_file}" > /dev/null 2>&1 || true

.ci/tests/integration/e2e_with_tls.yaml

@@ -87,12 +87,17 @@ setup:
         image="function-mesh-operator:latest"
         IMG=${image} make docker-build-skip-test
         kind load docker-image ${image}
-        helm install ${FUNCTION_MESH_RELEASE_NAME} -n ${FUNCTION_MESH_NAMESPACE} --set operatorImage=${image} --create-namespace charts/function-mesh-operator
+        helm install ${FUNCTION_MESH_RELEASE_NAME} -n ${FUNCTION_MESH_NAMESPACE} --set operatorImage=${image} --set controllerManager.globalBackendConfig=global-backend-config --set controllerManager.globalBackendConfigNamespace=${FUNCTION_MESH_NAMESPACE} --set controllerManager.namespacedBackendConfig=backend-config --create-namespace charts/function-mesh-operator
       wait:
         - namespace: function-mesh
           resource: pod
           label-selector: app.kubernetes.io/name=function-mesh-operator
           for: condition=Ready
+
+    - name: apply global env config map
+      command: |
+        kubectl create -n ${FUNCTION_MESH_NAMESPACE} -f .ci/clusters/global_backend_config.yaml
+
   timeout: 60m
 
 cleanup:
@@ -124,3 +129,5 @@ verify:
       expected: expected.data.yaml
     - query: bash .ci/tests/integration/cases/crypto-function/verify.sh
       expected: expected.data.yaml
+    - query: timeout 5m bash .ci/tests/integration/cases/global-and-namespaced-config/verify.sh
+      expected: expected.data.yaml

.github/workflows/olm-verify.yml

@@ -27,10 +27,10 @@ jobs:
       - name: checkout
         uses: actions/checkout@v2
 
-      - name: Set up GO 1.20.4
+      - name: Set up GO 1.21.8
         uses: actions/setup-go@v1
         with:
-          go-version: 1.20.4
+          go-version: 1.21.8
         id: go
 
       - name: InstallKubebuilder

.github/workflows/trivy.yml

@@ -23,10 +23,10 @@ jobs:
           repository: ${{github.event.pull_request.head.repo.full_name}}
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - name: Set up GO 1.20.4
+      - name: Set up GO 1.21.8
         uses: actions/setup-go@v1
         with:
-          go-version: 1.20.4
+          go-version: 1.21.8
         id: go
 
       - name: InstallKubebuilder

Makefile

@@ -72,7 +72,7 @@ test-ginkgo: generate fmt vet manifests envtest
 
 .PHONY: envtest
 envtest:
-	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@v0.0.0-20240320141353-395cfc7486e6
 
 # Build manager binary
 manager: generate fmt vet