diff --git a/controllers/terminal/api/v1/terminal_types.go b/controllers/terminal/api/v1/terminal_types.go index 49701dd8bcf..97b6dca1006 100644 --- a/controllers/terminal/api/v1/terminal_types.go +++ b/controllers/terminal/api/v1/terminal_types.go @@ -56,6 +56,7 @@ type TerminalSpec struct { type TerminalStatus struct { AvailableReplicas int32 `json:"availableReplicas"` ServiceName string `json:"serviceName"` + SecretHeader string `json:"secretHeader"` Domain string `json:"domain"` } @@ -64,7 +65,6 @@ type TerminalStatus struct { //+kubebuilder:printcolumn:name="User",type=string,JSONPath=".spec.user" //+kubebuilder:printcolumn:name="Keepalived",type=string,JSONPath=".spec.keepalived" //+kubebuilder:printcolumn:name="Domain",type=string,JSONPath=".status.domain" -//+kubebuilder:printcolumn:name="APIServer",priority=1,type=string,JSONPath=".spec.apiServer" //+kubebuilder:printcolumn:name="LastUpdateTime",priority=1,type=string,JSONPath=".metadata.annotations.lastUpdateTime" //+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" diff --git a/controllers/terminal/config/crd/bases/terminal.sealos.io_terminals.yaml b/controllers/terminal/config/crd/bases/terminal.sealos.io_terminals.yaml index bb422284113..4ef9bcee596 100644 --- a/controllers/terminal/config/crd/bases/terminal.sealos.io_terminals.yaml +++ b/controllers/terminal/config/crd/bases/terminal.sealos.io_terminals.yaml @@ -38,10 +38,6 @@ spec: - jsonPath: .status.domain name: Domain type: string - - jsonPath: .spec.apiServer - name: APIServer - priority: 1 - type: string - jsonPath: .metadata.annotations.lastUpdateTime name: LastUpdateTime priority: 1 @@ -107,11 +103,14 @@ spec: type: integer domain: type: string + secretHeader: + type: string serviceName: type: string required: - availableReplicas - domain + - secretHeader - serviceName type: object type: object 
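Review bot: The new `SecretHeader` status field has no doc comment although it is user-visible through the generated CRD and, judging by the ingress and deployment changes elsewhere in this commit, is what lets the terminal pod distinguish proxied requests from direct ones; add `// SecretHeader is the name of the HTTP header the ingress injects so the terminal can recognise proxied traffic. Set by the controller; not meant to be edited by users.` above it. Making `secretHeader` a required property of `status` also means that, in a rollout where the new CRD lands before the new controller, status writes from the old controller (which never sets the field) will presumably be rejected by the apiserver — worth confirming the upgrade order or leaving it optional for one release. The `TerminalStatus` struct and the CRD schema both start outside this hunk.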
diff --git a/controllers/terminal/controllers/ingress.go b/controllers/terminal/controllers/ingress.go index 5f51091e5be..4ddaa93d563 100644 --- a/controllers/terminal/controllers/ingress.go +++ b/controllers/terminal/controllers/ingress.go @@ -37,6 +37,15 @@ if ($flag = '02'){ return 403; }` func (r *TerminalReconciler) createNginxIngress(terminal *terminalv1.Terminal, host string) *networkingv1.Ingress { cors := fmt.Sprintf("https://%s,https://*.%s", r.CtrConfig.Global.CloudDomain+r.getPort(), r.CtrConfig.Global.CloudDomain+r.getPort()) + secretHeader := terminal.Status.SecretHeader + configurationSnippet := safeConfigurationSnippet + ` +proxy_set_header Authorization ""; +proxy_set_header ` + secretHeader + ` "1";` + + higressReqHeaderUpdate := ` +Authorization "" +` + secretHeader + ` "1"` + objectMeta := metav1.ObjectMeta{ Name: terminal.Name, Namespace: terminal.Namespace, @@ -50,7 +59,8 @@ func (r *TerminalReconciler) createNginxIngress(terminal *terminalv1.Terminal, h "nginx.ingress.kubernetes.io/cors-allow-origin": cors, "nginx.ingress.kubernetes.io/cors-allow-methods": "PUT, GET, POST, PATCH, OPTIONS", "nginx.ingress.kubernetes.io/cors-allow-credentials": "false", - "nginx.ingress.kubernetes.io/configuration-snippet": safeConfigurationSnippet, + "nginx.ingress.kubernetes.io/configuration-snippet": configurationSnippet, + "higress.io/request-header-control-update": higressReqHeaderUpdate, }, } diff --git a/controllers/terminal/controllers/terminal_controller.go b/controllers/terminal/controllers/terminal_controller.go index 355d034924a..8035da62a65 100644 --- a/controllers/terminal/controllers/terminal_controller.go +++ b/controllers/terminal/controllers/terminal_controller.go @@ -18,6 +18,7 @@ package controllers import ( "context" + "strings" "time" "github.com/jaevor/go-nanoid" 
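Review bot: `terminal.Status.SecretHeader` is concatenated verbatim into the `nginx.ingress.kubernetes.io/configuration-snippet` value (`proxy_set_header ` + secretHeader + ` "1";`), so any principal able to write the Terminal status subresource can place arbitrary nginx directives in the generated ingress — the same snippet-injection path that ingress-nginx's `allow-snippet-annotations` setting exists to block; whether a tenant has that RBAC is not visible here. Validate at the point of use before building either annotation, e.g. `if !validSecretHeader.MatchString(secretHeader) { return nil }` with `validSecretHeader = regexp.MustCompile("^X-SEALOS-[A-Z0-9]{5}$")` (or leave the snippet at `safeConfigurationSnippet` on mismatch so the pod fails closed), since the same string also feeds `higress.io/request-header-control-update`. A caveat worth a comment: on ingress-nginx ≥ 1.9 snippet annotations are disabled by default, in which case the `proxy_set_header` lines are silently dropped and the terminal will presumably reject every request. `safeConfigurationSnippet` and `getPort` are defined outside this hunk.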
@@ -32,9 +33,11 @@ import ( "k8s.io/client-go/rest" "k8s.io/client-go/tools/record" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/predicate" "github.com/labring/sealos/controllers/pkg/utils/label" terminalv1 "github.com/labring/sealos/controllers/terminal/api/v1" @@ -65,6 +68,10 @@ const ( MemoryLimit = "256Mi" ) +const ( + SecretHeaderPrefix = "X-SEALOS-" +) + // TerminalReconciler reconciles a Terminal object type TerminalReconciler struct { client.Client @@ -123,6 +130,13 @@ func (r *TerminalReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c } } + if terminal.Status.SecretHeader == "" { + terminal.Status.SecretHeader = r.generateSecretHeader() + if err := r.Status().Update(ctx, terminal); err != nil { + return ctrl.Result{}, err + } + } + recLabels := label.RecommendedLabels(&label.Recommended{ Name: terminal.Name, ManagedBy: label.DefaultManagedBy, @@ -262,6 +276,8 @@ func (r *TerminalReconciler) syncDeployment(ctx context.Context, terminal *termi {Name: "USER_TOKEN", Value: terminal.Spec.Token}, {Name: "NAMESPACE", Value: terminal.Namespace}, {Name: "USER_NAME", Value: terminal.Spec.User}, + // Add secret header + {Name: "AUTH_HEADER", Value: terminal.Status.SecretHeader}, } containers = []corev1.Container{ 
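Review bot: In Reconcile the header is only generated when `terminal.Status.SecretHeader == ""`, so a pre-existing value is trusted without checking that it has the `X-SEALOS-` + 5-character shape `generateSecretHeader` produces, and the same string is then written into the ingress configuration snippet and into the pod's `AUTH_HEADER` env. Since whoever can write the status subresource controls it, a malformed value should be regenerated rather than propagated: change the condition to `if !secretHeaderRe.MatchString(terminal.Status.SecretHeader) {` with a package-level `var secretHeaderRe = regexp.MustCompile("^X-SEALOS-[A-Z0-9]{5}$")` (`regexp` would need adding to the import block, which this commit already touches). A one-line comment on the block, `// Status is written first so later updates in this reconcile carry the fresh resourceVersion`, would also help if that is the reason it precedes everything else — I can't confirm that from the hunk. Reconcile's body starts and ends outside this hunk.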
@@ -377,12 +393,18 @@ func (r *TerminalReconciler) getPort() string { return ":" + r.CtrConfig.Global.CloudPort } +func (r *TerminalReconciler) generateSecretHeader() string { + return SecretHeaderPrefix + strings.ToUpper(rand.String(5)) +} + // SetupWithManager sets up the controller with the Manager. func (r *TerminalReconciler) SetupWithManager(mgr ctrl.Manager) error { r.recorder = mgr.GetEventRecorderFor("sealos-terminal-controller") r.Config = mgr.GetConfig() return ctrl.NewControllerManagedBy(mgr). - For(&terminalv1.Terminal{}). - Owns(&appsv1.Deployment{}).Owns(&corev1.Service{}).Owns(&networkingv1.Ingress{}). + For(&terminalv1.Terminal{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})). + Owns(&appsv1.Deployment{}, builder.WithPredicates(predicate.ResourceVersionChangedPredicate{})). + Owns(&corev1.Service{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})). + Owns(&networkingv1.Ingress{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})). Complete(r) } diff --git a/controllers/terminal/deploy/manifests/deploy.yaml.tmpl b/controllers/terminal/deploy/manifests/deploy.yaml.tmpl index 51e6eb50941..c92a9e8c6c8 100644 --- a/controllers/terminal/deploy/manifests/deploy.yaml.tmpl +++ b/controllers/terminal/deploy/manifests/deploy.yaml.tmpl @@ -31,10 +31,6 @@ spec: - jsonPath: .status.domain name: Domain type: string - - jsonPath: .spec.apiServer - name: APIServer - priority: 1 - type: string - jsonPath: .metadata.annotations.lastUpdateTime name: LastUpdateTime priority: 1 @@ -91,11 +87,14 @@ spec: type: integer domain: type: string + secretHeader: + type: string serviceName: type: string required: - availableReplicas - domain + - secretHeader - serviceName type: object type: object diff --git a/frontend/providers/terminal/.env.template b/frontend/providers/terminal/.env.template index db591eb4dfa..ab07b515a07 100644 --- a/frontend/providers/terminal/.env.template +++ b/frontend/providers/terminal/.env.template 
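Review bot: `generateSecretHeader` derives the value from `rand.String(5)`; the `rand` import is outside this hunk, but if it is `k8s.io/apimachinery/pkg/util/rand` that is a math/rand-backed generator over a reduced alphanumeric alphabet, giving well under 30 bits of entropy for a string that — given the ingress snippet and the pod's `AUTH_HEADER` — appears to be the only thing distinguishing proxied traffic from a direct in-cluster connection to the terminal Service, and an in-cluster caller could enumerate it. If the header name is meant to act as a shared secret rather than a mere marker, build it from `crypto/rand`, e.g. `SecretHeaderPrefix + strings.ToUpper(hex.EncodeToString(buf[:]))` with 16 random bytes, and note in a doc comment that HTTP header names are case-insensitive, so `strings.ToUpper` is cosmetic. Separately, `GenerationChangedPredicate` on the Terminal drops metadata-only updates, so if keepalive works by touching the `lastUpdateTime` annotation (the printcolumn suggests so) that touch no longer triggers a reconcile — presumably a periodic requeue covers it, which deserves a comment next to the predicate. `getPort`'s body begins outside this hunk.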
@@ -1,4 +1,4 @@ NEXT_PUBLIC_MOCK_KUBECONFIG="" SITE="cloud.sealos.io" -TTYD_IMAGE="docker.io/labring4docker/terminal:1.20.4-6" +TTYD_IMAGE="docker.io/labring4docker/terminal:1.23.2-1" KEEPALIVED="30m" \ No newline at end of file diff --git a/frontend/providers/terminal/deploy/Kubefile b/frontend/providers/terminal/deploy/Kubefile index 148e9ca00c0..56eeff728d9 100644 --- a/frontend/providers/terminal/deploy/Kubefile +++ b/frontend/providers/terminal/deploy/Kubefile @@ -8,7 +8,7 @@ COPY manifests manifests ENV certSecretName="wildcard-cert" ENV cloudDomain="127.0.0.1.nip.io" ENV cloudPort="" -ENV ttydImage="docker.io/labring4docker/terminal:1.20.4-6" +ENV ttydImage="docker.io/labring4docker/terminal:1.23.2-1" ENV keepalived="30m" diff --git a/frontend/providers/terminal/deploy/images/shim/imagelist b/frontend/providers/terminal/deploy/images/shim/imagelist index 766831d1440..94c80fe764a 100644 --- a/frontend/providers/terminal/deploy/images/shim/imagelist +++ b/frontend/providers/terminal/deploy/images/shim/imagelist @@ -1 +1 @@ -docker.io/labring4docker/terminal:1.20.4-6 \ No newline at end of file +docker.io/labring4docker/terminal:1.23.2-1 \ No newline at end of file