Update code logic

.asf.yaml

@@ -34,6 +34,7 @@ github:
       # only disable force push
       # foo: bar
   labels:
+    - grpc
     - dubbo
     - consul
     - dubbo-go-pixiu

dubbod/planet/pkg/bootstrap/server.go

@@ -100,8 +100,9 @@ type Server struct {
 	httpMux     *http.ServeMux
 	httpsMux    *http.ServeMux // webhooks
 
-	ConfigStores           []model.ConfigStoreController
-	configController       model.ConfigStoreController
+	ConfigStores     []model.ConfigStoreController
+	configController model.ConfigStoreController
+
 	multiclusterController *multicluster.Controller
 
 	fileWatcher filewatcher.FileWatcher

dubbod/security/pkg/credentialfetcher/fetcher.go

@@ -23,6 +23,8 @@ import (
 	"github.com/apache/dubbo-kubernetes/pkg/security"
 )
 
+// If the credential generator does not have a JWT or is not configured with any secure credentials,
+// it will obtain them from the Kubernetes token plugin.
 func NewCredFetcher(credtype string) (security.CredFetcher, error) {
 	switch credtype {
 	case security.JWT, "":

dubbod/security/pkg/credentialfetcher/plugin/token.go

@@ -31,6 +31,7 @@ type KubernetesTokenPlugin struct {
 
 func CreateTokenPlugin() *KubernetesTokenPlugin {
 	return &KubernetesTokenPlugin{
+		// e.g: /var/run/secrets/kubernetes.io/serviceaccount/token
 		path: "",
 	}
 }

dubbod/security/pkg/k8s/configutil.go

@@ -61,6 +61,10 @@ func InsertDataToConfigMap(client kclient.Client[*v1.ConfigMap], meta metav1.Obj
 	return nil
 }
 
+// Plugin new data into the ConfigMap.
+// Returns true if the content has changed.
+// Returns false if the content is exactly the same.
+// Avoids meaningless updates.
 func insertData(cm *v1.ConfigMap, data map[string]string) bool {
 	if cm.Data == nil {
 		cm.Data = data

dubbod/security/pkg/k8s/controller/casecret.go

@@ -22,6 +22,9 @@ type CaSecretController struct {
 	client corev1.CoreV1Interface
 }
 
+// Create a CA certificate secret
+// Rotate CAs
+// Synchronize CAs to various namespaces
 func NewCaSecretController(core corev1.CoreV1Interface) *CaSecretController {
 	cs := &CaSecretController{
 		client: core,

dubbod/security/pkg/util/certutil.go

@@ -46,14 +46,10 @@ func (cu CertUtilImpl) GetWaitTime(certBytes []byte, now time.Time) (time.Durati
 		return time.Duration(0), fmt.Errorf("certificate already expired at %s, but now is %s",
 			cert.NotAfter, now)
 	}
-	// Note: multiply time.Duration(int64) by an int (gracePeriodPercentage) will cause overflow (e.g.,
-	// when duration is time.Hour * 90000). So float64 is used instead.
 	gracePeriod := time.Duration(float64(cert.NotAfter.Sub(cert.NotBefore)) * (float64(cu.gracePeriodPercentage) / 100))
-	// waitTime is the duration between now and the grace period starts.
-	// It is the time until cert expiration minus the length of grace period.
+
 	waitTime := timeToExpire - gracePeriod
 	if waitTime < 0 {
-		// We are within the grace period.
 		return time.Duration(0), fmt.Errorf("got a certificate that should be renewed now")
 	}
 	return waitTime, nil

manifests/charts/dubbo-control/dubbo-discovery/files/gateway.yaml

@@ -46,7 +46,7 @@ spec:
       serviceAccountName: {{ .ServiceAccount }}
       containers:
       - name: dubbo-proxy
-        image: mfordjody/proxyadapter:0.3.1-debug
+        image: mfordjody/proxyadapter:0.3.2-debug
         imagePullPolicy: Always
         ports:
         - containerPort: 15020

manifests/charts/dubbo-control/dubbo-discovery/templates/deployment.yaml

@@ -19,7 +19,7 @@ spec:
       serviceAccountName: dubbod
       containers:
         - name: discovery
-          image: "mfordjody/planet:0.3.1-debug"
+          image: "mfordjody/planet:0.3.2-debug"
           imagePullPolicy: Always
           args:
             - "discovery"

