Merge pull request #169 from BlaineEXE/bucketaccess-types

add bucketaccess(class) types, and tidy all CEL rules

Author: k8s-ci-robot

client/apis/objectstorage/v1alpha2/bucket_types.go

@@ -37,6 +37,9 @@ const (
 )
 
 // BucketSpec defines the desired state of Bucket
+// +kubebuilder:validation:XValidation:message="parameters map is immutable",rule="has(oldSelf.parameters) == has(self.parameters)"
+// +kubebuilder:validation:XValidation:message="protocols list is immutable",rule="has(oldSelf.protocols) == has(self.protocols)"
+// +kubebuilder:validation:XValidation:message="existingBucketID is immutable",rule="has(oldSelf.existingBucketID) == has(self.existingBucketID)"
 type BucketSpec struct {
 	// driverName is the name of the driver that fulfills requests for this Bucket.
 	// +required
@@ -81,36 +84,41 @@ type BucketSpec struct {
 }
 
 // BucketClaimReference is a reference to a BucketClaim object.
+// +kubebuilder:validation:XValidation:message="namespace is immutable once set",rule="!has(oldSelf.namespace) || has(self.namespace)"
+// +kubebuilder:validation:XValidation:message="uid is immutable once set",rule="!has(oldSelf.uid) || has(self.uid)"
 type BucketClaimReference struct {
 	// name is the name of the BucketClaim being referenced.
 	// +required
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:XValidation:message="driverName is immutable",rule="self == oldSelf"
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="name is immutable",rule="self == oldSelf"
 	Name string `json:"name"`
 
 	// namespace is the namespace of the BucketClaim being referenced.
 	// If empty, the Kubernetes 'default' namespace is assumed.
 	// namespace is immutable except to update '' to 'default'.
 	// +optional
 	// +kubebuilder:validation:MinLength=0
-	// +kubebuilder:validation:XValidation:message="driverName is immutable",rule="(oldSelf == '' && self == 'default') || self == oldSelf"
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="namespace is immutable",rule="(oldSelf == '' && self == 'default') || self == oldSelf"
 	Namespace string `json:"namespace"`
 
 	// uid is the UID of the BucketClaim being referenced.
-	// Once set, the UID is immutable.
 	// +optional
-	// +kubebuilder:validation:XValidation:message="driverName is immutable",rule="oldSelf == '' || self == oldSelf"
+	// +kubebuilder:validation:XValidation:message="uid is immutable once set",rule="oldSelf == '' || self == oldSelf"
 	UID types.UID `json:"uid"`
 }
 
 // BucketStatus defines the observed state of Bucket.
+// +kubebuilder:validation:XValidation:message="bucketID is immutable once set",rule="!has(oldSelf.bucketID) || has(self.bucketID)"
+// +kubebuilder:validation:XValidation:message="protocols is immutable once set",rule="!has(oldSelf.protocols) || has(self.protocols)"
 type BucketStatus struct {
 	// readyToUse indicates that the bucket is ready for consumption by workloads.
 	ReadyToUse bool `json:"readyToUse"`
 
 	// bucketID is the unique identifier for the backend bucket known to the driver.
-	// Once set, this is immutable.
-	// +kubebuilder:validation:XValidation:message="boundBucketName is immutable",rule="oldSelf == '' || self == oldSelf"
+	// +optional
+	// +kubebuilder:validation:XValidation:message="boundBucketName is immutable once set",rule="oldSelf == '' || self == oldSelf"
 	BucketID string `json:"bucketID"`
 
 	// protocols is the set of protocols the Bucket reports to support. BucketAccesses can request

client/apis/objectstorage/v1alpha2/bucketaccess_types.go

@@ -22,10 +22,12 @@ import (
 
 // BucketAccessAuthenticationType specifies what authentication mechanism is used for provisioning
 // bucket access.
+// +enum
+// +kubebuilder:validation:Enum:="";Key;ServiceAccount
 type BucketAccessAuthenticationType string
 
 const (
-	// The driver will generate a protocol-appropriate access key that clients can use to
+	// The driver should generate a protocol-appropriate access key that clients can use to
 	// authenticate to the backend object store.
 	BucketAccessAuthenticationTypeKey = "Key"
 
@@ -34,39 +36,148 @@ const (
 	BucketAccessAuthenticationTypeServiceAccount = "ServiceAccount"
 )
 
