devtron-labs · ShashwatDadhich · Jun 2, 2023 · Mar 16, 2023 · Mar 16, 2023 · Mar 17, 2023
@@ -1,8 +1,12 @@
 package bean
 
 type ClusterInfo struct {
-	ClusterId   int    `json:"clusterId"`
-	ClusterName string `json:"clusterName"`
-	BearerToken string `json:"bearerToken"`
-	ServerUrl   string `json:"serverUrl"`
+	ClusterId             int    `json:"clusterId"`
+	ClusterName           string `json:"clusterName"`
+	BearerToken           string `json:"bearerToken"`
+	ServerUrl             string `json:"serverUrl"`
+	InsecureSkipTLSVerify bool   `json:"insecureSkipTLSVerify"`
+	KeyData               string `json:"keyData"`
+	CertData              string `json:"certData"`
+	CAData                string `json:"CAData"`
 }
@@ -43,6 +43,8 @@ const CLUSTER_DELETE_SUCCESS_RESP = "Cluster deleted successfully."
 
 type ClusterRestHandler interface {
 	Save(w http.ResponseWriter, r *http.Request)
+	SaveClusters(w http.ResponseWriter, r *http.Request)
+	ValidateKubeconfig(w http.ResponseWriter, r *http.Request)
 	FindAll(w http.ResponseWriter, r *http.Request)
 	FindById(w http.ResponseWriter, r *http.Request)
 	FindNoteByClusterId(w http.ResponseWriter, r *http.Request)
@@ -92,6 +94,81 @@ func NewClusterRestHandlerImpl(clusterService cluster.ClusterService,
 	}
 }
 
+func (impl ClusterRestHandlerImpl) SaveClusters(w http.ResponseWriter, r *http.Request) {
+	token := r.Header.Get("token")
+	decoder := json.NewDecoder(r.Body)
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+	beans := []*cluster.ClusterBean{}
+	err = decoder.Decode(&beans)
+	if err != nil {
+		impl.logger.Errorw("request err, Save", "error", err, "payload", beans)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+	// not logging bean object as it contains sensitive data
+	impl.logger.Infow("request payload received for save clusters")
+
+	// RBAC enforcer applying
+	isSuperAdmin, err := impl.userService.IsSuperAdmin(int(userId))
+	if !isSuperAdmin || err != nil {
+		if err != nil {
+			impl.logger.Errorw("request err, CheckSuperAdmin", "err", err, "isSuperAdmin", isSuperAdmin)
+		}
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
+		return
+	}
+	//RBAC enforcer Ends
+	ctx, cancel := context.WithCancel(r.Context())
+	if cn, ok := w.(http.CloseNotifier); ok {
+		go func(done <-chan struct{}, closed <-chan bool) {
+			select {
+			case <-done:
+			case <-closed:
+				cancel()
+			}
+		}(ctx.Done(), cn.CloseNotify())
+	}
+	if util2.IsBaseStack() {
+		ctx = context.WithValue(ctx, "token", token)
+	} else {
+		acdToken, err := impl.argoUserService.GetLatestDevtronArgoCdUserToken()
+		if err != nil {
+			impl.logger.Errorw("error in getting acd token", "err", err)
+			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+			return
+		}
+		ctx = context.WithValue(ctx, "token", acdToken)
+	}
+
+	for _, bean := range beans {
+		l := len(bean.ServerUrl)
+		if l > 1 && bean.ServerUrl[l-1:] == "/" {
+			bean.ServerUrl = bean.ServerUrl[0 : l-1]
+		}
+		if bean.Id != 0 {
+			_, err1 := impl.clusterService.Update(ctx, bean, userId)
+			if err1 != nil {
+				bean.ErrorInConnecting = err1.Error()
+			} else {
+				bean.ClusterUpdated = true
+			}
+		} else {
+			_, err1 := impl.clusterService.Save(ctx, bean, userId)
+			if err1 != nil {
+				bean.ErrorInConnecting = err1.Error()
+			}
+		}
+	}
+
+	res := beans
+
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}
+
 func (impl ClusterRestHandlerImpl) Save(w http.ResponseWriter, r *http.Request) {
 	token := r.Header.Get("token")
 	decoder := json.NewDecoder(r.Body)
@@ -161,6 +238,66 @@ func (impl ClusterRestHandlerImpl) Save(w http.ResponseWriter, r *http.Request)
 	common.WriteJsonResp(w, err, bean, http.StatusOK)
 }
 
