2024-07-10 06:08:13 +08:00
|
|
|
|
package resource
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2025-04-17 18:58:58 +08:00
|
|
|
|
"context"
|
2024-07-10 06:08:13 +08:00
|
|
|
|
"encoding/json"
|
|
|
|
|
|
"fmt"
|
2025-08-21 01:54:31 +08:00
|
|
|
|
"iter"
|
2024-07-10 06:08:13 +08:00
|
|
|
|
"log/slog"
|
2024-07-16 22:43:15 +08:00
|
|
|
|
"net/http"
|
2024-07-10 06:08:13 +08:00
|
|
|
|
"sync"
|
2024-10-07 16:01:53 +08:00
|
|
|
|
"sync/atomic"
|
2024-07-10 06:08:13 +08:00
|
|
|
|
"time"
|
|
|
|
|
|
|
2025-10-01 17:52:09 +08:00
|
|
|
|
"github.com/Masterminds/semver"
|
2025-05-21 15:49:49 +08:00
|
|
|
|
"github.com/google/uuid"
|
2024-10-17 18:18:29 +08:00
|
|
|
|
"github.com/prometheus/client_golang/prometheus"
|
2024-07-10 06:08:13 +08:00
|
|
|
|
"go.opentelemetry.io/otel/trace"
|
|
|
|
|
|
"go.opentelemetry.io/otel/trace/noop"
|
|
|
|
|
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
|
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2024-07-17 22:40:03 +08:00
|
|
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
2024-11-09 13:09:46 +08:00
|
|
|
|
|
2025-01-21 17:06:55 +08:00
|
|
|
|
claims "github.com/grafana/authlib/types"
|
2025-07-01 17:22:55 +08:00
|
|
|
|
"github.com/grafana/dskit/backoff"
|
2025-10-06 16:02:03 +08:00
|
|
|
|
|
2024-11-09 13:09:46 +08:00
|
|
|
|
"github.com/grafana/grafana/pkg/apimachinery/utils"
|
2025-09-30 20:59:33 +08:00
|
|
|
|
"github.com/grafana/grafana/pkg/apimachinery/validation"
|
2025-08-11 20:22:56 +08:00
|
|
|
|
secrets "github.com/grafana/grafana/pkg/registry/apis/secret/contracts"
|
2025-05-16 03:36:52 +08:00
|
|
|
|
"github.com/grafana/grafana/pkg/storage/unified/resourcepb"
|
2025-07-01 17:22:55 +08:00
|
|
|
|
"github.com/grafana/grafana/pkg/util/scheduler"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
2024-07-30 18:16:16 +08:00
|
|
|
|
// ResourceServer implements all gRPC services
|
2024-07-10 06:08:13 +08:00
|
|
|
|
type ResourceServer interface {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
resourcepb.ResourceStoreServer
|
|
|
|
|
|
resourcepb.BulkStoreServer
|
|
|
|
|
|
resourcepb.ResourceIndexServer
|
|
|
|
|
|
resourcepb.ManagedObjectIndexServer
|
|
|
|
|
|
resourcepb.BlobStoreServer
|
|
|
|
|
|
resourcepb.DiagnosticsServer
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-31 17:05:59 +08:00
|
|
|
|
type ListIterator interface {
|
2025-04-11 22:25:40 +08:00
|
|
|
|
// Next advances iterator and returns true if there is next value is available from the iterator.
|
|
|
|
|
|
// Error() should be checked after every call of Next(), even when Next() returns true.
|
2024-07-31 17:05:59 +08:00
|
|
|
|
Next() bool // sql.Rows
|
|
|
|
|
|
|
2025-04-11 22:25:40 +08:00
|
|
|
|
// Error returns iterator error, if any. This should be checked after any Next() call.
|
|
|
|
|
|
// (Some iterator implementations return true from Next, but also set the error at the same time).
|
2024-07-31 17:05:59 +08:00
|
|
|
|
Error() error
|
|
|
|
|
|
|
2025-04-11 22:25:40 +08:00
|
|
|
|
// ContinueToken returns the token that can be used to start iterating *after* this item
|
2024-07-31 17:05:59 +08:00
|
|
|
|
ContinueToken() string
|
|
|
|
|
|
|
|
|
|
|
|
// ResourceVersion of the current item
|
|
|
|
|
|
ResourceVersion() int64
|
|
|
|
|
|
|
|
|
|
|
|
// Namespace of the current item
|
|
|
|
|
|
// Used for fast(er) authz filtering
|
|
|
|
|
|
Namespace() string
|
|
|
|
|
|
|
|
|
|
|
|
// Name of the current item
|
|
|
|
|
|
// Used for fast(er) authz filtering
|
|
|
|
|
|
Name() string
|
|
|
|
|
|
|
2024-11-12 19:52:04 +08:00
|
|
|
|
// Folder of the current item
|
|
|
|
|
|
// Used for fast(er) authz filtering
|
|
|
|
|
|
Folder() string
|
|
|
|
|
|
|
2024-07-31 17:05:59 +08:00
|
|
|
|
// Value for the current item
|
|
|
|
|
|
Value() []byte
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-11-12 19:52:04 +08:00
|
|
|
|
type BackendReadResponse struct {
|
|
|
|
|
|
// Metadata
|
2025-05-16 03:36:52 +08:00
|
|
|
|
Key *resourcepb.ResourceKey
|
2024-11-12 19:52:04 +08:00
|
|
|
|
Folder string
|
|
|
|
|
|
|
2025-04-17 18:58:58 +08:00
|
|
|
|
// GUID that is used internally
|
|
|
|
|
|
GUID string
|
2024-11-12 19:52:04 +08:00
|
|
|
|
// The new resource version
|
|
|
|
|
|
ResourceVersion int64
|
|
|
|
|
|
// The properties
|
|
|
|
|
|
Value []byte
|
|
|
|
|
|
// Error details
|
2025-05-16 03:36:52 +08:00
|
|
|
|
Error *resourcepb.ErrorResult
|
2024-11-12 19:52:04 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
// The StorageBackend is an internal abstraction that supports interacting with
|
|
|
|
|
|
// the underlying raw storage medium. This interface is never exposed directly,
|
|
|
|
|
|
// it is provided by concrete instances that actually write values.
|
|
|
|
|
|
type StorageBackend interface {
|
|
|
|
|
|
// Write a Create/Update/Delete,
|
|
|
|
|
|
// NOTE: the contents of WriteEvent have been validated
|
|
|
|
|
|
// Return the revisionVersion for this event or error
|
|
|
|
|
|
WriteEvent(context.Context, WriteEvent) (int64, error)
|
|
|
|
|
|
|
2024-07-30 18:16:16 +08:00
|
|
|
|
// Read a resource from storage optionally at an explicit version
|
2025-05-16 03:36:52 +08:00
|
|
|
|
ReadResource(context.Context, *resourcepb.ReadRequest) *BackendReadResponse
|
2024-07-10 06:08:13 +08:00
|
|
|
|
|
2024-07-31 17:05:59 +08:00
|
|
|
|
// When the ResourceServer executes a List request, this iterator will
|
2024-07-10 06:08:13 +08:00
|
|
|
|
// query the backend for potential results. All results will be
|
|
|
|
|
|
// checked against the kubernetes requirements before finally returning
|
|
|
|
|
|
// results. The list options can be used to improve performance
|
|
|
|
|
|
// but are the the final answer.
|
2025-05-16 03:36:52 +08:00
|
|
|
|
ListIterator(context.Context, *resourcepb.ListRequest, func(ListIterator) error) (int64, error)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
|
2025-05-23 21:00:18 +08:00
|
|
|
|
// ListHistory is like ListIterator, but it returns the history of a resource
|
|
|
|
|
|
ListHistory(context.Context, *resourcepb.ListRequest, func(ListIterator) error) (int64, error)
|
|
|
|
|
|
|
2025-08-21 01:54:31 +08:00
|
|
|
|
// ListModifiedSince will return all resources that have changed since the given resource version.
|
|
|
|
|
|
// If a resource has changes, only the latest change will be returned.
|
|
|
|
|
|
ListModifiedSince(ctx context.Context, key NamespacedResource, sinceRv int64) (int64, iter.Seq2[*ModifiedResource, error])
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
// Get all events from the store
|
|
|
|
|
|
// For HA setups, this will be more events than the local WriteEvent above!
|
|
|
|
|
|
WatchWriteEvents(ctx context.Context) (<-chan *WrittenEvent, error)
|
2024-11-07 02:58:07 +08:00
|
|
|
|
|
2024-12-05 18:58:13 +08:00
|
|
|
|
// Get resource stats within the storage backend. When namespace is empty, it will apply to all
|
|
|
|
|
|
GetResourceStats(ctx context.Context, namespace string, minCount int) ([]ResourceStats, error)
|
2024-12-04 01:20:27 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-08-21 01:54:31 +08:00
|
|
|
|
type ModifiedResource struct {
|
|
|
|
|
|
Action resourcepb.WatchEvent_Type
|
|
|
|
|
|
Key resourcepb.ResourceKey
|
|
|
|
|
|
Value []byte
|
|
|
|
|
|
ResourceVersion int64
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-12-04 01:20:27 +08:00
|
|
|
|
type ResourceStats struct {
|
|
|
|
|
|
NamespacedResource
|
|
|
|
|
|
|
|
|
|
|
|
Count int64
|
|
|
|
|
|
ResourceVersion int64
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-10-17 18:18:29 +08:00
|
|
|
|
// This interface is not exposed to end users directly
|
|
|
|
|
|
// Access to this interface is already gated by access control
|
|
|
|
|
|
type BlobSupport interface {
|
|
|
|
|
|
// Indicates if storage layer supports signed urls
|
|
|
|
|
|
SupportsSignedURLs() bool
|
|
|
|
|
|
|
|
|
|
|
|
// Get the raw blob bytes and metadata -- limited to protobuf message size
|
|
|
|
|
|
// For larger payloads, we should use presigned URLs to upload from the client
|
2025-05-16 03:36:52 +08:00
|
|
|
|
PutResourceBlob(context.Context, *resourcepb.PutBlobRequest) (*resourcepb.PutBlobResponse, error)
|
2024-10-17 18:18:29 +08:00
|
|
|
|
|
|
|
|
|
|
// Get blob contents. When possible, this will return a signed URL
|
|
|
|
|
|
// For large payloads, signed URLs are required to avoid protobuf message size limits
|
2025-05-16 03:36:52 +08:00
|
|
|
|
GetResourceBlob(ctx context.Context, resource *resourcepb.ResourceKey, info *utils.BlobInfo, mustProxy bool) (*resourcepb.GetBlobResponse, error)
|
2024-10-17 18:18:29 +08:00
|
|
|
|
|
|
|
|
|
|
// TODO? List+Delete? This is for admin access
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-07-01 17:22:55 +08:00
|
|
|
|
type QOSEnqueuer interface {
|
2025-07-03 18:02:05 +08:00
|
|
|
|
Enqueue(ctx context.Context, tenantID string, runnable func()) error
|
2025-07-01 17:22:55 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-08-27 00:40:22 +08:00
|
|
|
|
type QueueConfig struct {
|
|
|
|
|
|
MaxBackoff time.Duration
|
|
|
|
|
|
MinBackoff time.Duration
|
|
|
|
|
|
MaxRetries int
|
|
|
|
|
|
Timeout time.Duration
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-10-17 18:18:29 +08:00
|
|
|
|
type BlobConfig struct {
|
|
|
|
|
|
// The CDK configuration URL
|
|
|
|
|
|
URL string
|
|
|
|
|
|
|
|
|
|
|
|
// Directly implemented blob support
|
|
|
|
|
|
Backend BlobSupport
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-11-21 13:53:25 +08:00
|
|
|
|
// Passed as input to the constructor
|
|
|
|
|
|
type SearchOptions struct {
|
|
|
|
|
|
// The raw index backend (eg, bleve, frames, parquet, etc)
|
|
|
|
|
|
Backend SearchBackend
|
|
|
|
|
|
|
|
|
|
|
|
// The supported resource types
|
|
|
|
|
|
Resources DocumentBuilderSupplier
|
|
|
|
|
|
|
|
|
|
|
|
// How many threads should build indexes
|
2025-10-01 17:52:09 +08:00
|
|
|
|
InitWorkerThreads int
|
2024-12-04 01:20:27 +08:00
|
|
|
|
|
|
|
|
|
|
// Skip building index on startup for small indexes
|
|
|
|
|
|
InitMinCount int
|
2025-05-09 21:36:21 +08:00
|
|
|
|
|
2025-10-01 17:52:09 +08:00
|
|
|
|
// How often to rebuild dashboard index. 0 disables periodic rebuilds.
