kubernetes-sigs
diff --git a/‎client/apis/objectstorage/v1alpha2/bucket_types.go‎
Lines changed: 43 additions & 8 deletions b/‎client/apis/objectstorage/v1alpha2/bucket_types.go‎
Lines changed: 43 additions & 8 deletions
diff --git a/‎client/apis/objectstorage/v1alpha2/bucketaccess_types.go‎
Lines changed: 148 additions & 23 deletions b/‎client/apis/objectstorage/v1alpha2/bucketaccess_types.go‎
Lines changed: 148 additions & 23 deletions
diff --git a/‎client/apis/objectstorage/v1alpha2/bucketaccessclass_types.go‎
Lines changed: 34 additions & 33 deletions b/‎client/apis/objectstorage/v1alpha2/bucketaccessclass_types.go‎
Lines changed: 34 additions & 33 deletions
@@ -37,6 +37,9 @@ const (
 )
 
 // BucketSpec defines the desired state of Bucket
+// +kubebuilder:validation:XValidation:message="parameters map is immutable",rule="has(oldSelf.parameters) == has(self.parameters)"
+// +kubebuilder:validation:XValidation:message="protocols list is immutable",rule="has(oldSelf.protocols) == has(self.protocols)"
+// +kubebuilder:validation:XValidation:message="existingBucketID is immutable",rule="has(oldSelf.existingBucketID) == has(self.existingBucketID)"
 type BucketSpec struct {
 	// driverName is the name of the driver that fulfills requests for this Bucket.
 	// +required
@@ -70,38 +73,70 @@ type BucketSpec struct {
 	// allowed to bind to this Bucket.
 	// +required
 	BucketClaimRef BucketClaimReference `json:"bucketClaim"`
+
+	// existingBucketID is the unique identifier for an existing backend bucket known to the driver.
+	// Use driver documentation to determine how to set this value.
+	// This field is used only for Bucket static provisioning.
+	// This field will be empty when the Bucket is dynamically provisioned from a BucketClaim.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="existingBucketID is immutable",rule="self == oldSelf"
+	ExistingBucketID string `json:"existingBucketID,omitempty"`
 }
 
 // BucketClaimReference is a reference to a BucketClaim object.
+// +kubebuilder:validation:XValidation:message="namespace is immutable once set",rule="!has(oldSelf.namespace) || has(self.namespace)"
+// +kubebuilder:validation:XValidation:message="uid is immutable once set",rule="!has(oldSelf.uid) || has(self.uid)"
 type BucketClaimReference struct {
 	// name is the name of the BucketClaim being referenced.
 	// +required
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:XValidation:message="driverName is immutable",rule="self == oldSelf"
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="name is immutable",rule="self == oldSelf"
 	Name string `json:"name"`
 
 	// namespace is the namespace of the BucketClaim being referenced.
 	// If empty, the Kubernetes 'default' namespace is assumed.
 	// namespace is immutable except to update '' to 'default'.
 	// +optional
 	// +kubebuilder:validation:MinLength=0
-	// +kubebuilder:validation:XValidation:message="driverName is immutable",rule="(oldSelf == '' && self == 'default') || self == oldSelf"
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="namespace is immutable",rule="(oldSelf == '' && self == 'default') || self == oldSelf"
 	Namespace string `json:"namespace"`
 
 	// uid is the UID of the BucketClaim being referenced.
-	// Once set, the UID is immutable.
 	// +optional
-	// +kubebuilder:validation:XValidation:message="driverName is immutable",rule="oldSelf == '' || self == oldSelf"
+	// +kubebuilder:validation:XValidation:message="uid is immutable once set",rule="oldSelf == '' || self == oldSelf"
 	UID types.UID `json:"uid"`
 }
 
 // BucketStatus defines the observed state of Bucket.
+// +kubebuilder:validation:XValidation:message="bucketID is immutable once set",rule="!has(oldSelf.bucketID) || has(self.bucketID)"
+// +kubebuilder:validation:XValidation:message="protocols is immutable once set",rule="!has(oldSelf.protocols) || has(self.protocols)"
 type BucketStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
+	// readyToUse indicates that the bucket is ready for consumption by workloads.
+	ReadyToUse bool `json:"readyToUse"`
 
