Merge pull request #163 from BlaineEXE/sidecar-bucket-reconcile

Add initial sidecar implementation for dynamic Bucket provisioning

Author: k8s-ci-robot

client/apis/objectstorage/v1alpha2/bucket_types.go

@@ -70,6 +70,14 @@ type BucketSpec struct {
 	// allowed to bind to this Bucket.
 	// +required
 	BucketClaimRef BucketClaimReference `json:"bucketClaim"`
+
+	// existingBucketID is the unique identifier for an existing backend bucket known to the driver.
+	// Use driver documentation to determine how to set this value.
+	// This field is used only for Bucket static provisioning.
+	// This field will be empty when the Bucket is dynamically provisioned from a BucketClaim.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="existingBucketID is immutable",rule="self == oldSelf"
+	ExistingBucketID string `json:"existingBucketID,omitempty"`
 }
 
 // BucketClaimReference is a reference to a BucketClaim object.
@@ -97,11 +105,30 @@ type BucketClaimReference struct {
 
 // BucketStatus defines the observed state of Bucket.
 type BucketStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
+	// readyToUse indicates that the bucket is ready for consumption by workloads.
+	ReadyToUse bool `json:"readyToUse"`
+
+	// bucketID is the unique identifier for the backend bucket known to the driver.
+	// Once set, this is immutable.
+	// +kubebuilder:validation:XValidation:message="boundBucketName is immutable",rule="oldSelf == '' || self == oldSelf"
+	BucketID string `json:"bucketID"`
 
-	// For Kubernetes API conventions, see:
-	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
+	// protocols is the set of protocols the Bucket reports to support. BucketAccesses can request
+	// access to this BucketClaim using any of the protocols reported here.
+	// +optional
+	// +listType=set
+	Protocols []ObjectProtocol `json:"protocols"`
+
+	// BucketInfo reported by the driver, rendered in the COSI_<PROTOCOL>_<KEY> format used for the
+	// BucketAccess Secret. e.g., COSI_S3_ENDPOINT, COSI_AZURE_STORAGE_ACCOUNT.
+	// This should not contain any sensitive information.
+	// +optional
+	BucketInfo map[string]string `json:"bucketInfo,omitempty"`
+
+	// Error holds the most recent error message, with a timestamp.
+	// This is cleared when provisioning is successful.
+	// +optional
+	Error *TimestampedError `json:"error,omitempty"`
 }
 
 // +kubebuilder:object:root=true

client/apis/objectstorage/v1alpha2/bucketaccess_types.go

@@ -20,6 +20,20 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// BucketAccessAuthenticationType specifies what authentication mechanism is used for provisioning
+// bucket access.
+type BucketAccessAuthenticationType string
+
+const (
+	// The driver will generate a protocol-appropriate access key that clients can use to
+	// authenticate to the backend object store.
+	BucketAccessAuthenticationTypeKey = "Key"
+
+	// The driver should configure the system such that Pods using the given ServiceAccount
+	// authenticate to the backend object store automatically.
+	BucketAccessAuthenticationTypeServiceAccount = "ServiceAccount"
+)
+
 // BucketAccessSpec defines the desired state of BucketAccess
 type BucketAccessSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster

client/apis/objectstorage/v1alpha2/protocols.go

@@ -17,19 +17,129 @@ limitations under the License.
 package v1alpha2
 
 /*
-This file contains all definitions for the various object store protocols.
+This file describes the end-user representation of the various object store protocols.
 */
 
+// TODO: can we write doc generation and linting for the definitions in this file?
+
 // ObjectProtocol represents an object protocol type.
 type ObjectProtocol string
 
 const (
 	// ObjectProtocolS3 represents the S3 object protocol type.
-	ObjectProtocolS3 = "S3"
+	ObjectProtocolS3 ObjectProtocol = "S3"
 
 	// ObjectProtocolS3 represents the Azure Blob object protocol type.
-	ObjectProtocolAzure = "Azure"
+	ObjectProtocolAzure ObjectProtocol = "Azure"
 
