Merge pull request #20 from vshn/add/policy

Add policy management
vshn · Sep 5, 2023 · b10fbca · b10fbca
2 parents 20fc9e3 + 8803671
commit b10fbca
Show file tree

Hide file tree

Showing 53 changed files with 1,919 additions and 58 deletions.
diff --git a/Makefile b/Makefile
@@ -85,6 +85,7 @@ install-crd: generate ## Install CRDs into cluster
 .PHONY: install-samples
 install-samples: export KUBECONFIG = $(KIND_KUBECONFIG)
 install-samples: ## Install samples into cluster
+	kubectl apply -f ./samples/_secret.yaml
 	yq ./samples/minio*.yaml | kubectl apply -f -
 
 .PHONY: delete-samples
@@ -131,6 +132,7 @@ webhook-debug:
 	kubectl annotate validatingwebhookconfigurations.admissionregistration.k8s.io validating-webhook-configuration cert-manager.io/inject-ca-from- && \
 	kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io validating-webhook-configuration -oyaml | \
 	yq e "del(.webhooks[0].clientConfig.service) | .webhooks[0].clientConfig.caBundle |= \"$$cabundle\" | .webhooks[0].clientConfig.url |= \"https://$$HOSTIP:9443//validate-minio-crossplane-io-v1-bucket\"" - | \
-	yq e "del(.webhooks[1].clientConfig.service) | .webhooks[1].clientConfig.caBundle |= \"$$cabundle\" | .webhooks[1].clientConfig.url |= \"https://$$HOSTIP:9443//validate-minio-crossplane-io-v1-user\"" - | \
+	yq e "del(.webhooks[1].clientConfig.service) | .webhooks[1].clientConfig.caBundle |= \"$$cabundle\" | .webhooks[1].clientConfig.url |= \"https://$$HOSTIP:9443//validate-minio-crossplane-io-v1-policy\"" - | \
+	yq e "del(.webhooks[2].clientConfig.service) | .webhooks[2].clientConfig.caBundle |= \"$$cabundle\" | .webhooks[2].clientConfig.url |= \"https://$$HOSTIP:9443//validate-minio-crossplane-io-v1-user\"" - | \
 	kubectl apply -f - && \
 	kubectl annotate validatingwebhookconfigurations.admissionregistration.k8s.io validating-webhook-configuration kubectl.kubernetes.io/last-applied-configuration-
diff --git a/README.md b/README.md
@@ -48,12 +48,14 @@ To test and troubleshoot the webhooks on the cluster, simply apply your changes
 
 1.  Make sure you have all CRDs and validation webhook registrations installed.
     ```bash
-    make install-samples
+    make install-crd
+    kubectl apply -f package/webhook
     ```
 2.  To debug the webhook in an IDE, we need to generate certificates:
     ```bash
     make webhook-debug
     # if necessary with another endpoint name, depending on your docker setup
+    # if you change the webhook_service_name variable, you need to clean out the old certificates
     make webhook-debug -e webhook_service_name=$HOSTIP
     ```
 3.  Start the operator in your IDE with `WEBHOOK_TLS_CERT_DIR` environment set to `.work/webhooks`.
@@ -63,6 +65,13 @@ To test and troubleshoot the webhooks on the cluster, simply apply your changes
     make install-samples
     ```
 
+### Run operator in debugger
+
+* `make crossplane-setup minio-setup install-crds` to install crossplane and minio in the kind cluster
+* `kubectl apply -f samples/_secret.yaml samples/minio.crossplane.io_providerconfig.yaml`
+* `EXPORT KUBECONFIG=.work/kind/kind-kubeconfig`
+* `go run . --log-level 1 operator`
+
 ### Crossplane Provider Mechanics
 
 For detailed information on how Crossplane Provider works from a development perspective check [provider mechanics documentation page](https://kb.vshn.ch/app-catalog/explanations/crossplane_provider_mechanics.html).