+// BucketAccessMode describes the Read/Write mode an access should have for a bucket.
+// +enum
+// +kubebuilder:validation:Enum:=ReadWrite;ReadOnly;WriteOnly
+type BucketAccessMode string
+
+const (
+	// BucketAccessModeReadWrite represents read-write access mode.
+	BucketAccessModeReadWrite BucketAccessMode = "ReadWrite"
+
+	// BucketAccessModeReadOnly represents read-only access mode.
+	BucketAccessModeReadOnly BucketAccessMode = "ReadOnly"
+
+	// BucketAccessModeWriteOnly represents write-only access mode.
+	BucketAccessModeWriteOnly BucketAccessMode = "WriteOnly"
+)
+
 // BucketAccessSpec defines the desired state of BucketAccess
+// +kubebuilder:validation:XValidation:message="serviceAccountName is immutable",rule="has(oldSelf.serviceAccountName) == has(self.serviceAccountName)"
 type BucketAccessSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-	// The following markers will use OpenAPI v3 schema to validate the value
-	// More info: https://book.kubebuilder.io/reference/markers/crd-validation.html
+	// bucketClaims is a list of BucketClaims the provisioned access must have permissions for,
+	// along with per-BucketClaim access parameters and system output definitions.
+	// At least one BucketClaim must be referenced.
+	// Multiple references to the same BucketClaim are not permitted.
+	// +required
+	// +listType=map
+	// +listMapKey=bucketClaimName
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:XValidation:message="bucketClaims list is immutable",rule="self == oldSelf"
+	BucketClaims []BucketClaimAccess `json:"bucketClaims"`
 
-	// foo is an example field of BucketAccess. Edit bucketaccess_types.go to remove/update
+	// bucketAccessClassName selects the BucketAccessClass for provisioning the access.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="bucketAccessClassName is immutable",rule="self == oldSelf"
+	BucketAccessClassName string `json:"bucketAccessClassName"`
+
+	// protocol is the object storage protocol that the provisioned access must use.
+	// +required
+	// +kubebuilder:validation:XValidation:message="protocol is immutable",rule="self == oldSelf"
+	Protocol ObjectProtocol `json:"protocol"`
+
+	// serviceAccountName is the name of the Kubernetes ServiceAccount that user application Pods
+	// intend to use for access to referenced BucketClaims.
+	// This has different behavior based on the BucketAccessClass's defined AuthenticationType:
+	// - Key: This field is ignored.
+	// - ServiceAccount: This field is required. The driver should configure the system so that Pods
+	//   using the ServiceAccount authenticate to the object storage backend automatically.
 	// +optional
-	Foo *string `json:"foo,omitempty"`
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="serviceAccountName is immutable",rule="self == oldSelf"
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 // BucketAccessStatus defines the observed state of BucketAccess.
+// +kubebuilder:validation:XValidation:message="accountID is immutable once set",rule="!has(oldSelf.accountID) || has(self.accountID)"
+// +kubebuilder:validation:XValidation:message="accessedBuckets is immutable once set",rule="!has(oldSelf.accessedBuckets) || has(self.accessedBuckets)"
+// +kubebuilder:validation:XValidation:message="driverName is immutable once set",rule="!has(oldSelf.driverName) || has(self.driverName)"
+// +kubebuilder:validation:XValidation:message="authenticationType is immutable once set",rule="!has(oldSelf.authenticationType) || has(self.authenticationType)"
+// +kubebuilder:validation:XValidation:message="parameters is immutable once set",rule="!has(oldSelf.parameters) || has(self.parameters)"
 type BucketAccessStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
-	// For Kubernetes API conventions, see:
-	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
-
-	// conditions represent the current state of the BucketAccess resource.
-	// Each condition has a unique type and reflects the status of a specific aspect of the resource.
-	//
-	// Standard condition types include:
-	// - "Available": the resource is fully functional
-	// - "Progressing": the resource is being created or updated
-	// - "Degraded": the resource failed to reach or maintain its desired state
-	//
-	// The status of each condition is one of True, False, or Unknown.
+	// readyToUse indicates that the BucketAccess is ready for consumption by workloads.
+	ReadyToUse bool `json:"readyToUse"`
+
+	// accountID is the unique identifier for the backend access known to the driver.
+	// This field is populated by the COSI Sidecar once access has been successfully granted.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="accountId is immutable once set",rule="oldSelf == '' || self == oldSelf"
+	AccountID string `json:"accountID"`
+
+	// accessedBuckets is a list of Buckets the provisioned access must have permissions for, along
+	// with per-Bucket access options. This field is populated by the COSI Controller based on the
+	// referenced BucketClaims in the spec.
+	// +optional
 	// +listType=map
-	// +listMapKey=type
+	// +listMapKey=bucketName
+	// +kubebuilder:validation:XValidation:message="accessedBuckets is immutable once set",rule="oldSelf.size() == 0 || self == oldSelf"
+	AccessedBuckets []AccessedBucket `json:"accessedBuckets"`
+
+	// driverName holds a copy of the BucketAccessClass driver name from the time of BucketAccess
+	// provisioning. This field is populated by the COSI Controller.
 	// +optional
-	Conditions []metav1.Condition `json:"conditions,omitempty"`
+	// +kubebuilder:validation:XValidation:message="driverName is immutable once set",rule="oldSelf == '' || self == oldSelf"
+	DriverName string `json:"driverName"`
+
+	// authenticationType holds a copy of the BucketAccessClass authentication type from the time of
+	// BucketAccess provisioning. This field is populated by the COSI Controller.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="authenticationType is immutable once set",rule="oldSelf == '' || self == oldSelf"
+	AuthenticationType BucketAccessAuthenticationType `json:"authenticationType"`
+
+	// parameters holds a copy of the BucketAccessClass parameters from the time of BucketAccess
+	// provisioning. This field is populated by the COSI Controller.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="accessedBuckets is immutable once set",rule="oldSelf.size() == 0 || self == oldSelf"
+	Parameters map[string]string `json:"parameters,omitempty"`
+
+	// error holds the most recent error message, with a timestamp.
+	// This is cleared when provisioning is successful.
+	// +optional
+	Error *TimestampedError `json:"error,omitempty"`
+}
+
+// BucketClaimAccess selects a BucketClaim for access, defines access parameters for the
+// corresponding bucket, and specifies where user-consumable bucket information and access
+// credentials for the accessed bucket will be stored.
+type BucketClaimAccess struct {
+	// bucketClaimName is the name of a BucketClaim the access should have permissions for.
+	// The BucketClaim must be in the same Namespace as the BucketAccess.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	BucketClaimName string `json:"bucketClaimName"`
+
+	// accessMode is the Read/Write access mode that the access should have for the bucket.
+	// Possible values: ReadWrite, ReadOnly, WriteOnly.
+	// +required
+	AccessMode BucketAccessMode `json:"accessMode"`
+
+	// accessSecretName is the name of a Kubernetes Secret that COSI should create and populate with
+	// bucket info and access credentials for the bucket.
+	// The Secret is created in the same Namespace as the BucketAccess and is deleted when the
+	// BucketAccess is deleted and deprovisioned.
+	// The Secret name must be unique across all bucketClaimRefs for all BucketAccesses in the same
+	// Namespace.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	AccessSecretName string `json:"accessSecretName"`
+}
+
+// AccessedBucket identifies a Bucket and corresponding access parameters.
+type AccessedBucket struct {
+	// bucketName is the name of a Bucket the access should have permissions for.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	BucketName string `json:"bucketName"`
+
+	// accessMode is the Read/Write access mode that the access should have for the bucket.
+	// +required
+	AccessMode BucketAccessMode `json:"accessMode"`
 }
 
