Update gateway usage (#4264)

* Update gateway usage 1. Update NGINX ingress annotations. 2. Remove usage references to APISIX. Signed-off-by: zzjin <[email protected]> * Remove all gzip relative annotations. Moved from ingress gateway annotation to backend server decide. Signed-off-by: zzjin <[email protected]> * Fix main.go conflict. Signed-off-by: zzjin <[email protected]> * Rewrite all rewrite-target annotation Remove static-cdn image. Remove adminer zalando support. Signed-off-by: zzjin <[email protected]> * update ingress,setup higress annotations. Signed-off-by: zzjin <[email protected]> --------- Signed-off-by: zzjin <[email protected]>
labring · Nov 21, 2023 · 9095a2e · 9095a2e
1 parent f9f2d61
commit 9095a2e
Show file tree

Hide file tree

Showing 56 changed files with 119 additions and 1,506 deletions.
diff --git a/controllers/db/adminer/api/v1/adminer_types.go b/controllers/db/adminer/api/v1/adminer_types.go
@@ -23,12 +23,11 @@ import (
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 
-// +kubebuilder:validation:Enum=nginx;apisix
+// +kubebuilder:validation:Enum=nginx
 type IngressType string
 
 const (
-	Nginx  IngressType = "nginx"
-	Apisix IngressType = "apisix"
+	Nginx IngressType = "nginx"
 )
 
 // AdminerSpec defines the desired state of Adminer

diff --git a/controllers/db/adminer/config/crd/bases/adminer.db.sealos.io_adminers.yaml b/controllers/db/adminer/config/crd/bases/adminer.db.sealos.io_adminers.yaml
@@ -69,7 +69,6 @@ spec:
                 default: nginx
                 enum:
                 - nginx
-                - apisix
                 type: string
               keepalived:
                 type: string

diff --git a/controllers/db/adminer/controllers/adminer_controller.go b/controllers/db/adminer/controllers/adminer_controller.go
@@ -21,7 +21,6 @@ import (
 	"os"
 	"time"
 
-	apisix "github.com/apache/apisix-ingress-controller/pkg/kube/apisix/apis/config/v2beta3"
 	"github.com/jaevor/go-nanoid"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -90,12 +89,6 @@ type AdminerReconciler struct {
 //+kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch;create;update;patch;delete
 
-// No needed for now
-//-kubebuilder:rbac:groups=apisix.apache.org,resources=apisixroutes,verbs=get;list;watch;create;update;patch;delete
-//-kubebuilder:rbac:groups=apisix.apache.org,resources=apisixtlses,verbs=get;list;watch;create;update;patch;delete
-//-kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete
-//-kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
-
 //-kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
@@ -424,8 +417,6 @@ func (r *AdminerReconciler) syncIngress(ctx context.Context, adminer *adminerv1.
 	switch adminer.Spec.IngressType {
 	case adminerv1.Nginx:
 		err = r.syncNginxIngress(ctx, adminer, host)
-	case adminerv1.Apisix:
-		err = r.syncApisixIngress(ctx, adminer, host)
 	}
 	return err
 }
@@ -462,66 +453,6 @@ func (r *AdminerReconciler) syncNginxIngress(ctx context.Context, adminer *admin
 	return nil
 }
 
-func (r *AdminerReconciler) syncApisixIngress(ctx context.Context, adminer *adminerv1.Adminer, host string) error {
-	// 1. sync ApisixRoute
-	apisixRoute := &apisix.ApisixRoute{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      adminer.Name,
-			Namespace: adminer.Namespace,
-		},
-	}
-	if _, err := controllerutil.CreateOrUpdate(ctx, r.Client, apisixRoute, func() error {
-		expectRoute := r.createApisixRoute(adminer, host)
-		if len(apisixRoute.Spec.HTTP) == 0 {
-			apisixRoute.Spec.HTTP = expectRoute.Spec.HTTP
-		} else {
-			apisixRoute.Spec.HTTP[0].Name = expectRoute.Spec.HTTP[0].Name
-			apisixRoute.Spec.HTTP[0].Match = expectRoute.Spec.HTTP[0].Match
-			apisixRoute.Spec.HTTP[0].Backends = expectRoute.Spec.HTTP[0].Backends
-			apisixRoute.Spec.HTTP[0].Timeout = expectRoute.Spec.HTTP[0].Timeout
-			apisixRoute.Spec.HTTP[0].Authentication = expectRoute.Spec.HTTP[0].Authentication
-		}
-		return controllerutil.SetControllerReference(adminer, apisixRoute, r.Scheme)
-	}); err != nil {
-		return err
-	}
-
-	// 2. sync ApisixTls
-	if r.tlsEnabled {
-		apisixTLS := &apisix.ApisixTls{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      adminer.Name,
-				Namespace: adminer.Namespace,
-			},
-		}
-		if _, err := controllerutil.CreateOrUpdate(ctx, r.Client, apisixTLS, func() error {
-			expectTLS := r.createApisixTLS(adminer, host)
-			if apisixTLS.Spec != nil {
-				apisixTLS.Spec.Hosts = expectTLS.Spec.Hosts
-				apisixTLS.Spec.Secret = expectTLS.Spec.Secret
-			} else {
-				apisixTLS.Spec = expectTLS.Spec
-			}
-			return controllerutil.SetControllerReference(adminer, apisixTLS, r.Scheme)
-		}); err != nil {
-			return err
-		}
-	}
-
-	protocol := protocolHTTPS
-	if !r.tlsEnabled {
-		protocol = protocolHTTP
-	}
-
-	domain := protocol + host
-	if adminer.Status.Domain != domain {
-		adminer.Status.Domain = domain
-		return r.Status().Update(ctx, adminer)
-	}
-
-	return nil
-}
-
 func (r *AdminerReconciler) fillDefaultValue(ctx context.Context, adminer *adminerv1.Adminer) error {
 	hasUpdate := false
 

