add bucketaccess(class) types, and tidy all CEL rules

Add Kubernetes API (client) types for BucketAccess and
BucketAccessClass. Since these are the last API types, also standardize
CEL rule invocations for existing types.

Signed-off-by: Blaine Gardner <[email protected]>

Author: BlaineEXE

client/apis/objectstorage/v1alpha2/bucket_types.go

@@ -37,6 +37,9 @@ const (
 )
 
 // BucketSpec defines the desired state of Bucket
+// +kubebuilder:validation:XValidation:message="parameters map is immutable",rule="has(oldSelf.parameters) == has(self.parameters)"
+// +kubebuilder:validation:XValidation:message="protocols list is immutable",rule="has(oldSelf.protocols) == has(self.protocols)"
+// +kubebuilder:validation:XValidation:message="existingBucketID is immutable",rule="has(oldSelf.existingBucketID) == has(self.existingBucketID)"
 type BucketSpec struct {
 	// driverName is the name of the driver that fulfills requests for this Bucket.
 	// +required
@@ -81,36 +84,41 @@ type BucketSpec struct {
 }
 
 // BucketClaimReference is a reference to a BucketClaim object.
+// +kubebuilder:validation:XValidation:message="namespace is immutable once set",rule="!has(oldSelf.namespace) || has(self.namespace)"
+// +kubebuilder:validation:XValidation:message="uid is immutable once set",rule="!has(oldSelf.uid) || has(self.uid)"
 type BucketClaimReference struct {
 	// name is the name of the BucketClaim being referenced.
 	// +required
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:XValidation:message="driverName is immutable",rule="self == oldSelf"
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="name is immutable",rule="self == oldSelf"
 	Name string `json:"name"`
 
 	// namespace is the namespace of the BucketClaim being referenced.
 	// If empty, the Kubernetes 'default' namespace is assumed.
 	// namespace is immutable except to update '' to 'default'.
 	// +optional
 	// +kubebuilder:validation:MinLength=0
-	// +kubebuilder:validation:XValidation:message="driverName is immutable",rule="(oldSelf == '' && self == 'default') || self == oldSelf"
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="namespace is immutable",rule="(oldSelf == '' && self == 'default') || self == oldSelf"
 	Namespace string `json:"namespace"`
 
 	// uid is the UID of the BucketClaim being referenced.
-	// Once set, the UID is immutable.
 	// +optional
-	// +kubebuilder:validation:XValidation:message="driverName is immutable",rule="oldSelf == '' || self == oldSelf"
+	// +kubebuilder:validation:XValidation:message="uid is immutable once set",rule="oldSelf == '' || self == oldSelf"
 	UID types.UID `json:"uid"`
 }
 
 // BucketStatus defines the observed state of Bucket.
+// +kubebuilder:validation:XValidation:message="bucketID is immutable once set",rule="!has(oldSelf.bucketID) || has(self.bucketID)"
+// +kubebuilder:validation:XValidation:message="protocols is immutable once set",rule="!has(oldSelf.protocols) || has(self.protocols)"
 type BucketStatus struct {
 	// readyToUse indicates that the bucket is ready for consumption by workloads.
 	ReadyToUse bool `json:"readyToUse"`
 
 	// bucketID is the unique identifier for the backend bucket known to the driver.
-	// Once set, this is immutable.
-	// +kubebuilder:validation:XValidation:message="boundBucketName is immutable",rule="oldSelf == '' || self == oldSelf"
+	// +optional
+	// +kubebuilder:validation:XValidation:message="boundBucketName is immutable once set",rule="oldSelf == '' || self == oldSelf"
 	BucketID string `json:"bucketID"`
 
 	// protocols is the set of protocols the Bucket reports to support. BucketAccesses can request

client/apis/objectstorage/v1alpha2/bucketaccess_types.go

@@ -22,10 +22,12 @@ import (
 
 // BucketAccessAuthenticationType specifies what authentication mechanism is used for provisioning
 // bucket access.
+// +enum
+// +kubebuilder:validation:Enum:="";Key;ServiceAccount
 type BucketAccessAuthenticationType string
 
 const (
-	// The driver will generate a protocol-appropriate access key that clients can use to
+	// The driver should generate a protocol-appropriate access key that clients can use to
 	// authenticate to the backend object store.
 	BucketAccessAuthenticationTypeKey = "Key"
 
@@ -34,39 +36,148 @@ const (
 	BucketAccessAuthenticationTypeServiceAccount = "ServiceAccount"
 )
 