 // +kubebuilder:object:root=true

client/apis/objectstorage/v1alpha2/bucketaccessclass_types.go

@@ -20,42 +20,46 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
-
 // BucketAccessClassSpec defines the desired state of BucketAccessClass
 type BucketAccessClassSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-	// The following markers will use OpenAPI v3 schema to validate the value
-	// More info: https://book.kubebuilder.io/reference/markers/crd-validation.html
+	// driverName is the name of the driver that fulfills requests for this BucketAccessClass.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	DriverName string `json:"driverName"`
+
+	// authenticationType specifies which authentication mechanism is used bucket access.
+	// Possible values:
+	//  - Key: The driver should generate a protocol-appropriate access key that clients can use to
+	//    authenticate to the backend object store.
+	//  - ServiceAccount: The driver should configure the system such that Pods using the given
+	//    ServiceAccount authenticate to the backend object store automatically.
+	// +required
+	// +kubebuilder:validation:Enum:=Key;ServiceAccount
+	AuthenticationType BucketAccessAuthenticationType `json:"authenticationType"`
+
+	// parameters is an opaque map of driver-specific configuration items passed to the driver that
+	// fulfills requests for this BucketAccessClass.
+	// +optional
+	Parameters map[string]string `json:"parameters,omitempty"`
 
-	// foo is an example field of BucketAccessClass. Edit bucketaccessclass_types.go to remove/update
+	// featureOptions can be used to adjust various COSI access provisioning behaviors.
 	// +optional
-	Foo *string `json:"foo,omitempty"`
+	FeatureOptions BucketAccessFeatureOptions `json:"featureOptions,omitempty"`
 }
 