|
|
|
|
|
|
DashboardIndexMaxAge time.Duration
|
2025-07-24 03:59:24 +08:00
|
|
|
|
|
2025-10-01 17:52:09 +08:00
|
|
|
|
// Maximum age of file-based index that can be reused. Ignored if zero.
|
|
|
|
|
|
MaxIndexAge time.Duration
|
|
|
|
|
|
|
|
|
|
|
|
// Minimum build version for reusing file-based indexes. Ignored if nil.
|
|
|
|
|
|
MinBuildVersion *semver.Version
|
|
|
|
|
|
|
|
|
|
|
|
// Number of workers to use for index rebuilds.
|
|
|
|
|
|
IndexRebuildWorkers int
|
2025-10-06 16:02:03 +08:00
|
|
|
|
|
|
|
|
|
|
// Minimum time between index updates. This is also used as a delay after a successful write operation, to guarantee
|
|
|
|
|
|
// that subsequent search will observe the effect of the writing.
|
|
|
|
|
|
IndexMinUpdateInterval time.Duration
|
2024-11-21 13:53:25 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
type ResourceServerOptions struct {
|
|
|
|
|
|
// OTel tracer
|
|
|
|
|
|
Tracer trace.Tracer
|
|
|
|
|
|
|
|
|
|
|
|
// Real storage backend
|
|
|
|
|
|
Backend StorageBackend
|
|
|
|
|
|
|
2024-10-17 18:18:29 +08:00
|
|
|
|
// The blob configuration
|
|
|
|
|
|
Blob BlobConfig
|
|
|
|
|
|
|
2024-11-21 13:53:25 +08:00
|
|
|
|
// Search options
|
|
|
|
|
|
Search SearchOptions
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
// Diagnostics
|
2025-05-16 03:36:52 +08:00
|
|
|
|
Diagnostics resourcepb.DiagnosticsServer
|
2024-07-10 06:08:13 +08:00
|
|
|
|
|
|
|
|
|
|
// Check if a user has access to write folders
|
|
|
|
|
|
// When this is nil, no resources can have folders configured
|
2024-11-13 20:17:15 +08:00
|
|
|
|
WriteHooks WriteAccessHooks
|
|
|
|
|
|
|
|
|
|
|
|
// Link RBAC
|
2025-01-21 17:06:55 +08:00
|
|
|
|
AccessClient claims.AccessClient
|
2024-07-10 06:08:13 +08:00
|
|
|
|
|
2025-08-11 20:22:56 +08:00
|
|
|
|
// Manage secure values
|
|
|
|
|
|
SecureValues secrets.InlineSecureValueSupport
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
// Callbacks for startup and shutdown
|
|
|
|
|
|
Lifecycle LifecycleHooks
|
|
|
|
|
|
|
|
|
|
|
|
// Get the current time in unix millis
|
|
|
|
|
|
Now func() int64
|
2024-10-17 18:18:29 +08:00
|
|
|
|
|
|
|
|
|
|
// Registerer to register prometheus Metrics for the Resource server
|
|
|
|
|
|
Reg prometheus.Registerer
|
2025-02-28 20:39:39 +08:00
|
|
|
|
|
|
|
|
|
|
storageMetrics *StorageMetrics
|
2025-03-13 22:09:38 +08:00
|
|
|
|
|
|
|
|
|
|
IndexMetrics *BleveIndexMetrics
|
2025-06-13 21:59:46 +08:00
|
|
|
|
|
2025-07-01 17:22:55 +08:00
|
|
|
|
// MaxPageSizeBytes is the maximum size of a page in bytes.
|
2025-06-13 21:59:46 +08:00
|
|
|
|
MaxPageSizeBytes int
|
2025-07-01 17:22:55 +08:00
|
|
|
|
|
|
|
|
|
|
// QOSQueue is the quality of service queue used to enqueue
|
2025-08-27 00:40:22 +08:00
|
|
|
|
QOSQueue QOSEnqueuer
|
|
|
|
|
|
QOSConfig QueueConfig
|
2025-07-24 03:59:24 +08:00
|
|
|
|
|
2025-09-24 22:54:35 +08:00
|
|
|
|
OwnsIndexFn func(key NamespacedResource) (bool, error)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-08-14 20:31:24 +08:00
|
|
|
|
func NewResourceServer(opts ResourceServerOptions) (*server, error) {
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if opts.Tracer == nil {
|
|
|
|
|
|
opts.Tracer = noop.NewTracerProvider().Tracer("resource-server")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if opts.Backend == nil {
|
|
|
|
|
|
return nil, fmt.Errorf("missing Backend implementation")
|
|
|
|
|
|
}
|
2024-10-01 03:46:14 +08:00
|
|
|
|
|
2024-11-13 20:17:15 +08:00
|
|
|
|
if opts.AccessClient == nil {
|
2025-01-21 17:06:55 +08:00
|
|
|
|
opts.AccessClient = claims.FixedAccessClient(true) // everything OK
|
2024-11-13 20:17:15 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if opts.Diagnostics == nil {
|
|
|
|
|
|
opts.Diagnostics = &noopService{}
|
|
|
|
|
|
}
|
2025-07-01 17:22:55 +08:00
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if opts.Now == nil {
|
|
|
|
|
|
opts.Now = func() int64 {
|
|
|
|
|
|
return time.Now().UnixMilli()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-06-13 21:59:46 +08:00
|
|
|
|
if opts.MaxPageSizeBytes <= 0 {
|
|
|
|
|
|
// By default, we use 2MB for the page size.
|
|
|
|
|
|
opts.MaxPageSizeBytes = 1024 * 1024 * 2
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-07-01 17:22:55 +08:00
|
|
|
|
if opts.QOSQueue == nil {
|
|
|
|
|
|
opts.QOSQueue = scheduler.NewNoopQueue()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-08-27 00:40:22 +08:00
|
|
|
|
if opts.QOSConfig.Timeout == 0 {
|
|
|
|
|
|
opts.QOSConfig.Timeout = 30 * time.Second
|
|
|
|
|
|
}
|
|
|
|
|
|
if opts.QOSConfig.MaxBackoff == 0 {
|
|
|
|
|
|
opts.QOSConfig.MaxBackoff = 1 * time.Second
|
|
|
|
|
|
}
|
|
|
|
|
|
if opts.QOSConfig.MinBackoff == 0 {
|
|
|
|
|
|
opts.QOSConfig.MinBackoff = 100 * time.Millisecond
|
|
|
|
|
|
}
|
|
|
|
|
|
if opts.QOSConfig.MaxRetries == 0 {
|
|
|
|
|
|
opts.QOSConfig.MaxRetries = 3
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-10-17 18:18:29 +08:00
|
|
|
|
// Initialize the blob storage
|
|
|
|
|
|
blobstore := opts.Blob.Backend
|
2025-01-09 04:08:10 +08:00
|
|
|
|
if blobstore == nil {
|
|
|
|
|
|
if opts.Blob.URL != "" {
|
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
|
bucket, err := OpenBlobBucket(ctx, opts.Blob.URL)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
blobstore, err = NewCDKBlobSupport(ctx, CDKBlobSupportOptions{
|
|
|
|
|
|
Tracer: opts.Tracer,
|
|
|
|
|
|
Bucket: NewInstrumentedBucket(bucket, opts.Reg, opts.Tracer),
|
|
|
|
|
|
})
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
|
|
|
|
// Check if the backend supports blob storage
|
|
|
|
|
|
blobstore, _ = opts.Backend.(BlobSupport)
|
2024-10-17 18:18:29 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-10-22 07:15:11 +08:00
|
|
|
|
logger := slog.Default().With("logger", "resource-server")
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
// Make this cancelable
|
2025-01-24 21:03:23 +08:00
|
|
|
|
ctx, cancel := context.WithCancel(context.Background())
|
2024-11-07 02:58:07 +08:00
|
|
|
|
s := &server{
|
2025-06-13 21:59:46 +08:00
|
|
|
|
tracer: opts.Tracer,
|
|
|
|
|
|
log: logger,
|
|
|
|
|
|
backend: opts.Backend,
|
|
|
|
|
|
blob: blobstore,
|
|
|
|
|
|
diagnostics: opts.Diagnostics,
|
|
|
|
|
|
access: opts.AccessClient,
|
2025-08-11 20:22:56 +08:00
|
|
|
|
secure: opts.SecureValues,
|
2025-06-13 21:59:46 +08:00
|
|
|
|
writeHooks: opts.WriteHooks,
|
|
|
|
|
|
lifecycle: opts.Lifecycle,
|
|
|
|
|
|
now: opts.Now,
|
|
|
|
|
|
ctx: ctx,
|
|
|
|
|
|
cancel: cancel,
|
|
|
|
|
|
storageMetrics: opts.storageMetrics,
|
|
|
|
|
|
indexMetrics: opts.IndexMetrics,
|
|
|
|
|
|
maxPageSizeBytes: opts.MaxPageSizeBytes,
|
2025-07-01 17:22:55 +08:00
|
|
|
|
reg: opts.Reg,
|
|
|
|
|
|
queue: opts.QOSQueue,
|
2025-08-27 00:40:22 +08:00
|
|
|
|
queueConfig: opts.QOSConfig,
|
2025-10-06 16:02:03 +08:00
|
|
|
|
|
|
|
|
|
|
artificialSuccessfulWriteDelay: opts.Search.IndexMinUpdateInterval,
|
2024-11-07 02:58:07 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-11-21 13:53:25 +08:00
|
|
|
|
if opts.Search.Resources != nil {
|
|
|
|
|
|
var err error
|
2025-09-24 22:54:35 +08:00
|
|
|
|
s.search, err = newSearchSupport(opts.Search, s.backend, s.access, s.blob, opts.Tracer, opts.IndexMetrics, opts.OwnsIndexFn)
|
2024-11-21 13:53:25 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-12-10 12:32:19 +08:00
|
|
|
|
err := s.Init(ctx)
|
|
|
|
|
|
if err != nil {
|
2025-02-12 01:57:46 +08:00
|
|
|
|
s.log.Error("resource server init failed", "error", err)
|
2024-12-10 12:32:19 +08:00
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-11-07 02:58:07 +08:00
|
|
|
|
return s, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var _ ResourceServer = &server{}
|
|
|
|
|
|
|
|
|
|
|
|
type server struct {
|
2025-02-28 20:39:39 +08:00
|
|
|
|
tracer trace.Tracer
|
|
|
|
|
|
log *slog.Logger
|
|
|
|
|
|
backend StorageBackend
|
|
|
|
|
|
blob BlobSupport
|
2025-08-11 20:22:56 +08:00
|
|
|
|
secure secrets.InlineSecureValueSupport
|
2025-02-28 20:39:39 +08:00
|
|
|
|
search *searchSupport
|
2025-05-16 03:36:52 +08:00
|
|
|
|
diagnostics resourcepb.DiagnosticsServer
|
2025-02-28 20:39:39 +08:00
|
|
|
|
access claims.AccessClient
|
|
|
|
|
|
writeHooks WriteAccessHooks
|
|
|
|
|
|
lifecycle LifecycleHooks
|
|
|
|
|
|
now func() int64
|
|
|
|
|
|
mostRecentRV atomic.Int64 // The most recent resource version seen by the server
|
|
|
|
|
|
storageMetrics *StorageMetrics
|
2025-03-13 22:09:38 +08:00
|
|
|
|
indexMetrics *BleveIndexMetrics
|
2024-07-10 06:08:13 +08:00
|
|
|
|
|
|
|
|
|
|
// Background watch task -- this has permissions for everything
|
|
|
|
|
|
ctx context.Context
|
|
|
|
|
|
cancel context.CancelFunc
|
|
|
|
|
|
broadcaster Broadcaster[*WrittenEvent]
|
|
|
|
|
|
|
|
|
|
|
|
// init checking
|
|
|
|
|
|
once sync.Once
|
|
|
|
|
|
initErr error
|
2025-06-13 21:59:46 +08:00
|
|
|
|
|
|
|
|
|
|
maxPageSizeBytes int
|
2025-07-01 17:22:55 +08:00
|
|
|
|
reg prometheus.Registerer
|
|
|
|
|
|
queue QOSEnqueuer
|
2025-08-27 00:40:22 +08:00
|
|
|
|
queueConfig QueueConfig
|
2025-10-06 16:02:03 +08:00
|
|
|
|
|
|
|
|
|
|
// This value is used by storage server to artificially delay returning response after successful
|
|
|
|
|
|
// write operations to make sure that subsequent search by the same client will return up-to-date results.
