implement mulittenancy

Author: Eneman Donatien

Dockerfile

@@ -15,6 +15,8 @@ RUN go mod download
 COPY main.go main.go
 COPY api/ api/
 COPY controllers/ controllers/
+COPY internal/ internal/
+
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command

README.md

@@ -4,7 +4,7 @@ This Operator SDK based tool aims at managing S3 related resources (buckets, pol
 
 ## At a glance
 
-- Current S3 providers : [Minio](https://github.com/InseeFrLab/s3-operator/blob/main/controllers/s3/factory/minioS3Client.go)
+- Current S3 providers : [Minio](https://github.com/InseeFrLab/s3-operator/blob/main/internal/s3/factory/minioS3Client.go)
 - Currently managed S3 resources : [buckets](https://github.com/InseeFrLab/s3-operator/blob/main/api/v1alpha1/bucket_types.go), [policies](https://github.com/InseeFrLab/s3-operator/blob/main/api/v1alpha1/policy_types.go)
 
 ## Compatibility
@@ -21,14 +21,16 @@ At its heart, the operator revolves around CRDs that match S3 resources :
 - `buckets.s3.onyxia.sh`
 - `policies.s3.onyxia.sh`
 - `paths.s3.onyxia.sh`
-- `users.s3.onyxia.sh`
+- `s3Users.s3.onyxia.sh`
+- `s3Instances.s3.onyxia.sh`
 
 The custom resources based on these CRDs are a somewhat simplified projection of the real S3 resources. From the operator's point of view : 
 
 - A `Bucket` CR matches a S3 bucket, and only has a name, a quota (actually two, [see Bucket example in *Usage* section below](#bucket)), and optionally, a set of paths
 - A `Policy` CR matches a "canned" policy (not a bucket policy, but a global one, that can be attached to a user), and has a name, and its actual content (IAM JSON)
 - A `Path` CR matches a set of paths inside of a policy. This is akin to the `paths` property of the `Bucket` CRD, except `Path` is not responsible for Bucket creation. 
 - A `S3User` CR matches a user in the s3 server, and has a name, a set of policy and a set of group.
+- A `S3Instance` CR matches a s3Instance. 
 
 Each custom resource based on these CRDs on Kubernetes is to be matched with a resource on the S3 instance. If the CR and the corresponding S3 resource diverge, the operator will create or update the S3 resource to bring it back to.
 
@@ -90,7 +92,7 @@ The parameters are summarized in the table below :
 | `path-deletion`                 | false            | -                    | no                      | Trigger path deletion on the S3 backend upon CR deletion. Limited to deleting the `.keep` files used by the operator.                          |
 | `s3User-deletion`               | false            | -                    | no                      | Trigger S3User deletion on the S3 backend upon CR deletion.                                                                                    |
 | `override-existing-secret`      | false            | -                    | no                      | Update secret linked to s3User if already exist, else noop                                                                                     |
-
+| `s3LabelSelector`               | ""               | -                    | no                      | Filter resource that this instance will manage. If Empty all resource in the cluster will be manage                                            |
 ## Minimal rights needed to work
 
 The Operator need at least this rights:
@@ -147,6 +149,29 @@ The Operator need at least this rights:
 - The same will happen if you modify a CR - the operator will adjust the S3 bucket or policy accordingly - with the notable exception that it will not delete paths for buckets.
 - Upon deleting a CR, the corresponding bucket or policy will be left as is, as mentioned in the [*Description* section above](#description)
 
+An instance of S3Operator can manage multiple S3. On each resource created you can set where to create it. To add multiple instance of S3 see S3Instance example. On each object deployed you can attach it to an existing s3Instance. If no instance is set on the resource, S3Operator will failback to default instance configured by env var.
+
+### S3Instance example
+
+```yaml
+apiVersion: s3.onyxia.sh/v1alpha1
+kind: S3Instance
+metadata:
+  labels:
+    app.kubernetes.io/name: bucket
+    app.kubernetes.io/instance: bucket-sample
+    app.kubernetes.io/part-of: s3-operator
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: s3-operator
+  name: s3-default-instance                     # Name of the S3Instance
+spec:
+  s3Provider: minio                             # Type of the Provider. Can be "mockedS3Provider" or "minio"
+  urlEndpoint: minio.example.com                # URL of the Provider
+  secretName: minio-credentials                 # Name of the secret containing 2 Keys S3_ACCESS_KEY and S3_SECRET_KEY
+  region: us-east-1                             # Region of the Provider
+  useSSL: true                                  # useSSL to query the Provider
+```
+
 ### Bucket example
 
 ```yaml
@@ -182,6 +207,10 @@ spec:
   quota:
     default: 10000000    
     # override: 20000000
+  
+  # Optionnal, let empty if you have configured the default s3 else use an existing s3Instance
+  s3InstanceRef: "s3-default-instance"
+  
 
 ```
 
@@ -202,6 +231,9 @@ spec:
   # Policy name (on S3 server, as opposed to the name of the CR)
   name: dummy-policy
 
