CLOUDP-280230: Add Network peering CRD and controller (#2103)

* Add Network Peering CRD

* Add Network Peering controller

Signed-off-by: jose.vazquez <[email protected]>

* Update helm chart

* Fixup peering not found return

* Add deletion protection on network peerings

* Fix indexers

Signed-off-by: jose.vazquez <[email protected]>

* Explain containers are required for peering

* Allow to set ID to manage exiting peering

Signed-off-by: jose.vazquez <[email protected]>

* Avoid not found errors when already removed

* Move CEL defs

* Simplify conversion check

* Remove unneeded extra lines

* Clear TODO

* Fix message wording

* Remove unused copy left over error

* Update api/v1/project_reference_cel_test.go

Do log instead of print

Co-authored-by: Sergiusz Urbaniak <[email protected]>

* Fix deletion greediness properly

* Remove trace

---------

Signed-off-by: jose.vazquez <[email protected]>
Co-authored-by: Sergiusz Urbaniak <[email protected]>

Author: josvazg

.github/workflows/test-e2e.yml

@@ -186,6 +186,7 @@ jobs:
             "ip-access-list",
             "dry-run",
             "networkcontainer-controller",
+            "networkpeering-controller",
           ]
     steps:
       - name: Get repo files from cache

.mockery.yaml

@@ -17,3 +17,4 @@ packages:
   github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/maintenancewindow:
   github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/encryptionatrest:
   github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/networkcontainer:
+  github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/networkpeering:

PROJECT

@@ -135,4 +135,12 @@ resources:
   kind: AtlasNetworkContainer
   path: github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1
   version: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: mongodb.com
+  group: atlas
+  kind: AtlasNetworkPeering
+  path: github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1
+  version: v1
 version: "3"

api/v1/atlasnetworkcontainer_types.go

@@ -74,7 +74,7 @@ type AtlasNetworkContainerSpec struct {
 
 // AtlasNetworkContainerConfig defines the Atlas specifics of the desired state of a Network Container
 type AtlasNetworkContainerConfig struct {
-	// ID is the container identified for an already existent network container to be managed by the operator.
+	// ID is the container identifier for an already existent network container to be managed by the operator.
 	// This field can be used in conjunction with cidrBlock to update the cidrBlock of an existing container.
 	// This field is immutable.
 	// +optional

api/v1/atlasnetworkpeering_types.go

@@ -16,14 +16,81 @@ limitations under the License.
 
 package v1
 
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1/status"
+)
+
+func init() {
+	SchemeBuilder.Register(&AtlasNetworkPeering{}, &AtlasNetworkPeeringList{})
+}
+
+// AtlasNetworkPeering is the Schema for the AtlasNetworkPeering API
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
+// +kubebuilder:printcolumn:name="Provider",type=string,JSONPath=`.spec.provider`
+// +kubebuilder:printcolumn:name="Id",type=string,JSONPath=`.status.id`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
+// +kubebuilder:subresource:status
+// +groupName:=atlas.mongodb.com
+// +kubebuilder:resource:categories=atlas,shortName=anp
+type AtlasNetworkPeering struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   AtlasNetworkPeeringSpec          `json:"spec,omitempty"`
+	Status status.AtlasNetworkPeeringStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// AtlasNetworkPeeringList contains a list of AtlasNetworkPeering
+type AtlasNetworkPeeringList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AtlasNetworkPeering `json:"items"`
+}
+
+// AtlasNetworkPeeringSpec defines the desired state of AtlasNetworkPeering
+// +kubebuilder:validation:XValidation:rule="(has(self.externalProjectRef) && !has(self.projectRef)) || (!has(self.externalProjectRef) && has(self.projectRef))",message="must define only one project reference through externalProjectRef or projectRef"
+// +kubebuilder:validation:XValidation:rule="(has(self.externalProjectRef) && has(self.connectionSecret)) || !has(self.externalProjectRef)",message="must define a local connection secret when referencing an external project"
+// +kubebuilder:validation:XValidation:rule="(has(self.containerRef.name) && !has(self.containerRef.id)) || (!has(self.containerRef.name) && has(self.containerRef.id))",message="must either have a container Atlas id or Kubernetes name, but not both (or neither)"
+// +kubebuilder:validation:XValidation:rule="(self.id == oldSelf.id) || (!has(self.id) && !has(oldSelf.id))",message="id is immutable"
+type AtlasNetworkPeeringSpec struct {
+	ProjectDualReference `json:",inline"`
+
+	ContainerRef ContainerDualReference `json:"containerRef"`
+
+	AtlasNetworkPeeringConfig `json:",inline"`
+}
+
+// ContainerDualReference refers to an Network Container either by Kubernetes name or Atlas ID
+type ContainerDualReference struct {
+	// Name of the container Kubernetes resource, must be present in the same namespace
+	// Use either name or ID, not both.
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// ID is the Atlas identifier of the Network Container Atlas resource this Peering Connection relies on
+	// Use either name or ID, not both.
+	// +optional
+	ID string `json:"id,omitempty"`
+}
+
+// AtlasNetworkPeeringConfig defines the Atlas specifics of the desired state of Peering Connections
 type AtlasNetworkPeeringConfig struct {
+	// ID is the peering identifier for an already existent network peering to be managed by the operator.
+	// This field is immutable.
+	// +optional
+	ID string `json:"id,omitempty"`
+
 	// Name of the cloud service provider for which you want to create the network peering service.
 	// +kubebuilder:validation:Enum=AWS;GCP;AZURE
 	// +kubebuilder:validation:Required
 	Provider string `json:"provider"`
-	// ID of the network peer container. If not set, operator will create a new container with ContainerRegion and AtlasCIDRBlock input.
-	// +optional
-	ContainerID string `json:"containerId"`
 