+// BucketAccessMode describes the Read/Write mode an access should have for a bucket.
+// +enum
+// +kubebuilder:validation:Enum:=ReadWrite;ReadOnly;WriteOnly
+type BucketAccessMode string
+
+const (
+	// BucketAccessModeReadWrite represents read-write access mode.
+	BucketAccessModeReadWrite BucketAccessMode = "ReadWrite"
+
+	// BucketAccessModeReadOnly represents read-only access mode.
+	BucketAccessModeReadOnly BucketAccessMode = "ReadOnly"
+
+	// BucketAccessModeWriteOnly represents write-only access mode.
+	BucketAccessModeWriteOnly BucketAccessMode = "WriteOnly"
+)
+
 // BucketAccessSpec defines the desired state of BucketAccess
+// +kubebuilder:validation:XValidation:message="serviceAccountName is immutable",rule="has(oldSelf.serviceAccountName) == has(self.serviceAccountName)"
 type BucketAccessSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-	// The following markers will use OpenAPI v3 schema to validate the value
-	// More info: https://book.kubebuilder.io/reference/markers/crd-validation.html
+	// bucketClaims is a list of BucketClaims the provisioned access must have permissions for,
+	// along with per-BucketClaim access parameters and system output definitions.
+	// At least one BucketClaim must be referenced.
+	// Multiple references to the same BucketClaim are not permitted.
+	// +required
+	// +listType=map
+	// +listMapKey=bucketClaimName
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:XValidation:message="bucketClaims list is immutable",rule="self == oldSelf"
+	BucketClaims []BucketClaimAccess `json:"bucketClaims"`
 
-	// foo is an example field of BucketAccess. Edit bucketaccess_types.go to remove/update
+	// bucketAccessClassName selects the BucketAccessClass for provisioning the access.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="bucketAccessClassName is immutable",rule="self == oldSelf"
+	BucketAccessClassName string `json:"bucketAccessClassName"`
+
+	// protocol is the object storage protocol that the provisioned access must use.
+	// +required
+	// +kubebuilder:validation:XValidation:message="protocol is immutable",rule="self == oldSelf"
+	Protocol ObjectProtocol `json:"protocol"`
+
+	// serviceAccountName is the name of the Kubernetes ServiceAccount that user application Pods
+	// intend to use for access to referenced BucketClaims.
+	// This has different behavior based on the BucketAccessClass's defined AuthenticationType:
+	// - Key: This field is ignored.
+	// - ServiceAccount: This field is required. The driver should configure the system so that Pods
+	//   using the ServiceAccount authenticate to the object storage backend automatically.
 	// +optional
-	Foo *string `json:"foo,omitempty"`
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="serviceAccountName is immutable",rule="self == oldSelf"
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 // BucketAccessStatus defines the observed state of BucketAccess.
+// +kubebuilder:validation:XValidation:message="accountID is immutable once set",rule="!has(oldSelf.accountID) || has(self.accountID)"
+// +kubebuilder:validation:XValidation:message="accessedBuckets is immutable once set",rule="!has(oldSelf.accessedBuckets) || has(self.accessedBuckets)"
+// +kubebuilder:validation:XValidation:message="driverName is immutable once set",rule="!has(oldSelf.driverName) || has(self.driverName)"
+// +kubebuilder:validation:XValidation:message="authenticationType is immutable once set",rule="!has(oldSelf.authenticationType) || has(self.authenticationType)"
+// +kubebuilder:validation:XValidation:message="parameters is immutable once set",rule="!has(oldSelf.parameters) || has(self.parameters)"
 type BucketAccessStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
-	// For Kubernetes API conventions, see:
-	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
-
-	// conditions represent the current state of the BucketAccess resource.
-	// Each condition has a unique type and reflects the status of a specific aspect of the resource.
-	//
-	// Standard condition types include:
-	// - "Available": the resource is fully functional
-	// - "Progressing": the resource is being created or updated
-	// - "Degraded": the resource failed to reach or maintain its desired state
-	//
-	// The status of each condition is one of True, False, or Unknown.
+	// readyToUse indicates that the BucketAccess is ready for consumption by workloads.
+	ReadyToUse bool `json:"readyToUse"`
+
+	// accountID is the unique identifier for the backend access known to the driver.
+	// This field is populated by the COSI Sidecar once access has been successfully granted.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="accountId is immutable once set",rule="oldSelf == '' || self == oldSelf"
+	AccountID string `json:"accountID"`
+
+	// accessedBuckets is a list of Buckets the provisioned access must have permissions for, along
+	// with per-Bucket access options. This field is populated by the COSI Controller based on the
+	// referenced BucketClaims in the spec.
+	// +optional
 	// +listType=map
-	// +listMapKey=type
+	// +listMapKey=bucketName
+	// +kubebuilder:validation:XValidation:message="accessedBuckets is immutable once set",rule="oldSelf.size() == 0 || self == oldSelf"
+	AccessedBuckets []AccessedBucket `json:"accessedBuckets"`
+
+	// driverName holds a copy of the BucketAccessClass driver name from the time of BucketAccess
+	// provisioning. This field is populated by the COSI Controller.
 	// +optional
-	Conditions []metav1.Condition `json:"conditions,omitempty"`
+	// +kubebuilder:validation:XValidation:message="driverName is immutable once set",rule="oldSelf == '' || self == oldSelf"
+	DriverName string `json:"driverName"`
+
+	// authenticationType holds a copy of the BucketAccessClass authentication type from the time of
+	// BucketAccess provisioning. This field is populated by the COSI Controller.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="authenticationType is immutable once set",rule="oldSelf == '' || self == oldSelf"
+	AuthenticationType BucketAccessAuthenticationType `json:"authenticationType"`
+
+	// parameters holds a copy of the BucketAccessClass parameters from the time of BucketAccess
+	// provisioning. This field is populated by the COSI Controller.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="accessedBuckets is immutable once set",rule="oldSelf.size() == 0 || self == oldSelf"
+	Parameters map[string]string `json:"parameters,omitempty"`
+
+	// error holds the most recent error message, with a timestamp.
+	// This is cleared when provisioning is successful.
+	// +optional
+	Error *TimestampedError `json:"error,omitempty"`
+}
+
+// BucketClaimAccess selects a BucketClaim for access, defines access parameters for the
+// corresponding bucket, and specifies where user-consumable bucket information and access
+// credentials for the accessed bucket will be stored.
+type BucketClaimAccess struct {
+	// bucketClaimName is the name of a BucketClaim the access should have permissions for.
+	// The BucketClaim must be in the same Namespace as the BucketAccess.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	BucketClaimName string `json:"bucketClaimName"`
+
+	// accessMode is the Read/Write access mode that the access should have for the bucket.
+	// Possible values: ReadWrite, ReadOnly, WriteOnly.
+	// +required
+	AccessMode BucketAccessMode `json:"accessMode"`
+
+	// accessSecretName is the name of a Kubernetes Secret that COSI should create and populate with
+	// bucket info and access credentials for the bucket.
+	// The Secret is created in the same Namespace as the BucketAccess and is deleted when the
+	// BucketAccess is deleted and deprovisioned.
+	// The Secret name must be unique across all bucketClaimRefs for all BucketAccesses in the same
+	// Namespace.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	AccessSecretName string `json:"accessSecretName"`
+}
+
+// AccessedBucket identifies a Bucket and corresponding access parameters.
+type AccessedBucket struct {
+	// bucketName is the name of a Bucket the access should have permissions for.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	BucketName string `json:"bucketName"`
+
+	// accessMode is the Read/Write access mode that the access should have for the bucket.
+	// +required
+	AccessMode BucketAccessMode `json:"accessMode"`
 }
 