diff --git a/apis/minio/v1/minio_types.go b/apis/minio/v1/minio_types.go
@@ -0,0 +1,29 @@
+package v1
+
+import (
+	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Updating returns a Ready condition where the service is updating.
+func Updating() xpv1.Condition {
+	return xpv1.Condition{
+		Type:               xpv1.TypeReady,
+		Status:             corev1.ConditionFalse,
+		Reason:             "Updating",
+		Message:            "The service is being updated",
+		LastTransitionTime: metav1.Now(),
+	}
+}
+
+// Disabled returns a Ready condition where the service is disabled.
+func Disabled() xpv1.Condition {
+	return xpv1.Condition{
+		Type:               xpv1.TypeReady,
+		Status:             corev1.ConditionFalse,
+		Reason:             "Disabled",
+		Message:            "The service is disabled",
+		LastTransitionTime: metav1.Now(),
+	}
+}
diff --git a/apis/minio/v1/policy_types.go b/apis/minio/v1/policy_types.go
@@ -0,0 +1,72 @@
+package v1
+
+import (
+	"reflect"
+
+	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+func init() {
+	SchemeBuilder.Register(&Policy{}, &PolicyList{})
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
+// +kubebuilder:printcolumn:name="Synced",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
+// +kubebuilder:printcolumn:name="External Name",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster,categories={crossplane,minio}
+// +kubebuilder:webhook:verbs=create;update,path=/validate-minio-crossplane-io-v1-policy,mutating=false,failurePolicy=fail,groups=minio.crossplane.io,resources=policies,versions=v1,name=policies.minio.crossplane.io,sideEffects=None,admissionReviewVersions=v1
+
+type Policy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PolicySpec   `json:"spec"`
+	Status PolicyStatus `json:"status,omitempty"`
+}
+
+type PolicySpec struct {
+	xpv1.ResourceSpec `json:",inline"`
+	ForProvider       PolicyParameters `json:"forProvider,omitempty"`
+}
+
+type PolicyStatus struct {
+	xpv1.ResourceStatus `json:",inline"`
+	AtProvider          PolicyProviderStatus `json:"atProvider,omitempty"`
+}
+
+type PolicyProviderStatus struct {
+	// Policy contains the rendered policy in JSON format as it's applied on minio.
+	Policy string `json:"policy,omitempty"`
+}
+
+type PolicyParameters struct {
+	// AllowBucket will create a simple policy that allows all operations for the given bucket.
+	// Mutually exclusive to `RawPolicy`.
+	AllowBucket string `json:"allowBucket,omitempty"`
+
+	// RawPolicy describes a raw S3 policy ad verbatim.
+	// Please consult https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html for more details about the policy.
+	// Mutually exclusive to `AllowBucket`.
+	RawPolicy string `json:"rawPolicy,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+type PolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Policy `json:"items"`
+}
+
+// Dummy type metadata.
+var (
+	PolicyKind             = reflect.TypeOf(Policy{}).Name()
+	PolicyGroupKind        = schema.GroupKind{Group: Group, Kind: PolicyKind}.String()
+	PolicyKindAPIVersion   = PolicyKind + "." + SchemeGroupVersion.String()
+	PolicyGroupVersionKind = SchemeGroupVersion.WithKind(PolicyKind)
+)
diff --git a/apis/minio/v1/user_types.go b/apis/minio/v1/user_types.go
@@ -16,6 +16,7 @@ func init() {
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="Synced",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
 // +kubebuilder:printcolumn:name="External Name",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
+// +kubebuilder:printcolumn:name="Policies",type="string",JSONPath=".status.atProvider.policies"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:scope=Cluster,categories={crossplane,minio}
@@ -44,13 +45,20 @@ type UserProviderStatus struct {
 	UserName string `json:"userName,omitempty"`
 	// Status indicates the user's status on the minio instance.
 	Status string `json:"status,omitempty"`
+
+	// Policies contains a list of policies that are applied to this user
+	Policies string `json:"policies,omitempty"`
 }
 
 type UserParameters struct {
 	// UserName is the name of the user to create.
 	// Defaults to `metadata.name` if unset.
 	// Cannot be changed after user is created.
 	UserName string `json:"userName,omitempty"`
+
+	// Policies contains a list of policies that should get assigned to this user.
+	// These policies need to be created seperately by using the policy CRD.
+	Policies []string `json:"policies,omitempty"`
 }
 
 // +kubebuilder:object:root=true

diff --git a/apis/minio/v1/zz_generated.deepcopy.go b/apis/minio/v1/zz_generated.deepcopy.go