|
|
|
|
|
|
// Set from SearchOptions.IndexMinUpdateInterval.
|
|
|
|
|
|
artificialSuccessfulWriteDelay time.Duration
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Init implements ResourceServer.
|
2024-07-23 01:08:30 +08:00
|
|
|
|
func (s *server) Init(ctx context.Context) error {
|
2024-07-10 06:08:13 +08:00
|
|
|
|
s.once.Do(func() {
|
|
|
|
|
|
// Call lifecycle hooks
|
|
|
|
|
|
if s.lifecycle != nil {
|
2024-07-23 01:08:30 +08:00
|
|
|
|
err := s.lifecycle.Init(ctx)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
s.initErr = fmt.Errorf("initialize Resource Server: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-11-21 13:53:25 +08:00
|
|
|
|
// initialize the search index
|
|
|
|
|
|
if s.initErr == nil && s.search != nil {
|
|
|
|
|
|
s.initErr = s.search.init(ctx)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-12-10 12:32:19 +08:00
|
|
|
|
// Start watching for changes
|
|
|
|
|
|
if s.initErr == nil {
|
|
|
|
|
|
s.initErr = s.initWatcher()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if s.initErr != nil {
|
2025-02-12 01:57:46 +08:00
|
|
|
|
s.log.Error("error running resource server init", "error", s.initErr)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
})
|
|
|
|
|
|
return s.initErr
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-23 01:08:30 +08:00
|
|
|
|
func (s *server) Stop(ctx context.Context) error {
|
2024-07-10 06:08:13 +08:00
|
|
|
|
s.initErr = fmt.Errorf("service is stopping")
|
|
|
|
|
|
|
2024-07-23 01:08:30 +08:00
|
|
|
|
var stopFailed bool
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if s.lifecycle != nil {
|
2024-07-23 01:08:30 +08:00
|
|
|
|
err := s.lifecycle.Stop(ctx)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
stopFailed = true
|
|
|
|
|
|
s.initErr = fmt.Errorf("service stopeed with error: %w", err)
|
|
|
|
|
|
}
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-01 17:52:09 +08:00
|
|
|
|
if s.search != nil {
|
|
|
|
|
|
s.search.stop()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
// Stops the streaming
|
|
|
|
|
|
s.cancel()
|
|
|
|
|
|
|
|
|
|
|
|
// mark the value as done
|
2024-07-23 01:08:30 +08:00
|
|
|
|
if stopFailed {
|
|
|
|
|
|
return s.initErr
|
|
|
|
|
|
}
|
2024-07-10 06:08:13 +08:00
|
|
|
|
s.initErr = fmt.Errorf("service is stopped")
|
2024-07-23 01:08:30 +08:00
|
|
|
|
|
|
|
|
|
|
return nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Old value indicates an update -- otherwise a create
|
2025-07-12 00:47:54 +08:00
|
|
|
|
//
|
|
|
|
|
|
//nolint:gocyclo
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) newEvent(ctx context.Context, user claims.AuthInfo, key *resourcepb.ResourceKey, value, oldValue []byte) (*WriteEvent, *resourcepb.ErrorResult) {
|
2024-07-17 22:40:03 +08:00
|
|
|
|
tmp := &unstructured.Unstructured{}
|
2024-08-02 15:27:10 +08:00
|
|
|
|
err := tmp.UnmarshalJSON(value)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if err != nil {
|
2024-08-02 15:27:10 +08:00
|
|
|
|
return nil, AsErrorResult(err)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
2024-07-17 22:40:03 +08:00
|
|
|
|
obj, err := utils.MetaAccessor(tmp)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if err != nil {
|
2024-08-02 15:27:10 +08:00
|
|
|
|
return nil, AsErrorResult(err)
|
2024-07-17 22:40:03 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-10-23 16:29:41 +08:00
|
|
|
|
if obj.GetUID() == "" {
|
2024-11-13 00:58:32 +08:00
|
|
|
|
// TODO! once https://github.com/grafana/grafana/pull/96086 is deployed everywhere
|
|
|
|
|
|
// return nil, NewBadRequestError("object is missing UID")
|
2024-10-23 16:29:41 +08:00
|
|
|
|
s.log.Error("object is missing UID", "key", key)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if obj.GetResourceVersion() != "" {
|
|
|
|
|
|
s.log.Error("object must not include a resource version", "key", key)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-01-17 20:54:25 +08:00
|
|
|
|
// Make sure the command labels are not saved
|
|
|
|
|
|
for k := range obj.GetLabels() {
|
2025-03-27 04:50:53 +08:00
|
|
|
|
if k == utils.LabelKeyGetHistory || k == utils.LabelKeyGetTrash || k == utils.LabelGetFullpath {
|
2025-01-17 20:54:25 +08:00
|
|
|
|
return nil, NewBadRequestError("can not save label: " + k)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-04-09 19:05:37 +08:00
|
|
|
|
if obj.GetAnnotation(utils.AnnoKeyGrantPermissions) != "" {
|
|
|
|
|
|
return nil, NewBadRequestError("can not save annotation: " + utils.AnnoKeyGrantPermissions)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-17 22:40:03 +08:00
|
|
|
|
event := &WriteEvent{
|
|
|
|
|
|
Value: value,
|
|
|
|
|
|
Key: key,
|
|
|
|
|
|
Object: obj,
|
2025-05-21 15:49:49 +08:00
|
|
|
|
GUID: uuid.New().String(),
|
2024-07-17 22:40:03 +08:00
|
|
|
|
}
|
2025-04-14 22:57:40 +08:00
|
|
|
|
|
2024-07-17 22:40:03 +08:00
|
|
|
|
if oldValue == nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
event.Type = resourcepb.WatchEvent_ADDED
|
2024-07-17 22:40:03 +08:00
|
|
|
|
} else {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
event.Type = resourcepb.WatchEvent_MODIFIED
|
2024-07-17 22:40:03 +08:00
|
|
|
|
|
|
|
|
|
|
temp := &unstructured.Unstructured{}
|
|
|
|
|
|
err = temp.UnmarshalJSON(oldValue)
|
|
|
|
|
|
if err != nil {
|
2024-08-02 15:27:10 +08:00
|
|
|
|
return nil, AsErrorResult(err)
|
2024-07-17 22:40:03 +08:00
|
|
|
|
}
|
|
|
|
|
|
event.ObjectOld, err = utils.MetaAccessor(temp)
|
|
|
|
|
|
if err != nil {
|
2024-08-02 15:27:10 +08:00
|
|
|
|
return nil, AsErrorResult(err)
|
2024-07-17 22:40:03 +08:00
|
|
|
|
}
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-08-11 20:22:56 +08:00
|
|
|
|
// Verify that this resource can reference secure values
|
2025-08-14 20:31:24 +08:00
|
|
|
|
if err := canReferenceSecureValues(ctx, obj, event.ObjectOld, s.secure); err != nil {
|
|
|
|
|
|
return nil, err
|
2025-08-11 20:22:56 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if key.Namespace != obj.GetNamespace() {
|
2024-08-02 15:27:10 +08:00
|
|
|
|
return nil, NewBadRequestError("key/namespace do not match")
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
gvk := obj.GetGroupVersionKind()
|
|
|
|
|
|
if gvk.Kind == "" {
|
2024-08-02 15:27:10 +08:00
|
|
|
|
return nil, NewBadRequestError("expecting resources with a kind in the body")
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
if gvk.Version == "" {
|
2024-08-02 15:27:10 +08:00
|
|
|
|
return nil, NewBadRequestError("expecting resources with an apiVersion")
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
if gvk.Group != "" && gvk.Group != key.Group {
|
2024-08-02 15:27:10 +08:00
|
|
|
|
return nil, NewBadRequestError(
|
2024-07-10 06:08:13 +08:00
|
|
|
|
fmt.Sprintf("group in key does not match group in the body (%s != %s)", key.Group, gvk.Group),
|
|
|
|
|
|
)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// This needs to be a create function
|
|
|
|
|
|
if key.Name == "" {
|
|
|
|
|
|
if obj.GetName() == "" {
|
2024-08-02 15:27:10 +08:00
|
|
|
|
return nil, NewBadRequestError("missing name")
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
key.Name = obj.GetName()
|
|
|
|
|
|
} else if key.Name != obj.GetName() {
|
2024-08-02 15:27:10 +08:00
|
|
|
|
return nil, NewBadRequestError(
|
2024-07-10 06:08:13 +08:00
|
|
|
|
fmt.Sprintf("key/name do not match (key: %s, name: %s)", key.Name, obj.GetName()))
|
|
|
|
|
|
}
|
2025-09-30 20:59:33 +08:00
|
|
|
|
if errs := validation.IsValidGrafanaName(obj.GetName()); err != nil {
|
|
|
|
|
|
return nil, NewBadRequestError(errs[0])
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-04-14 22:57:40 +08:00
|
|
|
|
// For folder moves, we need to check permissions on both folders
|
|
|
|
|
|
if s.isFolderMove(event) {
|
|
|
|
|
|
if err := s.checkFolderMovePermissions(ctx, user, key, event.ObjectOld.GetFolder(), obj.GetFolder()); err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
|
|
|
|
// Regular permission check for create/update
|
|
|
|
|
|
check := claims.CheckRequest{
|
|
|
|
|
|
Verb: utils.VerbCreate,
|
|
|
|
|
|
Group: key.Group,
|
|