 // +kubebuilder:object:root=true

client/apis/objectstorage/v1alpha2/bucketaccessclass_types.go

@@ -20,42 +20,46 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
-
 // BucketAccessClassSpec defines the desired state of BucketAccessClass
 type BucketAccessClassSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-	// The following markers will use OpenAPI v3 schema to validate the value
-	// More info: https://book.kubebuilder.io/reference/markers/crd-validation.html
+	// driverName is the name of the driver that fulfills requests for this BucketAccessClass.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	DriverName string `json:"driverName"`
+
+	// authenticationType specifies which authentication mechanism is used bucket access.
+	// Possible values:
+	//  - Key: The driver should generate a protocol-appropriate access key that clients can use to
+	//    authenticate to the backend object store.
+	//  - ServiceAccount: The driver should configure the system such that Pods using the given
+	//    ServiceAccount authenticate to the backend object store automatically.
+	// +required
+	// +kubebuilder:validation:Enum:=Key;ServiceAccount
+	AuthenticationType BucketAccessAuthenticationType `json:"authenticationType"`
+
+	// parameters is an opaque map of driver-specific configuration items passed to the driver that
+	// fulfills requests for this BucketAccessClass.
+	// +optional
+	Parameters map[string]string `json:"parameters,omitempty"`
 
-	// foo is an example field of BucketAccessClass. Edit bucketaccessclass_types.go to remove/update
+	// featureOptions can be used to adjust various COSI access provisioning behaviors.
 	// +optional
-	Foo *string `json:"foo,omitempty"`
+	FeatureOptions BucketAccessFeatureOptions `json:"featureOptions,omitempty"`
 }
 
