feat(frontend): metrics-sdk support and devbox implement (#6613)

* feat: basic feat

* feat: test

* feat: perf code to full feat

* chore: update readme.md

* feat: optional namespace

* perf: podName logic adjust

* chore: Prometheus->Metrics

* chore: test adjust

* chore: test logResult

* chore: readme.zh-CN.md

* chore: remove minio type

* chore: adjust launchpad storage to disk

* chore: transform enum to type

* fix: try to fix ts bug

* feat: devbox metrics support

* feat: adjust other route

* fix: whitelistKubernetesHosts sdk transform bug

* feat: cache

Author: mlhiter

frontend/packages/metrics-sdk/README.md

@@ -0,0 +1,57 @@
+{
+  "name": "sealos-metrics-sdk",
+  "version": "0.1.0",
+  "description": "Sealos metrics monitoring SDK",
+  "type": "module",
+  "author": "mlhiter",
+  "scripts": {
+    "test": "tsx test/index.ts",
+    "build": "rollup -c",
+    "dev": "rollup -c -w"
+  },
+  "exports": {
+    ".": {
+      "import": "./dist/index.esm.js",
+      "require": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "typesVersions": {
+    "*": {
+      "*": [
+        "./dist/index.d.ts"
+      ]
+    }
+  },
+  "files": [
+    "dist/",
+    "README.zh-CN.md",
+    "README.md"
+  ],
+  "keywords": [
+    "sealos",
+    "metrics",
+    "monitoring",
+    "sdk"
+  ],
+  "license": "Apache-2.0",
+  "dependencies": {
+    "axios": "^1.5.1",
+    "dayjs": "^1.11.10"
+  },
+  "peerDependencies": {
+    "@kubernetes/client-node": "^0.18.1"
+  },
+  "devDependencies": {
+    "@kubernetes/client-node": "^0.18.1",
+    "@rollup/plugin-typescript": "^11.1.4",
+    "@types/node": "^20.7.1",
+    "dotenv": "^16.3.1",
+    "rollup": "2.79.1",
+    "rollup-plugin-copy": "^3.5.0",
+    "rollup-plugin-dts": "^4.2.3",
+    "tslib": "^2.6.2",
+    "tsx": "^4.7.0",
+    "typescript": "^5.0.0"
+  }
+}

frontend/packages/metrics-sdk/README.zh-CN.md

@@ -0,0 +1,44 @@
+import typescript from '@rollup/plugin-typescript';
+import dts from 'rollup-plugin-dts';
+import copy from 'rollup-plugin-copy';
+
+const external = ['axios', 'dayjs', '@kubernetes/client-node'];
+
+export default [
+  {
+    input: 'src/index.ts',
+    output: [
+      {
+        file: 'dist/index.js',
+        format: 'cjs',
+        sourcemap: true
+      },
+      {
+        file: 'dist/index.esm.js',
+        format: 'es',
+        sourcemap: true
+      }
+    ],
+    external,
+    plugins: [
+      typescript({
+        tsconfig: './tsconfig.json',
+        declaration: false
+      })
+    ]
+  },
+  {
+    input: 'src/index.ts',
+    output: {
+      file: 'dist/index.d.ts',
+      format: 'es'
+    },
+    external,
+    plugins: [
+      dts(),
+      copy({
+        targets: [{ src: 'package.json', dest: 'dist' }]
+      })
+    ]
+  }
+];

