Implement SaaS-Based Approval Workflow for ClientIntents #569
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nto evya/approved_intents_crd
…raphQL mutations and queries for applied intents requests
…lientIntents for every clientIntents while the operator will wait for the migration to end.
1. When first reconciled - add finalizer 2. When deleted - trigger approvedClientIntent deletion a. If does not exist - remove finalizer b. If exists - delete approvedClientIntent and return 3. When approvedClientIntents is deleted - remove finalizer from clientIntents before removing its own
omris94
changed the title
clientIntents
omris94
commented
Mar 17, 2025
| ExternallyManagedPolicyWorkloadsKey = "externallyManagedPolicyWorkloads" | ||
|
|
||
| EnableIntentsCloudApproval = "enable-intents-cloud-approval" | ||
| EnableIntentsCloudApprovalDefault = true |
Contributor
Author
There was a problem hiding this comment.
Change before merge
amitlicht
reviewed
Mar 18, 2025
| ObservedGeneration int64 `json:"observedGeneration"` | ||
| // ResolvedIPs stores resolved IPs for a domain name - the network mapper populates it when DNS internetTarget is used | ||
| // +optional | ||
| ResolvedIPs []ResolvedIPs `json:"resolvedIPs,omitempty" yaml:"resolvedIPs,omitempty"` |
Contributor
There was a problem hiding this comment.
Don't forget to open a PR to update the mapper with this change + release them together
Comment on lines
82
to
83
| //+kubebuilder:rbac:groups=k8s.otterize.com,resources=postgresqlserverconfigs,verbs=get;list;watch;create;update;patch;delete | ||
| //+kubebuilder:rbac:groups=k8s.otterize.com,resources=mysqlserverconfigs,verbs=get;list;watch;create;update;patch;delete |
Contributor
There was a problem hiding this comment.
Cleanup required RBAC permissions here
| // Will be handled elsewhere | ||
| return nil | ||
| } | ||
| if intents.Status.ReviewStatus == "" { |
Contributor
There was a problem hiding this comment.
shouldn't this already be handled by the main flow? I'd expect the main flow to ensure the status is set.
Co-authored-by: Amit Lichtenberg <[email protected]>
Co-authored-by: Amit Lichtenberg <[email protected]>
Co-authored-by: Amit Lichtenberg <[email protected]>
Co-authored-by: Amit Lichtenberg <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This pull request introduces a SaaS-based approval workflow for
ClientIntentswithin the Otterize intents-operator. By default, there are no changes to the user API unless explicitly configured by the user.Key Changes
ApprovedClientIntents CRD:
A new Custom Resource Definition (CRD) named
ApprovedClientIntentshas been added. This CRD representsClientIntentsresources that have been approved, facilitating a controlled and auditable access management process.Refactoring of Intents Reconciliation:
The existing
IntentsReconcilerlogic has been refactored intoApprovedIntentsReconciler. All operations previously triggered by the reconciliation of intents now utilize the newApprovedClientIntentsCRD, ensuring that only approved intents are enforced.Introduction of Approval Flow Reconciler:
A new reconciler has been implemented to handle the approval flow. By default, the operator auto-approves any
ClientIntents. If configured to integrate with the cloud, it reports theClientIntentsas access requests to the cloud and awaits approval status. Once a request is approved, it triggers the creation of anApprovedClientIntentsresource.Testing
Describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.
Please include any manual steps for testing end-to-end or functionality not covered by unit/integration tests.
Also include details of the environment this PR was developed in (language/platform/browser version).
Checklist