implement granular managementPolicies

Signed-off-by: lsviben <[email protected]>

Author: lsviben

apis/common/v1/policies.go

@@ -16,23 +16,39 @@ limitations under the License.
 
 package v1
 
-// A ManagementPolicy determines how should Crossplane controllers manage an
-// external resource.
-// +kubebuilder:validation:Enum=FullControl;ObserveOnly;OrphanOnDelete
-type ManagementPolicy string
+// ManagementPolicies determine how should Crossplane controllers manage an
+// external resource through an array of ManagementActions.
+type ManagementPolicies []ManagementAction
+
+// A ManagementAction represents an action that the Crossplane controllers
+// can take on an external resource.
+// +kubebuilder:validation:Enum=Observe;Create;Update;Delete;LateInitialize;*
+type ManagementAction string
 
 const (
-	// ManagementFullControl means the external resource is fully controlled
-	// by Crossplane controllers, including its deletion.
-	ManagementFullControl ManagementPolicy = "FullControl"
+	// ManagementActionObserve means that the managed resource status.atProvider
+	// will be updated with the external resource state.
+	ManagementActionObserve ManagementAction = "Observe"
+
+	// ManagementActionCreate means that the external resource will be created
+	// using the managed resource spec.initProvider and spec.forProvider.
+	ManagementActionCreate ManagementAction = "Create"
+
+	// ManagementActionUpdate means that the external resource will be updated
+	// using the managed resource spec.forProvider.
+	ManagementActionUpdate ManagementAction = "Update"
+
+	// ManagementActionDelete means that the external resource will be deleted
+	// when the managed resource is deleted.
+	ManagementActionDelete ManagementAction = "Delete"
 
-	// ManagementObserveOnly means the external resource will only be observed
-	// by Crossplane controllers, but not modified or deleted.
-	ManagementObserveOnly ManagementPolicy = "ObserveOnly"
+	// ManagementActionLateInitialize means that unspecified fields of the managed
+	// resource spec.forProvider will be updated with the external resource state.
+	ManagementActionLateInitialize ManagementAction = "LateInitialize"
 
-	// ManagementOrphanOnDelete means the external resource will be orphaned
-	// when its managed resource is deleted.
-	ManagementOrphanOnDelete ManagementPolicy = "OrphanOnDelete"
+	// ManagementActionAll means that all of the above actions will be taken
+	// by the Crossplane controllers.
+	ManagementActionAll ManagementAction = "*"
 )
 
 // A DeletionPolicy determines what should happen to the underlying external

apis/common/v1/resource.go

@@ -205,20 +205,22 @@ type ResourceSpec struct {
 	// THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
 	// unless the relevant Crossplane feature flag is enabled, and may be
 	// changed or removed without notice.
-	// ManagementPolicy specifies the level of control Crossplane has over the
-	// managed external resource.
+	// ManagementPolicies specify the array of actions Crossplane is allowed to
+	// take on the managed and external resources.
 	// This field is planned to replace the DeletionPolicy field in a future
 	// release. Currently, both could be set independently and non-default
-	// values would be honored if the feature flag is enabled.
+	// values would be honored if the feature flag is enabled. If both are
+	// custom, the DeletionPolicy field will be ignored.
 	// See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223
+	// and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md
 	// +optional
-	// +kubebuilder:default=FullControl
-	ManagementPolicy ManagementPolicy `json:"managementPolicy,omitempty"`
+	// +kubebuilder:default={"*"}
+	ManagementPolicies ManagementPolicies `json:"managementPolicies,omitempty"`
 
 	// DeletionPolicy specifies what will happen to the underlying external
 	// when this managed resource is deleted - either "Delete" or "Orphan" the
 	// external resource.
-	// This field is planned to be deprecated in favor of the ManagementPolicy
+	// This field is planned to be deprecated in favor of the ManagementPolicies
 	// field in a future release. Currently, both could be set independently and
 	// non-default values would be honored if the feature flag is enabled.
 	// See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223

apis/common/v1/zz_generated.deepcopy.go

@@ -0,0 +1,22 @@
+/*
+Copyright 2023 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package feature
+
+// EnableAlphaManagementPolicies enables alpha support for
+// Management Policies. See the below design for more details.
+// https://github.com/crossplane/crossplane/pull/3531
+const EnableAlphaManagementPolicies Flag = "EnableAlphaManagementPolicies"