|
|
|
|
Resource: key.Resource,
|
|
|
|
|
|
Namespace: key.Namespace,
|
|
|
|
|
|
}
|
2025-01-15 16:23:56 +08:00
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
if event.Type == resourcepb.WatchEvent_MODIFIED {
|
2025-04-14 22:57:40 +08:00
|
|
|
|
check.Verb = utils.VerbUpdate
|
|
|
|
|
|
check.Name = key.Name
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-01 22:40:28 +08:00
|
|
|
|
a, err := s.access.Check(ctx, user, check, obj.GetFolder())
|
2025-04-14 22:57:40 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, AsErrorResult(err)
|
|
|
|
|
|
}
|
|
|
|
|
|
if !a.Allowed {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return nil, &resourcepb.ErrorResult{
|
2025-04-14 22:57:40 +08:00
|
|
|
|
Code: http.StatusForbidden,
|
|
|
|
|
|
}
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2024-11-13 20:17:15 +08:00
|
|
|
|
|
2025-03-05 14:54:20 +08:00
|
|
|
|
m, ok := obj.GetManagerProperties()
|
|
|
|
|
|
if ok && m.Kind == utils.ManagerKindRepo {
|
|
|
|
|
|
err = s.writeHooks.CanWriteValueFromRepository(ctx, user, m.Identity)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if err != nil {
|
2024-08-02 15:27:10 +08:00
|
|
|
|
return nil, AsErrorResult(err)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return event, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-04-14 22:57:40 +08:00
|
|
|
|
// isFolderMove determines if an event represents a resource being moved between folders
|
|
|
|
|
|
func (s *server) isFolderMove(event *WriteEvent) bool {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return event.Type == resourcepb.WatchEvent_MODIFIED &&
|
2025-04-14 22:57:40 +08:00
|
|
|
|
event.ObjectOld != nil &&
|
|
|
|
|
|
event.ObjectOld.GetFolder() != event.Object.GetFolder()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// checkFolderMovePermissions handles permission checks when a resource is being moved between folders
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) checkFolderMovePermissions(ctx context.Context, user claims.AuthInfo, key *resourcepb.ResourceKey, oldFolder, newFolder string) *resourcepb.ErrorResult {
|
2025-04-14 22:57:40 +08:00
|
|
|
|
// First check if user can update the resource in the original folder
|
|
|
|
|
|
updateCheck := claims.CheckRequest{
|
|
|
|
|
|
Verb: utils.VerbUpdate,
|
|
|
|
|
|
Group: key.Group,
|
|
|
|
|
|
Resource: key.Resource,
|
|
|
|
|
|
Namespace: key.Namespace,
|
|
|
|
|
|
Name: key.Name,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-01 22:40:28 +08:00
|
|
|
|
a, err := s.access.Check(ctx, user, updateCheck, oldFolder)
|
2025-04-14 22:57:40 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return AsErrorResult(err)
|
|
|
|
|
|
}
|
|
|
|
|
|
if !a.Allowed {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ErrorResult{
|
2025-04-14 22:57:40 +08:00
|
|
|
|
Code: http.StatusForbidden,
|
|
|
|
|
|
Message: "not allowed to update resource in the source folder",
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Then check if user can create the resource in the destination folder
|
|
|
|
|
|
createCheck := claims.CheckRequest{
|
|
|
|
|
|
Verb: utils.VerbCreate,
|
|
|
|
|
|
Group: key.Group,
|
|
|
|
|
|
Resource: key.Resource,
|
|
|
|
|
|
Namespace: key.Namespace,
|
2025-10-01 22:40:28 +08:00
|
|
|
|
Name: key.Name,
|
2025-04-14 22:57:40 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-01 22:40:28 +08:00
|
|
|
|
a, err = s.access.Check(ctx, user, createCheck, newFolder)
|
2025-04-14 22:57:40 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return AsErrorResult(err)
|
|
|
|
|
|
}
|
|
|
|
|
|
if !a.Allowed {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ErrorResult{
|
2025-04-14 22:57:40 +08:00
|
|
|
|
Code: http.StatusForbidden,
|
|
|
|
|
|
Message: "not allowed to create resource in the destination folder",
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) Create(ctx context.Context, req *resourcepb.CreateRequest) (*resourcepb.CreateResponse, error) {
|
2024-07-10 06:08:13 +08:00
|
|
|
|
ctx, span := s.tracer.Start(ctx, "storage_server.Create")
|
|
|
|
|
|
defer span.End()
|
|
|
|
|
|
|
2025-09-29 01:53:07 +08:00
|
|
|
|
if r := verifyRequestKey(req.Key); r != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("invalid request key: %s", r.Message)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
rsp := &resourcepb.CreateResponse{}
|
2025-01-21 17:06:55 +08:00
|
|
|
|
user, ok := claims.AuthInfoFrom(ctx)
|
2024-08-12 14:49:34 +08:00
|
|
|
|
if !ok || user == nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
rsp.Error = &resourcepb.ErrorResult{
|
2024-08-02 15:27:10 +08:00
|
|
|
|
Message: "no user found in context",
|
|
|
|
|
|
Code: http.StatusUnauthorized,
|
|
|
|
|
|
}
|
|
|
|
|
|
return rsp, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-07-01 17:22:55 +08:00
|
|
|
|
var (
|
|
|
|
|
|
res *resourcepb.CreateResponse
|
|
|
|
|
|
err error
|
|
|
|
|
|
)
|
2025-08-27 00:40:22 +08:00
|
|
|
|
runErr := s.runInQueue(ctx, req.Key.Namespace, func(queueCtx context.Context) {
|
|
|
|
|
|
res, err = s.create(queueCtx, user, req)
|
2025-07-01 17:22:55 +08:00
|
|
|
|
})
|
|
|
|
|
|
if runErr != nil {
|
|
|
|
|
|
return HandleQueueError(runErr, func(e *resourcepb.ErrorResult) *resourcepb.CreateResponse {
|
|
|
|
|
|
return &resourcepb.CreateResponse{Error: e}
|
|
|
|
|
|
})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-06 16:02:03 +08:00
|
|
|
|
s.sleepAfterSuccessfulWriteOperation(res, err)
|
|
|
|
|
|
|
2025-07-01 17:22:55 +08:00
|
|
|
|
return res, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (s *server) create(ctx context.Context, user claims.AuthInfo, req *resourcepb.CreateRequest) (*resourcepb.CreateResponse, error) {
|
|
|
|
|
|
rsp := &resourcepb.CreateResponse{}
|
|
|
|
|
|
|
2024-08-02 15:27:10 +08:00
|
|
|
|
event, e := s.newEvent(ctx, user, req.Key, req.Value, nil)
|
|
|
|
|
|
if e != nil {
|
|
|
|
|
|
rsp.Error = e
|
2024-07-30 18:16:16 +08:00
|
|
|
|
return rsp, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
2024-11-13 20:17:15 +08:00
|
|
|
|
|
2025-03-31 21:06:31 +08:00
|
|
|
|
// If the resource already exists, the create will return an already exists error that is remapped appropriately by AsErrorResult.
|
|
|
|
|
|
// This also benefits from ACID behaviours on our databases, so we avoid race conditions.
|
2024-08-12 14:49:34 +08:00
|
|
|
|
var err error
|
2024-07-17 22:40:03 +08:00
|
|
|
|
rsp.ResourceVersion, err = s.backend.WriteEvent(ctx, *event)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if err != nil {
|
2024-07-30 18:16:16 +08:00
|
|
|
|
rsp.Error = AsErrorResult(err)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
2024-10-07 16:01:53 +08:00
|
|
|
|
s.log.Debug("server.WriteEvent", "type", event.Type, "rv", rsp.ResourceVersion, "previousRV", event.PreviousRV, "group", event.Key.Group, "namespace", event.Key.Namespace, "name", event.Key.Name, "resource", event.Key.Resource)
|
2024-07-30 18:16:16 +08:00
|
|
|
|
return rsp, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-06 16:02:03 +08:00
|
|
|
|
type responseWithErrorResult interface {
|
|
|
|
|
|
GetError() *resourcepb.ErrorResult
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// sleepAfterSuccessfulWriteOperation will sleep for a specified time if the operation was successful.
|
|
|
|
|
|
// Returns boolean indicating whether the sleep was performed or not (used in testing).
|
|
|
|
|
|
//
|
|
|
|
|
|
// This sleep is performed to guarantee search-after-write consistency, when rate-limiting updates to search index.
|
|
|
|
|
|
func (s *server) sleepAfterSuccessfulWriteOperation(res responseWithErrorResult, err error) bool {
|
|
|
|
|
|
if s.artificialSuccessfulWriteDelay <= 0 {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
// No sleep necessary if operation failed.
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// We expect that non-nil interface values with typed nils can still handle GetError() call.
|
|
|
|
|
|
if res != nil {
|
|
|
|
|
|
errRes := res.GetError()
|
|
|
|
|
|
if errRes != nil {
|
|
|
|
|
|
// No sleep necessary if operation failed.
