feat: detect usage of deprecated custom resources in our agent (#418)

* detect usage of deprecated custom resources in our agent

* bump client

* gen mock

* find deprecated object

* linter

* linter

* add unit test

* check served flag

* resolve conflicts

Author: zreigz

cmd/agent/console.go

@@ -54,7 +54,7 @@ func registerConsoleReconcilersOrDie(
 	consoleClient client.Client,
 ) {
 	mgr.AddReconcilerOrDie(service.Identifier, func() (v1.Reconciler, error) {
-		r, err := service.NewServiceReconciler(consoleClient, config, args.ControllerCacheTTL(), args.ManifestCacheTTL(), args.ManifestCacheJitter(), args.RestoreNamespace(), args.ConsoleUrl())
+		r, err := service.NewServiceReconciler(consoleClient, k8sClient, config, args.ControllerCacheTTL(), args.ManifestCacheTTL(), args.ManifestCacheJitter(), args.RestoreNamespace(), args.ConsoleUrl())
 		return r, err
 	})
 

pkg/client/cluster.go

@@ -3,6 +3,7 @@ package client
 import (
 	console "github.com/pluralsh/console/go/client"
 	"github.com/pluralsh/polly/containers"
+	"github.com/samber/lo"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 
@@ -61,7 +62,7 @@ func appendUniqueExternalDNSNamespace(slice []*string, newValue *string) []*stri
 	return sliceSet.List()
 }
 
-func (c *client) RegisterRuntimeServices(svcs map[string]*NamespaceVersion, serviceId *string, serviceMesh *console.ServiceMesh) error {
+func (c *client) RegisterRuntimeServices(svcs map[string]*NamespaceVersion, deprecated []console.DeprecatedCustomResourceAttributes, serviceId *string, serviceMesh *console.ServiceMesh) error {
 	inputs := make([]*console.RuntimeServiceAttributes, 0)
 	var layouts *console.OperationalLayoutAttributes
 	for name, nv := range svcs {
@@ -96,7 +97,7 @@ func (c *client) RegisterRuntimeServices(svcs map[string]*NamespaceVersion, serv
 	}
 
 	layouts = initServiceMesh(layouts, serviceMesh)
-	_, err := c.consoleClient.RegisterRuntimeServices(c.ctx, inputs, layouts, nil, serviceId)
+	_, err := c.consoleClient.RegisterRuntimeServices(c.ctx, inputs, layouts, lo.ToSlicePtr(deprecated), serviceId)
 	return err
 }
 

pkg/client/console.go

@@ -43,7 +43,7 @@ type Client interface {
 	GetCredentials() (url, token string)
 	PingCluster(attributes console.ClusterPing) error
 	Ping(vsn string) error
-	RegisterRuntimeServices(svcs map[string]*NamespaceVersion, serviceId *string, serviceMesh *console.ServiceMesh) error
+	RegisterRuntimeServices(svcs map[string]*NamespaceVersion, deprecated []console.DeprecatedCustomResourceAttributes, serviceId *string, serviceMesh *console.ServiceMesh) error
 	UpsertVirtualCluster(parentID string, attributes console.ClusterAttributes) (*console.GetClusterWithToken_Cluster, error)
 	IsClusterExists(id string) (bool, error)
 	GetCluster(id string) (*console.TinyClusterFragment, error)

pkg/controller/service/reconciler.go

@@ -21,6 +21,7 @@ import (
 	"sigs.k8s.io/cli-utils/pkg/common"
 	"sigs.k8s.io/cli-utils/pkg/inventory"
 	"sigs.k8s.io/cli-utils/pkg/object"
+	ctrclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
@@ -37,6 +38,7 @@ import (
 	manis "github.com/pluralsh/deployment-operator/pkg/manifests"
 	"github.com/pluralsh/deployment-operator/pkg/ping"
 	"github.com/pluralsh/deployment-operator/pkg/websocket"
+	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 )
 
 const (
@@ -60,9 +62,11 @@ type ServiceReconciler struct {
 	restoreNamespace string
 	mapper           meta.RESTMapper
 	pinger           *ping.Pinger
+	apiExtClient     *apiextensionsclient.Clientset
+	k8sClient        ctrclient.Client
 }
 
-func NewServiceReconciler(consoleClient client.Client, config *rest.Config, refresh, manifestTTL, manifestTTLJitter time.Duration, restoreNamespace, consoleURL string) (*ServiceReconciler, error) {
+func NewServiceReconciler(consoleClient client.Client, k8sClient ctrclient.Client, config *rest.Config, refresh, manifestTTL, manifestTTLJitter time.Duration, restoreNamespace, consoleURL string) (*ServiceReconciler, error) {
 	utils.DisableClientLimits(config)
 
