InseeFrLab
diff --git a/‎README.md‎
Lines changed: 18 additions & 19 deletions b/‎README.md‎
Lines changed: 18 additions & 19 deletions
diff --git a/‎api/v1alpha1/bucket_types.go‎
Lines changed: 3 additions & 2 deletions b/‎api/v1alpha1/bucket_types.go‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎api/v1alpha1/path_types.go‎
Lines changed: 2 additions & 1 deletion b/‎api/v1alpha1/path_types.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎api/v1alpha1/policy_types.go‎
Lines changed: 2 additions & 1 deletion b/‎api/v1alpha1/policy_types.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎api/v1alpha1/s3instance_types.go‎
Lines changed: 27 additions & 8 deletions b/‎api/v1alpha1/s3instance_types.go‎
Lines changed: 27 additions & 8 deletions
diff --git a/‎api/v1alpha1/s3user_types.go‎
Lines changed: 2 additions & 1 deletion b/‎api/v1alpha1/s3user_types.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎api/v1alpha1/types.go‎
Lines changed: 16 additions & 0 deletions b/‎api/v1alpha1/types.go‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 2 additions & 2 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎config/crd/bases/s3.onyxia.sh_buckets.yaml‎
Lines changed: 5 additions & 0 deletions b/‎config/crd/bases/s3.onyxia.sh_buckets.yaml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎config/crd/bases/s3.onyxia.sh_paths.yaml‎
Lines changed: 4 additions & 0 deletions b/‎config/crd/bases/s3.onyxia.sh_paths.yaml‎
Lines changed: 4 additions & 0 deletions
@@ -74,25 +74,16 @@ The operator exposes a few parameters, meant to be set as arguments, though it's
 
 The parameters are summarized in the table below :
 
-| Flag name                       | Default          | Environment variable | Multiple values allowed | Description                                                                                                                                    |
-| ------------------------------- | ---------------- | -------------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
-| `health-probe-bind-address`     | `:8081`          | -                    | no                      | The address the probe endpoint binds to. Comes from Operator SDK.                                                                              |
-| `leader-elect`                  | `false`          | -                    | no                      | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. Comes from Operator SDK. |
-| `metrics-bind-address`          | `:8080`          | -                    | no                      | The address the metric endpoint binds to. Comes from Operator SDK.                                                                             |
-| `region`                        | `us-east-1`      | -                    | no                      | The region to configure for the S3 client.                                                                                                     |
-| `s3-access-key`                 | -                | `S3_ACCESS_KEY`      | no                      | The access key used to interact with the S3 server.                                                                                            |
-| `s3-ca-certificate-base64`      | -                | -                    | yes                     | (Optional) Base64 encoded, PEM format CA certificate, for https requests to the S3 server.                                                     |
-| `s3-ca-certificate-bundle-path` | -                | -                    | no                      | (Optional) Path to a CA certificates bundle file, for https requests to the S3 server.                                                         |
-| `s3-endpoint-url`               | `localhost:9000` | -                    | no                      | Hostname (or hostname:port) of the S3 server.                                                                                                  |
-| `s3-provider`                   | `minio`          | -                    | no                      | S3 provider (possible values : `minio`, `mockedS3Provider`)                                                                                    |
-| `s3-secret-key`                 | -                | `S3_SECRET_KEY`      | no                      | The secret key used to interact with  the S3 server.                                                                                           |
-| `useSsl`                        | true             | -                    | no                      | Use of SSL/TLS to connect to the S3 server                                                                                                     |
-| `bucket-deletion`               | false            | -                    | no                      | Trigger bucket deletion on the S3 backend upon CR deletion. Will fail if bucket is not empty.                                                  |
-| `policy-deletion`               | false            | -                    | no                      | Trigger policy deletion on the S3 backend upon CR deletion                                                                                     |
-| `path-deletion`                 | false            | -                    | no                      | Trigger path deletion on the S3 backend upon CR deletion. Limited to deleting the `.keep` files used by the operator.                          |
-| `s3User-deletion`               | false            | -                    | no                      | Trigger S3User deletion on the S3 backend upon CR deletion.                                                                                    |
-| `override-existing-secret`      | false            | -                    | no                      | Update secret linked to s3User if already exist, else noop                                                                                     |
-| `s3LabelSelector`               | ""               | -                    | no                      | Filter resource that this instance will manage. If Empty all resource in the cluster will be manage                                            |
