Throttle handling of shoot events in the frontend

backend/__fixtures__/config.js

@@ -22,6 +22,7 @@ const defaultConfig = {
   apiServerUrl: 'https://kubernetes.external.foo.bar',
   apiServerCaData: toBase64(ca),
   tokenRequestAudiences: ['aud1', 'aud2'],
+  experimentalUseWatchCacheForListShoots: 'no',
   gitHub: {
     apiUrl: 'https://api.github.com',
     org: 'gardener',

backend/__fixtures__/shoots.js

@@ -119,6 +119,9 @@ const shoots = {
     const items = shoots.list(namespace)
     return find(items, ['metadata.name', name])
   },
+  getByUid (uid) {
+    return find(shootList, ['metadata.uid', uid])
+  },
   list (namespace) {
     const items = cloneDeep(shootList)
     return namespace

backend/lib/cache/index.js

@@ -7,6 +7,7 @@
 const _ = require('lodash')
 const { NotFound } = require('http-errors')
 const createTicketCache = require('./tickets')
+const { parseSelectors, filterBySelectors } = require('../utils')
 
 /*
   In file `lib/api.js` the synchronization is started with the privileged dashboardClient.
@@ -97,12 +98,23 @@ module.exports = {
       .get('spec.namespace')
       .value()
   },
-  getShoots () {
-    return cache.getShoots()
+  getShoots (namespace, query = {}) {
+    let items = cache.getShoots()
+    if (namespace && namespace !== '_all') {
+      items = items.filter(item => item.metadata.namespace === namespace)
+    }
+    const selectors = parseSelectors(query.labelSelector?.split(',') ?? [])
+    if (selectors.length) {
+      items = items.filter(filterBySelectors(selectors))
+    }
+    return items
   },
   getShoot (namespace, name) {
     return cache.get('shoots').find({ metadata: { namespace, name } })
   },
+  getShootByUid (uid) {
+    return cache.get('shoots').find(['metadata.uid', uid])
+  },
   getControllerRegistrations () {
     return cache.getControllerRegistrations()
   },

backend/lib/io.js

@@ -13,7 +13,7 @@ const createError = require('http-errors')
 const kubernetesClient = require('@gardener-dashboard/kube-client')
 const cache = require('./cache')
 const logger = require('./logger')
-const { projectFilter } = require('./utils')
+const { projectFilter, trimObjectMetadata } = require('./utils')
 const { authenticate } = require('./security')
 const { authorization } = require('./services')
 
@@ -126,6 +126,103 @@ async function unsubscribe (socket, key) {
   }
 }
 
+function parseRooms (socket) {
+  let isAdmin = false
+  const namespaces = []
+  const qualifiedNames = []
+  for (const room of Array.from(socket.rooms)) {
+    if (room === socket.id) {
+      continue
+    }
+    const parts = room.split(';')
+    const keys = parts[0].split(':')
+    if (keys.shift() !== 'shoots') {
+      continue
+    }
+    if (keys.pop() === 'admin') {
+      isAdmin = true
+    }
+    if (parts.length < 2) {
+      continue
+    }
+    const [namespace, name] = parts[1].split('/')
+    if (!name) {
+      namespaces.push(namespace)
+    } else {
+      qualifiedNames.push([namespace, name].join('/'))
+    }
+  }
+  return [
+    isAdmin,
+    namespaces,
+    qualifiedNames
+  ]
+}
+
+function synchronizeShoots (socket, uids = []) {
+  const user = getUserFromSocket(socket)
+  const [
+    isAdmin,
+    namespaces,
+    qualifiedNames
+  ] = parseRooms(socket)
+
+  return uids.map(uid => {
+    const object = cache.getShootByUid(uid)
+    if (!object) {
+      // the shoot has been removed from the cache
+      return {
+        kind: 'Status',
+        apiVersion: 'v1',
+        status: 'Failure',
+        message: `Shoot with uid ${uid} is no longer available`,
+        reason: 'Gone',
+        details: {
+          uid,
+          group: 'core.gardener.cloud',
+          kind: 'shoots'
+        },
+        code: 410
+      }
+    }
+    const { namespace, name } = object.metadata
+    const qualifiedName = [namespace, name].join('/')
+    if (!isAdmin && !namespaces.includes(namespace) && !qualifiedNames.includes(qualifiedName)) {
+      // the socket has NOT joined a room (admin, namespace or individual shoot) the current shoot belongs to
+      logger.error('User %s has no authorization to synchronize shoot %s in namespace %s', user.id, name, namespace)
+      return {
+        kind: 'Status',
+        apiVersion: 'v1',
+        status: 'Failure',
+        message: `Insufficient authorization to synchronize shoot ${name} in namespace ${namespace}`,
+        reason: 'Forbidden',
+        details: {
+          uid,
+          name,
+          namespace,
+          group: 'core.gardener.cloud',
+          kind: 'shoots'
+        },
+        code: 403
+      }
+    }
+    // only send all shoot details for single shoot subscriptions
+    if (!qualifiedNames.includes(qualifiedName)) {
+      trimObjectMetadata(object)
+    }
+    return object
+  })
+}
+
+function synchronize (socket, key, ...args) {
+  switch (key) {
+    case 'shoots':
+      return synchronizeShoots(socket, ...args)
+    default:
+      throw new TypeError(`Invalid synchronization type - ${key}`)
+  }
+}
+
 function setDisconnectTimeout (socket, delay) {
   delay = Math.min(2147483647, delay) // setTimeout delay must not exceed 32-bit signed integer
   logger.debug('Socket %s will expire in %d seconds', socket.id, Math.floor(delay / 1000))
@@ -205,6 +302,19 @@ function init (httpServer, cache) {
       }
     })
 