-	// For Kubernetes API conventions, see:
-	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
+	// bucketID is the unique identifier for the backend bucket known to the driver.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="boundBucketName is immutable once set",rule="oldSelf == '' || self == oldSelf"
+	BucketID string `json:"bucketID"`
+
+	// protocols is the set of protocols the Bucket reports to support. BucketAccesses can request
+	// access to this BucketClaim using any of the protocols reported here.
+	// +optional
+	// +listType=set
+	Protocols []ObjectProtocol `json:"protocols"`
+
+	// BucketInfo reported by the driver, rendered in the COSI_<PROTOCOL>_<KEY> format used for the
+	// BucketAccess Secret. e.g., COSI_S3_ENDPOINT, COSI_AZURE_STORAGE_ACCOUNT.
+	// This should not contain any sensitive information.
+	// +optional
+	BucketInfo map[string]string `json:"bucketInfo,omitempty"`
+
+	// Error holds the most recent error message, with a timestamp.
+	// This is cleared when provisioning is successful.
+	// +optional
+	Error *TimestampedError `json:"error,omitempty"`
 }
 
 // +kubebuilder:object:root=true
 
@@ -20,39 +20,164 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// BucketAccessAuthenticationType specifies what authentication mechanism is used for provisioning
+// bucket access.
+// +enum
+// +kubebuilder:validation:Enum:="";Key;ServiceAccount
+type BucketAccessAuthenticationType string
+
+const (
+	// The driver should generate a protocol-appropriate access key that clients can use to
+	// authenticate to the backend object store.
+	BucketAccessAuthenticationTypeKey = "Key"
+
+	// The driver should configure the system such that Pods using the given ServiceAccount
+	// authenticate to the backend object store automatically.
+	BucketAccessAuthenticationTypeServiceAccount = "ServiceAccount"
+)
+
+// BucketAccessMode describes the Read/Write mode an access should have for a bucket.
+// +enum
+// +kubebuilder:validation:Enum:=ReadWrite;ReadOnly;WriteOnly
+type BucketAccessMode string
+
+const (
+	// BucketAccessModeReadWrite represents read-write access mode.
+	BucketAccessModeReadWrite BucketAccessMode = "ReadWrite"
+
+	// BucketAccessModeReadOnly represents read-only access mode.
+	BucketAccessModeReadOnly BucketAccessMode = "ReadOnly"
+
+	// BucketAccessModeWriteOnly represents write-only access mode.
+	BucketAccessModeWriteOnly BucketAccessMode = "WriteOnly"
+)
+
 // BucketAccessSpec defines the desired state of BucketAccess
+// +kubebuilder:validation:XValidation:message="serviceAccountName is immutable",rule="has(oldSelf.serviceAccountName) == has(self.serviceAccountName)"
 type BucketAccessSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-	// The following markers will use OpenAPI v3 schema to validate the value
-	// More info: https://book.kubebuilder.io/reference/markers/crd-validation.html
+	// bucketClaims is a list of BucketClaims the provisioned access must have permissions for,
+	// along with per-BucketClaim access parameters and system output definitions.
+	// At least one BucketClaim must be referenced.
+	// Multiple references to the same BucketClaim are not permitted.
+	// +required
+	// +listType=map
+	// +listMapKey=bucketClaimName
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:XValidation:message="bucketClaims list is immutable",rule="self == oldSelf"
+	BucketClaims []BucketClaimAccess `json:"bucketClaims"`
 