 	// ObjectProtocolS3 represents the Google Cloud Storage object protocol type.
-	ObjectProtocolGcs = "GCS"
+	ObjectProtocolGcs ObjectProtocol = "GCS"
+)
+
+// A CosiEnvVar defines a COSI environment variable that contains backend bucket or access info.
+// Vars marked "Required" will be present with non-empty values in BucketAccess Secrets.
+// Some required vars may only be required in certain contexts, like when a specific
+// AuthenticationType is used.
+// Some vars are only relevant for specific protocols.
+// Non-relevant vars will not be present, even when marked "Required".
+// Vars are used as data keys in BucketAccess Secrets.
+// Vars must be all-caps and must begin with `COSI_`.
+type CosiEnvVar string
+
+// A BucketInfoVar defines a protocol-specific COSI environment variable that contains backend
+// bucket info.
+// All protocol-specific vars include the all-caps protocol name after `COSI_`. E.g., `COSI_AZURE_`.
+type BucketInfoVar CosiEnvVar
+
+// A CredentialVar defines a protocol-specific COSI environment variable that contains backend
+// bucket access credential info.
+// All protocol-specific vars include the all-caps protocol name after `COSI_`. E.g., `COSI_AZURE_`.
+type CredentialVar CosiEnvVar
+
+const (
+	// Required. The protocol associated with a BucketAccess.
+	// Will be a string representing an ObjectProtocol type.
+	BucketInfoVar_Protocol BucketInfoVar = "COSI_PROTOCOL"
+
+	// Optional. The certificate authority that clients can use to authenticate a BucketAccess.
+	CredentialVar_CertificateAuthority CredentialVar = "COSI_CERTIFICATE_AUTHORITY"
+)
+
+/*
+ * S3 protocol variables
+ */
+
+// bucket info vars
+const (
+	// Required. The S3 bucket ID as used by clients.
+	BucketInfoVar_S3_BucketId BucketInfoVar = "COSI_S3_BUCKET_ID"
+
+	// Required. The S3 endpoint for the bucket.
+	BucketInfoVar_S3_Endpoint BucketInfoVar = "COSI_S3_ENDPOINT"
+
+	// Required. The S3 region for the bucket.
+	BucketInfoVar_S3_Region BucketInfoVar = "COSI_S3_REGION"
+
+	// Required. The S3 addressing style. One of `path` or `virtual`.
+	// See: https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html.
+	BucketInfoVar_S3_AddressingStyle BucketInfoVar = "COSI_S3_ADDRESSING_STYLE"
+)
+
+// nolint:gosec // credential vars, not hardcoded credentials
+const (
+	// Required for `AuthenticationType=Key`. The S3 access key ID.
+	CredentialVar_S3_AccessKeyId CredentialVar = "COSI_S3_ACCESS_KEY_ID" // nolint:gosec // no a cred
+
+	// Required for `AuthenticationType=Key`. The S3 access secret key.
+	CredentialVar_S3_AccessSecretKey CredentialVar = "COSI_S3_ACCESS_SECRET_KEY" // nolint:gosec // no a cred
+)
+
+/*
+ * Azure protocol variables
+ */
+
+// bucket info vars
+const (
+	// Required. The ID of the Azure storage account.
+	BucketInfoVar_Azure_StorageAccount BucketInfoVar = "COSI_AZURE_STORAGE_ACCOUNT"
+)
+
+// nolint:gosec // credential vars, not hardcoded credentials
+const (
+	// Required for `AuthenticationType=Key`. Azure SAS access token.
+	// Note that this includes the resource URI as well as token in its definition.
+	// See: https://learn.microsoft.com/en-us/azure/storage/common/media/storage-sas-overview/sas-storage-uri.svg
+	CredentialVar_Azure_AccessToken CredentialVar = "COSI_AZURE_ACCESS_TOKEN"
+
+	// Optional. The timestamp when access will expire.
+	// Empty if unset. Otherwise, date+time in ISO 8601 format.
+	CredentialVar_Azure_ExpiryTimestamp CredentialVar = "COSI_AZURE_EXPIRY_TIMESTAMP"
+)
+
+/*
+ * Google Cloud Storage (GCS) protocol variables
+ */
+
+// bucket info vars
+const (
+	// Required. The GCS project ID.
+	BucketInfoVar_GCS_ProjectId BucketInfoVar = "COSI_GCS_PROJECT_ID"
+
+	// Required. GCS bucket name as used by clients.
+	BucketInfoVar_GCS_BucketName BucketInfoVar = "COSI_GCS_BUCKET_NAME"
+)
+
+// nolint:gosec // credential vars, not hardcoded credentials
+const (
+	// Required for `AuthenticationType=Key`. HMAC access ID.
+	CredentialVar_GCS_AccessId CredentialVar = "COSI_GCS_ACCESS_ID"
+
+	// Required for `AuthenticationType=Key`. HMAC secret.
+	CredentialVar_GCS_AccessSecret CredentialVar = "COSI_GCS_ACCESS_SECRET"
+
+	// GCS private key name.
+	CredentialVar_GCS_PrivateKeyName CredentialVar = "COSI_GCS_PRIVATE_KEY_NAME"
+
+	// GCS service account name.
+	CredentialVar_GCS_ServiceAccount CredentialVar = "COSI_GCS_SERVICE_ACCOUNT"
 )