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
time.Sleep(s.artificialSuccessfulWriteDelay)
|
|
|
|
|
|
return true
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) Update(ctx context.Context, req *resourcepb.UpdateRequest) (*resourcepb.UpdateResponse, error) {
|
2024-07-10 06:08:13 +08:00
|
|
|
|
ctx, span := s.tracer.Start(ctx, "storage_server.Update")
|
|
|
|
|
|
defer span.End()
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
rsp := &resourcepb.UpdateResponse{}
|
2025-01-21 17:06:55 +08:00
|
|
|
|
user, ok := claims.AuthInfoFrom(ctx)
|
2024-08-12 14:49:34 +08:00
|
|
|
|
if !ok || user == nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
rsp.Error = &resourcepb.ErrorResult{
|
2024-08-02 15:27:10 +08:00
|
|
|
|
Message: "no user found in context",
|
|
|
|
|
|
Code: http.StatusUnauthorized,
|
|
|
|
|
|
}
|
|
|
|
|
|
return rsp, nil
|
|
|
|
|
|
}
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if req.ResourceVersion < 0 {
|
2024-07-30 18:16:16 +08:00
|
|
|
|
rsp.Error = AsErrorResult(apierrors.NewBadRequest("update must include the previous version"))
|
2024-07-10 06:08:13 +08:00
|
|
|
|
return rsp, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-07-01 17:22:55 +08:00
|
|
|
|
var (
|
|
|
|
|
|
res *resourcepb.UpdateResponse
|
|
|
|
|
|
err error
|
|
|
|
|
|
)
|
2025-08-27 00:40:22 +08:00
|
|
|
|
runErr := s.runInQueue(ctx, req.Key.Namespace, func(queueCtx context.Context) {
|
|
|
|
|
|
res, err = s.update(queueCtx, user, req)
|
2025-07-01 17:22:55 +08:00
|
|
|
|
})
|
|
|
|
|
|
if runErr != nil {
|
|
|
|
|
|
return HandleQueueError(runErr, func(e *resourcepb.ErrorResult) *resourcepb.UpdateResponse {
|
|
|
|
|
|
return &resourcepb.UpdateResponse{Error: e}
|
|
|
|
|
|
})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-06 16:02:03 +08:00
|
|
|
|
s.sleepAfterSuccessfulWriteOperation(res, err)
|
|
|
|
|
|
|
2025-07-01 17:22:55 +08:00
|
|
|
|
return res, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (s *server) update(ctx context.Context, user claims.AuthInfo, req *resourcepb.UpdateRequest) (*resourcepb.UpdateResponse, error) {
|
|
|
|
|
|
rsp := &resourcepb.UpdateResponse{}
|
2025-05-16 03:36:52 +08:00
|
|
|
|
latest := s.backend.ReadResource(ctx, &resourcepb.ReadRequest{
|
2024-07-10 06:08:13 +08:00
|
|
|
|
Key: req.Key,
|
|
|
|
|
|
})
|
2024-07-30 18:16:16 +08:00
|
|
|
|
if latest.Error != nil {
|
|
|
|
|
|
return rsp, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
if latest.Value == nil {
|
2024-07-30 18:16:16 +08:00
|
|
|
|
rsp.Error = NewBadRequestError("current value does not exist")
|
|
|
|
|
|
return rsp, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-01 23:00:02 +08:00
|
|
|
|
// TODO: once we know the client is always sending the RV, require ResourceVersion > 0
|
|
|
|
|
|
// See: https://github.com/grafana/grafana/pull/111866
|
2024-07-13 07:01:24 +08:00
|
|
|
|
if req.ResourceVersion > 0 && latest.ResourceVersion != req.ResourceVersion {
|
2025-10-01 23:00:02 +08:00
|
|
|
|
return &resourcepb.UpdateResponse{
|
|
|
|
|
|
Error: &ErrOptimisticLockingFailed,
|
|
|
|
|
|
}, nil
|
2024-07-13 07:01:24 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-08-02 15:27:10 +08:00
|
|
|
|
event, e := s.newEvent(ctx, user, req.Key, req.Value, latest.Value)
|
|
|
|
|
|
if e != nil {
|
|
|
|
|
|
rsp.Error = e
|
2024-08-12 14:49:34 +08:00
|
|
|
|
return rsp, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
event.Type = resourcepb.WatchEvent_MODIFIED
|
2024-07-10 06:08:13 +08:00
|
|
|
|
event.PreviousRV = latest.ResourceVersion
|
|
|
|
|
|
|
2024-08-12 14:49:34 +08:00
|
|
|
|
var err error
|
2024-07-17 22:40:03 +08:00
|
|
|
|
rsp.ResourceVersion, err = s.backend.WriteEvent(ctx, *event)
|
|
|
|
|
|
if err != nil {
|
2024-07-30 18:16:16 +08:00
|
|
|
|
rsp.Error = AsErrorResult(err)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
2024-07-30 18:16:16 +08:00
|
|
|
|
return rsp, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) Delete(ctx context.Context, req *resourcepb.DeleteRequest) (*resourcepb.DeleteResponse, error) {
|
2024-07-10 06:08:13 +08:00
|
|
|
|
ctx, span := s.tracer.Start(ctx, "storage_server.Delete")
|
|
|
|
|
|
defer span.End()
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
rsp := &resourcepb.DeleteResponse{}
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if req.ResourceVersion < 0 {
|
|
|
|
|
|
return nil, apierrors.NewBadRequest("update must include the previous version")
|
|
|
|
|
|
}
|
2025-01-21 17:06:55 +08:00
|
|
|
|
user, ok := claims.AuthInfoFrom(ctx)
|
2024-11-13 20:17:15 +08:00
|
|
|
|
if !ok || user == nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
rsp.Error = &resourcepb.ErrorResult{
|
2024-11-13 20:17:15 +08:00
|
|
|
|
Message: "no user found in context",
|
|
|
|
|
|
Code: http.StatusUnauthorized,
|
|
|
|
|
|
}
|
|
|
|
|
|
return rsp, nil
|
|
|
|
|
|
}
|
2024-07-10 06:08:13 +08:00
|
|
|
|
|
2025-07-01 17:22:55 +08:00
|
|
|
|
var (
|
|
|
|
|
|
res *resourcepb.DeleteResponse
|
|
|
|
|
|
err error
|
|
|
|
|
|
)
|
|
|
|
|
|
|
2025-08-27 00:40:22 +08:00
|
|
|
|
runErr := s.runInQueue(ctx, req.Key.Namespace, func(queueCtx context.Context) {
|
|
|
|
|
|
res, err = s.delete(queueCtx, user, req)
|
2025-07-01 17:22:55 +08:00
|
|
|
|
})
|
|
|
|
|
|
if runErr != nil {
|
|
|
|
|
|
return HandleQueueError(runErr, func(e *resourcepb.ErrorResult) *resourcepb.DeleteResponse {
|
|
|
|
|
|
return &resourcepb.DeleteResponse{Error: e}
|
|
|
|
|
|
})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-06 16:02:03 +08:00
|
|
|
|
s.sleepAfterSuccessfulWriteOperation(res, err)
|
|
|
|
|
|
|
2025-07-01 17:22:55 +08:00
|
|
|
|
return res, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (s *server) delete(ctx context.Context, user claims.AuthInfo, req *resourcepb.DeleteRequest) (*resourcepb.DeleteResponse, error) {
|
|
|
|
|
|
rsp := &resourcepb.DeleteResponse{}
|
2025-05-16 03:36:52 +08:00
|
|
|
|
latest := s.backend.ReadResource(ctx, &resourcepb.ReadRequest{
|
2024-07-10 06:08:13 +08:00
|
|
|
|
Key: req.Key,
|
|
|
|
|
|
})
|
2024-07-30 18:16:16 +08:00
|
|
|
|
if latest.Error != nil {
|
|
|
|
|
|
rsp.Error = latest.Error
|
|
|
|
|
|
return rsp, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
if req.ResourceVersion > 0 && latest.ResourceVersion != req.ResourceVersion {
|
2025-10-01 23:00:02 +08:00
|
|
|
|
rsp.Error = &ErrOptimisticLockingFailed
|
2024-07-30 18:16:16 +08:00
|
|
|
|
return rsp, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-01-21 17:06:55 +08:00
|
|
|
|
access, err := s.access.Check(ctx, user, claims.CheckRequest{
|
2024-11-13 20:17:15 +08:00
|
|
|
|
Verb: "delete",
|
|
|
|
|
|
Group: req.Key.Group,
|
|
|
|
|
|
Resource: req.Key.Resource,
|
|
|
|
|
|
Namespace: req.Key.Namespace,
|
|
|
|
|
|
Name: req.Key.Name,
|
2025-10-01 22:40:28 +08:00
|
|
|
|
}, latest.Folder)
|
2024-11-13 20:17:15 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
rsp.Error = AsErrorResult(err)
|
|
|
|
|
|
return rsp, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
if !access.Allowed {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
rsp.Error = &resourcepb.ErrorResult{
|
2024-11-13 20:17:15 +08:00
|
|
|
|
Code: http.StatusForbidden,
|
|
|
|
|
|
}
|
|
|
|
|
|
return rsp, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
now := metav1.NewTime(time.UnixMilli(s.now()))
|
|
|
|
|
|
event := WriteEvent{
|
|
|
|
|
|
Key: req.Key,
|
2025-05-16 03:36:52 +08:00
|
|
|
|
Type: resourcepb.WatchEvent_DELETED,
|
2024-07-10 06:08:13 +08:00
|
|
|
|
PreviousRV: latest.ResourceVersion,
|
2025-05-21 15:49:49 +08:00
|
|
|
|
GUID: uuid.New().String(),
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
2025-01-17 20:54:25 +08:00
|
|
|
|
marker := &unstructured.Unstructured{}
|
2024-11-13 20:17:15 +08:00
|
|
|
|
err = json.Unmarshal(latest.Value, marker)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, apierrors.NewBadRequest(
|
|
|
|
|
|
fmt.Sprintf("unable to read previous object, %v", err))
|
|
|
|
|
|
}
|
2025-07-10 17:34:36 +08:00
|
|
|
|
oldObj, err := utils.MetaAccessor(marker)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
obj, err := utils.MetaAccessor(marker)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
obj.SetDeletionTimestamp(&now)
|
|
|
|
|
|
obj.SetUpdatedTimestamp(&now.Time)
|
|
|
|
|
|
obj.SetManagedFields(nil)
|
|
|
|
|
|
obj.SetFinalizers(nil)
|
2025-07-03 18:02:05 +08:00
|
|
|
|
obj.SetUpdatedBy(user.GetUID())
|
2025-01-17 20:54:25 +08:00
|
|
|
|
obj.SetGeneration(utils.DeletedGeneration)
|
|
|
|
|
|
obj.SetAnnotation(utils.AnnoKeyKubectlLastAppliedConfig, "") // clears it
|
2025-07-10 17:34:36 +08:00
|
|
|
|
event.ObjectOld = oldObj
|
|
|
|
|
|
event.Object = obj
|
2025-01-17 20:54:25 +08:00
|
|
|
|
event.Value, err = marker.MarshalJSON()
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, apierrors.NewBadRequest(
|
|
|
|
|
|
fmt.Sprintf("unable creating deletion marker, %v", err))
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
rsp.ResourceVersion, err = s.backend.WriteEvent(ctx, event)
|
2024-07-30 18:16:16 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
rsp.Error = AsErrorResult(err)
|
|
|
|
|
|
}
|
|
|
|
|
|
return rsp, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) Read(ctx context.Context, req *resourcepb.ReadRequest) (*resourcepb.ReadResponse, error) {
|
2025-01-21 17:06:55 +08:00
|
|
|
|
user, ok := claims.AuthInfoFrom(ctx)
|
2024-11-13 20:17:15 +08:00
|
|
|
|
if !ok || user == nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ReadResponse{
|
|
|
|
|
|
Error: &resourcepb.ErrorResult{
|
2024-11-13 20:17:15 +08:00
|
|
|
|
Message: "no user found in context",
|
|
|
|
|
|
Code: http.StatusUnauthorized,
|
|
|
|
|
|
}}, nil
|
|
|
|
|
|
}
|
2024-07-10 06:08:13 +08:00
|
|
|
|
|
|
|
|
|
|
if req.Key.Resource == "" {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ReadResponse{Error: NewBadRequestError("missing resource")}, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-07-01 17:22:55 +08:00