frontend/packages/metrics-sdk/package.json

@@ -0,0 +1,262 @@
+import * as k8s from '@kubernetes/client-node';
+import * as http from 'http';
+import * as https from 'https';
+import * as net from 'net';
+
+export class AuthService {
+  private kubeconfig: string;
+  private k8sApi?: k8s.CoreV1Api;
+  private authApi?: k8s.AuthorizationV1Api;
+  private kubeConfig?: k8s.KubeConfig;
+  private whitelistKubernetesHosts: string[];
+  private authCache: Map<string, { allowed: boolean; expiresAt: number }>;
+  private cacheTTL: number;
+  private inFlightAuth: Map<string, Promise<void>>;
+  private lastCacheSweepAt: number;
+  private readonly cacheSweepIntervalMs: number;
+
+  constructor(kubeconfig: string, whitelistKubernetesHosts?: string[], cacheTTL?: number) {
+    this.kubeconfig = kubeconfig;
+    this.whitelistKubernetesHosts =
+      whitelistKubernetesHosts ||
+      (process.env.WHITELIST_KUBERNETES_HOSTS || '')
+        .split(',')
+        .map((host) => host.trim())
+        .filter(Boolean);
+    this.cacheTTL = cacheTTL ?? 300000; // 5 minutes default
+    this.authCache = new Map();
+    this.inFlightAuth = new Map();
+    this.lastCacheSweepAt = 0;
+    this.cacheSweepIntervalMs = 60000;
+  }
+
+  resolveNamespace(namespace?: string): string {
+    if (namespace && namespace.trim().length > 0) {
+      return namespace;
+    }
+    const contextNamespace = this.getCurrentContextNamespace();
+    if (!contextNamespace) {
+      throw new Error('Namespace not found');
+    }
+    return contextNamespace;
+  }
+
+  private getKubernetesHostFromEnv(): string {
+    const host = process.env.KUBERNETES_SERVICE_HOST;
+    const port = process.env.KUBERNETES_SERVICE_PORT;
+    if (!host || !port) return '';
+    const formattedHost = net.isIPv6(host) ? `[${host}]` : host;
+    return `https://${formattedHost}:${port}`;
+  }
+
+  private isWhitelistKubernetesHost(host: string): boolean {
+    return this.whitelistKubernetesHosts.includes(host);
+  }
+
+  private getKubeConfig(): k8s.KubeConfig {
+    if (this.kubeConfig) {
+      return this.kubeConfig;
+    }
+
+    const kc = new k8s.KubeConfig();
+    kc.loadFromString(this.kubeconfig);
+    const cluster = kc.getCurrentCluster();
+    if (!cluster) {
+      throw new Error('No active cluster');
+    }
+
+    if (!this.isWhitelistKubernetesHost(cluster.server)) {
+      const k8sHost = this.getKubernetesHostFromEnv();
+      if (!k8sHost) {
+        throw new Error('unable to get the sealos host');
+      }
+      const clusters = kc
+        .getClusters()
+        .map((item) => (item.name === cluster.name ? { ...item, server: k8sHost } : item));
+      kc.loadFromOptions({
+        clusters,
+        users: kc.getUsers(),
+        contexts: kc.getContexts(),
+        currentContext: kc.getCurrentContext()
+      });
+    }
+
+    this.kubeConfig = kc;
+    return kc;
+  }
+
+  private getCurrentContextNamespace(): string | undefined {
+    const kc = this.getKubeConfig();
+    const contextName = kc.getCurrentContext();
+    if (!contextName) return undefined;
+    return kc.getContextObject(contextName)?.namespace;
+  }
+
+  private sweepExpiredCache(): void {
+    if (this.cacheTTL <= 0 || this.authCache.size === 0) return;
+    const now = Date.now();
+    if (now - this.lastCacheSweepAt < this.cacheSweepIntervalMs) return;
+    this.lastCacheSweepAt = now;
+    for (const [namespace, cache] of this.authCache.entries()) {
+      if (cache.expiresAt <= now) {
+        this.authCache.delete(namespace);
+      }
+    }
+  }
+
+  private async pingReadyz(): Promise<void> {
+    const kc = this.getKubeConfig();
+    const cluster = kc.getCurrentCluster();
+    if (!cluster) {
+      throw new Error('No active cluster');
+    }
+    const serverUrl = new URL(cluster.server);
+    const isHttps = serverUrl.protocol === 'https:';
+    const port = serverUrl.port ? Number(serverUrl.port) : isHttps ? 443 : 80;
+
+    const requestOptions: https.RequestOptions = {