+| Flag name                   | Default | Environment variable | Multiple values allowed | Description                                                                                                                                    |
+| --------------------------- | ------- | -------------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
+| `health-probe-bind-address` | `:8081` | -                    | no                      | The address the probe endpoint binds to. Comes from Operator SDK.                                                                              |
+| `leader-elect`              | `false` | -                    | no                      | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. Comes from Operator SDK. |
+| `metrics-bind-address`      | `:8080` | -                    | no                      | The address the metric endpoint binds to. Comes from Operator SDK.                                                                             |  |
+| `bucket-deletion`           | false   | -                    | no                      | Trigger bucket deletion on the S3 backend upon CR deletion. Will fail if bucket is not empty.                                                  |
+| `policy-deletion`           | false   | -                    | no                      | Trigger policy deletion on the S3 backend upon CR deletion                                                                                     |
+| `path-deletion`             | false   | -                    | no                      | Trigger path deletion on the S3 backend upon CR deletion. Limited to deleting the `.keep` files used by the operator.                          |
+| `s3User-deletion`           | false   | -                    | no                      | Trigger S3User deletion on the S3 backend upon CR deletion.                                                                                    |
+| `override-existing-secret`  | false   | -                    | no                      | Update secret linked to s3User if already exist, else noop                                                                                     |
 ## Minimal rights needed to work
 
 The Operator need at least this rights:
@@ -170,6 +161,7 @@ spec:
   secretName: minio-credentials                 # Name of the secret containing 2 Keys S3_ACCESS_KEY and S3_SECRET_KEY
   region: us-east-1                             # Region of the Provider
   useSSL: true                                  # useSSL to query the Provider
+  allowedNamespaces: []                         # namespaces allowed to have buckets, policies, ... Wildcard prefix/suffix allowed. If empty only the same namespace as s3instance is allowed
 ```
 
 ### Bucket example
@@ -307,6 +299,13 @@ spec:
 
 Each S3user is linked to a kubernetes secret which have the same name that the S3User. The secret contains 2 keys: `accessKey` and `secretKey`.
 
+### :info: How works s3InstanceRef
+
+S3InstanceRef can get the following values:
+- empty: In this case the s3instance use will be the default one configured at startup if the namespace is in the namespace allowed for this s3Instance
+- `s3InstanceName`: In this case the s3Instance use will be the s3Instance with the name `s3InstanceName` in the current namespace (if the current namespace is allowed)
+- `namespace/s3InstanceName`: In this case the s3Instance use will be the s3Instance with the name `s3InstanceName` in the namespace `namespace` (if the current namespace is allowed to use this s3Instance)
+
 ## Operator SDK generated guidelines
 
 <details>
 
@@ -37,8 +37,9 @@ type BucketSpec struct {
 	Paths []string `json:"paths,omitempty"`
 
 	// s3InstanceRef where create the bucket
-	// +kubebuilder:validation:Optional
-	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
+	// +kubebuilder:default=s3-operator/default
+	S3InstanceRef string `json:"s3InstanceRef"`
 
 	// Quota to apply to the bucket
 	// +kubebuilder:validation:Required
 
@@ -37,7 +37,8 @@ type PathSpec struct {
 	Paths []string `json:"paths,omitempty"`
 
 	// s3InstanceRef where create the Paths
-	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=s3-operator/default
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
 	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
 }
 
 
@@ -37,7 +37,8 @@ type PolicySpec struct {
 	PolicyContent string `json:"policyContent"`
 
 	// s3InstanceRef where create the Policy
-	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=s3-operator/default
+    // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
 	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
 }
 
 
@@ -28,27 +28,46 @@ type S3InstanceSpec struct {
 
 	// type of the S3Instance
 	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="S3Provider is immutable"
+	// +kubebuilder:default=minio
+	// +kubebuilder:validation:Enum=minio;mockedS3Provider
 	S3Provider string `json:"s3Provider"`
 
 	// url of the S3Instance
 	// +kubebuilder:validation:Required
-	UrlEndpoint string `json:"urlEndpoint"`
+	Url string `json:"url"`
 
-	// SecretName associated to the S3Instance containing accessKey and secretKey
+	// Ref to Secret associated to the S3Instance containing accessKey and secretKey
 	// +kubebuilder:validation:Required
-	SecretName string `json:"secretName"`
+	SecretRef string `json:"secretRef"`
 
 	// region associated to the S3Instance
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	Region string `json:"region"`
 
-	// useSSL when connecting to the S3Instance
+	// Secret containing key ca.crt with the certificate associated to the S3InstanceUrl
 	// +kubebuilder:validation:Optional
-	UseSSL bool `json:"useSSL,omitempty"`
+	CaCertSecretRef string `json:"caCertSecretRef,omitempty"`
 
-	// CaCertificatesBase64 associated to the S3InstanceUrl
+	// AllowedNamespaces to use this S3InstanceUrl if empty only the namespace of this instance url is allowed to use it
 	// +kubebuilder:validation:Optional
-	CaCertificatesBase64 []string `json:"caCertificateBase64,omitempty"`
+	AllowedNamespaces []string `json:"allowedNamespaces,omitempty"`
+
+	// BucketDeletionEnabled Trigger bucket deletion on the S3 backend upon CR deletion. Will fail if bucket is not empty.