+func (impl ClusterRestHandlerImpl) ValidateKubeconfig(w http.ResponseWriter, r *http.Request) {
+	token := r.Header.Get("token")
+	decoder := json.NewDecoder(r.Body)
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+	bean := &cluster.Kubeconfig{}
+	err = decoder.Decode(bean)
+	if err != nil {
+		impl.logger.Errorw("request err, Validate", "error", err, "payload", bean)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	err = impl.validator.Struct(bean)
+	if err != nil {
+		impl.logger.Errorw("validation err, Validate", "err", err, "payload", bean)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	// RBAC enforcer applying
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceCluster, casbin.ActionCreate, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+	//RBAC enforcer Ends
+	ctx, cancel := context.WithCancel(r.Context())
+	if cn, ok := w.(http.CloseNotifier); ok {
+		go func(done <-chan struct{}, closed <-chan bool) {
+			select {
+			case <-done:
+			case <-closed:
+				cancel()
+			}
+		}(ctx.Done(), cn.CloseNotify())
+	}
+	if util2.IsBaseStack() {
+		ctx = context.WithValue(ctx, "token", token)
+	} else {
+		acdToken, err := impl.argoUserService.GetLatestDevtronArgoCdUserToken()
+		if err != nil {
+			impl.logger.Errorw("error in getting acd token", "err", err)
+			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+			return
+		}
+		ctx = context.WithValue(ctx, "token", acdToken)
+	}
+	res, err := impl.clusterService.ValidateKubeconfig(bean.Config)
+	if err != nil {
+		impl.logger.Errorw("error in validating kubeconfig")
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}
+
 func (impl ClusterRestHandlerImpl) FindAll(w http.ResponseWriter, r *http.Request) {
 	token := r.Header.Get("token")
 	clusterList, err := impl.clusterService.FindAllWithoutConfig()

@@ -40,6 +40,14 @@ func (impl ClusterRouterImpl) InitClusterRouter(clusterRouter *mux.Router) {
 		Methods("POST").
 		HandlerFunc(impl.clusterRestHandler.Save)
 
+	clusterRouter.Path("/saveClusters").
+		Methods("POST").
+		HandlerFunc(impl.clusterRestHandler.SaveClusters)
+
+	clusterRouter.Path("/validate").
+		Methods("POST").
+		HandlerFunc(impl.clusterRestHandler.ValidateKubeconfig)
+
 	clusterRouter.Path("").
 		Methods("GET").
 		Queries("id", "{id}").

@@ -140,7 +140,7 @@ func (impl *HelmAppServiceImpl) listApplications(ctx context.Context, clusterIds
 	for _, clusterDetail := range clusters {
 		config := &ClusterConfig{
 			ApiServerUrl: clusterDetail.ServerUrl,
-			Token:        clusterDetail.Config["bearer_token"],
+			Token:        clusterDetail.Config[util.BearerToken],
 			ClusterId:    int32(clusterDetail.Id),
 			ClusterName:  clusterDetail.ClusterName,
 		}
@@ -265,7 +265,7 @@ func (impl *HelmAppServiceImpl) GetClusterConf(clusterId int) (*ClusterConfig, e
 	}
 	config := &ClusterConfig{
 		ApiServerUrl: cluster.ServerUrl,
-		Token:        cluster.Config["bearer_token"],
+		Token:        cluster.Config[util.BearerToken],
 		ClusterId:    int32(cluster.Id),
 		ClusterName:  cluster.ClusterName,
 	}

@@ -93,9 +93,14 @@ func (impl *K8sInformerFactoryImpl) BuildInformer(clusterInfo []*bean.ClusterInf
 			impl.buildInformerAndNamespaceList(info.ClusterName, restConfig, &impl.mutex)
 		} else {
 			c := &rest.Config{
-				Host:            info.ServerUrl,
-				BearerToken:     info.BearerToken,
-				TLSClientConfig: rest.TLSClientConfig{Insecure: true},
+				Host:        info.ServerUrl,
+				BearerToken: info.BearerToken,
+				TLSClientConfig: rest.TLSClientConfig{
+					Insecure: info.InsecureSkipTLSVerify,
+					KeyData:  []byte(info.KeyData),
+					CertData: []byte(info.CertData),
+					CAData:   []byte(info.CAData),
+				},
 			}
 			impl.buildInformerAndNamespaceList(info.ClusterName, c, &impl.mutex)
 		}

@@ -221,7 +221,7 @@ func (impl *TelemetryEventClientImpl) SummaryDetailsForTelemetry() (cluster []cl
 		req := &client.AppListRequest{}
 		config := &client.ClusterConfig{
 			ApiServerUrl: clusterDetail.ServerUrl,
-			Token:        clusterDetail.Config["bearer_token"],
+			Token:        clusterDetail.Config[util2.BearerToken],
 			ClusterId:    int32(clusterDetail.Id),
 			ClusterName:  clusterDetail.ClusterName,
 		}

@@ -56,10 +56,21 @@ type K8sUtil struct {
 }
 
 type ClusterConfig struct {
-	Host        string
-	BearerToken string
+	ClusterName           string
+	Host                  string
+	BearerToken           string
+	InsecureSkipTLSVerify bool
+	KeyData               string
+	CertData              string
+	CAData                string
 }
 