+      method: 'GET',
+      hostname: serverUrl.hostname,
+      port,
+      path: '/readyz',
+      protocol: serverUrl.protocol,
+      headers: {}
+    };
+
+    await kc.applytoHTTPSOptions(requestOptions);
+
+    await new Promise<void>((resolve, reject) => {
+      const requester = isHttps ? https : http;
+      const req = requester.request(requestOptions, (res) => {
+        let body = '';
+        res.on('data', (chunk) => {
+          body += chunk.toString();
+        });
+        res.on('end', () => {
+          if (body.trim() === 'ok') {
+            resolve();
+            return;
+          }
+          reject(new Error(`ping apiserver is no ok: ${body}`));
+        });
+      });
+      req.on('error', (error) => {
+        reject(new Error(`ping apiserver error: ${error.message}`));
+      });
+      req.end();
+    });
+  }
+
+  private getK8sClient(): { coreApi: k8s.CoreV1Api; authApi: k8s.AuthorizationV1Api } {
+    if (this.k8sApi && this.authApi) {
+      return { coreApi: this.k8sApi, authApi: this.authApi };
+    }
+
+    const kc = this.getKubeConfig();
+
+    this.k8sApi = kc.makeApiClient(k8s.CoreV1Api);
+    this.authApi = kc.makeApiClient(k8s.AuthorizationV1Api);
+
+    return { coreApi: this.k8sApi, authApi: this.authApi };
+  }
+
+  async authenticate(namespace: string): Promise<void> {
+    const ns = namespace.trim();
+    if (!ns) {
+      throw new Error('Namespace not found');
+    }
+
+    this.sweepExpiredCache();
+
+    if (this.cacheTTL > 0) {
+      const cached = this.authCache.get(ns);
+      if (cached) {
+        if (cached.expiresAt > Date.now()) {
+          if (!cached.allowed) {
+            throw new Error('No permission for this namespace');
+          }
+          return;
+        }
+        this.authCache.delete(ns);
+      }
+    }
+
+    const inFlight = this.inFlightAuth.get(ns);
+    if (inFlight) return inFlight;
+
+    const { authApi } = this.getK8sClient();
+
+    const authPromise = (async () => {
+      await this.pingReadyz();
+
+      const review: k8s.V1SelfSubjectAccessReview = {
+        apiVersion: 'authorization.k8s.io/v1',
+        kind: 'SelfSubjectAccessReview',
+        spec: {
+          resourceAttributes: {
+            namespace: ns,
+            verb: 'get',
+            group: '',
+            version: 'v1',
+            resource: 'pods'
+          }
+        }
+      };
+
+      try {
+        const response = await authApi.createSelfSubjectAccessReview(review);
+
+        if (!response.body.status?.allowed) {
+          if (this.cacheTTL > 0) {
+            this.authCache.set(ns, {
+              allowed: false,
+              expiresAt: Date.now() + this.cacheTTL
+            });
+          }
+          throw new Error('No permission for this namespace');
+        }
+
+        if (this.cacheTTL > 0) {
+          this.authCache.set(ns, {
+            allowed: true,
+            expiresAt: Date.now() + this.cacheTTL
+          });
+        }
+      } catch (error) {
+        if (error instanceof Error) {
+          throw new Error(`Authentication failed: ${error.message}`);
+        }
+        throw error;
+      }
+    })().finally(() => {
+      this.inFlightAuth.delete(ns);
+    });
+
+    this.inFlightAuth.set(ns, authPromise);
+    return authPromise;
+  }
+
+  clearCache(): void {
+    this.authCache.clear();
+  }
+
+  clearNamespaceCache(namespace: string): void {
+    this.authCache.delete(namespace);
+  }
+
+  getCacheStats(): {
+    size: number;
+    entries: Array<{ namespace: string; allowed: boolean; expiresIn: number }>;
+  } {
+    this.sweepExpiredCache();
+    const entries = Array.from(this.authCache.entries()).map(([namespace, cache]) => ({
+      namespace,
+      allowed: cache.allowed,
+      expiresIn: Math.max(0, cache.expiresAt - Date.now())
+    }));
+    return {
+      size: this.authCache.size,
+      entries
+    };
+  }
+}

frontend/packages/metrics-sdk/rollup.config.js

@@ -0,0 +1 @@
+export * from './auth';