|
|
|
|
var (
|
|
|
|
|
|
res *resourcepb.ReadResponse
|
|
|
|
|
|
err error
|
|
|
|
|
|
)
|
2025-08-27 00:40:22 +08:00
|
|
|
|
runErr := s.runInQueue(ctx, req.Key.Namespace, func(queueCtx context.Context) {
|
|
|
|
|
|
res, err = s.read(queueCtx, user, req)
|
2025-07-01 17:22:55 +08:00
|
|
|
|
})
|
|
|
|
|
|
if runErr != nil {
|
|
|
|
|
|
return HandleQueueError(runErr, func(e *resourcepb.ErrorResult) *resourcepb.ReadResponse {
|
|
|
|
|
|
return &resourcepb.ReadResponse{Error: e}
|
|
|
|
|
|
})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return res, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (s *server) read(ctx context.Context, user claims.AuthInfo, req *resourcepb.ReadRequest) (*resourcepb.ReadResponse, error) {
|
2024-07-30 18:16:16 +08:00
|
|
|
|
rsp := s.backend.ReadResource(ctx, req)
|
2025-04-10 08:14:39 +08:00
|
|
|
|
if rsp.Error != nil && rsp.Error.Code == http.StatusNotFound {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ReadResponse{Error: rsp.Error}, nil
|
2025-04-10 08:14:39 +08:00
|
|
|
|
}
|
2024-11-13 20:17:15 +08:00
|
|
|
|
|
2025-01-21 17:06:55 +08:00
|
|
|
|
a, err := s.access.Check(ctx, user, claims.CheckRequest{
|
2024-11-13 20:17:15 +08:00
|
|
|
|
Verb: "get",
|
|
|
|
|
|
Group: req.Key.Group,
|
|
|
|
|
|
Resource: req.Key.Resource,
|
|
|
|
|
|
Namespace: req.Key.Namespace,
|
|
|
|
|
|
Name: req.Key.Name,
|
2025-10-01 22:40:28 +08:00
|
|
|
|
}, rsp.Folder)
|
2024-11-13 20:17:15 +08:00
|
|
|
|
if err != nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ReadResponse{Error: AsErrorResult(err)}, nil
|
2024-11-13 20:17:15 +08:00
|
|
|
|
}
|
|
|
|
|
|
if !a.Allowed {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ReadResponse{
|
|
|
|
|
|
Error: &resourcepb.ErrorResult{
|
2024-11-13 20:17:15 +08:00
|
|
|
|
Code: http.StatusForbidden,
|
|
|
|
|
|
}}, nil
|
|
|
|
|
|
}
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ReadResponse{
|
2024-11-12 19:52:04 +08:00
|
|
|
|
ResourceVersion: rsp.ResourceVersion,
|
|
|
|
|
|
Value: rsp.Value,
|
|
|
|
|
|
Error: rsp.Error,
|
|
|
|
|
|
}, nil
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) List(ctx context.Context, req *resourcepb.ListRequest) (*resourcepb.ListResponse, error) {
|
2024-10-25 05:05:33 +08:00
|
|
|
|
ctx, span := s.tracer.Start(ctx, "storage_server.List")
|
|
|
|
|
|
defer span.End()
|
|
|
|
|
|
|
2025-01-17 20:54:25 +08:00
|
|
|
|
// The history + trash queries do not yet support additional filters
|
2025-05-16 03:36:52 +08:00
|
|
|
|
if req.Source != resourcepb.ListRequest_STORE {
|
2025-01-17 20:54:25 +08:00
|
|
|
|
if len(req.Options.Fields) > 0 || len(req.Options.Labels) > 0 {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ListResponse{
|
2025-01-17 20:54:25 +08:00
|
|
|
|
Error: NewBadRequestError("unexpected field/label selector for history query"),
|
|
|
|
|
|
}, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-01-21 17:06:55 +08:00
|
|
|
|
user, ok := claims.AuthInfoFrom(ctx)
|
2024-11-13 20:17:15 +08:00
|
|
|
|
if !ok || user == nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ListResponse{
|
|
|
|
|
|
Error: &resourcepb.ErrorResult{
|
2024-11-13 20:17:15 +08:00
|
|
|
|
Message: "no user found in context",
|
|
|
|
|
|
Code: http.StatusUnauthorized,
|
|
|
|
|
|
}}, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-01-17 20:54:25 +08:00
|
|
|
|
// Do not allow label query for trash/history
|
|
|
|
|
|
for _, v := range req.Options.Labels {
|
|
|
|
|
|
if v.Key == utils.LabelKeyGetHistory || v.Key == utils.LabelKeyGetTrash {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ListResponse{Error: NewBadRequestError("history and trash must be requested as source")}, nil
|
2025-01-17 20:54:25 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-09-25 23:54:38 +08:00
|
|
|
|
// Fast path for getting single value in a list
|
|
|
|
|
|
if rsp := s.tryFastPathList(ctx, req); rsp != nil {
|
|
|
|
|
|
return rsp, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-31 17:05:59 +08:00
|
|
|
|
if req.Limit < 1 {
|
2025-09-01 17:09:40 +08:00
|
|
|
|
req.Limit = 500 // default max 500 items in a page
|
2024-07-31 17:05:59 +08:00
|
|
|
|
}
|
2025-06-13 21:59:46 +08:00
|
|
|
|
maxPageBytes := s.maxPageSizeBytes
|
2024-07-31 17:05:59 +08:00
|
|
|
|
pageBytes := 0
|
2025-05-16 03:36:52 +08:00
|
|
|
|
rsp := &resourcepb.ListResponse{}
|
2024-11-13 20:17:15 +08:00
|
|
|
|
|
|
|
|
|
|
key := req.Options.Key
|
2025-09-18 22:24:22 +08:00
|
|
|
|
checker, _, err := s.access.Compile(ctx, user, claims.ListRequest{
|
2024-11-13 20:17:15 +08:00
|
|
|
|
Group: key.Group,
|
|
|
|
|
|
Resource: key.Resource,
|
|
|
|
|
|
Namespace: key.Namespace,
|
2025-01-16 21:11:55 +08:00
|
|
|
|
Verb: utils.VerbGet,
|
2024-11-13 20:17:15 +08:00
|
|
|
|
})
|
2025-06-24 16:17:34 +08:00
|
|
|
|
var trashChecker claims.ItemChecker // only for trash
|
|
|
|
|
|
if req.Source == resourcepb.ListRequest_TRASH {
|
2025-09-18 22:24:22 +08:00
|
|
|
|
trashChecker, _, err = s.access.Compile(ctx, user, claims.ListRequest{
|
2025-06-24 16:17:34 +08:00
|
|
|
|
Group: key.Group,
|
|
|
|
|
|
Resource: key.Resource,
|
|
|
|
|
|
Namespace: key.Namespace,
|
|
|
|
|
|
Verb: utils.VerbSetPermissions, // Basically Admin
|
|
|
|
|
|
})
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return &resourcepb.ListResponse{Error: AsErrorResult(err)}, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2024-11-13 20:17:15 +08:00
|
|
|
|
if err != nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ListResponse{Error: AsErrorResult(err)}, nil
|
2024-11-13 20:17:15 +08:00
|
|
|
|
}
|
|
|
|
|
|
if checker == nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.ListResponse{Error: &resourcepb.ErrorResult{
|
2024-11-13 20:17:15 +08:00
|
|
|
|
Code: http.StatusForbidden,
|
|
|
|
|
|
}}, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-23 21:00:18 +08:00
|
|
|
|
iterFunc := func(iter ListIterator) error {
|
2024-07-31 17:05:59 +08:00
|
|
|
|
for iter.Next() {
|
|
|
|
|
|
if err := iter.Error(); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
2024-07-10 06:08:13 +08:00
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
item := &resourcepb.ResourceWrapper{
|
2024-07-31 17:05:59 +08:00
|
|
|
|
ResourceVersion: iter.ResourceVersion(),
|
|
|
|
|
|
Value: iter.Value(),
|
|
|
|
|
|
}
|
2025-06-24 16:17:34 +08:00
|
|
|
|
// Trash is only accessible to admins or the user who deleted the object
|
|
|
|
|
|
if req.Source == resourcepb.ListRequest_TRASH {
|
|
|
|
|
|
if !s.isTrashItemAuthorized(ctx, iter, trashChecker) {
|
|
|
|
|
|
continue
|
|
|
|
|
|
}
|
|
|
|
|
|
} else if !checker(iter.Name(), iter.Folder()) {
|
2024-11-13 20:17:15 +08:00
|
|
|
|
continue
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-31 17:05:59 +08:00
|
|
|
|
pageBytes += len(item.Value)
|
|
|
|
|
|
rsp.Items = append(rsp.Items, item)
|
|
|
|
|
|
if len(rsp.Items) >= int(req.Limit) || pageBytes >= maxPageBytes {
|
|
|
|
|
|
t := iter.ContinueToken()
|
|
|
|
|
|
if iter.Next() {
|
|
|
|
|
|
rsp.NextPageToken = t
|
|
|
|
|
|
}
|
2025-04-11 22:25:40 +08:00
|
|
|
|
return iter.Error()
|
2024-07-31 17:05:59 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2025-04-11 22:25:40 +08:00
|
|
|
|
return iter.Error()
|
2025-05-23 21:00:18 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var rv int64
|
|
|
|
|
|
switch req.Source {
|
|
|
|
|
|
case resourcepb.ListRequest_STORE:
|
|
|
|
|
|
rv, err = s.backend.ListIterator(ctx, req, iterFunc)
|
|
|
|
|
|
case resourcepb.ListRequest_HISTORY, resourcepb.ListRequest_TRASH:
|
|
|
|
|
|
rv, err = s.backend.ListHistory(ctx, req, iterFunc)
|
|
|
|
|
|
default:
|
|
|
|
|
|
return nil, apierrors.NewBadRequest(fmt.Sprintf("invalid list source: %v", req.Source))
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-31 17:05:59 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
rsp.Error = AsErrorResult(err)
|
|
|
|
|
|
return rsp, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if rv < 1 {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
rsp.Error = &resourcepb.ErrorResult{
|
2024-07-31 17:05:59 +08:00
|
|
|
|
Code: http.StatusInternalServerError,
|
|
|
|
|
|
Message: fmt.Sprintf("invalid resource version for list: %v", rv),
|
|
|
|
|
|
}
|
|
|
|
|
|
return rsp, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
rsp.ResourceVersion = rv
|
|
|
|
|
|
return rsp, err
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-09-25 23:54:38 +08:00
|
|
|
|
// Some list queries can be calculated with simple reads
|
|
|
|
|
|
func (s *server) tryFastPathList(ctx context.Context, req *resourcepb.ListRequest) *resourcepb.ListResponse {
|
|
|
|
|
|
if req.Source != resourcepb.ListRequest_STORE || req.Options.Key.Namespace == "" {
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
for _, v := range req.Options.Fields {
|
|
|
|
|
|
if v.Key == "metadata.name" && v.Operator == `=` {
|
|
|
|
|
|
if len(v.Values) == 1 {
|
|
|
|
|
|
read := &resourcepb.ReadRequest{
|
|
|
|
|
|
Key: req.Options.Key,
|
|
|
|
|
|
ResourceVersion: req.ResourceVersion,
|
|
|
|
|
|
}
|
|
|
|
|
|
read.Key.Name = v.Values[0]
|
|
|
|
|
|
found, err := s.Read(ctx, read)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return &resourcepb.ListResponse{Error: AsErrorResult(err)}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Return a value when it exists
|
|
|
|
|
|
rsp := &resourcepb.ListResponse{}
|
|
|
|
|
|
if len(found.Value) > 0 {
|
|
|
|
|
|
rsp.Items = []*resourcepb.ResourceWrapper{{
|
|
|
|
|
|
Value: found.Value,
|
|
|
|
|
|
ResourceVersion: found.ResourceVersion,
|
|
|
|
|
|
}}
|
|
|
|
|
|
}
|
|
|
|
|
|
return rsp
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-06-24 16:17:34 +08:00
|
|
|
|
// isTrashItemAuthorized checks if the user has access to the trash item.