pkg/config/mesh/mesh.go

@@ -145,6 +145,7 @@ func DefaultMeshGlobalConfig() *meshv1alpha1.MeshGlobalConfig {
 
 func DefaultProxyConfig() *meshv1alpha1.ProxyConfig {
 	return &meshv1alpha1.ProxyConfig{
+		ConfigPath:             constants.ConfigPathDir,
 		DiscoveryAddress:       "dubbod.dubbo-system.svc:15012",
 		ControlPlaneAuthPolicy: meshv1alpha1.AuthenticationPolicy_MUTUAL_TLS,
 		StatusPort:             15020,

pkg/dubbo-agent/agent.go

@@ -125,8 +125,6 @@ func NewAgent(proxyConfig *mesh.ProxyConfig, agentOpts *AgentOptions, sopts *sec
 }
 
 func (a *Agent) Run(ctx context.Context) (func(), error) {
-	// TODO initLocalDNSServer?
-
 	if a.cfg.WorkloadIdentitySocketFile != filepath.Base(a.cfg.WorkloadIdentitySocketFile) {
 		return nil, fmt.Errorf("workload identity socket file override must be a filename, not a path: %s", a.cfg.WorkloadIdentitySocketFile)
 	}

pkg/kube/inject/inject.go

@@ -114,7 +114,7 @@ func RunTemplate(params InjectionParameters) (mergedPod *corev1.Pod, templatePod
 		MeshGlobalConfig: meshGlobalConfig,
 		Values:           params.valuesConfig.asMap,
 		Revision:         params.revision,
-		ProxyImage:       getProxyImage(params.valuesConfig.asMap, "mfordjody/proxyadapter:0.3.1-debug"),
+		ProxyImage:       getProxyImage(params.valuesConfig.asMap, "mfordjody/proxyadapter:0.3.2-debug"),
 		CompliancePolicy: common_features.CompliancePolicy,
 	}
 

pkg/security/security.go

@@ -18,14 +18,12 @@ package security
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 
-	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/peer"
 
 	dubbolog "github.com/apache/dubbo-kubernetes/pkg/log"
@@ -56,9 +54,7 @@ const (
 )
 
 const (
-	BearerTokenPrefix = "Bearer "
-	K8sTokenPrefix    = "Dubbo "
-	CertSigner        = "CertSigner"
+	CertSigner = "CertSigner"
 )
 
 type AuthContext struct {
@@ -94,11 +90,6 @@ type AuthSource int
 
 const (
 	AuthSourceClientCertificate AuthSource = iota
-	AuthSourceIDToken
-)
-
-const (
-	authorizationMeta = "authorization"
 )
 
 type KubernetesInfo struct {
@@ -235,42 +226,6 @@ func CheckWorkloadCertificate(certChainFilePath, keyFilePath, rootCertFilePath s
 	return true
 }
 
-func ExtractBearerToken(ctx context.Context) (string, error) {
-	md, ok := metadata.FromIncomingContext(ctx)
-	if !ok {
-		return "", fmt.Errorf("no metadata is attached")
-	}
-
-	authHeader, exists := md[authorizationMeta]
-	if !exists {
-		return "", fmt.Errorf("no HTTP authorization header exists")
-	}
-
-	for _, value := range authHeader {
-		if strings.HasPrefix(value, BearerTokenPrefix) {
-			return strings.TrimPrefix(value, BearerTokenPrefix), nil
-		}
-	}
-
-	return "", fmt.Errorf("no bearer token exists in HTTP authorization header")
-}
-
-func ExtractRequestToken(req *http.Request) (string, error) {
-	value := req.Header.Get(authorizationMeta)
-	if value == "" {
-		return "", fmt.Errorf("no HTTP authorization header exists")
-	}
-
-	if strings.HasPrefix(value, BearerTokenPrefix) {
-		return strings.TrimPrefix(value, BearerTokenPrefix), nil
-	}
-	if strings.HasPrefix(value, K8sTokenPrefix) {
-		return strings.TrimPrefix(value, K8sTokenPrefix), nil
-	}
-
-	return "", fmt.Errorf("no bearer token exists in HTTP authorization header")
-}
-
 // GetConnectionAddress extracts the peer address from the gRPC context.
 // It returns "unknown" if the peer information is not available.
 func GetConnectionAddress(ctx context.Context) string {