pkg/feature/features.go

@@ -0,0 +1,208 @@
+/*
+Copyright 2023 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package managed
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+
+	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
+)
+
+// ManagementPoliciesResolver is used to perform management policy checks
+// based on the management policy and if the management policy feature is enabled.
+type ManagementPoliciesResolver struct {
+	enabled            bool
+	supportedPolicies  []sets.Set[xpv1.ManagementAction]
+	managementPolicies sets.Set[xpv1.ManagementAction]
+	deletionPolicy     xpv1.DeletionPolicy
+}
+
+// A ManagementPoliciesResolverOption configures a ManagementPoliciesResolver.
+type ManagementPoliciesResolverOption func(*ManagementPoliciesResolver)
+
+// WithSupportedManagementPolicies sets the supported management policies.
+func WithSupportedManagementPolicies(supportedManagementPolicies []sets.Set[xpv1.ManagementAction]) ManagementPoliciesResolverOption {
+	return func(r *ManagementPoliciesResolver) {
+		r.supportedPolicies = supportedManagementPolicies
+	}
+}
+
+func defaultSupportedManagementPolicies() []sets.Set[xpv1.ManagementAction] {
+	return []sets.Set[xpv1.ManagementAction]{
+		// Default (all), the standard behaviour of crossplane in which all
+		// reconciler actions are done.
+		sets.New[xpv1.ManagementAction](xpv1.ManagementActionAll),
+		// All actions explicitly set, the same as default.
+		sets.New[xpv1.ManagementAction](xpv1.ManagementActionObserve, xpv1.ManagementActionCreate, xpv1.ManagementActionUpdate, xpv1.ManagementActionLateInitialize, xpv1.ManagementActionDelete),
+		// ObserveOnly, just observe action is done, the external resource is
+		// considered as read-only.
+		sets.New[xpv1.ManagementAction](xpv1.ManagementActionObserve),
+		// Pause, no action is being done. Alternative to setting the pause
+		// annotation.
+		sets.New[xpv1.ManagementAction](),
+		// No LateInitialize filling in the spec.forProvider, allowing some
+		// external resource fields to be managed externally.
+		sets.New[xpv1.ManagementAction](xpv1.ManagementActionObserve, xpv1.ManagementActionCreate, xpv1.ManagementActionUpdate, xpv1.ManagementActionDelete),
+		// No Delete, the external resource is not deleted when the managed
+		// resource is deleted.
+		sets.New[xpv1.ManagementAction](xpv1.ManagementActionObserve, xpv1.ManagementActionCreate, xpv1.ManagementActionUpdate, xpv1.ManagementActionLateInitialize),
+		// No Delete and no LateInitialize, the external resource is not deleted
+		// when the managed resource is deleted and the spec.forProvider is not
+		// late initialized.
+		sets.New[xpv1.ManagementAction](xpv1.ManagementActionObserve, xpv1.ManagementActionCreate, xpv1.ManagementActionUpdate),
+		// No Update, the external resource is not updated when the managed
+		// resource is updated. Useful for immutable external resources.
+		sets.New[xpv1.ManagementAction](xpv1.ManagementActionObserve, xpv1.ManagementActionCreate, xpv1.ManagementActionDelete, xpv1.ManagementActionLateInitialize),
+		// No Update and no Delete, the external resource is not updated
+		// when the managed resource is updated and the external resource
+		// is not deleted when the managed resource is deleted.
+		sets.New[xpv1.ManagementAction](xpv1.ManagementActionObserve, xpv1.ManagementActionCreate, xpv1.ManagementActionLateInitialize),
+		// No Update and no LateInitialize, the external resource is not updated
+		// when the managed resource is updated and the spec.forProvider is not
+		// late initialized.
+		sets.New[xpv1.ManagementAction](xpv1.ManagementActionObserve, xpv1.ManagementActionCreate, xpv1.ManagementActionDelete),
+		// No Update, no Delete and no LateInitialize, the external resource is
+		// not updated when the managed resource is updated, the external resource
+		// is not deleted when the managed resource is deleted and the
+		// spec.forProvider is not late initialized.
+		sets.New[xpv1.ManagementAction](xpv1.ManagementActionObserve, xpv1.ManagementActionCreate),
+	}
+}
+
+// NewManagementPoliciesResolver returns an ManagementPolicyChecker based
+// on the management policies and if the management policies feature
+// is enabled.
+func NewManagementPoliciesResolver(managementPolicyEnabled bool, managementPolicy xpv1.ManagementPolicies, deletionPolicy xpv1.DeletionPolicy, o ...ManagementPoliciesResolverOption) ManagementPoliciesChecker {
+	r := &ManagementPoliciesResolver{
+		enabled:            managementPolicyEnabled,