+const DEFAULT_CLUSTER = "default_cluster"
+const BearerToken = "bearer_token"
+const CertificateAuthorityData = "cert_auth_data"
+const CertData = "cert_data"
+const TlsKey = "tls_key"
+
 func NewK8sUtil(logger *zap.SugaredLogger, runTimeConfig *client.RuntimeConfig) *K8sUtil {
 	usr, err := user.Current()
 	if err != nil {
@@ -74,11 +85,34 @@ func NewK8sUtil(logger *zap.SugaredLogger, runTimeConfig *client.RuntimeConfig)
 	return &K8sUtil{logger: logger, runTimeConfig: runTimeConfig, kubeconfig: kubeconfig}
 }
 
+func (impl K8sUtil) GetRestConfigByCluster(configMap *ClusterConfig) (*rest.Config, error) {
+	bearerToken := configMap.BearerToken
+	var restConfig *rest.Config
+	var err error
+	if configMap.ClusterName == DEFAULT_CLUSTER && len(bearerToken) == 0 {
+		restConfig, err = impl.GetK8sClusterRestConfig()
+		if err != nil {
+			impl.logger.Errorw("error in getting rest config for default cluster", "err", err)
+			return nil, err
+		}
+	} else {
+		restConfig = &rest.Config{Host: configMap.Host, BearerToken: bearerToken, TLSClientConfig: rest.TLSClientConfig{Insecure: configMap.InsecureSkipTLSVerify}}
+		if configMap.InsecureSkipTLSVerify == false {
+			restConfig.TLSClientConfig.ServerName = restConfig.ServerName
+			restConfig.TLSClientConfig.KeyData = []byte(configMap.KeyData)
+			restConfig.TLSClientConfig.CertData = []byte(configMap.CertData)
+			restConfig.TLSClientConfig.CAData = []byte(configMap.CAData)
+		}
+	}
+	return restConfig, nil
+}
+
 func (impl K8sUtil) GetClient(clusterConfig *ClusterConfig) (*v12.CoreV1Client, error) {
-	cfg := &rest.Config{}
-	cfg.Host = clusterConfig.Host
-	cfg.BearerToken = clusterConfig.BearerToken
-	cfg.Insecure = true
+	cfg, err := impl.GetRestConfigByCluster(clusterConfig)
+	if err != nil {
+		impl.logger.Errorw("error in getting rest config for default cluster", "err", err)
+		return nil, err
+	}
 	httpClient, err := OverrideK8sHttpClientWithTracer(cfg)
 	if err != nil {
 		return nil, err
@@ -88,10 +122,11 @@ func (impl K8sUtil) GetClient(clusterConfig *ClusterConfig) (*v12.CoreV1Client,
 }
 
 func (impl K8sUtil) GetClientSet(clusterConfig *ClusterConfig) (*kubernetes.Clientset, error) {
-	cfg := &rest.Config{}
-	cfg.Host = clusterConfig.Host
-	cfg.BearerToken = clusterConfig.BearerToken
-	cfg.Insecure = true
+	cfg, err := impl.GetRestConfigByCluster(clusterConfig)
+	if err != nil {
+		impl.logger.Errorw("error in getting rest config for default cluster", "err", err)
+		return nil, err
+	}
 	httpClient, err := OverrideK8sHttpClientWithTracer(cfg)
 	if err != nil {
 		return nil, err
@@ -157,10 +192,11 @@ func (impl K8sUtil) GetK8sClient() (*v12.CoreV1Client, error) {
 }
 
 func (impl K8sUtil) GetK8sDiscoveryClient(clusterConfig *ClusterConfig) (*discovery.DiscoveryClient, error) {
-	cfg := &rest.Config{}
-	cfg.Host = clusterConfig.Host
-	cfg.BearerToken = clusterConfig.BearerToken
-	cfg.Insecure = true
+	cfg, err := impl.GetRestConfigByCluster(clusterConfig)
+	if err != nil {
+		impl.logger.Errorw("error in getting rest config for default cluster", "err", err)
+		return nil, err
+	}
 	httpClient, err := OverrideK8sHttpClientWithTracer(cfg)
 	if err != nil {
 		return nil, err
@@ -504,7 +540,7 @@ func (impl K8sUtil) ListNamespaces(client *v12.CoreV1Client) (*v1.NamespaceList,
 }
 
 func (impl K8sUtil) GetClientByToken(serverUrl string, token map[string]string) (*v12.CoreV1Client, error) {
-	bearerToken := token["bearer_token"]
+	bearerToken := token[BearerToken]
 	clusterCfg := &ClusterConfig{Host: serverUrl, BearerToken: bearerToken}
 	client, err := impl.GetClient(clusterCfg)
 	if err != nil {

@@ -3469,7 +3469,7 @@ func (impl *AppServiceImpl) createHelmAppForCdPipeline(overrideRequest *bean.Val
 		}
 
 		releaseName := pipeline.DeploymentAppName
-		bearerToken := envOverride.Environment.Cluster.Config["bearer_token"]
+		bearerToken := envOverride.Environment.Cluster.Config[BearerToken]
 
 		releaseIdentifier := &client2.ReleaseIdentifier{
 			ReleaseName:      releaseName,