|
|
|
|
|
|
func (s *server) isTrashItemAuthorized(ctx context.Context, iter ListIterator, trashChecker claims.ItemChecker) bool {
|
|
|
|
|
|
user, ok := claims.AuthInfoFrom(ctx)
|
|
|
|
|
|
if !ok || user == nil {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
partial := &metav1.PartialObjectMetadata{}
|
|
|
|
|
|
err := json.Unmarshal(iter.Value(), partial)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
obj, err := utils.MetaAccessor(partial)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-09-29 04:33:57 +08:00
|
|
|
|
// provisioned objects should not be retrievable in the trash
|
|
|
|
|
|
if obj.GetAnnotation(utils.AnnoKeyManagerKind) != "" {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-06-24 16:17:34 +08:00
|
|
|
|
// Trash is only accessible to admins or the user who deleted the object
|
|
|
|
|
|
return obj.GetUpdatedBy() == user.GetUID() || trashChecker(iter.Name(), iter.Folder())
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
func (s *server) initWatcher() error {
|
|
|
|
|
|
var err error
|
|
|
|
|
|
s.broadcaster, err = NewBroadcaster(s.ctx, func(out chan<- *WrittenEvent) error {
|
|
|
|
|
|
events, err := s.backend.WatchWriteEvents(s.ctx)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
go func() {
|
2025-02-26 00:28:31 +08:00
|
|
|
|
for v := range events {
|
2025-02-25 00:02:30 +08:00
|
|
|
|
if v == nil {
|
|
|
|
|
|
s.log.Error("received nil event")
|
|
|
|
|
|
continue
|
|
|
|
|
|
}
|
2025-02-12 01:57:46 +08:00
|
|
|
|
// Skip events during batch updates
|
|
|
|
|
|
if v.PreviousRV < 0 {
|
|
|
|
|
|
continue
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-10-07 16:01:53 +08:00
|
|
|
|
s.log.Debug("Server. Streaming Event", "type", v.Type, "previousRV", v.PreviousRV, "group", v.Key.Group, "namespace", v.Key.Namespace, "resource", v.Key.Resource, "name", v.Key.Name)
|
|
|
|
|
|
s.mostRecentRV.Store(v.ResourceVersion)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
out <- v
|
|
|
|
|
|
}
|
|
|
|
|
|
}()
|
|
|
|
|
|
return nil
|
|
|
|
|
|
})
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-11-13 20:17:15 +08:00
|
|
|
|
//nolint:gocyclo
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) Watch(req *resourcepb.WatchRequest, srv resourcepb.ResourceStore_WatchServer) error {
|
2024-07-23 01:08:30 +08:00
|
|
|
|
ctx := srv.Context()
|
|
|
|
|
|
|
2025-01-21 17:06:55 +08:00
|
|
|
|
user, ok := claims.AuthInfoFrom(ctx)
|
2024-11-13 20:17:15 +08:00
|
|
|
|
if !ok || user == nil {
|
|
|
|
|
|
return apierrors.NewUnauthorized("no user found in context")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
key := req.Options.Key
|
2025-09-18 22:24:22 +08:00
|
|
|
|
checker, _, err := s.access.Compile(ctx, user, claims.ListRequest{
|
2024-11-13 20:17:15 +08:00
|
|
|
|
Group: key.Group,
|
|
|
|
|
|
Resource: key.Resource,
|
|
|
|
|
|
Namespace: key.Namespace,
|
2025-02-19 23:06:26 +08:00
|
|
|
|
Verb: utils.VerbGet,
|
2024-11-13 20:17:15 +08:00
|
|
|
|
})
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
if checker == nil {
|
|
|
|
|
|
return apierrors.NewUnauthorized("not allowed to list anything") // ?? or a single error?
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-10-07 16:01:53 +08:00
|
|
|
|
// Start listening -- this will buffer any changes that happen while we backfill.
|
|
|
|
|
|
// If events are generated faster than we can process them, then some events will be dropped.
|
|
|
|
|
|
// TODO: Think of a way to allow the client to catch up.
|
2024-07-10 06:08:13 +08:00
|
|
|
|
stream, err := s.broadcaster.Subscribe(ctx)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
defer s.broadcaster.Unsubscribe(stream)
|
|
|
|
|
|
|
2025-05-23 15:19:20 +08:00
|
|
|
|
// Determine a safe starting resource-version for the watch.
|
|
|
|
|
|
// When the client requests SendInitialEvents we will use the resource-version
|
|
|
|
|
|
// of the last object returned from the initial list (handled below).
|
|
|
|
|
|
// When the client supplies an explicit `since` we honour that.
|
|
|
|
|
|
// In the remaining case (SendInitialEvents == false && since == 0) we need
|
|
|
|
|
|
// a high-water-mark representing the current state of storage so that we
|
|
|
|
|
|
// donʼt replay events that happened before the watch was established. Using
|
|
|
|
|
|
// `mostRecentRV` – which is updated asynchronously by the broadcaster – is
|
|
|
|
|
|
// subject to races because the broadcaster may not yet have observed the
|
|
|
|
|
|
// latest committed writes. Instead we ask the backend directly for the
|
|
|
|
|
|
// current resource-version.
|
|
|
|
|
|
var mostRecentRV int64
|
2024-10-07 16:01:53 +08:00
|
|
|
|
if !req.SendInitialEvents && req.Since == 0 {
|
2025-05-23 15:19:20 +08:00
|
|
|
|
// We only need the current RV. A cheap way to obtain it is to issue a
|
|
|
|
|
|
// List with a very small limit and read the listRV returned by the
|
|
|
|
|
|
// iterator. The callback is a no-op so we avoid materialising any
|
|
|
|
|
|
// items.
|
|
|
|
|
|
listReq := &resourcepb.ListRequest{
|
|
|
|
|
|
Options: req.Options,
|
|
|
|
|
|
// This has right now no effect, as the list request only uses the limit if it lists from history or trash.
|
|
|
|
|
|
// It might be worth adding it in a subsequent PR. We only list once during setup of the watch, so it's
|
|
|
|
|
|
// fine for now.
|
|
|
|
|
|
Limit: 1,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
rv, err := s.backend.ListIterator(ctx, listReq, func(ListIterator) error { return nil })
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
// Fallback to the broadcasterʼs view if the backend lookup fails.
|
|
|
|
|
|
// This preserves previous behaviour while still eliminating the
|
|
|
|
|
|
// common race in the majority of cases.
|
|
|
|
|
|
s.log.Warn("watch: failed to fetch current RV from backend, falling back to broadcaster", "err", err)
|
|
|
|
|
|
mostRecentRV = s.mostRecentRV.Load()
|
|
|
|
|
|
} else {
|
|
|
|
|
|
mostRecentRV = rv
|
|
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
|
|
|
|
// For all other code-paths we either already have an explicit RV or we
|
|
|
|
|
|
// will derive it from the initial list below.
|
|
|
|
|
|
mostRecentRV = s.mostRecentRV.Load()
|
2024-10-07 16:01:53 +08:00
|
|
|
|
}
|
2024-10-02 02:45:47 +08:00
|
|
|
|
|
2025-05-23 15:19:20 +08:00
|
|
|
|
var initialEventsRV int64 // resource version coming from the initial events
|
2024-10-07 16:01:53 +08:00
|
|
|
|
if req.SendInitialEvents {
|
|
|
|
|
|
// Backfill the stream by adding every existing entities.
|
2025-05-16 03:36:52 +08:00
|
|
|
|
initialEventsRV, err = s.backend.ListIterator(ctx, &resourcepb.ListRequest{Options: req.Options}, func(iter ListIterator) error {
|
2024-10-07 16:01:53 +08:00
|
|
|
|
for iter.Next() {
|
|
|
|
|
|
if err := iter.Error(); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
2025-05-16 03:36:52 +08:00
|
|
|
|
if err := srv.Send(&resourcepb.WatchEvent{
|
|
|
|
|
|
Type: resourcepb.WatchEvent_ADDED,
|
|
|
|
|
|
Resource: &resourcepb.WatchEvent_Resource{
|
2024-10-07 16:01:53 +08:00
|
|
|
|
Value: iter.Value(),
|
|
|
|
|
|
Version: iter.ResourceVersion(),
|
|
|
|
|
|
},
|
|
|
|
|
|
}); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2025-04-11 22:25:40 +08:00
|
|
|
|
return iter.Error()
|
2024-10-07 16:01:53 +08:00
|
|
|
|
})
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
if req.SendInitialEvents && req.AllowWatchBookmarks {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
if err := srv.Send(&resourcepb.WatchEvent{
|
|
|
|
|
|
Type: resourcepb.WatchEvent_BOOKMARK,
|
|
|
|
|
|
Resource: &resourcepb.WatchEvent_Resource{
|
2024-10-07 16:01:53 +08:00
|
|
|
|
Version: initialEventsRV,
|
|
|
|
|
|
},
|
|
|
|
|
|
}); err != nil {
|
|
|
|
|
|
return err
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-10-07 16:01:53 +08:00
|
|
|
|
var since int64 // resource version to start watching from
|
|
|
|
|
|
switch {
|
|
|
|
|
|
case req.SendInitialEvents:
|
|
|
|
|
|
since = initialEventsRV
|
|
|
|
|
|
case req.Since == 0:
|
|
|
|
|
|
since = mostRecentRV
|
|
|
|
|
|
default:
|
|
|
|
|
|
since = req.Since
|
|
|
|
|
|
}
|
2024-07-10 06:08:13 +08:00
|
|
|
|
for {
|
|
|
|
|
|
select {
|
|
|
|
|
|
case <-ctx.Done():
|
|
|
|
|
|
return nil
|
|
|
|
|
|
|
|
|
|
|
|
case event, ok := <-stream:
|
|
|
|
|
|
if !ok {
|
|
|
|
|
|
s.log.Debug("watch events closed")
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
2024-10-07 16:01:53 +08:00
|
|
|
|
s.log.Debug("Server Broadcasting", "type", event.Type, "rv", event.ResourceVersion, "previousRV", event.PreviousRV, "group", event.Key.Group, "namespace", event.Key.Namespace, "resource", event.Key.Resource, "name", event.Key.Name)
|
2024-07-10 06:08:13 +08:00
|
|
|
|
if event.ResourceVersion > since && matchesQueryKey(req.Options.Key, event.Key) {
|
2025-02-26 16:22:09 +08:00
|
|
|
|
if !checker(event.Key.Name, event.Folder) {
|
2024-11-13 20:17:15 +08:00
|
|
|
|
continue
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-10-07 16:01:53 +08:00
|
|
|
|
value := event.Value
|
|
|
|
|
|
// remove the delete marker stored in the value for deleted objects
|
2025-05-16 03:36:52 +08:00
|
|
|
|
if event.Type == resourcepb.WatchEvent_DELETED {
|
2024-10-07 16:01:53 +08:00
|
|
|
|
value = []byte{}
|
|
|
|
|
|
}
|
2025-05-16 03:36:52 +08:00
|
|
|
|
resp := &resourcepb.WatchEvent{
|
2024-07-10 06:08:13 +08:00
|
|
|
|
Timestamp: event.Timestamp,
|
|
|
|
|
|
Type: event.Type,
|
2025-05-16 03:36:52 +08:00
|
|
|
|
Resource: &resourcepb.WatchEvent_Resource{
|
2024-10-07 16:01:53 +08:00
|
|
|
|
Value: value,
|
2024-07-10 06:08:13 +08:00
|
|
|
|
Version: event.ResourceVersion,
|
|
|
|
|
|
},
|
2024-10-07 16:01:53 +08:00
|
|
|
|
}
|
|
|
|
|
|
if event.PreviousRV > 0 {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
prevObj, err := s.Read(ctx, &resourcepb.ReadRequest{Key: event.Key, ResourceVersion: event.PreviousRV})
|
2024-10-07 16:01:53 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
// This scenario should never happen, but if it does, we should log it and continue
|
|
|
|
|
|
// sending the event without the previous object. The client will decide what to do.