+		supportedPolicies:  defaultSupportedManagementPolicies(),
+		managementPolicies: sets.New[xpv1.ManagementAction](managementPolicy...),
+		deletionPolicy:     deletionPolicy,
+	}
+
+	for _, ro := range o {
+		ro(r)
+	}
+
+	return r
+}
+
+// Validate checks if the management policy is valid.
+// If the management policy feature is disabled, but uses a non-default value,
+// it returns an error.
+// If the management policy feature is enabled, but uses a non-supported value,
+// it returns an error.
+func (m *ManagementPoliciesResolver) Validate() error {
+	// check if its disabled, but uses a non-default value.
+	if !m.enabled {
+		if !m.managementPolicies.Equal(sets.New[xpv1.ManagementAction](xpv1.ManagementActionAll)) && m.managementPolicies.Len() != 0 {
+			return fmt.Errorf(errFmtManagementPolicyNonDefault, m.managementPolicies.UnsortedList())
+		}
+		// if its just disabled we don't care about supported policies
+		return nil
+	}
+
+	// check if the policy is a non-supported combination
+	for _, p := range m.supportedPolicies {
+		if p.Equal(m.managementPolicies) {
+			return nil
+		}
+	}
+	return fmt.Errorf(errFmtManagementPolicyNotSupported, m.managementPolicies.UnsortedList())
+}
+
+// IsPaused returns true if the management policy is empty and the
+// management policies feature is enabled
+func (m *ManagementPoliciesResolver) IsPaused() bool {
+	if !m.enabled {
+		return false
+	}
+	return m.managementPolicies.Len() == 0
+}
+
+// ShouldCreate returns true if the Create action is allowed.
+// If the management policy feature is disabled, it returns true.
+func (m *ManagementPoliciesResolver) ShouldCreate() bool {
+	if !m.enabled {
+		return true
+	}
+	return m.managementPolicies.HasAny(xpv1.ManagementActionCreate, xpv1.ManagementActionAll)
+}
+
+// ShouldUpdate returns true if the Update action is allowed.
+// If the management policy feature is disabled, it returns true.
+func (m *ManagementPoliciesResolver) ShouldUpdate() bool {
+	if !m.enabled {
+		return true
+	}
+	return m.managementPolicies.HasAny(xpv1.ManagementActionUpdate, xpv1.ManagementActionAll)
+}
+
+// ShouldLateInitialize returns true if the LateInitialize action is allowed.
+// If the management policy feature is disabled, it returns true.
+func (m *ManagementPoliciesResolver) ShouldLateInitialize() bool {
+	if !m.enabled {
+		return true
+	}
+	return m.managementPolicies.HasAny(xpv1.ManagementActionLateInitialize, xpv1.ManagementActionAll)
+}
+
+// ShouldOnlyObserve returns true if the Observe action is allowed and all
+// other actions are not allowed. If the management policy feature is disabled,
+// it returns false.
+func (m *ManagementPoliciesResolver) ShouldOnlyObserve() bool {
+	if !m.enabled {
+		return false
+	}
+	return m.managementPolicies.Equal(sets.New[xpv1.ManagementAction](xpv1.ManagementActionObserve))
+}
+
+// ShouldDelete returns true based on the combination of the deletionPolicy and
+// the managementPolicies. If the management policy feature is disabled, it
+// returns true if the deletionPolicy is set to "Delete". Otherwise, it checks
+// which field is set to a non-default value and makes a decision based on that.
+// We need to be careful until we completely remove the deletionPolicy in favor
+// of managementPolicies which conflict with the deletionPolicy regarding
+// deleting of the external resource. This function implements the proposal in
+// the Ignore Changes design doc under the "Deprecation of `deletionPolicy`".
+func (m *ManagementPoliciesResolver) ShouldDelete() bool {
+	if !m.enabled {
+		return m.deletionPolicy != xpv1.DeletionOrphan
+	}
+
+	// delete external resource if both the deletionPolicy and the
+	// managementPolicies are set to delete
+	if m.deletionPolicy == xpv1.DeletionDelete && m.managementPolicies.HasAny(xpv1.ManagementActionDelete, xpv1.ManagementActionAll) {
+		return true
+	}
+	// if the managementPolicies is not default, and it contains the deletion
+	// action, we should delete the external resource
+	if !m.managementPolicies.Equal(sets.New[xpv1.ManagementAction](xpv1.ManagementActionAll)) && m.managementPolicies.Has(xpv1.ManagementActionDelete) {
+		return true
+	}
+
+	// For all other cases, we should orphan the external resource.
+	// Obvious cases:
+	// DeletionOrphan && ManagementPolicies without Delete Action
+	// Conflicting cases:
+	// DeletionOrphan && Management Policy ["*"] (obeys non-default configuration)
+	// DeletionDelete && ManagementPolicies that does not include the Delete
+	// Action (obeys non-default configuration)
+	return false
+}