Operator: Component server side scope filtering (dapr#7615)

* Operator: Component server side scope filtering

Today, daprd's will receive Component from the operator, regardless of
whether they are scoped for that Component or not. This means that
clients do receive components (including its associated secrets) that
they are not scoped for.

Updates Operator API ComponentUpdate to perform service side Component
Scope filtering based on the authenticated client App ID. When a
Component is de-scoped, daprd will receive a DELETE for the previous
Component manifest. When a Component is scoped-in, daprd will receive an
CREATE for the new Component manifest.

Updates Operator API ListComponents to perform service side Component
Scope filtering based on the authenticated client App ID.

Uses updated events batcher which ensures queue items are sent in order.

Signed-off-by: joshvanl <[email protected]>

* Add 2 daprds for operator informer tests

Signed-off-by: joshvanl <[email protected]>

* Fix control plane trust domain

Signed-off-by: joshvanl <[email protected]>

* Update github.com/dapr/kit to master

Signed-off-by: joshvanl <[email protected]>

* go mod tidy

Signed-off-by: joshvanl <[email protected]>

* Fix incorrect pointer manifest compare

Signed-off-by: joshvanl <[email protected]>

---------

Signed-off-by: joshvanl <[email protected]>
Co-authored-by: Dapr Bot <[email protected]>
Co-authored-by: Yaron Schneider <[email protected]>
Signed-off-by: Elena Kolevska <[email protected]>

Author: 3 people

pkg/apis/components/v1alpha1/types.go

@@ -15,6 +15,7 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/dapr/dapr/pkg/apis/common"
 	"github.com/dapr/dapr/pkg/apis/components"
@@ -76,6 +77,14 @@ func (c Component) NameValuePairs() []common.NameValuePair {
 	return c.Spec.Metadata
 }
 
+func (c Component) ClientObject() client.Object {
+	return &c
+}
+
+func (c Component) GetScopes() []string {
+	return c.Scopes
+}
+
 // EmptyMetaDeepCopy returns a new instance of the component type with the
 // TypeMeta's Kind and APIVersion fields set.
 func (c Component) EmptyMetaDeepCopy() metav1.Object {

pkg/apis/httpEndpoint/v1alpha1/types.go

@@ -15,6 +15,7 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/dapr/dapr/pkg/apis/common"
 	httpendpoint "github.com/dapr/dapr/pkg/apis/httpEndpoint"
@@ -108,6 +109,14 @@ func (h HTTPEndpoint) HasTLSPrivateKey() bool {
 	return h.Spec.ClientTLS != nil && h.Spec.ClientTLS.PrivateKey != nil && h.Spec.ClientTLS.PrivateKey.Value != nil
 }
 
+func (h HTTPEndpoint) ClientObject() client.Object {
+	return &h
+}
+
+func (h HTTPEndpoint) GetScopes() []string {
+	return h.Scopes
+}
+
 // EmptyMetaDeepCopy returns a new instance of the component type with the
 // TypeMeta's Kind and APIVersion fields set.
 func (h HTTPEndpoint) EmptyMetaDeepCopy() metav1.Object {

pkg/apis/subscriptions/v1alpha1/types.go

@@ -15,6 +15,7 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/dapr/dapr/pkg/apis/common"
 	"github.com/dapr/dapr/pkg/apis/subscriptions"
@@ -107,3 +108,11 @@ func (s Subscription) LogName() string {
 func (s Subscription) NameValuePairs() []common.NameValuePair {
 	return nil
 }
+
+func (s Subscription) ClientObject() client.Object {
+	return &s
+}
+
+func (s Subscription) GetScopes() []string {
+	return s.Scopes
+}

pkg/apis/subscriptions/v2alpha1/types.go

@@ -15,6 +15,7 @@ package v2alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/dapr/dapr/pkg/apis/common"
 	"github.com/dapr/dapr/pkg/apis/subscriptions"
@@ -138,3 +139,11 @@ func (s Subscription) LogName() string {
 func (s Subscription) NameValuePairs() []common.NameValuePair {
 	return nil
 }
+
+func (s Subscription) ClientObject() client.Object {
+	return &s
+}
+
+func (s Subscription) GetScopes() []string {
+	return s.Scopes
+}

pkg/internal/apis/namevaluepair.go

@@ -17,6 +17,7 @@ import (
 	"fmt"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/dapr/dapr/pkg/apis/common"
 )
@@ -61,3 +62,11 @@ func (g GenericNameValueResource) LogName() string {
 func (g GenericNameValueResource) EmptyMetaDeepCopy() metav1.Object {
 	return &metav1.ObjectMeta{Name: g.Name}
 }
+
+func (g GenericNameValueResource) ClientObject() client.Object {
+	return nil
+}
+
+func (g GenericNameValueResource) GetScopes() []string {
+	return nil
+}

pkg/operator/api/api.go

@@ -23,13 +23,16 @@ import (
 	"sync/atomic"
 