diff --git a/controllers/db/adminer/controllers/ingress.go b/controllers/db/adminer/controllers/ingress.go
@@ -19,43 +19,43 @@ package controllers
 import (
 	"fmt"
 	"strings"
-	"time"
 
-	apisix "github.com/apache/apisix-ingress-controller/pkg/kube/apisix/apis/config/v2beta3"
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 
 	adminerv1 "github.com/labring/sealos/controllers/db/adminer/api/v1"
 )
 
-const (
-	AuthType = "basicAuth"
-)
-
 func (r *AdminerReconciler) createNginxIngress(adminer *adminerv1.Adminer, host string) *networkingv1.Ingress {
 	corsFormat := "https://%s,https://*.%s"
 	if !r.tlsEnabled {
 		corsFormat = "http://%s,http://*.%s"
 	}
 	cors := fmt.Sprintf(corsFormat, r.adminerDomain, r.adminerDomain)
 
+	annotations := map[string]string{
+		"kubernetes.io/ingress.class":                        "nginx",
+		"nginx.ingress.kubernetes.io/proxy-send-timeout":     "86400",
+		"nginx.ingress.kubernetes.io/proxy-read-timeout":     "86400",
+		"nginx.ingress.kubernetes.io/proxy-body-size":        "256m",
+		"nginx.ingress.kubernetes.io/proxy-buffer-size":      "64k",
+		"nginx.ingress.kubernetes.io/enable-cors":            "true",
+		"nginx.ingress.kubernetes.io/cors-allow-origin":      cors,
+		"nginx.ingress.kubernetes.io/cors-allow-methods":     "PUT, GET, POST, PATCH, OPTIONS",
+		"nginx.ingress.kubernetes.io/cors-allow-credentials": "false",
+		"nginx.ingress.kubernetes.io/configuration-snippet":  r.getNginxConfigurationSnippet(),
+	}
+
+	// add higress annotations support
+	higressAnno := r.getHigressAnnotations()
+	for k, v := range higressAnno {
+		annotations[k] = v
+	}
+
 	objectMeta := metav1.ObjectMeta{
-		Name:      adminer.Name,
-		Namespace: adminer.Namespace,
-		Annotations: map[string]string{
-			"kubernetes.io/ingress.class":                        "nginx",
-			"nginx.ingress.kubernetes.io/rewrite-target":         "/",
-			"nginx.ingress.kubernetes.io/proxy-send-timeout":     "86400",
-			"nginx.ingress.kubernetes.io/proxy-read-timeout":     "86400",
-			"nginx.ingress.kubernetes.io/proxy-body-size":        "256m",
-			"nginx.ingress.kubernetes.io/proxy-buffer-size":      "64k",
-			"nginx.ingress.kubernetes.io/enable-cors":            "true",
-			"nginx.ingress.kubernetes.io/cors-allow-origin":      cors,
-			"nginx.ingress.kubernetes.io/cors-allow-methods":     "PUT, GET, POST, PATCH, OPTIONS",
-			"nginx.ingress.kubernetes.io/cors-allow-credentials": "false",
-			"nginx.ingress.kubernetes.io/configuration-snippet":  r.getNginxConfigurationSnippet(),
-		},
+		Name:        adminer.Name,
+		Namespace:   adminer.Namespace,
+		Annotations: annotations,
 	}
 
 	pathType := networkingv1.PathTypePrefix
@@ -98,81 +98,26 @@ func (r *AdminerReconciler) createNginxIngress(adminer *adminerv1.Adminer, host
 	return ingress
 }
 
-// TODO: attempt use websocket https://apisix.apache.org/zh/docs/ingress-controller/concepts/apisix_route/#websocket-proxy
-func (r *AdminerReconciler) createApisixRoute(adminer *adminerv1.Adminer, host string) *apisix.ApisixRoute {
-	// config proxy_read_timeout and proxy_send_timeout
-	upstreamTimeout := &apisix.UpstreamTimeout{
-		Read: metav1.Duration{
-			Duration: time.Hour,
-		},
-		Send: metav1.Duration{
-			Duration: time.Hour,
-		},
-	}
+const (
+	clearXFrameHeader = "X-Frame-Options"
+	defaultCSPHeader  = "Content-Security-Policy"
+	defaultCSPValue   = "default-src * blob: data: *.cloud.sealos.io cloud.sealos.io; img-src * data: blob: resource: *.cloud.sealos.io cloud.sealos.io; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.cloud.sealos.io cloud.sealos.io resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.cloud.sealos.io cloud.sealos.io resource: *.baidu.com *.bdstatic.com; frame-src 'self' cloud.sealos.io *.cloud.sealos.io mailto: tel: weixin: mtt: *.baidu.com; frame-ancestors 'self' https://cloud.sealos.io https://*.cloud.sealos.io"
+	defaultXSSHeader  = "X-Xss-Protection"
+	defaultXSSValue   = "1; mode=block"
 