 	_, deployToken := consoleClient.GetCredentials()
@@ -80,7 +84,10 @@ func NewServiceReconciler(consoleClient client.Client, config *rest.Config, refr
 	if err != nil {
 		return nil, err
 	}
-
+	apiExtClient, err := apiextensionsclient.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
 	invFactory := inventory.ClusterClientFactory{StatusPolicy: inventory.StatusPolicyNone}
 
 	a, err := newApplier(invFactory, f)
@@ -109,6 +116,8 @@ func NewServiceReconciler(consoleClient client.Client, config *rest.Config, refr
 		pinger:           ping.New(consoleClient, discoveryClient, f),
 		restoreNamespace: restoreNamespace,
 		mapper:           mapper,
+		apiExtClient:     apiExtClient,
+		k8sClient:        k8sClient,
 	}, nil
 }
 
@@ -273,14 +282,16 @@ func (s *ServiceReconciler) Poll(ctx context.Context) error {
 	}
 
 	pager := s.ListServices(ctx)
+
 	for pager.HasNext() {
 		services, err := pager.NextPage()
 		if err != nil {
 			logger.Error(err, "failed to fetch service list from deployments service")
 			return err
 		}
 		for _, svc := range services {
-			// If services arg is provided, we can skip services that are not on the list.
+			// If services arg is provided, we can skip
+			// services that are not on the list.
 			if args.SkipService(svc.Node.ID) {
 				continue
 			}

pkg/controller/service/reconciler_scraper.go

@@ -2,10 +2,17 @@ package service
 
 import (
 	"context"
+	"fmt"
+	"sort"
 	"strings"
 
 	"github.com/Masterminds/semver/v3"
+	console "github.com/pluralsh/console/go/client"
+	v1 "github.com/pluralsh/deployment-operator/pkg/controller/v1"
+	"github.com/pluralsh/deployment-operator/pkg/scraper"
+	"github.com/samber/lo"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/pluralsh/deployment-operator/pkg/cache"
@@ -47,8 +54,7 @@ func (s *ServiceReconciler) ScrapeKube(ctx context.Context) {
 
 	serviceMesh := cache.ServiceMesh(hasEBPFDaemonSet)
 	logger.Info("detected service mesh", "serviceMesh", serviceMesh)
-
-	if err := s.consoleClient.RegisterRuntimeServices(runtimeServices, nil, serviceMesh); err != nil {
+	if err := s.consoleClient.RegisterRuntimeServices(runtimeServices, s.GetDeprecatedCustomResources(ctx), nil, serviceMesh); err != nil {
 		logger.Error(err, "failed to register runtime services, this is an ignorable error but could mean your console needs to be upgraded")
 	}
 }
@@ -100,3 +106,112 @@ func addVersion(services map[string]*client.NamespaceVersion, name, vsn string)
 		services[name].Version = vsn
 	}
 }
+
+func (s *ServiceReconciler) getVersionedCrd(ctx context.Context) (map[string][]v1.NormalizedVersion, error) {
+	crdList, err := s.apiExtClient.ApiextensionsV1().CustomResourceDefinitions().List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	crdVersionsMap := make(map[string][]v1.NormalizedVersion, len(crdList.Items))
+	for _, crd := range crdList.Items {
+		kind := crd.Spec.Names.Kind
+		group := crd.Spec.Group
+		groupKind := fmt.Sprintf("%s/%s", group, kind)
+		var parsedVersions []v1.NormalizedVersion
+		for _, v := range crd.Spec.Versions {
+			parsed, ok := v1.ParseVersion(v.Name)
+			if !ok {
+				continue
+			}
+			// flag enabling/disabling this version from being served via REST APIs
+			if !v.Served {
+				continue
+			}
+			parsedVersions = append(parsedVersions, *parsed)
+		}
+		sort.Slice(parsedVersions, func(i, j int) bool {
+			return v1.CompareVersions(parsedVersions[i], parsedVersions[j])
+		})
+		crdVersionsMap[groupKind] = parsedVersions
+	}
+
+	return crdVersionsMap, nil
+}
+
+func (s *ServiceReconciler) GetDeprecatedCustomResources(ctx context.Context) []console.DeprecatedCustomResourceAttributes {
+	logger := log.FromContext(ctx)
+	crds, err := s.getVersionedCrd(ctx)
+	if err != nil {
+		logger.Error(err, "failed to retrieve versioned CRDs")
+		return nil
+	}
+
+	var deprecated []console.DeprecatedCustomResourceAttributes
+	for groupKind, versions := range crds {
+		gkList := strings.Split(groupKind, "/")
+		if len(gkList) != 2 {
+			continue
+		}
+		group := gkList[0]
+		kind := gkList[1]
+		d := s.getDeprecatedCustomResourceObjects(ctx, versions, group, kind)
+		deprecated = append(deprecated, d...)
+	}
+	return deprecated
+}
+
+func (s *ServiceReconciler) getDeprecatedCustomResourceObjects(ctx context.Context, versions []v1.NormalizedVersion, group, kind string) []console.DeprecatedCustomResourceAttributes {
+	var deprecatedCustomResourceAttributes []console.DeprecatedCustomResourceAttributes
+	versionPairs := getVersionPairs(versions)
+	for _, version := range versionPairs {
+		gvk := schema.GroupVersionKind{
+			Group:   group,
+			Version: version.PreviousVersion,
+			Kind:    kind,
+		}
+
+		pager := scraper.ListResources(ctx, s.k8sClient, gvk, nil)
+		for pager.HasNext() {
+			items, err := pager.NextPage()
+			if err != nil {
+				break
+			}
+			for _, item := range items {
+				attr := console.DeprecatedCustomResourceAttributes{
+					Group:       group,
+					Kind:        kind,
+					Name:        item.GetName(),
+					Version:     version.PreviousVersion,
+					NextVersion: version.LatestVersion,
+				}
+				if item.GetNamespace() != "" {
+					attr.Namespace = lo.ToPtr(item.GetNamespace())
+				}
+				deprecatedCustomResourceAttributes = append(deprecatedCustomResourceAttributes, attr)
+			}
+		}
+	}
+	return deprecatedCustomResourceAttributes
+}
+
+type VersionPair struct {
+	LatestVersion   string
+	PreviousVersion string
+}
+
+func getVersionPairs(versions []v1.NormalizedVersion) []VersionPair {
+	// Helper function for creating VersionPair
+	createVersionPair := func(latest, previous v1.NormalizedVersion) VersionPair {
+		return VersionPair{
+			LatestVersion:   latest.Raw,
+			PreviousVersion: previous.Raw,
+		}
+	}
+
+	versionPairs := make([]VersionPair, 0, len(versions)-1) // Preallocate slice capacity
+	for i := 0; i < len(versions)-1; i++ {
+		versionPair := createVersionPair(versions[i], versions[i+1])
+		versionPairs = append(versionPairs, versionPair)
+	}
+	return versionPairs
+}

pkg/controller/service/reconciler_scraper_test.go

@@ -0,0 +1,70 @@
+package service_test
+
+import (
+	"context"
+	"time"
+
+	"github.com/pluralsh/deployment-operator/pkg/controller/service"
+	"github.com/pluralsh/deployment-operator/pkg/test/mocks"
+	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Scraper", Ordered, func() {
+	Context("When reconciling a resource", func() {
+		const (
+			resourceName = "default"
+			namespace    = "default"
+		)
+
+		ctx := context.Background()
+
+		typeNamespacedName := types.NamespacedName{
+			Name:      resourceName,
+			Namespace: "default",
+		}
+
+		backup := &velerov1.Backup{}
+
+		BeforeAll(func() {
+			By("creating the custom resource for the Kind Backup")
+			err := kClient.Get(ctx, typeNamespacedName, backup)
+			if err != nil && errors.IsNotFound(err) {
+				resource := &velerov1.Backup{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      resourceName,
+						Namespace: namespace,
+					},
+					Spec: velerov1.BackupSpec{},
+				}
+				Expect(kClient.Create(ctx, resource)).To(Succeed())
+			}
+		})
+
+		AfterAll(func() {
+			resource := &velerov1.Backup{}
+			err := kClient.Get(ctx, typeNamespacedName, resource)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Cleanup the specific resource instance Backup")
+			Expect(kClient.Delete(ctx, resource)).To(Succeed())
+		})
+
+		It("should return deprecated resources", func() {
+			fakeConsoleClient := mocks.NewClientMock(mocks.TestingT)
+			fakeConsoleClient.On("GetCredentials").Return("", "")
+
+			reconciler, err := service.NewServiceReconciler(fakeConsoleClient, kClient, cfg, time.Minute, time.Minute, time.Minute, namespace, "http://localhost:8080")
+			Expect(err).NotTo(HaveOccurred())
+			ds := reconciler.GetDeprecatedCustomResources(ctx)
+			Expect(ds).To(HaveLen(1))
+			Expect(ds[0].Version).To(Equal("v1"))
+			Expect(ds[0].NextVersion).To(Equal("v2alpha1"))
+		})
+	})
+})

pkg/controller/service/reconciler_test.go

@@ -107,7 +107,7 @@ var _ = Describe("Reconciler", Ordered, func() {
 			fakeConsoleClient.On("UpdateComponents", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil)
 			fakeConsoleClient.On("UpdateServiceErrors", mock.Anything, mock.Anything).Return(nil)
 
-			reconciler, err := service.NewServiceReconciler(fakeConsoleClient, cfg, time.Minute, time.Minute, time.Second*10, namespace, "http://localhost:8080")
+			reconciler, err := service.NewServiceReconciler(fakeConsoleClient, kClient, cfg, time.Minute, time.Minute, time.Second*10, namespace, "http://localhost:8080")
 			Expect(err).NotTo(HaveOccurred())
 			_, err = reconciler.Reconcile(ctx, serviceId)
 			Expect(err).NotTo(HaveOccurred())

pkg/controller/service/suite_test.go

@@ -22,13 +22,11 @@ import (
 	"runtime"
 	"testing"
 
-	"k8s.io/client-go/rest"
-
-	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
-
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"