feat(openclaw): per-tenant tag override + platform default ConfigMap (tag-only)
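--- a/src/app/[locale]/admin/openclaw/page.tsx
+++ b/src/app/[locale]/admin/openclaw/page.tsx
@@ -0,0 +1,71 @@
+import { redirect } from "next/navigation";
+import { getTranslations } from "next-intl/server";
+import { getSessionUser } from "@/lib/session";
+import { listTenants, getOpenClawDefaults } from "@/lib/k8s";
+import { OpenClawAdminPanel } from "@/components/admin/openclaw-admin-panel";
+
+/**
+* /admin/openclaw — platform-default OpenClaw image + per-tenant
+* overrides table.
+*
+* Two sections:
+* 1. Default — readable from `pieced-openclaw-config` ConfigMap.
+* Editable via the same form. Empty fields show as "(unset)"
+* and the operator falls back to its built-in default in that
+* case (intentionally invisible to the portal — the binary's
+* baked version moves with releases and we don't want the UI
+* to claim a misleading "current default").
+* 2. Tenant table — every tenant in the cluster with its current
+* override (or "follows default"). Clicking a row opens a small
+* inline editor.
+*
+* Authorization is gated server-side: `user.isPlatform` only. Any
+* other user gets redirected to /dashboard.
+*/
+export default async function OpenClawAdminPage() {
+const user = await getSessionUser();
+if (!user) redirect("/login");
+if (!user.isPlatform) redirect("/dashboard");
+const t = await getTranslations("openclawAdmin");
+
+// Parallel fetch — defaults and tenants are independent.
+const [defaults, tenants] = await Promise.all([
+getOpenClawDefaults(),
+listTenants(),
+]);
+
+// Sort tenants: overridden first (more interesting to review),
+// then alphabetically by display name. Helps the admin spot which
+// tenants are off the platform default at a glance.
+const sorted = [...tenants].sort((a, b) => {
+const aOverride = a.spec.openClawImage ? 1 : 0;
+const bOverride = b.spec.openClawImage ? 1 : 0;
+if (aOverride !== bOverride) return bOverride - aOverride;
+return (a.spec.displayName || a.metadata.name).localeCompare(
+b.spec.displayName || b.metadata.name
+);
+});
+
+return (
+<main className="max-w-5xl mx-auto px-6 py-8">
+<div className="mb-8 animate-in">
+<h1 className="font-display text-2xl font-semibold accent-rule">
+{t("title")}
+</h1>
+<p className="text-sm text-text-secondary mt-3">{t("subtitle")}</p>
+</div>
+
+<OpenClawAdminPanel
+initialDefaults={defaults}
+tenants={sorted.map((tn) => ({
+name: tn.metadata.name,
+displayName: tn.spec.displayName || tn.metadata.name,
+phase: tn.status?.phase ?? "Unknown",
+override: tn.spec.openClawImage?.tag
+? { tag: tn.spec.openClawImage.tag }
+: null,
+}))}
+/>
+</main>
+);
+}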
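Review bot: The sort comparator and the `override` prop disagree about what counts as an override. The comparator tests `a.spec.openClawImage`, while the mapping tests `tn.spec.openClawImage?.tag`, so a tenant whose `openClawImage` object exists with an empty or missing `tag` is sorted into the overridden group but rendered as following the default. Using the same test in both places avoids that, e.g. `const aOverride = a.spec.openClawImage?.tag ? 1 : 0;` and likewise for `bOverride`. Separately, `initialDefaults={defaults}` passes the whole return value of `getOpenClawDefaults()` to `OpenClawAdminPanel`, presumably a client component. Its shape is not visible here, so it is worth confirming it carries only the tag.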
@@ -22,11 +22,22 @@ export default async function AdminPage() {
|
||||
|
||||
return (
|
||||
<div>
|
||||
<div className="mb-8 animate-in">
|
||||
<h1 className="font-display text-2xl font-semibold accent-rule mb-2">
|
||||
{t("title")}
|
||||
</h1>
|
||||
<p className="text-text-secondary text-sm mt-4">{t("subtitle")}</p>
|
||||
<div className="mb-8 animate-in flex items-end justify-between gap-4 flex-wrap">
|
||||
<div>
|
||||
<h1 className="font-display text-2xl font-semibold accent-rule mb-2">
|
||||
{t("title")}
|
||||
</h1>
|
||||
<p className="text-text-secondary text-sm mt-4">{t("subtitle")}</p>
|
||||
</div>
|
||||
{/* Sub-tools: links to other admin pages. Plain links rather
|
||||
than nav-shell entries — these are platform-team utilities,
|
||||
not main navigation. */}
|
||||
<a
|
||||
href="/admin/openclaw"
|
||||
className="text-sm px-4 py-2 rounded-lg border border-border text-text-secondary hover:text-text-primary hover:border-text-secondary transition-colors"
|
||||
>
|
||||
{t("openclawTool")}
|
||||
</a>
|
||||
</div>
|
||||
|
||||
<div className="animate-in animate-in-delay-1">
|
||||
|
||||
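Review bot: The new link uses a plain `<a href="/admin/openclaw">`, but the target page added in this commit lives under `src/app/[locale]/admin/openclaw/`, so the href has no locale segment and the click is a full document navigation. If the project has a locale-aware `Link` wrapper (not visible in this hunk), using it here would keep the admin in their current locale and avoid relying on a middleware redirect. The body of `AdminPage` starts and ends outside the hunk, so the imports available there could not be checked.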
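--- a/src/app/api/admin/openclaw/route.ts
+++ b/src/app/api/admin/openclaw/route.ts
@@ -0,0 +1,75 @@
+import { NextRequest, NextResponse } from "next/server";
+import { z } from "zod";
+import { getSessionUser } from "@/lib/session";
+import { getOpenClawDefaults, setOpenClawDefaults } from "@/lib/k8s";
+import { safeError } from "@/lib/errors";
+
+/**
+* Platform-wide default OpenClaw image tag (admin-only).
+*
+* GET — read the current default tag from the
+* `pieced-openclaw-config` ConfigMap. Can be empty string if no
+* default is configured; the operator uses its built-in fallback
+* in that case.
+*
+* PATCH — update the tag. Send "" to clear. The operator watches
+* this ConfigMap and re-enqueues all tenants without a per-tenant
+* override on change, so existing tenants roll forward to the new
+* default automatically. Tenants WITH an override are unaffected.
+*
+* Tag-only by design — see operator notes.
+*/
+
+const patchSchema = z.object({
+defaultTag: z.string().trim().max(256),
+});
+
+export async function GET() {
+const user = await getSessionUser();
+if (!user) {
+return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+}
+if (!user.isPlatform) {
+return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+}
+try {
+return NextResponse.json(await getOpenClawDefaults());
+} catch (e: any) {
+console.error("Failed to read openclaw defaults:", e);
+return NextResponse.json(
+{ error: safeError(e, "Failed to read defaults") },
+{ status: 500 }
+);
+}
+}
+
+export async function PATCH(req: NextRequest) {
+const user = await getSessionUser();
+if (!user) {
+return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+}
+if (!user.isPlatform) {
+return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+}
+const body = await req.json().catch(() => null);
+const parsed = patchSchema.safeParse(body);
+if (!parsed.success) {
+return NextResponse.json(
+{ error: "Invalid input", details: parsed.error.flatten() },
+{ status: 400 }
+);
+}
+
+try {
+const next = await setOpenClawDefaults({
+defaultTag: parsed.data.defaultTag,
+});
+return NextResponse.json(next);
+} catch (e: any) {
+console.error("Failed to update openclaw defaults:", e);
+return NextResponse.json(
+{ error: safeError(e, "Failed to update defaults") },
+{ status: 500 }
+);
+}
+}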
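Review bot: `patchSchema` accepts any string of up to 256 characters for `defaultTag`, so the "tag-only" contract in the header comment is not enforced at this boundary. Container image tags are limited to 128 characters from `[A-Za-z0-9_.-]` and may not start with `.` or `-`. How the operator composes the image reference is not visible here, but if it concatenates the value, characters such as `/`, `:` or `@` could change which image is resolved fleet-wide. Constraining the field, e.g. `defaultTag: z.string().trim().regex(/^$|^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$/),`, closes that off. The same applies to `tag` in `src/app/api/admin/tenants/[name]/openclaw-image/route.ts`. Because a successful PATCH rolls every non-overridden tenant, it would also help to log the acting user and the old and new tag on success; at present only failures are logged.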
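--- a/src/app/api/admin/tenants/[name]/openclaw-image/route.ts
+++ b/src/app/api/admin/tenants/[name]/openclaw-image/route.ts
@@ -0,0 +1,78 @@
+import { NextRequest, NextResponse } from "next/server";
+import { z } from "zod";
+import { getSessionUser } from "@/lib/session";
+import { getTenant, patchTenantSpec } from "@/lib/k8s";
+import { safeError } from "@/lib/errors";
+
+/**
+* Per-tenant OpenClaw image override (admin-only).
+*
+* Why admin-only: customers cannot pick OpenClaw versions. This
+* exists so the platform team can A/B-test new releases on specific
+* tenants without rolling them out fleet-wide. The endpoint enforces
+* `user.isPlatform`; even owners of the tenant's org cannot use it.
+*
+* PATCH body shapes:
+* - { tag: "2026.4.22" } → use this tag
+* - { tag: "" } or empty body → clear override (revert to platform
+* default)
+*
+* Tag-only by design — see operator notes for rationale.
+*/
+
+const patchSchema = z.object({
+tag: z.string().trim().max(256).optional(),
+});
+
+export async function PATCH(
+req: NextRequest,
+{ params }: { params: Promise<{ name: string }> }
+) {
+const user = await getSessionUser();
+if (!user) {
+return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+}
+if (!user.isPlatform) {
+return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+}
+
+const { name } = await params;
+const tenant = await getTenant(name);
+if (!tenant) {
+return NextResponse.json({ error: "Not found" }, { status: 404 });
+}
+
+const body = await req.json().catch(() => null);
+const parsed = patchSchema.safeParse(body ?? {});
+if (!parsed.success) {
+return NextResponse.json(
+{ error: "Invalid input", details: parsed.error.flatten() },
+{ status: 400 }
+);
+}
+
+const tag = parsed.data.tag ?? "";
+const isClearing = tag === "";
+
+// Merge-patch semantics: openClawImage: null removes the field
+// from the spec; openClawImage: { tag } sets it.
+const spec: any = isClearing
+? { openClawImage: null }
+: { openClawImage: { tag } };
+
+try {
+const updated = await patchTenantSpec(name, spec);
+return NextResponse.json({
+message: isClearing
+? "Override cleared; tenant follows platform default."
+: "Override set.",
+openClawImage: updated.spec.openClawImage ?? null,
+});
+} catch (e: any) {
+console.error("Failed to set tenant openclaw image:", e);
+return NextResponse.json(
+{ error: safeError(e, "Failed to update tenant image") },
+{ status: 500 }
+);
+}
+}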
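Review bot: A request whose body is not valid JSON is handled as a request to clear the override, because `req.json().catch(() => null)` followed by `safeParse(body ?? {})` turns a parse failure into `{}` and a missing `tag` into `""`. A body with a misspelled key takes the same path, since a zod object drops unknown keys by default, so a malformed or mistyped request silently moves the tenant back to the platform default. Keeping the documented empty-body clear while returning 400 for unparseable JSON, and adding `.strict()` to `patchSchema`, would make the destructive path explicit. Separately, `getTenant(name)` runs outside the `try`, so a failure there skips the `safeError` handling that `patchTenantSpec` gets.

```typescript
// … unchanged: session and isPlatform checks, tenant lookup …
const raw = await req.text();
let body: unknown = {};
if (raw.trim() !== "") {
  try {
    body = JSON.parse(raw);
  } catch {
    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
  }
}
const parsed = patchSchema.safeParse(body);
// … unchanged: validation failure response, patchTenantSpec call …
```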