Fix: make apiserver work behind a feature toggle (#73891)

Co-authored-by: Charandas Batra <charandas.batra@grafana.com>

pkg/server/module_server.go

@@ -11,6 +11,7 @@ import (
 	"sync"
 
 	"github.com/grafana/dskit/services"
+	"github.com/grafana/grafana/pkg/services/featuremgmt"
 
 	"github.com/grafana/grafana/pkg/api"
 	"github.com/grafana/grafana/pkg/infra/log"
@@ -21,8 +22,8 @@ import (
 
 // NewModule returns an instance of a ModuleServer, responsible for managing
 // dskit modules (services).
-func NewModule(opts Options, apiOpts api.ServerOptions, cfg *setting.Cfg) (*ModuleServer, error) {
-	s, err := newModuleServer(opts, apiOpts, cfg)
+func NewModule(opts Options, apiOpts api.ServerOptions, features featuremgmt.FeatureToggles, cfg *setting.Cfg) (*ModuleServer, error) {
+	s, err := newModuleServer(opts, apiOpts, features, cfg)
 	if err != nil {
 		return nil, err
 	}
@@ -34,7 +35,7 @@ func NewModule(opts Options, apiOpts api.ServerOptions, cfg *setting.Cfg) (*Modu
 	return s, nil
 }
 
-func newModuleServer(opts Options, apiOpts api.ServerOptions, cfg *setting.Cfg) (*ModuleServer, error) {
+func newModuleServer(opts Options, apiOpts api.ServerOptions, features featuremgmt.FeatureToggles, cfg *setting.Cfg) (*ModuleServer, error) {
 	rootCtx, shutdownFn := context.WithCancel(context.Background())
 
 	s := &ModuleServer{
@@ -44,6 +45,7 @@ func newModuleServer(opts Options, apiOpts api.ServerOptions, cfg *setting.Cfg)
 		shutdownFn:       shutdownFn,
 		shutdownFinished: make(chan struct{}),
 		log:              log.New("base-server"),
+		features:         features,
 		cfg:              cfg,
 		pidFile:          opts.PidFile,
 		version:          opts.Version,
@@ -61,6 +63,7 @@ type ModuleServer struct {
 	opts    Options
 	apiOpts api.ServerOptions
 
+	features         featuremgmt.FeatureToggles
 	context          context.Context
 	shutdownFn       context.CancelFunc
 	log              log.Logger
@@ -106,7 +109,7 @@ func (s *ModuleServer) Run() error {
 	s.log.Debug("Waiting on services...")
 
 	// Only allow individual dskit modules to run in dev mode.
-	if s.cfg.Env != "dev" {
+	if s.cfg.Env != "development" {
 		if len(s.cfg.Target) > 1 || s.cfg.Target[0] != "all" {
 			s.log.Error("dskit module targeting is only supported in dev mode. Falling back to 'all'")
 			s.cfg.Target = []string{"all"}
@@ -119,9 +122,13 @@ func (s *ModuleServer) Run() error {
 		return NewService(s.cfg, s.opts, s.apiOpts)
 	})
 
-	m.RegisterModule(modules.GrafanaAPIServer, func() (services.Service, error) {
-		return grafanaapiserver.New(path.Join(s.cfg.DataPath, "k8s"))
-	})
+	if s.features.IsEnabled(featuremgmt.FlagGrafanaAPIServer) {
+		m.RegisterModule(modules.GrafanaAPIServer, func() (services.Service, error) {
+			return grafanaapiserver.New(path.Join(s.cfg.DataPath, "k8s"))
+		})
+	} else {
+		s.log.Debug("apiserver feature is disabled")
+	}
 
 	m.RegisterModule(modules.All, nil)
 

pkg/services/grafana-apiserver/service.go

@@ -9,8 +9,8 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/grafana/dskit/services"
-	"github.com/grafana/grafana-apiserver/pkg/certgenerator"
 	grafanaapiserveroptions "github.com/grafana/grafana-apiserver/pkg/cmd/server/options"
+	"github.com/grafana/grafana/pkg/modules"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/request/headerrequest"
 	"k8s.io/apiserver/pkg/authentication/user"
@@ -21,7 +21,7 @@ import (
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/klog/v2"
 
-	"github.com/grafana/grafana/pkg/modules"
+	"github.com/grafana/grafana-apiserver/pkg/certgenerator"
 )
 
 const (
@@ -78,7 +78,6 @@ func (s *service) start(ctx context.Context) error {
 	o.RecommendedOptions.Authorization.AlwaysAllowPaths = []string{"*"}
 	o.RecommendedOptions.Authorization.AlwaysAllowGroups = []string{user.SystemPrivilegedGroup, "grafana"}
 	o.RecommendedOptions.Etcd = nil
-	// TODO: setting CoreAPI to nil currently segfaults in grafana-apiserver
 	o.RecommendedOptions.CoreAPI = nil
 
 	// Get the util to get the paths to pre-generated certs
@@ -86,13 +85,11 @@ func (s *service) start(ctx context.Context) error {
 		K8sDataPath: s.dataPath,
 	}
 
-	err := certUtil.InitializeCACertPKI()
-	if err != nil {
+	if err := certUtil.InitializeCACertPKI(); err != nil {
 		return err
 	}
 
-	err = certUtil.EnsureApiServerPKI(certgenerator.DefaultAPIServerIp)
-	if err != nil {
+	if err := certUtil.EnsureApiServerPKI(certgenerator.DefaultAPIServerIp); err != nil {
 		return err
 	}
 
@@ -140,6 +137,33 @@ func (s *service) start(ctx context.Context) error {
 
 	prepared := server.GenericAPIServer.PrepareRun()
 
+	// TODO: not sure if we can still inject RouteRegister with the new module server setup
+	// Disabling the /k8s endpoint until we have a solution
+
+	/* handler := func(c *contextmodel.ReqContext) {
+		req := c.Req
+		req.URL.Path = strings.TrimPrefix(req.URL.Path, "/k8s")
+		if req.URL.Path == "" {
+			req.URL.Path = "/"
+		}
+		ctx := req.Context()
+		signedInUser := appcontext.MustUser(ctx)
+
+		req.Header.Set("X-Remote-User", strconv.FormatInt(signedInUser.UserID, 10))
+		req.Header.Set("X-Remote-Group", "grafana")
+		req.Header.Set("X-Remote-Extra-token-name", signedInUser.Name)
+		req.Header.Set("X-Remote-Extra-org-role", string(signedInUser.OrgRole))
+		req.Header.Set("X-Remote-Extra-org-id", strconv.FormatInt(signedInUser.OrgID, 10))
+		req.Header.Set("X-Remote-Extra-user-id", strconv.FormatInt(signedInUser.UserID, 10))
+
+		resp := responsewriter.WrapForHTTP1Or2(c.Resp)
+		prepared.GenericAPIServer.Handler.ServeHTTP(resp, req)
+	}
+	/* s.rr.Group("/k8s", func(k8sRoute routing.RouteRegister) {
+		k8sRoute.Any("/", middleware.ReqSignedIn, handler)
+		k8sRoute.Any("/*", middleware.ReqSignedIn, handler)
+	}) */
+
 	go func() {
 		s.stoppedCh <- prepared.Run(s.stopCh)
 	}()