+    // handle 'synchronize' events
+    socket.on('synchronize', async (key, ...args) => {
+      const done = args.pop()
+      try {
+        const items = await synchronize(socket, key, ...args)
+        done({ statusCode: 200, items })
+      } catch (err) {
+        logger.error('Socket %s synchronize error: %s', socket.id, err.message)
+        const { statusCode = 500, name, message } = err
+        done({ statusCode, name, message })
+      }
+    })
+
     // handle 'disconnect' event
     socket.once('disconnect', reason => {
       clearTimeout(timeoutId)

backend/lib/routes/shoots.js

@@ -9,6 +9,7 @@
 const express = require('express')
 const { shoots } = require('../services')
 const { metricsRoute } = require('../middleware')
+const { trimObjectMetadata, useWatchCacheForListShoots } = require('../utils')
 
 const router = module.exports = express.Router({
   mergeParams: true
@@ -23,7 +24,12 @@ router.route('/')
       const user = req.user
       const namespace = req.params.namespace
       const labelSelector = req.query.labelSelector
-      res.send(await shoots.list({ user, namespace, labelSelector }))
+      const useCache = useWatchCacheForListShoots(req.query.useCache)
+      const shootList = await shoots.list({ user, namespace, labelSelector, useCache })
+      for (const object of shootList.items) {
+        trimObjectMetadata(object)
+      }
+      res.send(shootList)
     } catch (err) {
       next(err)
     }

backend/lib/services/shoots.js

@@ -9,6 +9,7 @@
 const { isHttpError } = require('@gardener-dashboard/request')
 const { cleanKubeconfig, Config } = require('@gardener-dashboard/kube-config')
 const { dashboardClient } = require('@gardener-dashboard/kube-client')
+const createError = require('http-errors')
 const utils = require('../utils')
 const cache = require('../cache')
 const authorization = require('./authorization')
@@ -20,31 +21,60 @@ const config = require('../config')
 const { decodeBase64, getSeedNameFromShoot, getSeedIngressDomain, projectFilter } = utils
 const { getSeed } = cache
 
-exports.list = async function ({ user, namespace, labelSelector, shootsWithIssuesOnly = false }) {
+exports.list = async function ({ user, namespace, labelSelector, useCache = false }) {
   const client = user.client
   const query = {}
   if (labelSelector) {
     query.labelSelector = labelSelector
-  } else if (shootsWithIssuesOnly) {
-    query.labelSelector = 'shoot.gardener.cloud/status!=healthy'
   }
   if (namespace === '_all') {
     if (await authorization.canListShoots(user)) {
+      // user is permitted to list shoots in all namespaces
+      if (useCache) {
+        return {
+          apiVersion: 'v1',
+          kind: 'List',
+          items: cache.getShoots(namespace, query)
+        }
+      }
       return client['core.gardener.cloud'].shoots.listAllNamespaces(query)
     } else {
-      const promises = _
+      // user is permitted to list shoots only in namespaces associated with their projects
+      const namespaces = _
         .chain(cache.getProjects())
         .filter(projectFilter(user, false))
-        .map(project => client['core.gardener.cloud'].shoots.list(project.spec.namespace, query))
+        .map('spec.namespace')
         .value()
-      const shootLists = await Promise.all(promises)
+      if (useCache) {
+        const isAllowedList = await Promise.all(namespaces.map(namespace => authorization.canListShoots(user, namespace)))
+        if (isAllowedList.some(value => !value)) {
+          throw createError(403, 'No authorization to list shoots in all namespaces')
+        }
+        return {
+          apiVersion: 'v1',
+          kind: 'List',
+          items: namespaces.flatMap(namespace => cache.getShoots(namespace, query))
+        }
+      }
+      const shootLists = await Promise.all(namespaces.map(namespace, client['core.gardener.cloud'].shoots.list(namespace, query)))
       return {
         apiVersion: 'v1',
         kind: 'List',
-        items: _.flatMap(shootLists, 'items')
+        items: shootLists.flatMap(({ items }) => items)
       }
     }
   }
+  if (useCache) {
+    const isAllowed = await authorization.canListShoots(user, namespace)
+    if (!isAllowed) {
+      throw createError(403, `No authorization to list shoots in namespace ${namespace}`)
+    }
+    return {
+      apiVersion: 'v1',
+      kind: 'List',
+      items: cache.getShoots(namespace, query)
+    }
+  }
   return client['core.gardener.cloud'].shoots.list(namespace, query)
 }
 