 	"google.golang.org/grpc"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	componentsapi "github.com/dapr/dapr/pkg/apis/components/v1alpha1"
 	httpendpointsapi "github.com/dapr/dapr/pkg/apis/httpEndpoint/v1alpha1"
 	subapi "github.com/dapr/dapr/pkg/apis/subscriptions/v2alpha1"
+	"github.com/dapr/dapr/pkg/operator/api/informer"
 	operatorv1pb "github.com/dapr/dapr/pkg/proto/operator/v1"
 	"github.com/dapr/dapr/pkg/security"
+	"github.com/dapr/kit/concurrency"
 	"github.com/dapr/kit/logger"
 )
 
@@ -43,6 +46,7 @@ var log = logger.NewLogger("dapr.operator.api")
 
 type Options struct {
 	Client   client.Client
+	Cache    cache.Cache
 	Security security.Provider
 	Port     int
 }
@@ -51,33 +55,36 @@ type Options struct {
 type Server interface {
 	Run(context.Context) error
 	Ready(context.Context) error
-	OnComponentUpdated(context.Context, operatorv1pb.ResourceEventType, *componentsapi.Component)
-	OnHTTPEndpointUpdated(context.Context, *httpendpointsapi.HTTPEndpoint)
+
 	OnSubscriptionUpdated(context.Context, operatorv1pb.ResourceEventType, *subapi.Subscription)
+	OnHTTPEndpointUpdated(context.Context, *httpendpointsapi.HTTPEndpoint)
 }
 
 type apiServer struct {
 	operatorv1pb.UnimplementedOperatorServer
 	Client client.Client
 	sec    security.Provider
 	port   string
-	// notify all dapr runtime
-	connLock                  sync.Mutex
+
+	compInformer informer.Interface[componentsapi.Component]
+
 	endpointLock              sync.Mutex
-	allConnUpdateChan         map[string]chan *ComponentUpdateEvent
 	allEndpointsUpdateChan    map[string]chan *httpendpointsapi.HTTPEndpoint
 	allSubscriptionUpdateChan map[string]chan *SubscriptionUpdateEvent
+	connLock                  sync.Mutex
 	readyCh                   chan struct{}
 	running                   atomic.Bool
 }
 
 // NewAPIServer returns a new API server.
 func NewAPIServer(opts Options) Server {
 	return &apiServer{
-		Client:                    opts.Client,
+		Client: opts.Client,
+		compInformer: informer.New[componentsapi.Component](informer.Options{
+			Cache: opts.Cache,
+		}),
 		sec:                       opts.Security,
 		port:                      strconv.Itoa(opts.Port),
-		allConnUpdateChan:         make(map[string]chan *ComponentUpdateEvent),
 		allEndpointsUpdateChan:    make(map[string]chan *httpendpointsapi.HTTPEndpoint),
 		allSubscriptionUpdateChan: make(map[string]chan *SubscriptionUpdateEvent),
 		readyCh:                   make(chan struct{}),
@@ -106,39 +113,27 @@ func (a *apiServer) Run(ctx context.Context) error {
 	}
 	close(a.readyCh)
 
-	errCh := make(chan error)
-	go func() {
-		if rErr := s.Serve(lis); rErr != nil {
-			errCh <- fmt.Errorf("gRPC server error: %w", rErr)
-			return
-		}
-		errCh <- nil
-	}()
-
-	// Block until context is done
-	<-ctx.Done()
-
-	a.connLock.Lock()
-	for key, ch := range a.allConnUpdateChan {
-		close(ch)
-		delete(a.allConnUpdateChan, key)
-	}
-	for key, ch := range a.allSubscriptionUpdateChan {
-		close(ch)
-		delete(a.allSubscriptionUpdateChan, key)
-	}
-	a.connLock.Unlock()
-
-	s.GracefulStop()
-	err = <-errCh
-	if err != nil {
-		return err
-	}
-	err = lis.Close()
-	if err != nil && !errors.Is(err, net.ErrClosed) {
-		return fmt.Errorf("error closing listener: %w", err)
-	}
-	return nil
+	return concurrency.NewRunnerManager(
+		a.compInformer.Run,
+		func(ctx context.Context) error {
+			if err := s.Serve(lis); err != nil {
+				return fmt.Errorf("gRPC server error: %w", err)
+			}
+			return nil
+		},
+		func(ctx context.Context) error {
+			// Block until context is done
+			<-ctx.Done()
+			a.connLock.Lock()
+			for key, ch := range a.allSubscriptionUpdateChan {
+				close(ch)
+				delete(a.allSubscriptionUpdateChan, key)
+			}
+			a.connLock.Unlock()
+			s.GracefulStop()
+			return nil
+		},
+	).Run(ctx)
 }
 
 func (a *apiServer) Ready(ctx context.Context) error {