 	// AWSConfiguration is the specific AWS settings for network peering
 	// +kubebuilder:validation:Optional
@@ -36,40 +103,66 @@ type AtlasNetworkPeeringConfig struct {
 	GCPConfiguration *GCPNetworkPeeringConfiguration `json:"gcpConfiguration,omitempty"`
 }
 
-type AtlasProviderContainerConfig struct {
-	// ContainerRegion is the provider region name of Atlas network peer container. If not set, AccepterRegionName is used.
-	// +optional
-	ContainerRegion string `json:"containerRegion"`
-	// Atlas CIDR. It needs to be set if ContainerID is not set.
-	// +optional
-	AtlasCIDRBlock string `json:"atlasCidrBlock"`
-}
-
+// AWSNetworkPeeringConfiguration defines tha Atlas desired state for AWS
 type AWSNetworkPeeringConfiguration struct {
-	// AccepterRegionName is the provider region name of user's vpc.
+	// AccepterRegionName is the provider region name of user's vpc in AWS native region format
+	// +kubebuilder:validation:Required
 	AccepterRegionName string `json:"accepterRegionName"`
 	// AccountID of the user's vpc.
+	// +kubebuilder:validation:Required
 	AWSAccountID string `json:"awsAccountId,omitempty"`
 	// User VPC CIDR.
+	// +kubebuilder:validation:Required
 	RouteTableCIDRBlock string `json:"routeTableCidrBlock,omitempty"`
 	// AWS VPC ID.
+	// +kubebuilder:validation:Required
 	VpcID string `json:"vpcId,omitempty"`
 }
 
+// AzureNetworkPeeringConfiguration defines tha Atlas desired state for Azure
 type AzureNetworkPeeringConfiguration struct {
 	//AzureDirectoryID is the unique identifier for an Azure AD directory.
+	// +kubebuilder:validation:Required
 	AzureDirectoryID string `json:"azureDirectoryId,omitempty"`
 	// AzureSubscriptionID is the unique identifier of the Azure subscription in which the VNet resides.
+	// +kubebuilder:validation:Required
 	AzureSubscriptionID string `json:"azureSubscriptionId,omitempty"`
 	//ResourceGroupName is the name of your Azure resource group.
+	// +kubebuilder:validation:Required
 	ResourceGroupName string `json:"resourceGroupName,omitempty"`
 	// VNetName is name of your Azure VNet. Its applicable only for Azure.
-	VNetName string `json:"vnetName,omitempty"`
+	// +kubebuilder:validation:Required
+	VNetName string `json:"vNetName,omitempty"`
 }
 
+// GCPNetworkPeeringConfiguration defines tha Atlas desired state for Google
 type GCPNetworkPeeringConfiguration struct {
 	// User GCP Project ID. Its applicable only for GCP.
+	// +kubebuilder:validation:Required
 	GCPProjectID string `json:"gcpProjectId,omitempty"`
 	// GCP Network Peer Name. Its applicable only for GCP.
+	// +kubebuilder:validation:Required
 	NetworkName string `json:"networkName,omitempty"`
 }
+
+func (np *AtlasNetworkPeering) GetStatus() api.Status {
+	return np.Status
+}
+
+func (np *AtlasNetworkPeering) Credentials() *api.LocalObjectReference {
+	return np.Spec.ConnectionSecret
+}
+
+func (np *AtlasNetworkPeering) ProjectDualRef() *ProjectDualReference {
+	return &np.Spec.ProjectDualReference
+}
+
+func (np *AtlasNetworkPeering) UpdateStatus(conditions []api.Condition, options ...api.Option) {
+	np.Status.Conditions = conditions
+	np.Status.ObservedGeneration = np.ObjectMeta.Generation
+
+	for _, o := range options {
+		v := o.(status.AtlasNetworkPeeringStatusOption)
+		v(&np.Status)
+	}
+}