-	// foo is an example field of BucketAccess. Edit bucketaccess_types.go to remove/update
+	// bucketAccessClassName selects the BucketAccessClass for provisioning the access.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="bucketAccessClassName is immutable",rule="self == oldSelf"
+	BucketAccessClassName string `json:"bucketAccessClassName"`
+
+	// protocol is the object storage protocol that the provisioned access must use.
+	// +required
+	// +kubebuilder:validation:XValidation:message="protocol is immutable",rule="self == oldSelf"
+	Protocol ObjectProtocol `json:"protocol"`
+
+	// serviceAccountName is the name of the Kubernetes ServiceAccount that user application Pods
+	// intend to use for access to referenced BucketClaims.
+	// This has different behavior based on the BucketAccessClass's defined AuthenticationType:
+	// - Key: This field is ignored.
+	// - ServiceAccount: This field is required. The driver should configure the system so that Pods
+	//   using the ServiceAccount authenticate to the object storage backend automatically.
 	// +optional
-	Foo *string `json:"foo,omitempty"`
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:message="serviceAccountName is immutable",rule="self == oldSelf"
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 // BucketAccessStatus defines the observed state of BucketAccess.
+// +kubebuilder:validation:XValidation:message="accountID is immutable once set",rule="!has(oldSelf.accountID) || has(self.accountID)"
+// +kubebuilder:validation:XValidation:message="accessedBuckets is immutable once set",rule="!has(oldSelf.accessedBuckets) || has(self.accessedBuckets)"
+// +kubebuilder:validation:XValidation:message="driverName is immutable once set",rule="!has(oldSelf.driverName) || has(self.driverName)"
+// +kubebuilder:validation:XValidation:message="authenticationType is immutable once set",rule="!has(oldSelf.authenticationType) || has(self.authenticationType)"
+// +kubebuilder:validation:XValidation:message="parameters is immutable once set",rule="!has(oldSelf.parameters) || has(self.parameters)"
 type BucketAccessStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
-	// For Kubernetes API conventions, see:
-	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
-
-	// conditions represent the current state of the BucketAccess resource.
-	// Each condition has a unique type and reflects the status of a specific aspect of the resource.
-	//
-	// Standard condition types include:
-	// - "Available": the resource is fully functional
-	// - "Progressing": the resource is being created or updated
-	// - "Degraded": the resource failed to reach or maintain its desired state
-	//
-	// The status of each condition is one of True, False, or Unknown.
+	// readyToUse indicates that the BucketAccess is ready for consumption by workloads.
+	ReadyToUse bool `json:"readyToUse"`
+
+	// accountID is the unique identifier for the backend access known to the driver.
+	// This field is populated by the COSI Sidecar once access has been successfully granted.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="accountId is immutable once set",rule="oldSelf == '' || self == oldSelf"
+	AccountID string `json:"accountID"`
+
+	// accessedBuckets is a list of Buckets the provisioned access must have permissions for, along
+	// with per-Bucket access options. This field is populated by the COSI Controller based on the
+	// referenced BucketClaims in the spec.
+	// +optional
 	// +listType=map
-	// +listMapKey=type
+	// +listMapKey=bucketName
+	// +kubebuilder:validation:XValidation:message="accessedBuckets is immutable once set",rule="oldSelf.size() == 0 || self == oldSelf"
+	AccessedBuckets []AccessedBucket `json:"accessedBuckets"`
+
+	// driverName holds a copy of the BucketAccessClass driver name from the time of BucketAccess
+	// provisioning. This field is populated by the COSI Controller.
 	// +optional
-	Conditions []metav1.Condition `json:"conditions,omitempty"`
+	// +kubebuilder:validation:XValidation:message="driverName is immutable once set",rule="oldSelf == '' || self == oldSelf"
+	DriverName string `json:"driverName"`
+
+	// authenticationType holds a copy of the BucketAccessClass authentication type from the time of
+	// BucketAccess provisioning. This field is populated by the COSI Controller.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="authenticationType is immutable once set",rule="oldSelf == '' || self == oldSelf"
+	AuthenticationType BucketAccessAuthenticationType `json:"authenticationType"`
+
+	// parameters holds a copy of the BucketAccessClass parameters from the time of BucketAccess
+	// provisioning. This field is populated by the COSI Controller.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="accessedBuckets is immutable once set",rule="oldSelf.size() == 0 || self == oldSelf"
+	Parameters map[string]string `json:"parameters,omitempty"`
+
+	// error holds the most recent error message, with a timestamp.
+	// This is cleared when provisioning is successful.
+	// +optional
+	Error *TimestampedError `json:"error,omitempty"`
+}
+
+// BucketClaimAccess selects a BucketClaim for access, defines access parameters for the
+// corresponding bucket, and specifies where user-consumable bucket information and access
+// credentials for the accessed bucket will be stored.
+type BucketClaimAccess struct {
+	// bucketClaimName is the name of a BucketClaim the access should have permissions for.
+	// The BucketClaim must be in the same Namespace as the BucketAccess.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	BucketClaimName string `json:"bucketClaimName"`
+
+	// accessMode is the Read/Write access mode that the access should have for the bucket.
+	// Possible values: ReadWrite, ReadOnly, WriteOnly.
+	// +required
+	AccessMode BucketAccessMode `json:"accessMode"`
+
+	// accessSecretName is the name of a Kubernetes Secret that COSI should create and populate with
+	// bucket info and access credentials for the bucket.
+	// The Secret is created in the same Namespace as the BucketAccess and is deleted when the
+	// BucketAccess is deleted and deprovisioned.
+	// The Secret name must be unique across all bucketClaimRefs for all BucketAccesses in the same
+	// Namespace.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	AccessSecretName string `json:"accessSecretName"`
+}
+
+// AccessedBucket identifies a Bucket and corresponding access parameters.
+type AccessedBucket struct {
+	// bucketName is the name of a Bucket the access should have permissions for.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	BucketName string `json:"bucketName"`
+
+	// accessMode is the Read/Write access mode that the access should have for the bucket.
+	// +required
+	AccessMode BucketAccessMode `json:"accessMode"`
 }
 
