Merge pull request #2253 from sedefsavas/multitenancy-cont

✨ Support AWS multitenancy

Author: k8s-ci-robot

api/v1alpha2/awscluster_conversion.go

@@ -100,6 +100,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 	// Manually convert conditions
 	dst.SetConditions(restored.GetConditions())
 
+	dst.Spec.IdentityRef = restored.Spec.IdentityRef
 	return nil
 }
 

api/v1alpha2/zz_generated.conversion.go

@@ -25,6 +25,9 @@ const (
 	// ClusterFinalizer allows ReconcileAWSCluster to clean up AWS resources associated with AWSCluster before
 	// removing it from the apiserver.
 	ClusterFinalizer = "awscluster.infrastructure.cluster.x-k8s.io"
+
+	// AWSClusterControllerIdentityName is the name of the AWSClusterControllerIdentity singleton
+	AWSClusterControllerIdentityName = "default"
 )
 
 // AWSClusterSpec defines the desired state of AWSCluster
@@ -82,6 +85,34 @@ type AWSClusterSpec struct {
 	// Bastion contains options to configure the bastion host.
 	// +optional
 	Bastion Bastion `json:"bastion"`
+
+	// IdentityRef is a reference to a identity to be used when reconciling this cluster
+	// +optional
+	IdentityRef *AWSIdentityReference `json:"identityRef,omitempty"`
+}
+
+type AWSIdentityKind string
+
+var (
+	// ControllerIdentityKind defines identity reference kind as AWSClusterControllerIdentity
+	ControllerIdentityKind = AWSIdentityKind("AWSClusterControllerIdentity")
+
+	// ClusterRoleIdentityKind defines identity reference kind as AWSClusterRoleIdentity
+	ClusterRoleIdentityKind = AWSIdentityKind("AWSClusterRoleIdentity")
+
+	// ClusterStaticIdentityKind defines identity reference kind as AWSClusterStaticIdentity
+	ClusterStaticIdentityKind = AWSIdentityKind("AWSClusterStaticIdentity")
+)
+
+// AWSIdentityReference specifies a identity.
+type AWSIdentityReference struct {
+	// Name of the identity.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+
+	// Kind of the identity.
+	// +kubebuilder:validation:Enum=AWSClusterControllerIdentity;AWSClusterRoleIdentity;AWSClusterStaticIdentity
+	Kind AWSIdentityKind `json:"kind"`
 }
 
 type Bastion struct {

api/v1alpha3/awscluster_types.go

@@ -96,6 +96,14 @@ func (r *AWSCluster) ValidateUpdate(old runtime.Object) error {
 		)
 	}
 
+	// If a identityRef is already set, do not allow removal of it.
+	if oldC.Spec.IdentityRef != nil && r.Spec.IdentityRef == nil {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "identityRef"),
+				r.Spec.IdentityRef, "field cannot be set to nil"),
+		)
+	}
+
 	allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
 
 	return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
@@ -104,6 +112,13 @@ func (r *AWSCluster) ValidateUpdate(old runtime.Object) error {
 func (r *AWSCluster) Default() {
 	SetDefaults_Bastion(&r.Spec.Bastion)
 	SetDefaults_NetworkSpec(&r.Spec.NetworkSpec)
+
+	if r.Spec.IdentityRef == nil {
+		r.Spec.IdentityRef = &AWSIdentityReference{
+			Kind: ControllerIdentityKind,
+			Name: AWSClusterControllerIdentityName,
+		}
+	}
 }
 
