setting up for providers on the CR (#30)

* setting up for providers on the CR

* setting up for providers on the CR

* secret validation

* secret validation

Author: AlexsJones

README.md

@@ -7,6 +7,10 @@
 
 The open-feature-operator is a Kubernetes native operator that allows you to expose feature flags to your applications. It injects a [flagd](https://github.com/open-feature/flagd) sidecar into your pod and allows you to poll the flagd server for feature flags in a variety of ways.
 
+### Deploy the latest release
+
+`kubectl apply -f https://github.com/open-feature/open-feature-operator/releases/download/v0.0.1/release.yaml`
+
 ### Architecture
 
 As per the issue [here](https://github.com/open-feature/research/issues/1)
@@ -69,5 +73,5 @@ root@nginx:/# curl localhost:8080
 
 #### Run the example
 
-1. `kubectl apply -f config/samples/config_v1alpha1_featureflagconfiguration.yaml`
+1. `kubectl apply -f config/samples/crds/featureflagconfiguration.yaml`
 1. `kubectl apply -f config/samples/pod.yaml`

apis/core/v1alpha1/featureflagconfiguration_types.go

@@ -29,11 +29,18 @@ import (
 type FeatureFlagConfigurationSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
-
-	// Foo is an example field of FeatureFlagConfiguration. Edit featureflagconfiguration_types.go to remove/update
+	// +optional
+	Provider *FeatureFlagProvider `json:"provider"`
+	// FeatureFlagSpec is the json representation of the feature flag
 	FeatureFlagSpec string `json:"featureFlagSpec,omitempty"`
 }
 
+type FeatureFlagProvider struct {
+	// +kubebuilder:validation:Enum=flagD
+	Name        string                 `json:"name"`
+	Credentials corev1.ObjectReference `json:"credentials"`
+}
+
 // FeatureFlagConfigurationStatus defines the observed state of FeatureFlagConfiguration
 type FeatureFlagConfigurationStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
@@ -86,7 +93,7 @@ func GenerateFfConfigMap(name string, namespace string, references []metav1.Owne
 			OwnerReferences: references,
 		},
 		Data: map[string]string{
-			"config.yaml": spec.FeatureFlagSpec,
+			"config.json": spec.FeatureFlagSpec,
 		},
 	}
 }

apis/core/v1alpha1/zz_generated.deepcopy.go

@@ -38,9 +38,81 @@ spec:
               FeatureFlagConfiguration
             properties:
               featureFlagSpec:
-                description: Foo is an example field of FeatureFlagConfiguration.
-                  Edit featureflagconfiguration_types.go to remove/update
+                description: FeatureFlagSpec is the json representation of the feature
+                  flag
                 type: string
+              provider:
+                description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+                  Important: Run "make" to regenerate code after modifying this file'
+                properties:
+                  credentials:
+                    description: 'ObjectReference contains enough information to let
+                      you inspect or modify the referred object. --- New uses of this
+                      type are discouraged because of difficulty describing its usage
+                      when embedded in APIs. 1. Ignored fields.  It includes many
+                      fields which are not generally honored.  For instance, ResourceVersion
+                      and FieldPath are both very rarely valid in actual usage. 2.
+                      Invalid usage help.  It is impossible to add specific help for
+                      individual usage.  In most embedded usages, there are particular
+                      restrictions like, "must refer only to types A and B" or "UID
+                      not honored" or "name must be restricted". Those cannot be well
+                      described when embedded. 3. Inconsistent validation.  Because
+                      the usages are different, the validation rules are different
+                      by usage, which makes it hard for users to predict what will
+                      happen. 4. The fields are both imprecise and overly precise.  Kind
+                      is not a precise mapping to a URL. This can produce ambiguity
+                      during interpretation and require a REST mapping.  In most cases,
+                      the dependency is on the group,resource tuple and the version
+                      of the actual struct is irrelevant. 5. We cannot easily change
+                      it.  Because this type is embedded in many locations, updates
+                      to this type will affect numerous schemas.  Don''t make new
+                      APIs embed an underspecified API type they do not control. Instead
+                      of using this type, create a locally provided and used type
+                      that is well-focused on your reference. For example, ServiceReferences
+                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                      .'
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                  name:
+                    enum:
+                    - flagD
+                    type: string
+                required:
+                - credentials
+                - name
+                type: object
             type: object
           status:
             description: FeatureFlagConfigurationStatus defines the observed state