api/v1/atlasnetworkpeering_types_test.go

@@ -0,0 +1,193 @@
+package v1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1/common"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/test/helper/cel"
+)
+
+func TestPeeringCELChecks(t *testing.T) {
+	for _, tc := range []struct {
+		title          string
+		old            *AtlasNetworkPeering
+		obj            *AtlasNetworkPeering
+		expectedErrors []string
+	}{
+		{
+			title: "Missing container ref in peering fails",
+			obj: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{},
+			},
+			expectedErrors: []string{"spec: Invalid value: \"object\": must either have a container Atlas id or Kubernetes name, but not both (or neither)"},
+		},
+
+		{
+			title: "Named container ref works",
+			obj: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						Name: "Some-name",
+					},
+				},
+			},
+		},
+
+		{
+			title: "Container id ref works",
+			obj: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						ID: "some-id",
+					},
+				},
+			},
+		},
+
+		{
+			title: "Both container id and name ref fails",
+			obj: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						Name: "Some-name",
+						ID:   "some-id",
+					},
+				},
+			},
+			expectedErrors: []string{"spec: Invalid value: \"object\": must either have a container Atlas id or Kubernetes name, but not both (or neither)"},
+		},
+
+		{
+			title: "ID set works",
+			obj: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						ID: "some-id",
+					},
+					AtlasNetworkPeeringConfig: AtlasNetworkPeeringConfig{
+						ID: "some-peering-id",
+					},
+				},
+			},
+		},
+
+		{
+			title: "ID added in fails",
+			old: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						ID: "some-id",
+					},
+				},
+			},
+			obj: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						ID: "some-id",
+					},
+					AtlasNetworkPeeringConfig: AtlasNetworkPeeringConfig{
+						ID: "some-peering-id",
+					},
+				},
+			},
+			expectedErrors: []string{"spec: Invalid value: \"object\": no such key: id evaluating rule: id is immutable"},
+		},
+
+		{
+			title: "ID remove fails",
+			old: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						ID: "some-id",
+					},
+					AtlasNetworkPeeringConfig: AtlasNetworkPeeringConfig{
+						ID: "some-peering-id",
+					},
+				},
+			},
+			obj: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						ID: "some-id",
+					},
+				},
+			},
+			expectedErrors: []string{"spec: Invalid value: \"object\": no such key: id evaluating rule: id is immutable"},
+		},
+
+		{
+			title: "ID changed fails",
+			old: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						ID: "some-id",
+					},
+					AtlasNetworkPeeringConfig: AtlasNetworkPeeringConfig{
+						ID: "some-peering-id",
+					},
+				},
+			},
+			obj: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						ID: "some-id",
+					},
+					AtlasNetworkPeeringConfig: AtlasNetworkPeeringConfig{
+						ID: "another-peering-id",
+					},
+				},
+			},
+			expectedErrors: []string{"spec: Invalid value: \"object\": id is immutable"},
+		},
+
+		{
+			title: "ID unchanged works",
+			old: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						ID: "some-id",
+					},
+					AtlasNetworkPeeringConfig: AtlasNetworkPeeringConfig{
+						ID: "some-peering-id",
+					},
+				},
+			},
+			obj: &AtlasNetworkPeering{
+				Spec: AtlasNetworkPeeringSpec{
+					ContainerRef: ContainerDualReference{
+						ID: "some-id",
+					},
+					AtlasNetworkPeeringConfig: AtlasNetworkPeeringConfig{
+						ID: "some-peering-id",
+					},
+				},
+			},
+		},
+	} {
+		t.Run(tc.title, func(t *testing.T) {
+			// inject a project to avoid other CEL validations being hit
+			tc.obj.Spec.ProjectRef = &common.ResourceRefNamespaced{Name: "some-project"}
+			unstructuredObject, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&tc.obj)
+			require.NoError(t, err)
+
+			unstructuredOld := map[string]interface{}{}
+			if tc.old != nil {
+				var err error
+				tc.old.Spec.ProjectRef = &common.ResourceRefNamespaced{Name: "some-project"}
+				unstructuredOld, err = runtime.DefaultUnstructuredConverter.ToUnstructured(&tc.old)
+				require.NoError(t, err)
+			}
+
+			crdPath := "../../config/crd/bases/atlas.mongodb.com_atlasnetworkpeerings.yaml"
+			validator, err := cel.VersionValidatorFromFile(t, crdPath, "v1")
+			assert.NoError(t, err)
+			errs := validator(unstructuredObject, unstructuredOld)
+
+			require.Equal(t, tc.expectedErrors, cel.ErrorListAsStrings(errs))
+		})
+	}
+}