-// BucketAccessClassStatus defines the observed state of BucketAccessClass.
-type BucketAccessClassStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
-	// For Kubernetes API conventions, see:
-	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
-
-	// conditions represent the current state of the BucketAccessClass resource.
-	// Each condition has a unique type and reflects the status of a specific aspect of the resource.
-	//
-	// Standard condition types include:
-	// - "Available": the resource is fully functional
-	// - "Progressing": the resource is being created or updated
-	// - "Degraded": the resource failed to reach or maintain its desired state
-	//
-	// The status of each condition is one of True, False, or Unknown.
-	// +listType=map
-	// +listMapKey=type
+// BucketAccessFeatureOptions defines various COSI access provisioning behaviors.
+type BucketAccessFeatureOptions struct {
+	// disallowedBucketAccessModes is a list of disallowed Read/Write access modes. A BucketAccess
+	// using this class will not be allowed to request access to a BucketClaim with any access mode
+	// listed here.
 	// +optional
-	Conditions []metav1.Condition `json:"conditions,omitempty"`
+	// +listType=set
+	DisallowedBucketAccessModes []BucketAccessMode `json:"disallowedBucketAccessModes,omitempty"`
+
+	// disallowMultiBucketAccess disables the ability for a BucketAccess to reference multiple
+	// BucketClaims when set.
+	// +optional
+	DisallowMultiBucketAccess bool `json:"disallowMultiBucketAccess,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -73,11 +77,8 @@ type BucketAccessClass struct {
 
 	// spec defines the desired state of BucketAccessClass
 	// +required
+	// +kubebuilder:validation:XValidation:message="BucketAccessClass spec is immutable",rule="self == oldSelf"
 	Spec BucketAccessClassSpec `json:"spec"`
-
-	// status defines the observed state of BucketAccessClass
-	// +optional
-	Status BucketAccessClassStatus `json:"status,omitempty,omitzero"`
 }
 
 // +kubebuilder:object:root=true

client/apis/objectstorage/v1alpha2/bucketclaim_types.go

@@ -22,11 +22,15 @@ import (
 
 // BucketClaimSpec defines the desired state of BucketClaim
 // +kubebuilder:validation:ExactlyOneOf=bucketClassName;existingBucketName
+// +kubebuilder:validation:XValidation:message="bucketClassName is immutable",rule="has(oldSelf.bucketClassName) == has(self.bucketClassName)"
+// +kubebuilder:validation:XValidation:message="existingBucketName is immutable",rule="has(oldSelf.existingBucketName) == has(self.existingBucketName)"
+// +kubebuilder:validation:XValidation:message="protocols list is immutable",rule="has(oldSelf.protocols) == has(self.protocols)"
 type BucketClaimSpec struct {
 	// bucketClassName selects the BucketClass for provisioning the BucketClaim.
 	// This field is used only for BucketClaim dynamic provisioning.
 	// If unspecified, existingBucketName must be specified for binding to an existing Bucket.
 	// +optional
+	// +kubebuilder:validation:MaxLength=253
 	// +kubebuilder:validation:XValidation:message="bucketClassName is immutable",rule="self == oldSelf"
 	BucketClassName string `json:"bucketClassName,omitempty"`
 
@@ -41,15 +45,19 @@ type BucketClaimSpec struct {
 	// This field is used only for BucketClaim static provisioning.
 	// If unspecified, bucketClassName must be specified for dynamically provisioning a new bucket.
 	// +optional
+	// +kubebuilder:validation:MaxLength=253
 	// +kubebuilder:validation:XValidation:message="existingBucketName is immutable",rule="self == oldSelf"
 	ExistingBucketName string `json:"existingBucketName,omitempty"`
 }
 
 // BucketClaimStatus defines the observed state of BucketClaim.
+// +kubebuilder:validation:XValidation:message="boundBucketName is immutable once set",rule="!has(oldSelf.boundBucketName) || has(self.boundBucketName)"
+// +kubebuilder:validation:XValidation:message="protocols is immutable once set",rule="!has(oldSelf.protocols) || has(self.protocols)"
 type BucketClaimStatus struct {
 	// boundBucketName is the name of the Bucket this BucketClaim is bound to.
-	// Once set, this is immutable.
-	// +kubebuilder:validation:XValidation:message="boundBucketName is immutable",rule="oldSelf == '' || self == oldSelf"
+	// +optional
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="boundBucketName is immutable once set",rule="oldSelf == '' || self == oldSelf"
 	BoundBucketName string `json:"boundBucketName"`
 
 	// readyToUse indicates that the bucket is ready for consumption by workloads.

client/apis/objectstorage/v1alpha2/protocols.go

@@ -23,6 +23,7 @@ This file describes the end-user representation of the various object store prot
 // TODO: can we write doc generation and linting for the definitions in this file?
 
 // ObjectProtocol represents an object protocol type.
+// +kubebuilder:validation:Enum:=S3;Azure;GCS
 type ObjectProtocol string
 
 const (