-	// ApisixRoute
-	apisixRoute := &apisix.ApisixRoute{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      adminer.Name,
-			Namespace: adminer.Namespace,
-		},
-		Spec: apisix.ApisixRouteSpec{
-			HTTP: []apisix.ApisixRouteHTTP{
-				{
-					Name: adminer.Name,
-					Match: apisix.ApisixRouteHTTPMatch{
-						Hosts: []string{host},
-						Paths: []string{"/*"},
-					},
-					Backends: []apisix.ApisixRouteHTTPBackend{
-						{
-							ServiceName: adminer.Name,
-							ServicePort: intstr.FromInt(8080),
-						},
-					},
-					Timeout: upstreamTimeout,
-					Authentication: apisix.ApisixRouteAuthentication{
-						Enable: false,
-						Type:   AuthType,
-					},
-				},
-			},
-		},
-	}
-	return apisixRoute
-}
+	defaultConfigDomain = "cloud.sealos.io"
+)
 
-func (r *AdminerReconciler) createApisixTLS(adminer *adminerv1.Adminer, host string) *apisix.ApisixTls {
-	apisixTLS := &apisix.ApisixTls{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      adminer.Name,
-			Namespace: adminer.Namespace,
-		},
-		Spec: &apisix.ApisixTlsSpec{
-			Hosts: []apisix.HostType{
-				apisix.HostType(host),
-			},
-			Secret: apisix.ApisixSecret{
-				Name:      r.secretName,
-				Namespace: r.secretNamespace,
-			},
-		},
+var (
+	defaultNginxConfigurationSnippet = fmt.Sprintf(`
+more_clear_headers "%s:";
+more_set_headers "%s: %s";
+more_set_headers "%s: %s";
+`, clearXFrameHeader, defaultCSPHeader, defaultCSPValue, defaultXSSHeader, defaultXSSValue)
+	defaultHigressAnnotations = map[string]string{
+		"higress.io/response-header-control-remove": clearXFrameHeader,
+		"higress.io/response-header-control-update": fmt.Sprintf(`%s "%s"\n%s "%s"`, defaultCSPHeader, defaultCSPValue, defaultXSSHeader, defaultXSSValue),
 	}
-
-	return apisixTLS
-}
-
-const (
-	defaultNginxConfigurationSnippet = `
-more_clear_headers "X-Frame-Options:";
-more_set_headers "Content-Security-Policy: default-src * blob: data: *.cloud.sealos.io cloud.sealos.io; img-src * data: blob: resource: *.cloud.sealos.io cloud.sealos.io; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.cloud.sealos.io cloud.sealos.io resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.cloud.sealos.io cloud.sealos.io resource: *.baidu.com *.bdstatic.com; frame-src 'self' cloud.sealos.io *.cloud.sealos.io mailto: tel: weixin: mtt: *.baidu.com; frame-ancestors 'self' https://cloud.sealos.io https://*.cloud.sealos.io";
-more_set_headers "X-Xss-Protection: 1; mode=block";
-
-if ($request_uri ~* \.(js|css|gif|jpe?g|png)) {
-expires 30d;
-add_header Cache-Control "public";
-}`
-	defaultConfigDomain = "cloud.sealos.io"
 )
 
 func (r *AdminerReconciler) getNginxConfigurationSnippet() string {
@@ -182,3 +127,16 @@ func (r *AdminerReconciler) getNginxConfigurationSnippet() string {
 
 	return defaultNginxConfigurationSnippet
 }
+
+func (r *AdminerReconciler) getHigressAnnotations() map[string]string {
+	if defaultConfigDomain != r.adminerDomain {
+		ret := map[string]string{}
+		for k, v := range defaultHigressAnnotations {
+			ret[k] = strings.ReplaceAll(v, defaultConfigDomain, r.adminerDomain)
+		}
+
+		return ret
+	}
+
+	return defaultHigressAnnotations
+}
diff --git a/controllers/db/adminer/deploy/manifests/deploy.yaml.tmpl b/controllers/db/adminer/deploy/manifests/deploy.yaml.tmpl
@@ -61,7 +61,6 @@ spec:
                 default: nginx
                 enum:
                 - nginx
-                - apisix
                 type: string
               keepalived:
                 type: string

diff --git a/controllers/db/adminer/go.mod b/controllers/db/adminer/go.mod
@@ -3,7 +3,6 @@ module github.com/labring/sealos/controllers/db/adminer
 go 1.20
 
 require (
-	github.com/apache/apisix-ingress-controller v1.4.1
 	github.com/jaevor/go-nanoid v1.3.0
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.27.6