CLOUDP-190400: Merge deletion protection bits (#1026)

* Add deletion protection flags to manager and support in database_user controller (#1003)

* CLOUDP-175080: Support deletion protection for Atlas projects (#1028)

* Disable and hide deletion protection (#1052)

Signed-off-by: Jose Vazquez <[email protected]>

---------

Signed-off-by: Jose Vazquez <[email protected]>
Co-authored-by: Helder Santana <[email protected]>

Author: josvazg

Dockerfile

@@ -27,9 +27,9 @@ ENV TARGET_OS=${TARGETOS}
 
 RUN make manager
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2
 
-RUN microdnf install yum &&\
+RUN microdnf install -y yum &&\
   yum -y update &&\
   yum -y upgrade &&\
   yum clean all &&\

cmd/manager/main.go

@@ -25,8 +25,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/version"
-
 	"go.uber.org/zap/zapcore"
 	ctrzap "sigs.k8s.io/controller-runtime/pkg/log/zap"
 
@@ -52,7 +50,17 @@ import (
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/connectionsecret"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/watch"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/util/kube"
-	// +kubebuilder:scaffold:imports
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/version"
+)
+
+const (
+	objectDeletionProtectionFlag       = "object-deletion-protection"
+	subobjectDeletionProtectionFlag    = "subobject-deletion-protection"
+	objectDeletionProtectionDefault    = false
+	subobjectDeletionProtectionDefault = false
+
+	objectDeletionProtectionEnvVar    = "UNSUPPORTED_OBJECT_DELETION_PROTECTION"
+	subobjectDeletionProtectionEnvVar = "UNSUPPORTED_SUBOBJECT_DELETION_PROTECTION"
 )
 
 var (
@@ -62,9 +70,7 @@ var (
 
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
-
 	utilruntime.Must(mdbv1.AddToScheme(scheme))
-	// +kubebuilder:scaffold:scheme
 }
 
 func main() {
@@ -144,28 +150,32 @@ func main() {
 	}
 
 	if err = (&atlasproject.AtlasProjectReconciler{
-		Client:           mgr.GetClient(),
-		Log:              logger.Named("controllers").Named("AtlasProject").Sugar(),
-		Scheme:           mgr.GetScheme(),
-		AtlasDomain:      config.AtlasDomain,
-		ResourceWatcher:  watch.NewResourceWatcher(),
-		GlobalAPISecret:  config.GlobalAPISecret,
-		GlobalPredicates: globalPredicates,
-		EventRecorder:    mgr.GetEventRecorderFor("AtlasProject"),
+		Client:                      mgr.GetClient(),
+		Log:                         logger.Named("controllers").Named("AtlasProject").Sugar(),
+		Scheme:                      mgr.GetScheme(),
+		AtlasDomain:                 config.AtlasDomain,
+		ResourceWatcher:             watch.NewResourceWatcher(),
+		GlobalAPISecret:             config.GlobalAPISecret,
+		GlobalPredicates:            globalPredicates,
+		EventRecorder:               mgr.GetEventRecorderFor("AtlasProject"),
+		ObjectDeletionProtection:    config.ObjectDeletionProtection,
+		SubObjectDeletionProtection: config.SubObjectDeletionProtection,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "AtlasProject")
 		os.Exit(1)
 	}
 
 	if err = (&atlasdatabaseuser.AtlasDatabaseUserReconciler{
-		Client:           mgr.GetClient(),
-		Log:              logger.Named("controllers").Named("AtlasDatabaseUser").Sugar(),
-		Scheme:           mgr.GetScheme(),
-		AtlasDomain:      config.AtlasDomain,
-		ResourceWatcher:  watch.NewResourceWatcher(),
-		GlobalAPISecret:  config.GlobalAPISecret,
-		GlobalPredicates: globalPredicates,
-		EventRecorder:    mgr.GetEventRecorderFor("AtlasDatabaseUser"),
+		ResourceWatcher:             watch.NewResourceWatcher(),
+		Client:                      mgr.GetClient(),
+		Log:                         logger.Named("controllers").Named("AtlasDatabaseUser").Sugar(),
+		Scheme:                      mgr.GetScheme(),
+		AtlasDomain:                 config.AtlasDomain,
+		GlobalAPISecret:             config.GlobalAPISecret,
+		EventRecorder:               mgr.GetEventRecorderFor("AtlasDatabaseUser"),
+		GlobalPredicates:            globalPredicates,
+		ObjectDeletionProtection:    config.ObjectDeletionProtection,
+		SubObjectDeletionProtection: config.SubObjectDeletionProtection,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "AtlasDatabaseUser")
 		os.Exit(1)
@@ -203,15 +213,17 @@ func main() {
 }
 
 type Config struct {
-	AtlasDomain          string
-	EnableLeaderElection bool
-	MetricsAddr          string
-	Namespace            string
-	WatchedNamespaces    map[string]bool
-	ProbeAddr            string
-	GlobalAPISecret      client.ObjectKey
-	LogLevel             string
-	LogEncoder           string
+	AtlasDomain                 string
+	EnableLeaderElection        bool
+	MetricsAddr                 string
+	Namespace                   string
+	WatchedNamespaces           map[string]bool
+	ProbeAddr                   string
+	GlobalAPISecret             client.ObjectKey
+	LogLevel                    string
+	LogEncoder                  string
+	ObjectDeletionProtection    bool
+	SubObjectDeletionProtection bool
 }
 