|
|
|
|
|
|
s.log.Error("error reading previous object", "key", event.Key, "resource_version", event.PreviousRV, "error", prevObj.Error)
|
|
|
|
|
|
} else {
|
|
|
|
|
|
if prevObj.ResourceVersion != event.PreviousRV {
|
|
|
|
|
|
s.log.Error("resource version mismatch", "key", event.Key, "resource_version", event.PreviousRV, "actual", prevObj.ResourceVersion)
|
|
|
|
|
|
return fmt.Errorf("resource version mismatch")
|
|
|
|
|
|
}
|
2025-05-16 03:36:52 +08:00
|
|
|
|
resp.Previous = &resourcepb.WatchEvent_Resource{
|
2024-10-07 16:01:53 +08:00
|
|
|
|
Value: prevObj.Value,
|
|
|
|
|
|
Version: prevObj.ResourceVersion,
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
if err := srv.Send(resp); err != nil {
|
2024-08-05 22:30:14 +08:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
2024-10-22 07:15:11 +08:00
|
|
|
|
|
2025-02-28 20:39:39 +08:00
|
|
|
|
if s.storageMetrics != nil {
|
|
|
|
|
|
// record latency - resource version is a unix timestamp in microseconds so we convert to seconds
|
|
|
|
|
|
latencySeconds := float64(time.Now().UnixMicro()-event.ResourceVersion) / 1e6
|
|
|
|
|
|
if latencySeconds > 0 {
|
|
|
|
|
|
s.storageMetrics.WatchEventLatency.WithLabelValues(event.Key.Resource).Observe(latencySeconds)
|
|
|
|
|
|
}
|
2024-10-22 07:15:11 +08:00
|
|
|
|
}
|
2024-07-10 06:08:13 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) Search(ctx context.Context, req *resourcepb.ResourceSearchRequest) (*resourcepb.ResourceSearchResponse, error) {
|
2024-11-27 13:57:53 +08:00
|
|
|
|
if s.search == nil {
|
2024-11-23 04:26:56 +08:00
|
|
|
|
return nil, fmt.Errorf("search index not configured")
|
|
|
|
|
|
}
|
2025-04-26 01:08:44 +08:00
|
|
|
|
|
2024-11-27 13:57:53 +08:00
|
|
|
|
return s.search.Search(ctx, req)
|
2024-10-01 03:46:14 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-12-11 02:37:37 +08:00
|
|
|
|
// GetStats implements ResourceServer.
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) GetStats(ctx context.Context, req *resourcepb.ResourceStatsRequest) (*resourcepb.ResourceStatsResponse, error) {
|
2024-12-11 02:37:37 +08:00
|
|
|
|
if err := s.Init(ctx); err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
2025-04-26 01:08:44 +08:00
|
|
|
|
|
2024-12-11 02:37:37 +08:00
|
|
|
|
if s.search == nil {
|
|
|
|
|
|
// If the backend implements "GetStats", we can use it
|
2025-05-16 03:36:52 +08:00
|
|
|
|
srv, ok := s.backend.(resourcepb.ResourceIndexServer)
|
2024-12-11 02:37:37 +08:00
|
|
|
|
if ok {
|
|
|
|
|
|
return srv.GetStats(ctx, req)
|
|
|
|
|
|
}
|
|
|
|
|
|
return nil, fmt.Errorf("search index not configured")
|
|
|
|
|
|
}
|
|
|
|
|
|
return s.search.GetStats(ctx, req)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) ListManagedObjects(ctx context.Context, req *resourcepb.ListManagedObjectsRequest) (*resourcepb.ListManagedObjectsResponse, error) {
|
2025-09-06 04:58:12 +08:00
|
|
|
|
if s.search == nil {
|
|
|
|
|
|
return nil, fmt.Errorf("search index not configured")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-03-11 00:48:53 +08:00
|
|
|
|
return s.search.ListManagedObjects(ctx, req)
|
2025-01-11 02:27:10 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) CountManagedObjects(ctx context.Context, req *resourcepb.CountManagedObjectsRequest) (*resourcepb.CountManagedObjectsResponse, error) {
|
2025-09-06 04:58:12 +08:00
|
|
|
|
if s.search == nil {
|
|
|
|
|
|
return nil, fmt.Errorf("search index not configured")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-03-11 00:48:53 +08:00
|
|
|
|
return s.search.CountManagedObjects(ctx, req)
|
2024-10-08 21:43:23 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-07-10 06:08:13 +08:00
|
|
|
|
// IsHealthy implements ResourceServer.
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) IsHealthy(ctx context.Context, req *resourcepb.HealthCheckRequest) (*resourcepb.HealthCheckResponse, error) {
|
2024-07-10 06:08:13 +08:00
|
|
|
|
return s.diagnostics.IsHealthy(ctx, req)
|
|
|
|
|
|
}
|
2024-10-17 18:18:29 +08:00
|
|
|
|
|
|
|
|
|
|
// GetBlob implements BlobStore.
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) PutBlob(ctx context.Context, req *resourcepb.PutBlobRequest) (*resourcepb.PutBlobResponse, error) {
|
2024-10-17 18:18:29 +08:00
|
|
|
|
if s.blob == nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.PutBlobResponse{Error: &resourcepb.ErrorResult{
|
2024-10-17 18:18:29 +08:00
|
|
|
|
Message: "blob store not configured",
|
|
|
|
|
|
Code: http.StatusNotImplemented,
|
|
|
|
|
|
}}, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
rsp, err := s.blob.PutResourceBlob(ctx, req)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
rsp.Error = AsErrorResult(err)
|
|
|
|
|
|
}
|
|
|
|
|
|
return rsp, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) getPartialObject(ctx context.Context, key *resourcepb.ResourceKey, rv int64) (utils.GrafanaMetaAccessor, *resourcepb.ErrorResult) {
|
2024-11-09 13:09:46 +08:00
|
|
|
|
if r := verifyRequestKey(key); r != nil {
|
|
|
|
|
|
return nil, r
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-05-16 03:36:52 +08:00
|
|
|
|
rsp := s.backend.ReadResource(ctx, &resourcepb.ReadRequest{
|
2024-10-17 18:18:29 +08:00
|
|
|
|
Key: key,
|
|
|
|
|
|
ResourceVersion: rv,
|
|
|
|
|
|
})
|
|
|
|
|
|
if rsp.Error != nil {
|
|
|
|
|
|
return nil, rsp.Error
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
partial := &metav1.PartialObjectMetadata{}
|
|
|
|
|
|
err := json.Unmarshal(rsp.Value, partial)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, AsErrorResult(err)
|
|
|
|
|
|
}
|
|
|
|
|
|
obj, err := utils.MetaAccessor(partial)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, AsErrorResult(err)
|
|
|
|
|
|
}
|
|
|
|
|
|
return obj, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetBlob implements BlobStore.
|
2025-05-16 03:36:52 +08:00
|
|
|
|
func (s *server) GetBlob(ctx context.Context, req *resourcepb.GetBlobRequest) (*resourcepb.GetBlobResponse, error) {
|
2024-10-17 18:18:29 +08:00
|
|
|
|
if s.blob == nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.GetBlobResponse{Error: &resourcepb.ErrorResult{
|
2024-10-17 18:18:29 +08:00
|
|
|
|
Message: "blob store not configured",
|
|
|
|
|
|
Code: http.StatusNotImplemented,
|
|
|
|
|
|
}}, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-02-26 22:18:59 +08:00
|
|
|
|
var info *utils.BlobInfo
|
|
|
|
|
|
if req.Uid == "" {
|
|
|
|
|
|
// The linked blob is stored in the resource metadata attributes
|
|
|
|
|
|
obj, status := s.getPartialObject(ctx, req.Resource, req.ResourceVersion)
|
|
|
|
|
|
if status != nil {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.GetBlobResponse{Error: status}, nil
|
2025-02-26 22:18:59 +08:00
|
|
|
|
}
|
2024-10-17 18:18:29 +08:00
|
|
|
|
|
2025-02-26 22:18:59 +08:00
|
|
|
|
info = obj.GetBlob()
|
|
|
|
|
|
if info == nil || info.UID == "" {
|
2025-05-16 03:36:52 +08:00
|
|
|
|
return &resourcepb.GetBlobResponse{Error: &resourcepb.ErrorResult{
|
2025-02-26 22:18:59 +08:00
|
|
|
|
Message: "Resource does not have a linked blob",
|
|
|
|
|
|
Code: 404,
|
|
|
|
|
|
}}, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
|
|
|
|
info = &utils.BlobInfo{UID: req.Uid}
|
2024-10-17 18:18:29 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
rsp, err := s.blob.GetResourceBlob(ctx, req.Resource, info, req.MustProxyBytes)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
rsp.Error = AsErrorResult(err)
|
|
|
|
|
|
}
|
|
|
|
|
|
return rsp, nil
|
|
|
|
|
|
}
|
2025-07-01 17:22:55 +08:00
|
|
|
|
|
2025-08-27 00:40:22 +08:00
|
|
|
|
func (s *server) runInQueue(ctx context.Context, tenantID string, runnable func(ctx context.Context)) error {
|
|
|
|
|
|
// Enforce a timeout for the entire operation, including queueing and execution.
|
|
|
|
|
|
queueCtx, cancel := context.WithTimeout(ctx, s.queueConfig.Timeout)
|
|
|
|
|
|
defer cancel()
|
2025-07-01 17:22:55 +08:00
|
|
|
|
|
2025-08-27 00:40:22 +08:00
|
|
|
|
done := make(chan struct{})
|
|
|
|
|
|
wrappedRunnable := func() {
|
|
|
|
|
|
defer close(done)
|
|
|
|
|
|
runnable(queueCtx)
|
2025-07-01 17:22:55 +08:00
|
|
|
|
}
|
2025-08-27 00:40:22 +08:00
|
|
|
|
|
|
|
|
|
|
// Retry enqueueing with backoff, respecting the timeout context.
|
|
|
|
|
|
boff := backoff.New(queueCtx, backoff.Config{
|
|
|
|
|
|
MinBackoff: s.queueConfig.MinBackoff,
|
|
|
|
|
|
MaxBackoff: s.queueConfig.MaxBackoff,
|
|
|
|
|
|
MaxRetries: s.queueConfig.MaxRetries,
|
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
|
|
for {
|
|
|
|
|
|
err := s.queue.Enqueue(queueCtx, tenantID, wrappedRunnable)
|
2025-07-01 17:22:55 +08:00
|
|
|
|
if err == nil {
|
2025-08-27 00:40:22 +08:00
|
|
|
|
// Successfully enqueued.
|
2025-07-01 17:22:55 +08:00
|
|
|
|
break
|
|
|
|
|
|
}
|
2025-08-27 00:40:22 +08:00
|
|
|
|
|
|
|
|
|
|
s.log.Warn("failed to enqueue runnable, retrying", "tenantID", tenantID, "error", err)
|
|
|
|
|
|
if !boff.Ongoing() {
|
|
|
|
|
|
// Backoff finished (retries exhausted or context canceled).
|
|
|
|
|
|
return fmt.Errorf("failed to enqueue for tenant %s: %w", tenantID, err)
|
|
|
|
|
|
}
|
2025-07-01 17:22:55 +08:00
|
|
|
|
boff.Wait()
|
|
|
|
|
|
}
|
2025-08-27 00:40:22 +08:00
|
|
|
|
|
|
|
|
|
|
// Wait for the runnable to complete or for the context to be done.
|
|
|
|
|
|
select {
|
|
|
|
|
|
case <-done:
|
|
|
|
|
|
return nil // Completed successfully.
|
|
|
|
|
|
case <-queueCtx.Done():
|
|
|
|
|
|
return queueCtx.Err() // Timed out or canceled while waiting for execution.
|
2025-07-01 17:22:55 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
