
Commit 4a29bd1

Eneman Donatien authored and committed
[ENH] ✨ implement s3instanceref and default and add allowedNamespaces
1 parent 34b85b3 commit 4a29bd1

34 files changed: +1265 −1213 lines changed

README.md

Lines changed: 21 additions & 22 deletions
@@ -74,25 +74,12 @@ The operator exposes a few parameters, meant to be set as arguments, though it's
7474

7575
The parameters are summarized in the table below :
7676

77-
| Flag name | Default | Environment variable | Multiple values allowed | Description |
78-
| ------------------------------- | ---------------- | -------------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
79-
| `health-probe-bind-address` | `:8081` | - | no | The address the probe endpoint binds to. Comes from Operator SDK. |
80-
| `leader-elect` | `false` | - | no | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. Comes from Operator SDK. |
81-
| `metrics-bind-address` | `:8080` | - | no | The address the metric endpoint binds to. Comes from Operator SDK. |
82-
| `region` | `us-east-1` | - | no | The region to configure for the S3 client. |
83-
| `s3-access-key` | - | `S3_ACCESS_KEY` | no | The access key used to interact with the S3 server. |
84-
| `s3-ca-certificate-base64` | - | - | yes | (Optional) Base64 encoded, PEM format CA certificate, for https requests to the S3 server. |
85-
| `s3-ca-certificate-bundle-path` | - | - | no | (Optional) Path to a CA certificates bundle file, for https requests to the S3 server. |
86-
| `s3-endpoint-url` | `localhost:9000` | - | no | Hostname (or hostname:port) of the S3 server. |
87-
| `s3-provider` | `minio` | - | no | S3 provider (possible values : `minio`, `mockedS3Provider`) |
88-
| `s3-secret-key` | - | `S3_SECRET_KEY` | no | The secret key used to interact with the S3 server. |
89-
| `useSsl` | true | - | no | Use of SSL/TLS to connect to the S3 server |
90-
| `bucket-deletion` | false | - | no | Trigger bucket deletion on the S3 backend upon CR deletion. Will fail if bucket is not empty. |
91-
| `policy-deletion` | false | - | no | Trigger policy deletion on the S3 backend upon CR deletion |
92-
| `path-deletion` | false | - | no | Trigger path deletion on the S3 backend upon CR deletion. Limited to deleting the `.keep` files used by the operator. |
93-
| `s3User-deletion` | false | - | no | Trigger S3User deletion on the S3 backend upon CR deletion. |
94-
| `override-existing-secret` | false | - | no | Update secret linked to s3User if already exist, else noop |
95-
| `s3LabelSelector` | "" | - | no | Filter resource that this instance will manage. If Empty all resource in the cluster will be manage |
77+
| Flag name | Default | Environment variable | Multiple values allowed | Description |
78+
| --------------------------- | ------- | -------------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
79+
| `health-probe-bind-address` | `:8081` | - | no | The address the probe endpoint binds to. Comes from Operator SDK. |
80+
| `leader-elect` | `false` | - | no | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. Comes from Operator SDK. |
81+
| `metrics-bind-address` | `:8080` | - | no | The address the metric endpoint binds to. Comes from Operator SDK. | |
82+
| `override-existing-secret` | false | - | no | Update secret linked to s3User if already exist, else noop |
9683
## Minimal rights needed to work
9784

9885
The Operator need at least this rights:
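Review bot: the rebuilt table at the top of this hunk has a stray trailing empty cell on the `metrics-bind-address` row (`... Comes from Operator SDK. | |`), which no longer matches the header's column count and will render as a malformed row; drop the extra `|`. Two smaller points on the same table: `false` in the `override-existing-secret` row is the only default not wrapped in backticks, unlike `:8081` and `false` in the rows above it, and most of the removed rows (`region`, `s3-endpoint-url`, `useSsl`, the `*-deletion` flags) now correspond to per-instance fields in the S3Instance spec added in this commit, so one sentence after the table pointing readers there would save anyone looking for the old flags.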
@@ -166,10 +153,15 @@ metadata:
166153
name: s3-default-instance # Name of the S3Instance
167154
spec:
168155
s3Provider: minio # Type of the Provider. Can be "mockedS3Provider" or "minio"
169-
urlEndpoint: minio.example.com # URL of the Provider
170-
secretName: minio-credentials # Name of the secret containing 2 Keys S3_ACCESS_KEY and S3_SECRET_KEY
156+
url: https://minio.example.com # URL of the Provider
157+
secretRef: minio-credentials # Name of the secret containing 2 Keys S3_ACCESS_KEY and S3_SECRET_KEY
158+
caCertSecretRef: minio-certs # Name of the secret containing key ca.crt with cert of s3provider
171159
region: us-east-1 # Region of the Provider
172-
useSSL: true # useSSL to query the Provider
160+
allowedNamespaces: [] # namespaces allowed to have buckets, policies, ... Wildcard prefix/suffix allowed. If empty only the same namespace as s3instance is allowed
161+
bucketDeletionEnabled: true # Allowed bucket entity suppression on s3instance
162+
policyDeletionEnabled: true # Allowed policy entity suppression on s3instance
163+
pathDeletionEnabled: true # Allowed path entity suppression on s3instance
164+
s3UserDeletionEnabled: true # Allowed s3User entity suppression on s3instance
173165
```
174166
175167
### Bucket example
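Review bot: the example sets all four `*DeletionEnabled` fields to `true`, while the S3Instance spec in this same commit defaults them to `false`; a copy-pasted example therefore opts the instance into deleting buckets, policies, paths and users on the S3 backend whenever a CR is deleted. Either show the defaults (`false`) in the example or say in the comments that `true` is the destructive setting and the default is off. Also, `useSSL` was dropped and `url` now carries the scheme (`https://minio.example.com`); the `# URL of the Provider` comment should say that the scheme is what selects TLS, otherwise readers migrating from `urlEndpoint` will not know where `useSSL` went. Finally, the `allowedNamespaces: []` comment promises wildcard prefix/suffix support; one concrete entry in the comment (for example `tenant-*`, as an illustration) would make the accepted syntax unambiguous.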
@@ -307,6 +299,13 @@ spec:
307299

308300
Each S3user is linked to a kubernetes secret which have the same name that the S3User. The secret contains 2 keys: `accessKey` and `secretKey`.
309301

302+
### :info: How works s3InstanceRef
303+
304+
S3InstanceRef can get the following values:
305+
- empty: In this case the s3instance use will be the default one configured at startup if the namespace is in the namespace allowed for this s3Instance
306+
- `s3InstanceName`: In this case the s3Instance use will be the s3Instance with the name `s3InstanceName` in the current namespace (if the current namespace is allowed)
307+
- `namespace/s3InstanceName`: In this case the s3Instance use will be the s3Instance with the name `s3InstanceName` in the namespace `namespace` (if the current namespace is allowed to use this s3Instance)
308+
310309
## Operator SDK generated guidelines
311310

312311
<details>
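Review bot: the first bullet ("empty: ... the default one configured at startup") does not match the API change in this commit: every `s3InstanceRef` field now carries `+kubebuilder:default=s3-operator/default`, so the API server fills an omitted value with the literal `s3-operator/default` at admission and the controller never sees an empty string; a default configured at operator startup would be bypassed. Reword the bullet to say that an omitted value resolves to the S3Instance named `default` in the `s3-operator` namespace, and, if that is the intent, that changing it means changing the CRD default. The three bullets also state the authorization rule in three slightly different phrasings ("if the namespace is in the namespace allowed", "if the current namespace is allowed", "if the current namespace is allowed to use this s3Instance"); state once that the resource's namespace must be listed in the target S3Instance's `allowedNamespaces` (or, when that list is empty, be the S3Instance's own namespace) and refer back to it. The heading itself should read "How s3InstanceRef works".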

api/v1alpha1/bucket_types.go

Lines changed: 6 additions & 2 deletions
@@ -37,8 +37,12 @@ type BucketSpec struct {
3737
Paths []string `json:"paths,omitempty"`
3838

3939
// s3InstanceRef where create the bucket
40-
// +kubebuilder:validation:Optional
41-
S3InstanceRef string `json:"s3InstanceRef,omitempty"`
40+
// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?(/[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)?$`
41+
// +kubebuilder:validation:MinLength=1
42+
// +kubebuilder:validation:MaxLength=127
43+
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
44+
// +kubebuilder:default=s3-operator/default
45+
S3InstanceRef string `json:"s3InstanceRef"`
4246

4347
// Quota to apply to the bucket
4448
// +kubebuilder:validation:Required
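Review bot: this is the only one of the four `S3InstanceRef` fields touched in this commit that drops `omitempty` together with the `+kubebuilder:validation:Optional` marker, which makes the field required in the Bucket CRD (`required: - s3InstanceRef` in `s3.onyxia.sh_buckets.yaml`), while Path, Policy and S3User keep `json:"s3InstanceRef,omitempty"`; pick one convention, since with a `default` set the field is never empty after admission either way. The comment `// s3InstanceRef where create the bucket` becomes the CRD `description`, so it is worth rewriting it to document the accepted forms (`name` or `namespace/name`, per the README change in this commit), the default `s3-operator/default`, and that the value is immutable (`self == oldSelf`).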

api/v1alpha1/path_types.go

Lines changed: 5 additions & 1 deletion
@@ -37,7 +37,11 @@ type PathSpec struct {
3737
Paths []string `json:"paths,omitempty"`
3838

3939
// s3InstanceRef where create the Paths
40-
// +kubebuilder:validation:Optional
40+
// +kubebuilder:default=s3-operator/default
41+
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
42+
// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?(/[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)?$`
43+
// +kubebuilder:validation:MinLength=1
44+
// +kubebuilder:validation:MaxLength=127
4145
S3InstanceRef string `json:"s3InstanceRef,omitempty"`
4246
}
4347
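Review bot: this hunk pastes the same `Pattern`/`MinLength`/`MaxLength`/`XValidation` marker block that bucket_types.go carries, and the regex appears again verbatim in policy_types.go and s3user_types.go in this commit, so four copies now have to be kept in sync by hand. kubebuilder honours validation markers on a named type declaration, so a single `type S3InstanceRef string` with the markers, used by all four specs, would remove the duplication; failing that, a comment on each copy naming the canonical one helps reviewers spot drift. The marker order here (default first) also differs from bucket_types.go (pattern first); cosmetic, but easier to diff if aligned.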

api/v1alpha1/policy_types.go

Lines changed: 5 additions & 1 deletion
@@ -37,7 +37,11 @@ type PolicySpec struct {
3737
PolicyContent string `json:"policyContent"`
3838

3939
// s3InstanceRef where create the Policy
40-
// +kubebuilder:validation:Optional
40+
// +kubebuilder:default=s3-operator/default
41+
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
42+
// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?(/[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)?$`
43+
// +kubebuilder:validation:MinLength=1
44+
// +kubebuilder:validation:MaxLength=127
4145
S3InstanceRef string `json:"s3InstanceRef,omitempty"`
4246
}
4347

api/v1alpha1/s3instance_types.go

Lines changed: 29 additions & 10 deletions
@@ -28,27 +28,46 @@ type S3InstanceSpec struct {
2828

2929
// type of the S3Instance
3030
// +kubebuilder:validation:Required
31-
S3Provider string `json:"s3Provider"`
31+
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="S3Provider is immutable"
32+
// +kubebuilder:default=minio
33+
// +kubebuilder:validation:Enum=minio;mockedS3Provider
34+
S3Provider string `json:"s3Provider,omitempty"`
3235

3336
// url of the S3Instance
3437
// +kubebuilder:validation:Required
35-
UrlEndpoint string `json:"urlEndpoint"`
38+
Url string `json:"url"`
3639

37-
// SecretName associated to the S3Instance containing accessKey and secretKey
40+
// Ref to Secret associated to the S3Instance containing accessKey and secretKey
3841
// +kubebuilder:validation:Required
39-
SecretName string `json:"secretName"`
42+
SecretRef string `json:"secretRef"`
4043

4144
// region associated to the S3Instance
42-
// +kubebuilder:validation:Required
43-
Region string `json:"region"`
45+
// +kubebuilder:validation:Optional
46+
Region string `json:"region,omitempty"`
4447

45-
// useSSL when connecting to the S3Instance
48+
// Secret containing key ca.crt with the certificate associated to the S3InstanceUrl
4649
// +kubebuilder:validation:Optional
47-
UseSSL bool `json:"useSSL,omitempty"`
50+
CaCertSecretRef string `json:"caCertSecretRef,omitempty"`
4851

49-
// CaCertificatesBase64 associated to the S3InstanceUrl
52+
// AllowedNamespaces to use this S3InstanceUrl if empty only the namespace of this instance url is allowed to use it
5053
// +kubebuilder:validation:Optional
51-
CaCertificatesBase64 []string `json:"caCertificateBase64,omitempty"`
54+
AllowedNamespaces []string `json:"allowedNamespaces,omitempty"`
55+
56+
// BucketDeletionEnabled Trigger bucket deletion on the S3 backend upon CR deletion. Will fail if bucket is not empty.
57+
// +kubebuilder:default=false
58+
BucketDeletionEnabled bool `json:"bucketDeletionEnabled,omitempty"`
59+
60+
// PolicyDeletionEnabled Trigger policy deletion on the S3 backend upon CR deletion.
61+
// +kubebuilder:default=false
62+
PolicyDeletionEnabled bool `json:"policyDeletionEnabled,omitempty"`
63+
64+
// PathDeletionEnabled Trigger path deletion on the S3 backend upon CR deletion. Limited to deleting the `.keep` files used by the operator.
65+
// +kubebuilder:default=false
66+
PathDeletionEnabled bool `json:"pathDeletionEnabled,omitempty"`
67+
68+
// S3UserDeletionEnabled Trigger S3 deletion on the S3 backend upon CR deletion.
69+
// +kubebuilder:default=false
70+
S3UserDeletionEnabled bool `json:"s3UserDeletionEnabled,omitempty"`
5271
}
5372

5473
// S3InstanceStatus defines the observed state of S3Instance
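Review bot: the markers on `S3Provider` now contradict each other: `+kubebuilder:validation:Required` is kept on the context line above while this hunk adds `+kubebuilder:default=minio` and switches the tag to `omitempty`; a defaulted field is effectively optional, so either drop `Required` or drop the default. `AllowedNamespaces` deserves more care than it gets here: it is the access-control boundary for the instance (any namespace it matches can create Buckets, Policies, Paths and S3Users on the backend with this instance's `secretRef` credentials), yet the field has no validation marker and its comment does not mention the wildcard prefix/suffix matching that the README in this commit promises; document the matching rule in the comment (it becomes the CRD description) and consider a `Pattern` that limits entries to namespace-name characters plus the wildcard, so that a typo does not silently widen access. Smaller points: the `S3UserDeletionEnabled` comment reads "Trigger S3 deletion" where the others say "bucket"/"policy"/"path" (should be "S3User deletion"); `Region` becomes Optional with no `+kubebuilder:default`, so state what the client does when it is empty (the old README table documented `us-east-1` as the flag default); and renaming the JSON keys `urlEndpoint` to `url`, `secretName` to `secretRef` and `caCertificateBase64` to `caCertSecretRef` inside the same `v1alpha1` version breaks stored S3Instance objects, which the commit message should call out.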

api/v1alpha1/s3user_types.go

Lines changed: 5 additions & 1 deletion
@@ -39,7 +39,11 @@ type S3UserSpec struct {
3939
SecretName string `json:"secretName"`
4040

4141
// s3InstanceRef where create the user
42-
// +kubebuilder:validation:Optional
42+
// +kubebuilder:default=s3-operator/default
43+
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
44+
// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?(/[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)?$`
45+
// +kubebuilder:validation:MinLength=1
46+
// +kubebuilder:validation:MaxLength=127
4347
S3InstanceRef string `json:"s3InstanceRef,omitempty"`
4448
}
4549
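Review bot: the context line at the top of this hunk shows `SecretName string \`json:"secretName"\`` on S3UserSpec, while this same commit renames the S3Instance field from `SecretName` to `SecretRef`. If the rename is meant to set a convention for fields that reference a Secret, S3User should follow it (with the same migration caveat, since it is a JSON key); if the difference is deliberate because the S3User secret is one the operator writes rather than reads (the README says each S3User is linked to a secret of the same name), a comment saying so would stop the next reviewer asking the same question.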

api/v1alpha1/types.go

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
package v1alpha1
2+
3+
// Definitions to manage status condition types
4+
const (
5+
// ConditionReconciled represents the status of the resource reconciliation
6+
ConditionReconciled = "Reconciled"
7+
)
8+
9+
// Definitions to manage status condition reasons
10+
const (
11+
Reconciling = "Reconciling"
12+
Unreachable = "Unreachable"
13+
CreationFailure = "CreationFailure"
14+
Reconciled = "Reconciled"
15+
DeletionFailure = "DeletionFailure"
16+
)
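Review bot: `ConditionReconciled` (a condition type) and `Reconciled` (a reason) are both the literal string `"Reconciled"`; that is legal but reads ambiguously at call sites. A comment on the second block saying these are `Reason` values for the `Reconciled` condition, plus one line each on when `Unreachable`, `CreationFailure` and `DeletionFailure` are set, would tell consumers of the status which conditions are worth alerting on.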

api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 2 additions & 2 deletions
Some generated files are not rendered by default.

config/crd/bases/s3.onyxia.sh_buckets.yaml

Lines changed: 8 additions & 0 deletions
@@ -58,11 +58,19 @@ spec:
5858
- default
5959
type: object
6060
s3InstanceRef:
61+
default: s3-operator/default
6162
description: s3InstanceRef where create the bucket
63+
maxLength: 127
64+
minLength: 1
65+
pattern: ^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?(/[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)?$
6266
type: string
67+
x-kubernetes-validations:
68+
- message: s3InstanceRef is immutable
69+
rule: self == oldSelf
6370
required:
6471
- name
6572
- quota
73+
- s3InstanceRef
6674
type: object
6775
status:
6876
description: BucketStatus defines the observed state of Bucket
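Review bot: the generated schema matches the Go markers, but be explicit about what it does and does not enforce: `pattern` only constrains the shape of `s3InstanceRef`; whether the Bucket's namespace is permitted by the target S3Instance's `allowedNamespaces` cannot be expressed in the CRD and has to be checked by the controller at reconcile time, surfaced through a status condition (the `CreationFailure` reason added in types.go fits) when it is not. Adding `s3InstanceRef` to `required` together with `default` is safe for Bucket objects created before this change only because structural-schema defaulting is applied when objects are read from storage; one line in the commit message about that upgrade path would help.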

config/crd/bases/s3.onyxia.sh_paths.yaml

Lines changed: 7 additions & 0 deletions
@@ -44,8 +44,15 @@ spec:
4444
type: string
4545
type: array
4646
s3InstanceRef:
47+
default: s3-operator/default
4748
description: s3InstanceRef where create the Paths
49+
maxLength: 127
50+
minLength: 1
51+
pattern: ^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?(/[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)?$
4852
type: string
53+
x-kubernetes-validations:
54+
- message: s3InstanceRef is immutable
55+
rule: self == oldSelf
4956
required:
5057
- bucketName
5158
type: object
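Review bot: `required` here still lists only `bucketName`, whereas the buckets CRD in this commit adds `s3InstanceRef` to `required`; the difference follows directly from the `omitempty` mismatch between path_types.go and bucket_types.go, so whichever convention is chosen in the Go types should be propagated here by regenerating the CRDs rather than edited by hand.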