+	// +kubebuilder:default=false
+	BucketDeletionEnabled bool `json:"bucketDeletionEnabled"`
+
+	// PolicyDeletionEnabled Trigger policy deletion on the S3 backend upon CR deletion.
+	// +kubebuilder:default=false
+	PolicyDeletionEnabled bool `json:"policyDeletionEnabled"`
+
+	// PathDeletionEnabled Trigger path deletion on the S3 backend upon CR deletion. Limited to deleting the `.keep` files used by the operator.
+	// +kubebuilder:default=false
+	PathDeletionEnabled bool `json:"pathDeletionEnabled"`
+
+	// S3UserDeletionEnabled Trigger S3 deletion on the S3 backend upon CR deletion.
+	// +kubebuilder:default=false
+	S3UserDeletionEnabled bool `json:"s3UserDeletionEnabled"`
 }
 
 // S3InstanceStatus defines the observed state of S3Instance
 
@@ -39,7 +39,8 @@ type S3UserSpec struct {
 	SecretName string `json:"secretName"`
 
 	// s3InstanceRef where create the user
-	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=s3-operator/default
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"
 	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
 }
 
 
@@ -0,0 +1,16 @@
+package v1alpha1
+
+// Definitions to manage status condition types
+const (
+	// ConditionReconciled represents the status of the resource reconciliation
+	ConditionReconciled = "Reconciled"
+)
+
+// Definitions to manage status condition reasons
+const (
+	Reconciling     = "Reconciling"
+	Unreachable     = "Unreachable"
+	CreationFailure = "CreationFailure"
+	Reconciled      = "Reconciled"
+	DeletionFailure = "DeletionFailure"
+)
@@ -58,11 +58,16 @@ spec:
                 - default
                 type: object
               s3InstanceRef:
+                default: s3-operator/default
                 description: s3InstanceRef where create the bucket
                 type: string
+                x-kubernetes-validations:
+                - message: s3InstanceRef is immutable
+                  rule: self == oldSelf
             required:
             - name
             - quota
+            - s3InstanceRef
             type: object
           status:
             description: BucketStatus defines the observed state of Bucket
 
@@ -44,8 +44,12 @@ spec:
                   type: string
                 type: array
               s3InstanceRef:
+                default: s3-operator/default
                 description: s3InstanceRef where create the Paths
                 type: string
+                x-kubernetes-validations:
+                - message: s3InstanceRef is immutable
+                  rule: self == oldSelf
             required:
             - bucketName
             type: object
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,8 @@ type PathSpec struct {`
`37`	`37`	Paths []string `json:"paths,omitempty"`
`38`	`38`
`39`	`39`	`// s3InstanceRef where create the Paths`
`40`		`- // +kubebuilder:validation:Optional`
	`40`	`+ // +kubebuilder:default=s3-operator/default`
	`41`	`+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"`
`41`	`42`	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
`42`	`43`	`}`
`43`	`44`
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,8 @@ type PolicySpec struct {`
`37`	`37`	PolicyContent string `json:"policyContent"`
`38`	`38`
`39`	`39`	`// s3InstanceRef where create the Policy`
`40`		`- // +kubebuilder:validation:Optional`
	`40`	`+ // +kubebuilder:default=s3-operator/default`
	`41`	`+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"`
`41`	`42`	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
`42`	`43`	`}`
`43`	`44`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,8 @@ type S3UserSpec struct {`
`39`	`39`	SecretName string `json:"secretName"`
`40`	`40`
`41`	`41`	`// s3InstanceRef where create the user`
`42`		`- // +kubebuilder:validation:Optional`
	`42`	`+ // +kubebuilder:default=s3-operator/default`
	`43`	`+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="s3InstanceRef is immutable"`
`43`	`44`	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
`44`	`45`	`}`
`45`	`46`