feat(assuredworkloads): implement AssuredWorkloadsWorkload via direct controller #6664
codebot-robot wants to merge 18 commits into GoogleCloudPlatform:master from
… controller

This change implements the AssuredWorkloadsWorkload resource using the direct controller approach. It includes:
- Updates to the CRD and API types to include `organizationRef` and `location`.
- Implementation of the direct controller logic.
- Updates to the mockgcp service to support `CreateWorkload`.
- New test case in `pkg/test/resourcefixture`.
|
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Addressed potential issue with enum slice conversion in AssuredWorkloadsWorkload mapper. This should resolve the fuzz-roundtrip failure. |
|
Added unit tests for AssuredWorkloadsWorkload mapper to verify the fix and ensure correctness of enum list conversion. |
|
--- INVESTIGATION REPORT ---
Run ID: 22209866743
Action Taken: Fix applied
|
- Add missing 'refs' import in workload_controller.go.
- Update basicassuredworkloadsworkload test fixture (update.yaml) to match golden file expectations (update displayName, preserve labels).
- Update golden files for basicassuredworkloadsworkload to match current MockGCP behavior (inclusion of labels).
- Include generated code updates (workload_types.go, mappers) that were pending.
|
--- INVESTIGATION REPORT ---
Run ID: 22244409762
|
out.log
Outdated
| @@ -0,0 +1,3287 @@ | |||
| tests-e2e-fixtures-assuredworkloads UNKNOWN STEP 2026-02-22T22:31:23.2670397Z Current runner version: '2.331.0' | |||
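Review bot: out.log is added as a new 3287-line file (`@@ -0,0 +1,3287 @@`) whose first line is runner output (`Current runner version: '2.331.0'`), so this is a captured CI log, not source. Remove it from the commit and add the file name to .gitignore so a later local run does not stage it again; raw runner logs can also carry environment details that do not belong in the repository.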
We do not need to add this log file.
out.log
Outdated
| tests-e2e-fixtures-assuredworkloads UNKNOWN STEP 2026-02-22T22:39:43.6218668Z === RUN TestAllInSeries/fixtures/bigquerytable-externaldata-parquet-direct | ||
| tests-e2e-fixtures-assuredworkloads UNKNOWN STEP 2026-02-22T22:39:43.6220982Z unified_test.go:233: skipping test basic/bigquery/v1beta1/bigquerytable/bigquerytable-externaldata-parquet-direct because group "bigquery.cnrm.cloud.google.com" did not match ONLY_TEST_APIGROUPS=assuredworkloads.cnrm.cloud.google.com | ||
| tests-e2e-fixtures-assuredworkloads UNKNOWN STEP 2026-02-22T22:39:43.6222871Z === RUN TestAllInSeries/fixtures/bigquerytable-full | ||
| tests-e2e-fixtures-assuredworkloads UNKNOWN STEP 2026-02-22T22:39:43.6224805Z unified_test.go:233: skipping test basic/bigquery/v1beta1/bigquerytable/bigquerytable-full because group "bigquery.cnrm.cloud.google.com" did not match |
Same with out_fixtures.log, we do not need to add this file either.
| [refs] crd=apigeenataddresses.apigee.cnrm.cloud.google.com version=v1alpha1: field ".spec.instanceId" should be a reference | ||
| [refs] crd=appengineflexibleappversions.appengine.cnrm.cloud.google.com version=v1alpha1: field ".spec.serviceAccount" should be a reference | ||
| [refs] crd=appenginestandardappversions.appengine.cnrm.cloud.google.com version=v1alpha1: field ".spec.serviceAccount" should be a reference | ||
| [refs] crd=assuredworkloadsworkloads.assuredworkloads.cnrm.cloud.google.com version=v1alpha1: field ".spec.provisionedResourcesParent" should be a reference |
I am not sure on this one. Should this field be a reference, or are we okay with it being a string field for now @gemmahou?
Thanks for the clarification! Yes let's do it the right way and make it a reference.
|
|
||
| provisionedResourcesParent := "" | ||
| if obj.Spec.ProvisionedResourcesParent != nil { | ||
| folder, err := refs.ResolveFolder(ctx, reader, obj, obj.Spec.ProvisionedResourcesParent) |
ResolveFolder takes in ref *FolderRef but obj.Spec.ProvisionedResourcesParent is a string. https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/master/apis/refs/v1beta1/folderref.go#L75
Seems like codebot already added this field obj.Spec.ProvisionedResourcesParent as a reference (code)
|
|
||
| paths := []string{} | ||
| if direct.ValueOf(desired.Spec.DisplayName) != a.actual.DisplayName { | ||
| paths = append(paths, "display_name") |
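Review bot: in the `paths` construction, a mask entry is added only when `displayName` differs, and nothing visible here handles a difference in any other spec field. If the remaining fields are immutable, compare them as well and return an error on change, so that an edit to the spec is rejected instead of silently producing an empty or partial update mask.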
Just double checking, are displayName and labels the only two fields that can be updated?
| if err != nil { | ||
| return nil, err | ||
| } | ||
| provisionedResourcesParent = fmt.Sprintf("folders/%s", folder.FolderID) |
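Review bot: `folder.FolderID` is formatted into `folders/%s` without a check that it is non-empty, so unless `ResolveFolder` guarantees an ID, an empty value becomes the parent `folders/` and fails only at the API call. Validate the ID before the `fmt.Sprintf`, and wrap the bare `return nil, err` with the field name (for example `fmt.Errorf("resolving spec.provisionedResourcesParent: %w", err)`) so the failure is attributable.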
We don't resolve reference fields this way. Let's use the common normalize function to resolve reference fields. Example:
| if mapCtx.Err() != nil { | ||
| return mapCtx.Err() | ||
| } | ||
| resource.ProvisionedResourcesParent = a.provisionedResourcesParent |
With the suggested resolver change in my previous comment, this should be handled in the mapper's AssuredWorkloadsWorkloadSpec_ToProto function
| } | ||
| // MISSING: Etag | ||
| out.Labels = in.Labels | ||
| // ProvisionedResourcesParent is handled manually in the controller |
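Review bot: `// MISSING: Etag` leaves the field unmapped without saying whether that is intended. If the update path is meant to send the etag back, map it here; otherwise replace the marker with a comment stating why it is skipped. The same applies to the `ProvisionedResourcesParent` comment below it: a field converted outside the mapper is not exercised by the mapper's round-trip tests, so the comment should name where the conversion lives.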
With the suggested resolver change in my previous comment, we should handle the conversion of this reference field here.
10853c5 to 2842f7f
| return nil, fmt.Errorf("error converting to %T: %w", obj, err) | ||
| } | ||
|
|
||
| if err := common.NormalizeReferences(ctx, reader, obj, nil); err != nil { |
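Review bot: the bare `nil` passed as the last argument to `common.NormalizeReferences` gives the reader no hint what is being omitted. Add a short comment naming the parameter and why it is nil for this resource, so a later change to the call does not have to rediscover it.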
In my previous comment I suggested to use common.NormalizeReferences, but that requires the reference, FolderRef, to implement the Ref interface. I think it's unnecessary to refactor FolderRef in this PR, so let's use the resolveFolder function instead, example:
| // folders/{folder_id} | ||
| // +kcc:proto:field=google.cloud.assuredworkloads.v1.Workload.provisioned_resources_parent | ||
| // ProvisionedResourcesParent *string `json:"provisionedResourcesParent,omitempty"` | ||
| ProvisionedResourcesParent *refs.FolderRef `json:"provisionedResourcesParent,omitempty"` |
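Review bot: the previous declaration is left behind as a comment (`// ProvisionedResourcesParent *string ...`) directly above the new `*refs.FolderRef` field, where it becomes part of that field's doc comment. Delete it; version history keeps the old type. The `folders/{folder_id}` doc line should also be reworded to describe the reference form now that the field is no longer a plain string.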
Should be ProvisionedResourcesParentRef, to avoid the additional entry in missingrefs.txt.
|
--- INVESTIGATION REPORT ---
Run ID: 22464724992
Run ID: 22402440645
|
BRIEF Change description
This PR implements the `AssuredWorkloadsWorkload` resource using the direct controller approach.
Fixes #6650
WHY do we need this change?
To support Assured Workloads resources in Config Connector, allowing users to manage compliance-related environments via KCC.
Special notes for your reviewer:
The PR includes:
AssuredWorkloadsWorkload.
Does this PR add something which needs to be 'release noted'?
Additional documentation e.g., references, usage docs, etc.:
Intended Milestone
Tests you have done
Verified that the packages build successfully.
Added e2e fixture tests in `pkg/test/resourcefixture/testdata/basic/assuredworkloads/v1alpha1/workload/basic`.
Tested against MockGCP (build was verified, full e2e run was skipped due to environment constraints).
Run `make ready-pr` to ensure this PR is ready for review.
Perform necessary E2E testing for changed resources.