config/crd/bases/core.openfeature.dev_featureflagconfigurations.yaml

@@ -0,0 +1,12 @@
+apiVersion: core.openfeature.dev/v1alpha1
+kind: FeatureFlagConfiguration
+metadata:
+  name: featureflagconfiguration-sample
+spec:
+  provider:
+    name: "flagD"
+    credentials: 
+      name: "sample-provider-secret"
+      namespace: "default"
+  featureFlagSpec: |
+    {}

config/samples/crds/custom_provider.yaml

@@ -4,4 +4,4 @@ metadata:
   name: featureflagconfiguration-sample
 spec:
   featureFlagSpec: |
-    {} 
+    {}

config/samples/config_v1alpha1_featureflagconfiguration.yaml renamed to config/samples/crds/featureflagconfiguration.yaml

@@ -104,6 +104,18 @@ func (r *FeatureFlagConfigurationReconciler) Reconcile(ctx context.Context, req
 		return r.finishReconcile(nil, false)
 	}
 
+	// Check the provider on the FeatureFlagConfiguration
+	if ffconf.Spec.Provider == nil {
+		r.Log.Info("No provider specified for FeatureFlagConfiguration, using FlagD")
+		ffconf.Spec.Provider = &corev1alpha1.FeatureFlagProvider{
+			Name: "flagD",
+		}
+		if err := r.Update(ctx, ffconf); err != nil {
+			r.Log.Error(err, "Failed to update FeatureFlagConfiguration Provider")
+			return r.finishReconcile(err, false)
+		}
+	}
+
 	// Get list of configmaps
 	configMapList := &corev1.ConfigMapList{}
 	var ffConfigMapList []corev1.ConfigMap

controllers/featureflagconfiguration_controller.go

@@ -3,15 +3,17 @@ package webhooks
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"net/http"
 	"strings"
 
+	"k8s.io/apimachinery/pkg/api/errors"
+
 	"github.com/go-logr/logr"
 	corev1alpha1 "github.com/open-feature/open-feature-operator/apis/core/v1alpha1"
 	"github.com/open-feature/open-feature-operator/pkg/utils"
 	"github.com/xeipuuv/gojsonschema"
+	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
@@ -45,6 +47,16 @@ func (m *FeatureFlagConfigurationValidator) Handle(ctx context.Context, req admi
 			return admission.Denied(fmt.Sprintf("FeatureFlagSpec is not valid JSON: %s", err.Error()))
 		}
 	}
+
+	if config.Spec.Provider.Credentials.Name != "" {
+		// Check the provider and whether it has an existing secret
+		providerKeySecret := corev1.Secret{}
+		if err := m.Client.Get(ctx, client.ObjectKey{Name: config.Spec.Provider.Credentials.Name,
+			Namespace: config.Spec.Provider.Credentials.Namespace}, &providerKeySecret); errors.IsNotFound(err) {
+			return admission.Denied("credentials secret not found")
+		}
+	}
+
 	return admission.Allowed("")
 }
 
@@ -76,7 +88,7 @@ func (m *FeatureFlagConfigurationValidator) validateJSONSchema(schemaJSON string
 		for _, desc := range result.Errors() {
 			sb.WriteString(fmt.Sprintf("- %s\n", desc))
 		}
-		return errors.New(sb.String())
+		return errors.NewBadRequest(sb.String())
 	}
 	return nil
 }