 // +kubebuilder:object:root=true
 
@@ -20,42 +20,46 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
-
 // BucketAccessClassSpec defines the desired state of BucketAccessClass
 type BucketAccessClassSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-	// The following markers will use OpenAPI v3 schema to validate the value
-	// More info: https://book.kubebuilder.io/reference/markers/crd-validation.html
+	// driverName is the name of the driver that fulfills requests for this BucketAccessClass.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	DriverName string `json:"driverName"`
+
+	// authenticationType specifies which authentication mechanism is used bucket access.
+	// Possible values:
+	//  - Key: The driver should generate a protocol-appropriate access key that clients can use to
+	//    authenticate to the backend object store.
+	//  - ServiceAccount: The driver should configure the system such that Pods using the given
+	//    ServiceAccount authenticate to the backend object store automatically.
+	// +required
+	// +kubebuilder:validation:Enum:=Key;ServiceAccount
+	AuthenticationType BucketAccessAuthenticationType `json:"authenticationType"`
+
+	// parameters is an opaque map of driver-specific configuration items passed to the driver that
+	// fulfills requests for this BucketAccessClass.
+	// +optional
+	Parameters map[string]string `json:"parameters,omitempty"`
 
-	// foo is an example field of BucketAccessClass. Edit bucketaccessclass_types.go to remove/update
+	// featureOptions can be used to adjust various COSI access provisioning behaviors.
 	// +optional
-	Foo *string `json:"foo,omitempty"`
+	FeatureOptions BucketAccessFeatureOptions `json:"featureOptions,omitempty"`
 }
 
-// BucketAccessClassStatus defines the observed state of BucketAccessClass.
-type BucketAccessClassStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
-	// For Kubernetes API conventions, see:
-	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
-
-	// conditions represent the current state of the BucketAccessClass resource.
-	// Each condition has a unique type and reflects the status of a specific aspect of the resource.
-	//
-	// Standard condition types include:
-	// - "Available": the resource is fully functional
-	// - "Progressing": the resource is being created or updated
-	// - "Degraded": the resource failed to reach or maintain its desired state
-	//
-	// The status of each condition is one of True, False, or Unknown.
-	// +listType=map
-	// +listMapKey=type
+// BucketAccessFeatureOptions defines various COSI access provisioning behaviors.
+type BucketAccessFeatureOptions struct {
+	// disallowedBucketAccessModes is a list of disallowed Read/Write access modes. A BucketAccess
+	// using this class will not be allowed to request access to a BucketClaim with any access mode
+	// listed here.
 	// +optional
-	Conditions []metav1.Condition `json:"conditions,omitempty"`
+	// +listType=set
+	DisallowedBucketAccessModes []BucketAccessMode `json:"disallowedBucketAccessModes,omitempty"`
+
+	// disallowMultiBucketAccess disables the ability for a BucketAccess to reference multiple
+	// BucketClaims when set.
+	// +optional
+	DisallowMultiBucketAccess bool `json:"disallowMultiBucketAccess,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -73,11 +77,8 @@ type BucketAccessClass struct {
 
 	// spec defines the desired state of BucketAccessClass
 	// +required
+	// +kubebuilder:validation:XValidation:message="BucketAccessClass spec is immutable",rule="self == oldSelf"
 	Spec BucketAccessClassSpec `json:"spec"`
-
-	// status defines the observed state of BucketAccessClass
-	// +optional
-	Status BucketAccessClassStatus `json:"status,omitempty,omitzero"`
 }
 
 // +kubebuilder:object:root=true