+  # Optionnal, let empty if you have configured the default s3 else use an existing s3Instance
+  s3InstanceRef: "s3-default-instance"
+
   # Content of the policy, as a multiline string 
   # This should be IAM compliant JSON - follow the guidelines of the actual
   # S3 provider you're using, as sometimes only a subset is available.
@@ -245,6 +277,8 @@ spec:
     - /home/alice
     - /home/bob
 
+  # Optionnal, let empty if you have configured the default s3 else use an existing s3Instance
+  s3InstanceRef: "s3-default-instance"
 
 ```
 
@@ -266,6 +300,8 @@ spec:
   policies:
     - policy-example1
     - policy-example2
+  # Optionnal, let empty if you have configured the default s3 else use an existing s3Instance
+  s3InstanceRef: "s3-default-instance"
 
 ```
 

api/v1alpha1/bucket_types.go

@@ -36,14 +36,18 @@ type BucketSpec struct {
 	// +kubebuilder:validation:Optional
 	Paths []string `json:"paths,omitempty"`
 
+	// s3InstanceRef where create the bucket
+	// +kubebuilder:validation:Optional
+	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
+
 	// Quota to apply to the bucket
 	// +kubebuilder:validation:Required
 	Quota Quota `json:"quota"`
 }
 
 // BucketStatus defines the observed state of Bucket
 type BucketStatus struct {
-	// Status management using Conditions. 
+	// Status management using Conditions.
 	// See also : https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
 	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }

api/v1alpha1/path_types.go

@@ -35,6 +35,10 @@ type PathSpec struct {
 	// Paths (folders) to create inside the bucket
 	// +kubebuilder:validation:Optional
 	Paths []string `json:"paths,omitempty"`
+
+	// s3InstanceRef where create the Paths
+	// +kubebuilder:validation:Optional
+	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
 }
 
 // PathStatus defines the observed state of Path

api/v1alpha1/policy_types.go

@@ -35,11 +35,15 @@ type PolicySpec struct {
 	// +kubebuilder:validation:Required
 	// Content of the policy (IAM JSON format)
 	PolicyContent string `json:"policyContent"`
+
+	// s3InstanceRef where create the Policy
+	// +kubebuilder:validation:Optional
+	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
 }
 
 // PolicyStatus defines the observed state of Policy
 type PolicyStatus struct {
-	// Status management using Conditions. 
+	// Status management using Conditions.
 	// See also : https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
 	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
 }

api/v1alpha1/s3instance_types.go

@@ -0,0 +1,84 @@
+/*
+Copyright 2023.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// S3InstanceSpec defines the desired state of S3Instance
+type S3InstanceSpec struct {
+
+	// type of the S3Instance
+	// +kubebuilder:validation:Required
+	S3Provider string `json:"s3Provider"`
+
+	// url of the S3Instance
+	// +kubebuilder:validation:Required
+	UrlEndpoint string `json:"urlEndpoint"`
+
+	// SecretName associated to the S3Instance containing accessKey and secretKey
+	// +kubebuilder:validation:Required
+	SecretName string `json:"secretName"`
+
+	// region associated to the S3Instance
+	// +kubebuilder:validation:Required
+	Region string `json:"region"`
+
+	// useSSL when connecting to the S3Instance
+	// +kubebuilder:validation:Optional
+	UseSSL bool `json:"useSSL,omitempty"`
+
+	// CaCertificatesBase64 associated to the S3InstanceUrl
+	// +kubebuilder:validation:Optional
+	CaCertificatesBase64 []string `json:"caCertificateBase64,omitempty"`
+}
+
+// S3InstanceStatus defines the observed state of S3Instance
+type S3InstanceStatus struct {
+	// Status management using Conditions.
+	// See also : https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// S3Instance is the Schema for the S3Instances API
+type S3Instance struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   S3InstanceSpec   `json:"spec,omitempty"`
+	Status S3InstanceStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// S3InstanceList contains a list of S3Instance
+type S3InstanceList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []S3Instance `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&S3Instance{}, &S3InstanceList{})
+}

api/v1alpha1/s3user_types.go

@@ -37,6 +37,10 @@ type S3UserSpec struct {
 	// SecretName associated to the S3User
 	// +kubebuilder:validation:Optional
 	SecretName string `json:"secretName"`
+
+	// s3InstanceRef where create the user
+	// +kubebuilder:validation:Optional
+	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
 }
 
 // S3UserStatus defines the observed state of S3User

api/v1alpha1/zz_generated.deepcopy.go

@@ -57,6 +57,9 @@ spec:
                 required:
                 - default
                 type: object
+              s3InstanceRef:
+                description: s3InstanceRef where create the bucket
+                type: string
             required:
             - name
             - quota

config/crd/bases/s3.onyxia.sh_buckets.yaml

@@ -43,6 +43,9 @@ spec:
                 items:
                   type: string
                 type: array
+              s3InstanceRef:
+                description: s3InstanceRef where create the Paths
+                type: string
             required:
             - bucketName
             type: object