client/apis/objectstorage/v1alpha2/zz_generated.deepcopy.go

@@ -93,6 +93,16 @@ spec:
                 x-kubernetes-validations:
                 - message: driverName is immutable
                   rule: self == oldSelf
+              existingBucketID:
+                description: |-
+                  existingBucketID is the unique identifier for an existing backend bucket known to the driver.
+                  Use driver documentation to determine how to set this value.
+                  This field is used only for Bucket static provisioning.
+                  This field will be empty when the Bucket is dynamically provisioned from a BucketClaim.
+                type: string
+                x-kubernetes-validations:
+                - message: existingBucketID is immutable
+                  rule: self == oldSelf
               parameters:
                 additionalProperties:
                   type: string
@@ -122,6 +132,54 @@ spec:
             type: object
           status:
             description: status defines the observed state of Bucket
+            properties:
+              bucketID:
+                description: |-
+                  bucketID is the unique identifier for the backend bucket known to the driver.
+                  Once set, this is immutable.
+                type: string
+                x-kubernetes-validations:
+                - message: boundBucketName is immutable
+                  rule: oldSelf == '' || self == oldSelf
+              bucketInfo:
+                additionalProperties:
+                  type: string
+                description: |-
+                  BucketInfo reported by the driver, rendered in the COSI_<PROTOCOL>_<KEY> format used for the
+                  BucketAccess Secret. e.g., COSI_S3_ENDPOINT, COSI_AZURE_STORAGE_ACCOUNT.
+                  This should not contain any sensitive information.
+                type: object
+              error:
+                description: |-
+                  Error holds the most recent error message, with a timestamp.
+                  This is cleared when provisioning is successful.
+                properties:
+                  message:
+                    description: |-
+                      message is a string detailing the encountered error.
+                      NOTE: message will be logged, and it should not contain sensitive information.
+                    type: string
+                  time:
+                    description: time is the timestamp when the error was encountered.
+                    format: date-time
+                    type: string
+                type: object
+              protocols:
+                description: |-
+                  protocols is the set of protocols the Bucket reports to support. BucketAccesses can request
+                  access to this BucketClaim using any of the protocols reported here.
+                items:
+                  description: ObjectProtocol represents an object protocol type.
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
+              readyToUse:
+                description: readyToUse indicates that the bucket is ready for consumption
+                  by workloads.
+                type: boolean
+            required:
+            - bucketID
+            - readyToUse
             type: object
         required:
         - spec

client/config/crd/objectstorage.k8s.io_buckets.yaml

@@ -66,6 +66,8 @@ _Appears in:_
 | `status` _[BucketAccessStatus](#bucketaccessstatus)_ | status defines the observed state of BucketAccess |  |  |
 