 func (r *AWSCluster) validateSSHKeyName() field.ErrorList {

api/v1alpha3/awscluster_webhook.go

@@ -0,0 +1,81 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/pkg/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+// log is for logging in this package.
+var _ = logf.Log.WithName("awsclustercontrolleridentity-resource")
+
+func (r *AWSClusterControllerIdentity) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+// +kubebuilder:webhook:verbs=create;update,path=/validate-infrastructure-cluster-x-k8s-io-v1alpha3-awsclustercontrolleridentity,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=infrastructure.cluster.x-k8s.io,resources=awsclustercontrolleridentities,versions=v1alpha3,name=validation.awsclustercontrolleridentity.infrastructure.cluster.x-k8s.io,sideEffects=None
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-infrastructure-cluster-x-k8s-io-v1alpha3-awsclustercontrolleridentity,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=infrastructure.cluster.x-k8s.io,resources=awsclustercontrolleridentities,versions=v1alpha3,name=default.awsclustercontrolleridentity.infrastructure.cluster.x-k8s.io,sideEffects=None
+
+var (
+	_ webhook.Validator = &AWSClusterControllerIdentity{}
+	_ webhook.Defaulter = &AWSClusterControllerIdentity{}
+)
+
+func (r *AWSClusterControllerIdentity) ValidateCreate() error {
+	// Ensures AWSClusterControllerIdentity being singleton by only allowing "default" as name
+	if r.Name != AWSClusterControllerIdentityName {
+		return field.Invalid(field.NewPath("name"),
+			r.Name, "AWSClusterControllerIdentity is a singleton and only acceptable name is default")
+	}
+
+	return nil
+}
+
+func (r *AWSClusterControllerIdentity) ValidateDelete() error {
+	return nil
+}
+
+func (r *AWSClusterControllerIdentity) ValidateUpdate(old runtime.Object) error {
+	oldP, ok := old.(*AWSClusterControllerIdentity)
+	if !ok {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected an AWSClusterControllerIdentity but got a %T", old))
+	}
+
+	if !reflect.DeepEqual(r.Spec, oldP.Spec) {
+		return errors.New("AWSClusterControllerIdentity is immutable")
+	}
+
+	if r.Name != oldP.Name {
+		return field.Invalid(field.NewPath("name"),
+			r.Name, "AWSClusterControllerIdentity is a singleton and only acceptable name is default")
+	}
+	return nil
+}
+
+func (r *AWSClusterControllerIdentity) Default() {
+}

api/v1alpha3/awsclustercontrolleridentity_webhook.go

@@ -0,0 +1,132 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"context"
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestAWSClusterControllerValidateCreate(t *testing.T) {
+	tests := []struct {
+		name      string
+		identity  *AWSClusterControllerIdentity
+		wantError bool
+	}{
+		{
+			name: "only allow AWSClusterControllerIdentity creation with name default",
+			identity: &AWSClusterControllerIdentity{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "default",
+				},
+			},
+			wantError: false,
+		},
+		{
+			name: "do not allow AWSClusterControllerIdentity creation with name other than default",
+			identity: &AWSClusterControllerIdentity{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+				},
+			},
+			wantError: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			identity := tt.identity.DeepCopy()
+			identity.TypeMeta = metav1.TypeMeta{
+				APIVersion: GroupVersion.String(),
+				Kind:       "AWSClusterControllerIdentity",
+			}
+			ctx := context.TODO()
+			if err := testEnv.Create(ctx, identity); (err != nil) != tt.wantError {
+				t.Errorf("ValidateCreate() error = %v, wantErr %v", err, tt.wantError)
+			}
+			testEnv.Delete(ctx, identity)
+		})
+	}
+}
+
+func TestAWSClusterControllerValidateUpdate(t *testing.T) {
+	controllerIdentity := &AWSClusterControllerIdentity{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: GroupVersion.String(),
+			Kind:       "AWSClusterControllerIdentity",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: AWSClusterControllerIdentityName,
+		},
+		Spec: AWSClusterControllerIdentitySpec{
+			AWSClusterIdentitySpec: AWSClusterIdentitySpec{
+				AllowedNamespaces: &AllowedNamespaces{},
+			},
+		},
+	}
+
+	ctx := context.TODO()
+	defer testEnv.Delete(ctx, controllerIdentity)
+
+	if err := testEnv.Create(ctx, controllerIdentity); err != nil {
+		t.Errorf("controllerIdentity creation failed %v", err)
+	}
+
+	tests := []struct {
+		name      string
+		identity  *AWSClusterControllerIdentity
+		wantError bool
+	}{
+		{
+			name: "do not allow any spec changes",
+			identity: &AWSClusterControllerIdentity{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "default",
+				},
+			},
+			wantError: true,
+		},
+		{
+			name: "do not allow name change",
+			identity: &AWSClusterControllerIdentity{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+				},
+			},
+			wantError: true,
+		},
+		{
+			name:      "no error when updating with same object",
+			identity:  controllerIdentity,
+			wantError: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			identity := tt.identity.DeepCopy()
+			identity.TypeMeta = metav1.TypeMeta{
+				APIVersion: GroupVersion.String(),
+				Kind:       "AWSClusterControllerIdentity",
+			}
+			ctx := context.TODO()
+			if err := testEnv.Update(ctx, identity); (err != nil) != tt.wantError {
+				t.Errorf("ValidateUpdate() error = %v, wantErr %v", err, tt.wantError)
+			}
+		})
+	}
+}

api/v1alpha3/awsclustercontrolleridentity_webhook_test.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// log is for logging in this package.
+var _ = logf.Log.WithName("awsclustercontrolleridentitylist-resource")
+
+func (r *AWSClusterControllerIdentityList) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}