[ENH] ✨ implement s3instanceref and default and add allowedNamespaces
Eneman Donatien authored and Eneman Donatien committed Oct 16, 2024
1 parent 34b85b3 commit d561441
Showing 28 changed files with 1,006 additions and 842 deletions.
37 changes: 18 additions & 19 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,25 +74,16 @@ The operator exposes a few parameters, meant to be set as arguments, though it's

The parameters are summarized in the table below :

| Flag name | Default | Environment variable | Multiple values allowed | Description |
| ------------------------------- | ---------------- | -------------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| `health-probe-bind-address` | `:8081` | - | no | The address the probe endpoint binds to. Comes from Operator SDK. |
| `leader-elect` | `false` | - | no | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. Comes from Operator SDK. |
| `metrics-bind-address` | `:8080` | - | no | The address the metric endpoint binds to. Comes from Operator SDK. |
| `region` | `us-east-1` | - | no | The region to configure for the S3 client. |
| `s3-access-key` | - | `S3_ACCESS_KEY` | no | The access key used to interact with the S3 server. |
| `s3-ca-certificate-base64` | - | - | yes | (Optional) Base64 encoded, PEM format CA certificate, for https requests to the S3 server. |
| `s3-ca-certificate-bundle-path` | - | - | no | (Optional) Path to a CA certificates bundle file, for https requests to the S3 server. |
| `s3-endpoint-url` | `localhost:9000` | - | no | Hostname (or hostname:port) of the S3 server. |
| `s3-provider` | `minio` | - | no | S3 provider (possible values : `minio`, `mockedS3Provider`) |
| `s3-secret-key` | - | `S3_SECRET_KEY` | no | The secret key used to interact with the S3 server. |
| `useSsl` | true | - | no | Use of SSL/TLS to connect to the S3 server |
| `bucket-deletion` | false | - | no | Trigger bucket deletion on the S3 backend upon CR deletion. Will fail if bucket is not empty. |
| `policy-deletion` | false | - | no | Trigger policy deletion on the S3 backend upon CR deletion |
| `path-deletion` | false | - | no | Trigger path deletion on the S3 backend upon CR deletion. Limited to deleting the `.keep` files used by the operator. |
| `s3User-deletion` | false | - | no | Trigger S3User deletion on the S3 backend upon CR deletion. |
| `override-existing-secret` | false | - | no | Update secret linked to s3User if already exist, else noop |
| `s3LabelSelector` | "" | - | no | Filter resource that this instance will manage. If Empty all resource in the cluster will be manage |
| Flag name | Default | Environment variable | Multiple values allowed | Description |
| --------------------------- | ------- | -------------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| `health-probe-bind-address` | `:8081` | - | no | The address the probe endpoint binds to. Comes from Operator SDK. |
| `leader-elect` | `false` | - | no | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. Comes from Operator SDK. |
| `metrics-bind-address` | `:8080` | - | no | The address the metric endpoint binds to. Comes from Operator SDK. | |
| `bucket-deletion` | false | - | no | Trigger bucket deletion on the S3 backend upon CR deletion. Will fail if bucket is not empty. |
| `policy-deletion` | false | - | no | Trigger policy deletion on the S3 backend upon CR deletion |
| `path-deletion` | false | - | no | Trigger path deletion on the S3 backend upon CR deletion. Limited to deleting the `.keep` files used by the operator. |
| `s3User-deletion` | false | - | no | Trigger S3User deletion on the S3 backend upon CR deletion. |
| `override-existing-secret` | false | - | no | Update secret linked to s3User if already exist, else noop |
## Minimal rights needed to work

The Operator need at least this rights:
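Review bot: the `metrics-bind-address` row of the new table ends in an extra `|` (`... Comes from Operator SDK. | |`), which renders as a stray empty column; drop the trailing pipe. Since `s3-access-key`, `s3-secret-key`, `s3-endpoint-url`, `s3-ca-certificate-base64`, `s3-ca-certificate-bundle-path`, `useSsl` and `s3LabelSelector` are removed from the documented parameters, add a sentence above the table saying that connection settings now come from the `S3Instance` resource, and name the flag or environment variable that selects the default instance the commit title promises; otherwise operators upgrading will look for flags that no longer exist. Also check whether the remaining `bucket-deletion`, `policy-deletion`, `path-deletion`, `s3User-deletion` and `override-existing-secret` flags are still honoured now that the same switches exist per instance as `bucketDeletionEnabled` etc. in `S3InstanceSpec`; if they are not, remove them from the table too.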
Expand Down Expand Up @@ -170,6 +161,7 @@ spec:
secretName: minio-credentials # Name of the secret containing 2 Keys S3_ACCESS_KEY and S3_SECRET_KEY
region: us-east-1 # Region of the Provider
useSSL: true # useSSL to query the Provider
allowedNamespaces: [] # namespaces allowed to have buckets, policies, ... Wildcard prefix/suffix allowed. If empty only the same namespace as s3instance is allowed
```
### Bucket example
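Review bot: the context lines of this example still use `secretName:` and `useSSL:`, but `S3InstanceSpec` in this same commit renames `secretName` to `secretRef`, `urlEndpoint` to `url` and drops `useSSL`, so the example no longer applies against the new CRD; update it. The new comment on `allowedNamespaces` mentions wildcard prefix/suffix matching without showing the syntax; an example such as `["team-*", "*-prod"]` would make it concrete, and it is worth stating that `["*"]` lets every namespace in the cluster use this instance's credentials, since this list is the authorization boundary for cross-namespace access.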
Expand Down Expand Up @@ -307,6 +299,13 @@ spec:

Each S3user is linked to a kubernetes secret which have the same name that the S3User. The secret contains 2 keys: `accessKey` and `secretKey`.

### :info: How works s3InstanceRef

S3InstanceRef can get the following values:
- empty: In this case the s3instance use will be the default one configured at startup if the namespace is in the namespace allowed for this s3Instance
- `s3InstanceName`: In this case the s3Instance use will be the s3Instance with the name `s3InstanceName` in the current namespace (if the current namespace is allowed)
- `namespace/s3InstanceName`: In this case the s3Instance use will be the s3Instance with the name `s3InstanceName` in the namespace `namespace` (if the current namespace is allowed to use this s3Instance)

## Operator SDK generated guidelines

<details>
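Review bot: `:info:` is not a GitHub emoji shortcode and will render literally (`:information_source:` is one), and the heading reads better as "How s3InstanceRef works". The first bullet says the default s3instance is "configured at startup", but the parameters table earlier in this README no longer lists any flag or environment variable that selects it; document that setting here. For the `namespace/s3InstanceName` form, spell out that the "allowed" check is evaluated against the referenced S3Instance's `allowedNamespaces`, i.e. the owner of the instance decides who may use it, not the referrer, since that is the isolation property users will rely on.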
1 change: 1 addition & 0 deletions api/v1alpha1/bucket_types.go
Expand Up @@ -38,6 +38,7 @@ type BucketSpec struct {

// s3InstanceRef where create the bucket
// +kubebuilder:validation:Optional
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
S3InstanceRef string `json:"s3InstanceRef,omitempty"`

// Quota to apply to the bucket
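Review bot: `self == oldSelf` is only evaluated when the field has an old value; because `S3InstanceRef` is optional with `omitempty`, a Bucket created without it can later be updated to point at a different instance, so the field is immutable only once it has been set. If the resolved instance must never change (the README says an empty value means the default instance), either default the field explicitly at admission or reject the unset-to-set transition as well (newer Kubernetes releases support `optionalOldSelf: true` on the validation rule for exactly this case). The same marker is added unchanged to Path, Policy and S3User below, so whatever is decided should be applied to all four.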
1 change: 1 addition & 0 deletions api/v1alpha1/path_types.go
Expand Up @@ -38,6 +38,7 @@ type PathSpec struct {

// s3InstanceRef where create the Paths
// +kubebuilder:validation:Optional
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
S3InstanceRef string `json:"s3InstanceRef,omitempty"`
}

1 change: 1 addition & 0 deletions api/v1alpha1/policy_types.go
Expand Up @@ -38,6 +38,7 @@ type PolicySpec struct {

// s3InstanceRef where create the Policy
// +kubebuilder:validation:Optional
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
S3InstanceRef string `json:"s3InstanceRef,omitempty"`
}

36 changes: 28 additions & 8 deletions api/v1alpha1/s3instance_types.go
Expand Up @@ -32,23 +32,43 @@ type S3InstanceSpec struct {

// url of the S3Instance
// +kubebuilder:validation:Required
UrlEndpoint string `json:"urlEndpoint"`
Url string `json:"url"`

// SecretName associated to the S3Instance containing accessKey and secretKey
// Ref to Secret associated to the S3Instance containing accessKey and secretKey
// +kubebuilder:validation:Required
SecretName string `json:"secretName"`
SecretRef string `json:"secretRef"`

// region associated to the S3Instance
// +kubebuilder:validation:Required
// +kubebuilder:validation:Optional
Region string `json:"region"`

// useSSL when connecting to the S3Instance
// Secret containing key ca.crt with the certificate associated to the S3InstanceUrl
// +kubebuilder:validation:Optional
CaCertSecretRef string `json:"caCertSecretRef,omitempty"`

// AllowedNamespaces to use this S3InstanceUrl if empty only the namespace of this instance url is allowed to use it
// +kubebuilder:validation:Optional
AllowedNamespaces []string `json:"allowedNamespaces,omitempty"`

// BucketDeletionEnabled Trigger bucket deletion on the S3 backend upon CR deletion. Will fail if bucket is not empty.
// +kubebuilder:validation:Optional
// +kubebuilder:default=false
BucketDeletionEnabled bool `json:"bucketDeletionEnabled,omitempty"`

// PolicyDeletionEnabled Trigger policy deletion on the S3 backend upon CR deletion.
// +kubebuilder:validation:Optional
// +kubebuilder:default=false
PolicyDeletionEnabled bool `json:"policyDeletionEnabled,omitempty"`

// PathDeletionEnabled Trigger path deletion on the S3 backend upon CR deletion. Limited to deleting the `.keep` files used by the operator.
// +kubebuilder:validation:Optional
UseSSL bool `json:"useSSL,omitempty"`
// +kubebuilder:default=false
PathDeletionEnabled bool `json:"pathDeletionEnabled,omitempty"`

// CaCertificatesBase64 associated to the S3InstanceUrl
// S3UserDeletionEnabled Trigger S3 deletion on the S3 backend upon CR deletion.
// +kubebuilder:validation:Optional
CaCertificatesBase64 []string `json:"caCertificateBase64,omitempty"`
// +kubebuilder:default=false
S3UserDeletionEnabled bool `json:"s3UserDeletionEnabled,omitempty"`
}

// S3InstanceStatus defines the observed state of S3Instance
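Review bot: `SecretRef` and `CaCertSecretRef` are bare names with no namespace, and their comments do not say where they are resolved; state that they are looked up in the S3Instance's own namespace, not in the namespace of the Bucket, Policy, Path or S3User that references the instance. With cross-namespace references now possible, the lookup namespace matters both for correctness and for which Secrets a tenant can cause the operator to read. The `AllowedNamespaces` comment should also describe the wildcard matching the README promises and say that an entry `*` opens the instance to the whole cluster. Since `UseSSL` is gone, the scheme now has to come from `Url`; a `+kubebuilder:validation:Pattern` restricting it to `^https?://` would reject host-only values of the old `urlEndpoint` style early (the sample in this commit already uses `https://`). Minor: `Region` is now Optional but keeps `json:"region"` without `omitempty`, and the `S3UserDeletionEnabled` comment says "Trigger S3 deletion" where "S3User deletion" is meant.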
1 change: 1 addition & 0 deletions api/v1alpha1/s3user_types.go
Expand Up @@ -40,6 +40,7 @@ type S3UserSpec struct {

// s3InstanceRef where create the user
// +kubebuilder:validation:Optional
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
S3InstanceRef string `json:"s3InstanceRef,omitempty"`
}

16 changes: 16 additions & 0 deletions api/v1alpha1/types.go
@@ -0,0 +1,16 @@
package v1alpha1

// Definitions to manage status condition types
const (
// ConditionReconciled represents the status of the resource reconciliation
ConditionReconciled = "Reconciled"
)

// Definitions to manage status condition reasons
const (
Reconciling = "Reconciling"
Unreachable = "Unreachable"
CreationFailure = "CreationFailure"
Reconciled = "Reconciled"
DeletionFailure = "DeletionFailure"
)
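Review bot: with `allowedNamespaces` a resource can now be rejected because its namespace is not permitted to use the referenced S3Instance, but the reasons defined here have no value for that case; reporting it as `Unreachable` or `CreationFailure` hides an authorization decision behind a generic failure. Add a dedicated reason (for example `NamespaceNotAllowed`) and one for a missing S3Instance, so status conditions let users and alerting distinguish "not allowed" from "backend down". Also, only `ConditionReconciled` carries a comment; a one-line comment per reason constant stating when the controller sets it would help, especially as `Reconciled` doubles as condition type and reason.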
4 changes: 2 additions & 2 deletions api/v1alpha1/zz_generated.deepcopy.go


3 changes: 3 additions & 0 deletions config/crd/bases/s3.onyxia.sh_buckets.yaml
Expand Up @@ -60,6 +60,9 @@ spec:
s3InstanceRef:
description: s3InstanceRef where create the bucket
type: string
x-kubernetes-validations:
- message: S3InstanceRef is immutable
rule: self == oldSelf
required:
- name
- quota
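Review bot: the generated message reads `S3InstanceRef is immutable` while the marker in `api/v1alpha1/bucket_types.go` says `s3InstanceRef is immutable`, so the CRD manifests were not regenerated after the last edit to the markers (the same mismatch appears in the paths, policies and s3users CRDs). Re-run manifest generation (`make manifests` in an Operator SDK project) before merging so the CRDs match the types; the message should use the JSON field name `s3InstanceRef` that users see in their manifests.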
3 changes: 3 additions & 0 deletions config/crd/bases/s3.onyxia.sh_paths.yaml
Expand Up @@ -46,6 +46,9 @@ spec:
s3InstanceRef:
description: s3InstanceRef where create the Paths
type: string
x-kubernetes-validations:
- message: S3InstanceRef is immutable
rule: self == oldSelf
required:
- bucketName
type: object
3 changes: 3 additions & 0 deletions config/crd/bases/s3.onyxia.sh_policies.yaml
Expand Up @@ -44,6 +44,9 @@ spec:
s3InstanceRef:
description: s3InstanceRef where create the Policy
type: string
x-kubernetes-validations:
- message: S3InstanceRef is immutable
rule: self == oldSelf
required:
- name
- policyContent
46 changes: 34 additions & 12 deletions config/crd/bases/s3.onyxia.sh_s3instances.yaml
Expand Up @@ -35,32 +35,54 @@ spec:
spec:
description: S3InstanceSpec defines the desired state of S3Instance
properties:
caCertificateBase64:
description: CaCertificatesBase64 associated to the S3InstanceUrl
allowedNamespaces:
description: AllowedNamespaces to use this S3InstanceUrl if empty
only the namespace of this instance url is allowed to use it
items:
type: string
type: array
bucketDeletionEnabled:
default: false
description: BucketDeletionEnabled Trigger bucket deletion on the
S3 backend upon CR deletion. Will fail if bucket is not empty.
type: boolean
caCertSecretRef:
description: Secret containing key ca.crt with the certificate associated
to the S3InstanceUrl
type: string
pathDeletionEnabled:
default: false
description: PathDeletionEnabled Trigger path deletion on the S3 backend
upon CR deletion. Limited to deleting the `.keep` files used by
the operator.
type: boolean
policyDeletionEnabled:
default: false
description: PolicyDeletionEnabled Trigger policy deletion on the
S3 backend upon CR deletion.
type: boolean
region:
description: region associated to the S3Instance
type: string
s3Provider:
description: type of the S3Instance
type: string
secretName:
description: SecretName associated to the S3Instance containing accessKey
and secretKey
s3UserDeletionEnabled:
default: false
description: S3UserDeletionEnabled Trigger S3 deletion on the S3 backend
upon CR deletion.
type: boolean
secretRef:
description: Ref to Secret associated to the S3Instance containing
accessKey and secretKey
type: string
urlEndpoint:
url:
description: url of the S3Instance
type: string
useSSL:
description: useSSL when connecting to the S3Instance
type: boolean
required:
- region
- s3Provider
- secretName
- urlEndpoint
- secretRef
- url
type: object
status:
description: S3InstanceStatus defines the observed state of S3Instance
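Review bot: `urlEndpoint`, `secretName`, `useSSL` and `caCertificateBase64` disappear and `url` and `secretRef` become required, with no conversion and the same `v1alpha1` version, so any S3Instance already stored with the old field names will fail validation on its next update and the controller will read empty `url`/`secretRef` values from it until someone rewrites the object; call this out as a breaking change in the commit message and README, or add a conversion step. `allowedNamespaces` items are unconstrained strings; a `pattern` limiting entries to namespace-name characters plus an optional leading or trailing `*` would reject typos that silently match nothing, or match more than intended. `url` is likewise unconstrained; `pattern: ^https?://` would reject host-only values carried over from `urlEndpoint`.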
3 changes: 3 additions & 0 deletions config/crd/bases/s3.onyxia.sh_s3users.yaml
Expand Up @@ -46,6 +46,9 @@ spec:
s3InstanceRef:
description: s3InstanceRef where create the user
type: string
x-kubernetes-validations:
- message: S3InstanceRef is immutable
rule: self == oldSelf
secretName:
description: SecretName associated to the S3User
type: string
31 changes: 24 additions & 7 deletions config/samples/s3.onyxia.sh_v1alpha1_s3instance.yaml
Expand Up @@ -2,15 +2,32 @@ apiVersion: s3.onyxia.sh/v1alpha1
kind: S3Instance
metadata:
labels:
app.kubernetes.io/name: bucket
app.kubernetes.io/instance: bucket-sample
app.kubernetes.io/name: s3instance
app.kubernetes.io/instance: s3instance-sample
app.kubernetes.io/part-of: s3-operator
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/created-by: s3-operator
name: s3-default-instance
name: s3instance-sample
spec:
s3Provider: minio
urlEndpoint: minio.example.com
secretName: minio-credentials
region: us-east-1
useSSL: true
url: https://minio.example.com
secretRef: minio-credentials
caCertSecretRef: minio-certificates
# allowedNamespaces: "*" # if not present only resources from the same namespace is allowed
# region: us-east-1
---
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
password: <Password>
---
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
password: <Password>
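Review bot: the commented `allowedNamespaces: "*"` is a string, but the CRD defines the field as an array of strings, so the example would be rejected as soon as it is uncommented; write it as `allowedNamespaces: ["*"]` (and note that this opens the instance to every namespace). The two trailing Secret documents are identical copies named `mysecret` with a `password` key, which matches neither `secretRef: minio-credentials` (the README says that secret carries `S3_ACCESS_KEY` and `S3_SECRET_KEY`, while the type comment says `accessKey` and `secretKey`; pick one and document it) nor `caCertSecretRef: minio-certificates` (which the spec comment says must carry `ca.crt`). Replace them with one Secret per reference using the right names and keys, and put the `<Password>` placeholder under `stringData:` since values under `data:` must be base64.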

0 comments on commit d561441