 // ParseConfiguration fills the 'OperatorConfig' from the flags passed to the program
@@ -251,6 +263,8 @@ func parseConfiguration() Config {
 		config.Namespace = watchedNamespace
 	}
 
+	configureDeletionProtection(&config)
+
 	return config
 }
 
@@ -303,3 +317,35 @@ func initCustomZapLogger(level, encoding string) (*zap.Logger, error) {
 	}
 	return cfg.Build()
 }
+
+func configureDeletionProtection(config *Config) {
+	if config == nil {
+		return
+	}
+	config.ObjectDeletionProtection = objectDeletionProtectionDefault
+	config.SubObjectDeletionProtection = subobjectDeletionProtectionDefault
+
+	// TODO: replace with the CLI flags at feature completion
+	enableDeletionProtectionFromEnvVars(config, version.Version)
+}
+
+func enableDeletionProtectionFromEnvVars(config *Config, v string) {
+	if version.IsRelease(v) {
+		if isOn(os.Getenv(objectDeletionProtectionEnvVar)) ||
+			isOn(os.Getenv(subobjectDeletionProtectionEnvVar)) {
+			log.Printf("Deletion Protection feature is not available yet in production releases")
+		}
+		return
+	}
+
+	if isOn(os.Getenv(objectDeletionProtectionEnvVar)) {
+		config.ObjectDeletionProtection = true
+	}
+	if isOn(os.Getenv(subobjectDeletionProtectionEnvVar)) {
+		config.SubObjectDeletionProtection = true
+	}
+}
+
+func isOn(value string) bool {
+	return strings.ToLower(value) == "on"
+}

cmd/manager/main_test.go

@@ -0,0 +1,89 @@
+package main
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/version"
+)
+
+const (
+	nonReleaseVersion = "1.8.0-30-g81233c6-dirty"
+	releaseVersion    = "1.9.0-certified"
+)
+
+func TestDeletionProtectionDisabledByDefault(t *testing.T) {
+	os.Unsetenv(objectDeletionProtectionEnvVar)
+	os.Unsetenv(subobjectDeletionProtectionEnvVar)
+
+	cfg := Config{
+		ObjectDeletionProtection:    objectDeletionProtectionDefault,
+		SubObjectDeletionProtection: subobjectDeletionProtectionDefault,
+	}
+	enableDeletionProtectionFromEnvVars(&cfg, version.DefaultVersion)
+
+	assert.Equal(t, false, cfg.ObjectDeletionProtection)
+	assert.Equal(t, false, cfg.SubObjectDeletionProtection)
+}
+
+func TestDeletionProtectionIgnoredOnReleases(t *testing.T) {
+	version.Version = releaseVersion
+	os.Setenv(objectDeletionProtectionEnvVar, "On")
+	os.Setenv(subobjectDeletionProtectionEnvVar, "On")
+
+	cfg := Config{
+		ObjectDeletionProtection:    objectDeletionProtectionDefault,
+		SubObjectDeletionProtection: subobjectDeletionProtectionDefault,
+	}
+	enableDeletionProtectionFromEnvVars(&cfg, releaseVersion)
+
+	assert.Equal(t, false, cfg.ObjectDeletionProtection)
+	assert.Equal(t, false, cfg.SubObjectDeletionProtection)
+}
+
+func TestDeletionProtectionEnabledAsEnvVars(t *testing.T) {
+	testCases := []struct {
+		title            string
+		objDelProtect    bool
+		subObjDelProtect bool
+	}{
+		{
+			"both env vars set on non release version enables both protections",
+			true,
+			true,
+		},
+		{
+			"obj env var set on non release version enables obj protection only",
+			true,
+			false,
+		},
+		{
+			"subobj env var set on non release version enables subobj protection only",
+			false,
+			true,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.title, func(t *testing.T) {
+			os.Unsetenv(objectDeletionProtectionEnvVar)
+			os.Unsetenv(subobjectDeletionProtectionEnvVar)
+			if tc.objDelProtect {
+				os.Setenv(objectDeletionProtectionEnvVar, "On")
+			}
+			if tc.subObjDelProtect {
+				os.Setenv(subobjectDeletionProtectionEnvVar, "On")
+			}
+
+			cfg := Config{
+				ObjectDeletionProtection:    objectDeletionProtectionDefault,
+				SubObjectDeletionProtection: subobjectDeletionProtectionDefault,
+			}
+			enableDeletionProtectionFromEnvVars(&cfg, nonReleaseVersion)
+
+			assert.Equal(t, tc.objDelProtect, cfg.ObjectDeletionProtection)
+			assert.Equal(t, tc.subObjDelProtect, cfg.SubObjectDeletionProtection)
+		})
+	}
+}

helm-charts

@@ -18,7 +18,6 @@ type AtlasCustomResource interface {
 }
 
 var _ AtlasCustomResource = &AtlasProject{}
-
 var _ AtlasCustomResource = &AtlasDeployment{}
-
+var _ AtlasCustomResource = &AtlasDatabaseUser{}
 var _ AtlasCustomResource = &AtlasDataFederation{}

pkg/api/v1/atlascustomresource.go

@@ -226,8 +226,8 @@ func (p *AtlasProject) WithLabels(labels map[string]string) *AtlasProject {
 	return p
 }
 
-func (p *AtlasProject) WithAnnotations(labels map[string]string) *AtlasProject {
-	p.Labels = labels
+func (p *AtlasProject) WithAnnotations(annotations map[string]string) *AtlasProject {
+	p.Annotations = annotations
 	return p
 }