-// BucketAccessClassStatus defines the observed state of BucketAccessClass.
-type BucketAccessClassStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
-	// For Kubernetes API conventions, see:
-	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
-
-	// conditions represent the current state of the BucketAccessClass resource.
-	// Each condition has a unique type and reflects the status of a specific aspect of the resource.
-	//
-	// Standard condition types include:
-	// - "Available": the resource is fully functional
-	// - "Progressing": the resource is being created or updated
-	// - "Degraded": the resource failed to reach or maintain its desired state
-	//
-	// The status of each condition is one of True, False, or Unknown.
-	// +listType=map
-	// +listMapKey=type
+// BucketAccessFeatureOptions defines various COSI access provisioning behaviors.
+type BucketAccessFeatureOptions struct {
+	// disallowedBucketAccessModes is a list of disallowed Read/Write access modes. A BucketAccess
+	// using this class will not be allowed to request access to a BucketClaim with any access mode
+	// listed here.
 	// +optional
-	Conditions []metav1.Condition `json:"conditions,omitempty"`
+	// +listType=set
+	DisallowedBucketAccessModes []BucketAccessMode `json:"disallowedBucketAccessModes,omitempty"`
+
+	// disallowMultiBucketAccess disables the ability for a BucketAccess to reference multiple
+	// BucketClaims when set.
+	// +optional
+	DisallowMultiBucketAccess bool `json:"disallowMultiBucketAccess,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -73,11 +77,8 @@ type BucketAccessClass struct {
 
 	// spec defines the desired state of BucketAccessClass
 	// +required
+	// +kubebuilder:validation:XValidation:message="BucketAccessClass spec is immutable",rule="self == oldSelf"
 	Spec BucketAccessClassSpec `json:"spec"`
-
-	// status defines the observed state of BucketAccessClass
-	// +optional
-	Status BucketAccessClassStatus `json:"status,omitempty,omitzero"`
 }
 
 // +kubebuilder:object:root=true

client/apis/objectstorage/v1alpha2/bucketclaim_types.go

@@ -22,11 +22,15 @@ import (
 
 // BucketClaimSpec defines the desired state of BucketClaim
 // +kubebuilder:validation:ExactlyOneOf=bucketClassName;existingBucketName
+// +kubebuilder:validation:XValidation:message="bucketClassName is immutable",rule="has(oldSelf.bucketClassName) == has(self.bucketClassName)"
+// +kubebuilder:validation:XValidation:message="existingBucketName is immutable",rule="has(oldSelf.existingBucketName) == has(self.existingBucketName)"
+// +kubebuilder:validation:XValidation:message="protocols list is immutable",rule="has(oldSelf.protocols) == has(self.protocols)"
 type BucketClaimSpec struct {
 	// bucketClassName selects the BucketClass for provisioning the BucketClaim.
 	// This field is used only for BucketClaim dynamic provisioning.
 	// If unspecified, existingBucketName must be specified for binding to an existing Bucket.
 	// +optional
+	// +kubebuilder:validation:MaxLength=253
 	// +kubebuilder:validation:XValidation:message="bucketClassName is immutable",rule="self == oldSelf"
 	BucketClassName string `json:"bucketClassName,omitempty"`
 
@@ -41,15 +45,19 @@ type BucketClaimSpec struct {
 	// This field is used only for BucketClaim static provisioning.
 	// If unspecified, bucketClassName must be specified for dynamically provisioning a new bucket.
 	// +optional
+	// +kubebuilder:validation:MaxLength=253
 	// +kubebuilder:validation:XValidation:message="existingBucketName is immutable",rule="self == oldSelf"
 	ExistingBucketName string `json:"existingBucketName,omitempty"`
 }
 
 // BucketClaimStatus defines the observed state of BucketClaim.
+// +kubebuilder:validation:XValidation:message="boundBucketName is immutable once set",rule="!has(oldSelf.boundBucketName) || has(self.boundBucketName)"
+// +kubebuilder:validation:XValidation:message="protocols is immutable once set",rule="!has(oldSelf.protocols) || has(self.protocols)"
 type BucketClaimStatus struct {
 	// boundBucketName is the name of the Bucket this BucketClaim is bound to.
-	// Once set, this is immutable.
-	// +kubebuilder:validation:XValidation:message="boundBucketName is immutable",rule="oldSelf == '' || self == oldSelf"
+	// +optional
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="boundBucketName is immutable once set",rule="oldSelf == '' || self == oldSelf"
 	BoundBucketName string `json:"boundBucketName"`
 
 	// readyToUse indicates that the bucket is ready for consumption by workloads.

client/apis/objectstorage/v1alpha2/protocols.go

@@ -23,6 +23,7 @@ This file describes the end-user representation of the various object store prot
 // TODO: can we write doc generation and linting for the definitions in this file?
 
 // ObjectProtocol represents an object protocol type.
+// +kubebuilder:validation:Enum:=S3;Azure;GCS
 type ObjectProtocol string
 
 const (