backend/lib/utils/index.js

@@ -10,6 +10,11 @@ const _ = require('lodash')
 const config = require('../config')
 const assert = require('assert').strict
 
+const EXISTS = '∃'
+const NOT_EXISTS = '!∃'
+const EQUAL = '='
+const NOT_EQUAL = '!='
+
 function decodeBase64 (value) {
   if (!value) {
     return
@@ -64,6 +69,82 @@ function projectFilter (user, canListProjects = false) {
   }
 }
 
+function trimObjectMetadata (object) {
+  object.metadata.managedFields = undefined
+  if (object.metadata.annotations) {
+    object.metadata.annotations['kubectl.kubernetes.io/last-applied-configuration'] = undefined
+  }
+  return object
+}
+
+function parseSelectors (selectors) {
+  const items = []
+  for (const selector of selectors) {
+    const [, notOperator, key, operator, value = ''] = /^(!)?([a-zA-Z0-9._/-]+)(=|==|!=)?([a-zA-Z0-9._-]+)?$/.exec(selector) ?? []
+    if (notOperator) {
+      if (!operator) {
+        items.push({ op: NOT_EXISTS, key })
+      }
+    } else if (!operator) {
+      items.push({ op: EXISTS, key })
+    } else if (operator === '!=') {
+      items.push({ op: NOT_EQUAL, key, value })
+    } else if (operator === '=' || operator === '==') {
+      items.push({ op: EQUAL, key, value })
+    }
+  }
+  return items
+}
+
+function filterBySelectors (selectors) {
+  return item => {
+    const labels = item.metadata.labels ?? {}
+    for (const { op, key, value } of selectors) {
+      const labelValue = labels[key] ?? ''
+      switch (op) {
+        case NOT_EXISTS: {
+          if (key in labels) {
+            return false
+          }
+          break
+        }
+        case EXISTS: {
+          if (!(key in labels)) {
+            return false
+          }
+          break
+        }
+        case NOT_EQUAL: {
+          if (labelValue === value) {
+            return false
+          }
+          break
+        }
+        case EQUAL: {
+          if (labelValue !== value) {
+            return false
+          }
+          break
+        }
+      }
+    }
+    return true
+  }
+}
+
+function useWatchCacheForListShoots (useCache) {
+  switch (config.experimentalUseWatchCacheForListShoots) {
+    case 'never':
+      return false
+    case 'always':
+      return true
+    case 'no':
+      return ['true', 'yes', 'on'].includes(useCache)
+    case 'yes':
+      return !['false', 'no', 'off'].includes(useCache)
+  }
+}
+
 function getConfigValue (path, defaultValue) {
   const value = _.get(config, path, defaultValue)
   if (arguments.length === 1 && typeof value === 'undefined') {
@@ -98,9 +179,19 @@ module.exports = {
   decodeBase64,
   encodeBase64,
   projectFilter,
+  trimObjectMetadata,
+  parseSelectors,
+  filterBySelectors,
+  useWatchCacheForListShoots,
   getConfigValue,
   getSeedNameFromShoot,
   shootHasIssue,
   isSeedUnreachable,
-  getSeedIngressDomain
+  getSeedIngressDomain,
+  constants: Object.freeze({
+    EXISTS,
+    NOT_EXISTS,
+    EQUAL,
+    NOT_EQUAL
+  })
 }