 
+
+
 #### BucketAccessClass
 
 
@@ -370,6 +372,8 @@ _Appears in:_
 | `Delete` | BucketDeletionPolicyDelete configures COSI to delete the Bucket object as well as the backend<br />bucket when a Bucket resource is deleted.<br /> |
 
 
+
+
 #### BucketList
 
 
@@ -408,6 +412,7 @@ _Appears in:_
 | `parameters` _object (keys:string, values:string)_ | parameters is an opaque map of driver-specific configuration items passed to the driver that<br />fulfills requests for this Bucket. |  |  |
 | `protocols` _[ObjectProtocol](#objectprotocol) array_ | protocols lists object store protocols that the provisioned Bucket must support.<br />If specified, COSI will verify that each item is advertised as supported by the driver. |  |  |
 | `bucketClaim` _[BucketClaimReference](#bucketclaimreference)_ | bucketClaim references the BucketClaim that resulted in the creation of this Bucket.<br />For statically-provisioned buckets, set the namespace and name of the BucketClaim that is<br />allowed to bind to this Bucket. |  |  |
+| `existingBucketID` _string_ | existingBucketID is the unique identifier for an existing backend bucket known to the driver.<br />Use driver documentation to determine how to set this value.<br />This field is used only for Bucket static provisioning.<br />This field will be empty when the Bucket is dynamically provisioned from a BucketClaim. |  |  |
 
 
 #### BucketStatus
@@ -421,6 +426,36 @@ BucketStatus defines the observed state of Bucket.
 _Appears in:_
 - [Bucket](#bucket)
 
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `readyToUse` _boolean_ | readyToUse indicates that the bucket is ready for consumption by workloads. |  |  |
+| `bucketID` _string_ | bucketID is the unique identifier for the backend bucket known to the driver.<br />Once set, this is immutable. |  |  |
+| `protocols` _[ObjectProtocol](#objectprotocol) array_ | protocols is the set of protocols the Bucket reports to support. BucketAccesses can request<br />access to this BucketClaim using any of the protocols reported here. |  |  |
+| `bucketInfo` _object (keys:string, values:string)_ | BucketInfo reported by the driver, rendered in the COSI_<PROTOCOL>_<KEY> format used for the<br />BucketAccess Secret. e.g., COSI_S3_ENDPOINT, COSI_AZURE_STORAGE_ACCOUNT.<br />This should not contain any sensitive information. |  |  |
+| `error` _[TimestampedError](#timestampederror)_ | Error holds the most recent error message, with a timestamp.<br />This is cleared when provisioning is successful. |  |  |
+
+
+#### CosiEnvVar
+
+_Underlying type:_ _string_
+
+A CosiEnvVar defines a COSI environment variable that contains backend bucket or access info.
+Vars marked "Required" will be present with non-empty values in BucketAccess Secrets.
+Some required vars may only be required in certain contexts, like when a specific
+AuthenticationType is used.
+Some vars are only relevant for specific protocols.
+Non-relevant vars will not be present, even when marked "Required".
+Vars are used as data keys in BucketAccess Secrets.
+Vars must be all-caps and must begin with `COSI_`.
+
+
+
+_Appears in:_
+- [BucketInfoVar](#bucketinfovar)
+- [CredentialVar](#credentialvar)
+
+
+
 
 
 #### ObjectProtocol
@@ -435,7 +470,13 @@ _Appears in:_
 - [BucketClaimSpec](#bucketclaimspec)
 - [BucketClaimStatus](#bucketclaimstatus)
 - [BucketSpec](#bucketspec)
+- [BucketStatus](#bucketstatus)
 
+| Field | Description |
+| --- | --- |
+| `S3` | ObjectProtocolS3 represents the S3 object protocol type.<br /> |
+| `Azure` | ObjectProtocolS3 represents the Azure Blob object protocol type.<br /> |
+| `GCS` | ObjectProtocolS3 represents the Google Cloud Storage object protocol type.<br /> |
 
 
 #### TimestampedError
@@ -448,6 +489,7 @@ TimestampedError contains an error message with timestamp.
 
 _Appears in:_
 - [BucketClaimStatus](#bucketclaimstatus)
+- [BucketStatus](#bucketstatus)
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |