diff --git a/controllers/account/api/v1/debt_webhook.go b/controllers/account/api/v1/debt_webhook.go index dc785c74989..d4ee33b9427 100644 --- a/controllers/account/api/v1/debt_webhook.go +++ b/controllers/account/api/v1/debt_webhook.go @@ -53,7 +53,7 @@ const ( var logger = logf.Log.WithName("debt-resource") -//+kubebuilder:webhook:path=/validate-v1-sealos-cloud,mutating=true,failurePolicy=ignore,groups="*",resources=*,verbs=create;update;delete,versions=v1,name=debt.sealos.io,admissionReviewVersions=v1,sideEffects=None +//+kubebuilder:webhook:path=/validate-v1-sealos-cloud,mutating=false,failurePolicy=ignore,groups="*",resources=*,verbs=create;update;delete,versions=v1,name=debt.sealos.io,admissionReviewVersions=v1,sideEffects=None // +kubebuilder:object:generate=false type DebtValidate struct { diff --git a/controllers/account/config/default/manager_auth_proxy_patch.yaml b/controllers/account/config/default/manager_auth_proxy_patch.yaml index 38cc076acee..4bb68896566 100644 --- a/controllers/account/config/default/manager_auth_proxy_patch.yaml +++ b/controllers/account/config/default/manager_auth_proxy_patch.yaml @@ -40,6 +40,10 @@ spec: runAsNonRoot: true allowPrivilegeEscalation: false env: + - name: DOMAIN + value: '{{ .cloudDomain }}' + - name: PORT + value: '{{ .cloudPort }}' - name: ACCOUNT_NAMESPACE value: "sealos-system" - name: NAMESPACE_NAME diff --git a/controllers/account/config/default/webhookcainjection_patch.yaml b/controllers/account/config/default/webhookcainjection_patch.yaml index 43d0d3c19b6..9ce0d73a49b 100644 --- a/controllers/account/config/default/webhookcainjection_patch.yaml +++ b/controllers/account/config/default/webhookcainjection_patch.yaml 
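Review bot: The marker for debt.sealos.io keeps `failurePolicy=ignore` together with `groups="*",resources=*`, so with `mutating=false` the webhook is now a pure allow/deny gate that fails open. Whenever the endpoint is unreachable or times out, create/update/delete requests are admitted without the debt check. If that trade-off is deliberate, record it above the marker, for example `// failurePolicy=ignore: debt enforcement is best-effort, requests are admitted while the webhook is unavailable`, and alert on webhook call failures so that a silent bypass is visible. The handler that implements DebtValidate is outside this hunk.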
@@ -1,9 +1,9 @@ # This patch add annotation to admission webhook config and # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration +kind: ValidatingWebhookConfiguration metadata: - name: mutating-webhook-configuration + name: validating-webhook-configuration annotations: cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) diff --git a/controllers/account/config/manager/manager.yaml b/controllers/account/config/manager/manager.yaml index 29e6e70a74a..8c968e8ce43 100644 --- a/controllers/account/config/manager/manager.yaml +++ b/controllers/account/config/manager/manager.yaml @@ -16,7 +16,7 @@ spec: selector: matchLabels: control-plane: controller-manager - replicas: 3 + replicas: 1 template: metadata: annotations: @@ -53,9 +53,9 @@ spec: resources: limits: cpu: 1000m - memory: 1000Mi + memory: 1024Mi requests: cpu: 100m - memory: 640Mi + memory: 64Mi serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/controllers/account/config/webhook/kustomizeconfig.yaml b/controllers/account/config/webhook/kustomizeconfig.yaml index 25e21e3c963..e809f78208e 100644 --- a/controllers/account/config/webhook/kustomizeconfig.yaml +++ b/controllers/account/config/webhook/kustomizeconfig.yaml @@ -4,18 +4,11 @@ nameReference: - kind: Service version: v1 fieldSpecs: - - kind: MutatingWebhookConfiguration - group: admissionregistration.k8s.io - path: webhooks/clientConfig/service/name - kind: ValidatingWebhookConfiguration group: admissionregistration.k8s.io path: webhooks/clientConfig/service/name namespace: -- kind: MutatingWebhookConfiguration - group: admissionregistration.k8s.io - path: webhooks/clientConfig/service/namespace - create: true - kind: ValidatingWebhookConfiguration group: admissionregistration.k8s.io path: webhooks/clientConfig/service/namespace 
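Review bot: In manager.yaml, `replicas: 1` leaves the admission webhook served by a single manager pod, and the second hunk drops the memory request from `640Mi` to `64Mi` while the limit goes to `1024Mi`. A request that far below the limit makes the pod an early candidate for eviction under node memory pressure. Because the webhook marker in debt_webhook.go in this same diff uses `failurePolicy=ignore`, every restart or eviction of that one pod is a window in which requests skip debt validation. If `64Mi` is intended rather than a slip from `640Mi`, add a comment such as `# request sized from observed idle usage; limit allows bursts`, and consider keeping more than one replica if the manager can run with leader election.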
diff --git a/controllers/account/config/webhook/manifests.yaml b/controllers/account/config/webhook/manifests.yaml index c32d250667e..fe87541c706 100644 --- a/controllers/account/config/webhook/manifests.yaml +++ b/controllers/account/config/webhook/manifests.yaml @@ -1,9 +1,9 @@ --- apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration +kind: ValidatingWebhookConfiguration metadata: creationTimestamp: null - name: mutating-webhook-configuration + name: validating-webhook-configuration webhooks: - admissionReviewVersions: - v1 diff --git a/controllers/account/controllers/account_controller.go b/controllers/account/controllers/account_controller.go index 85b8eb3406e..ced46418200 100644 --- a/controllers/account/controllers/account_controller.go +++ b/controllers/account/controllers/account_controller.go @@ -117,7 +117,7 @@ func (r *AccountReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct return ctrl.Result{}, nil } - account, err := r.syncAccount(ctx, owner, r.AccountSystemNamespace, payment.Namespace) + account, err := r.syncAccount(ctx, payment.Spec.UserID, r.AccountSystemNamespace, payment.Namespace) if err != nil { return ctrl.Result{}, fmt.Errorf("get account failed: %v", err) } @@ -219,7 +219,7 @@ func (r *AccountReconciler) syncAccount(ctx context.Context, owner, accountNames } return nil }); err != nil { - return nil, err + return nil, fmt.Errorf("failed to create account %v, err: %v", account, err) } if owner != getUsername(userNamespace) { return &account, nil diff --git a/controllers/account/controllers/debt_controller.go b/controllers/account/controllers/debt_controller.go index 4d7af89e90f..4d0cb9eaba3 100644 --- a/controllers/account/controllers/debt_controller.go +++ b/controllers/account/controllers/debt_controller.go 
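Review bot: In Reconcile, the account to sync is now taken from `payment.Spec.UserID`, a field of the Payment object itself, so whoever can write a Payment chooses which account is looked up or created. The only comparison visible here is in syncAccount, where `owner != getUsername(userNamespace)` returns the account early rather than rejecting the request. If tenants can create Payment objects in their own namespaces, check the UserID against the namespace's recorded owner (for example the `user.sealos.io/owner` label used elsewhere in this diff) before calling syncAccount, or enforce it in the admission webhook. How `owner` was derived before this change is outside the hunk.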
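Review bot: In syncAccount, the new `fmt.Errorf("failed to create account %v, err: %v", account, err)` prints the whole account object into the error string and formats the cause with `%v`. Callers therefore cannot use `errors.Is`/`errors.As` on the result, and whatever fields the object carries end up in controller logs. Assuming `account` has the usual object metadata, prefer `return nil, fmt.Errorf("create account %s: %w", account.Name, err)`. The function body starts and ends outside this hunk.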
@@ -320,7 +320,7 @@ var NoticeTemplate = map[int]string{ func (r *DebtReconciler) sendNotice(ctx context.Context, noticeType int, namespaces []string) error { now := time.Now().UTC().Unix() - ntf := v1.Notification{ + ntfTmp := &v1.Notification{ ObjectMeta: metav1.ObjectMeta{ Name: "debt-notice" + strconv.Itoa(noticeType), }, @@ -333,8 +333,9 @@ func (r *DebtReconciler) sendNotice(ctx context.Context, noticeType int, namespa }, } for i := range namespaces { + ntf := ntfTmp.DeepCopy() ntf.Namespace = namespaces[i] - if _, err := controllerutil.CreateOrUpdate(ctx, r.Client, &ntf, func() error { + if _, err := controllerutil.CreateOrUpdate(ctx, r.Client, ntf, func() error { return nil }); err != nil { return err diff --git a/controllers/account/deploy/manifests/deploy.yaml.tmpl b/controllers/account/deploy/manifests/deploy.yaml.tmpl index 7ef5b9265bd..0ad4cab9cdc 100644 --- a/controllers/account/deploy/manifests/deploy.yaml.tmpl +++ b/controllers/account/deploy/manifests/deploy.yaml.tmpl @@ -1259,15 +1259,15 @@ spec: - /manager env: - name: DOMAIN - value: {{ .cloudDomain }} + value: '{{ .cloudDomain }}' - name: PORT - value: "{{ .cloudPort }}" + value: '{{ .cloudPort }}' - name: ACCOUNT_NAMESPACE value: sealos-system - name: NAMESPACE_NAME value: user-system - name: NEW_ACCOUNT_AMOUNT - value: "ri79LzQiQrs6CVa1ctE308+AseBXbOua0RIMCXAH5hc3irs=" + value: ri79LzQiQrs6CVa1ctE308+AseBXbOua0RIMCXAH5hc3irs= - name: WHITELIST value: notifications.Notification.notification.sealos.io/v1,payments.Payment.account.sealos.io/v1,billingrecordqueries.BillingRecordQuery.account.sealos.io/v1,billinginfoqueries.BillingInfoQuery.account.sealos.io/v1,pricequeries.PriceQuery.account.sealos.io/v1 - name: ACCOUNT_SYSTEM_NAMESPACE 
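Review bot: In sendNotice, the mutate callback passed to `controllerutil.CreateOrUpdate` is still `func() error { return nil }`, so the per-namespace `DeepCopy` fixes the shared-object reuse but an already existing `debt-notice` object is never refreshed. CreateOrUpdate reads the existing object into `ntf` before calling the callback, which overwrites the spec prepared in `ntfTmp`, and with no mutation nothing is written back. Set the desired state inside the callback instead, for example `func() error { ntf.Spec = ntfTmp.Spec; return nil }`. Separately, `return err` inside the loop stops at the first failing namespace, so the remaining namespaces get no notice; collecting the errors and continuing may be preferable. The rest of the loop and the spec literal are outside these hunks.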
@@ -1380,11 +1380,11 @@ spec: selfSigned: {} --- apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration +kind: ValidatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: account-system/account-serving-cert - name: account-mutating-webhook-configuration + name: account-validating-webhook-configuration webhooks: - admissionReviewVersions: - v1 @@ -1398,12 +1398,8 @@ webhooks: name: debt.sealos.io namespaceSelector: matchExpressions: - - key: metadata.name - operator: NotIn - values: - - account-system - - kube-system - - calico-system + - key: user.sealos.io/owner + operator: Exists rules: - apiGroups: - '*'
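Review bot: The new `namespaceSelector` in deploy.yaml.tmpl makes debt validation opt-in by label: only namespaces carrying `user.sealos.io/owner` are sent to debt.sealos.io. A namespace created without that label, or one whose label is later removed, is never checked. Confirm that the label is applied by the controller when the namespace is created and that tenants cannot patch labels on their own Namespace objects. A comment next to the selector, such as `# only user-owned namespaces are subject to debt checks; label is set by the user controller`, would help. If this file is generated from config/webhook, the selector change is not visible in the manifests.yaml hunk of this diff and would be lost on regeneration.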