Add auth CRD (#188)

superseb · web-flow · commit 8db1e4f8359e · 2025-12-02T11:00:46.000+01:00
* Add auth CRD

* review comments
diff --git a/.github/workflows/pr-workflow.yaml b/.github/workflows/pr-workflow.yaml
@@ -24,6 +24,9 @@ jobs:
       - name: Helm lint (CRDs)
         run: |
           helm lint charts/qdrant-kubernetes-api
+          helm lint charts/qdrant-kubernetes-api --set includeManagementCRDs=true
+          helm lint charts/qdrant-kubernetes-api --set includeAuthCRDs=true
+          helm lint charts/qdrant-kubernetes-api --set includeManagementCRDs=true --set includeAuthCRDs=true
 
       - name: Run kubeconform
         shell: bash
diff --git a/Makefile b/Makefile
@@ -19,6 +19,10 @@ CRDS_DIR ?= crds
 lint:
 	bash -c 'files=$$(gofmt -l .) && echo $$files && [ -z "$$files" ]'
 	helm lint $(CHART_DIR)
+	helm lint $(CHART_DIR) --set includeManagementCRDs=true
+	helm lint $(CHART_DIR) --set includeAuthCRDs=true
+	helm lint $(CHART_DIR) --set includeManagementCRDs=true --set includeAuthCRDs=true
+	helm lint $(CHART_DIR)
 	golangci-lint run
 
 .PHONY: gen
@@ -28,17 +32,24 @@ gen: manifests generate format vet ## Generate code containing DeepCopy, DeepCop
 manifests: controller-gen ## Generate CustomResourceDefinition objects.
 	rm $(CHART_DIR)/templates/management-crds/*.yaml
 	rm $(CHART_DIR)/templates/region-crds/*.yaml
+	rm $(CHART_DIR)/templates/auth-crds/*.yaml
 	$(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=$(CRDS_DIR)
 	mv $(CRDS_DIR)/qdrant.io_qdrantreleases.yaml $(CHART_DIR)/templates/management-crds/
 	cp $(CRDS_DIR)/qdrant*.yaml $(CHART_DIR)/templates/region-crds/
+	mv $(CRDS_DIR)/auth.qdrant.io*.yaml $(CHART_DIR)/templates/auth-crds/
 	for file in $(CHART_DIR)/templates/management-crds/*.yaml; do \
 		echo "{{ if .Values.includeManagementCRDs }}" | cat - $$file > temp && mv temp $$file; \
 		echo "{{ end }}" >> $$file; \
 	done
-	for file in $(CHART_DIR)/templates/region-crds/*.yaml; do \
+	for file in $(CHART_DIR)/templates/region-crds/qdrant*.yaml; do \
 		echo "{{ if .Values.includeRegionCRDs }}" | cat - $$file > temp && mv temp $$file; \
 		echo "{{ end }}" >> $$file; \
 	done
+	# We only want to deploy API key CRD to regional clusters
+	for file in $(CHART_DIR)/templates/auth-crds/auth.qdrant.io*.yaml; do \
+		echo "{{ if .Values.includeAuthCRDs }}" | cat - $$file > temp && mv temp $$file; \
+		echo "{{ end }}" >> $$file; \
+	done
 	helm lint $(CHART_DIR)
 
 .PHONY: generate
diff --git a/api/auth/v1alpha1/apiauthentication_types.go b/api/auth/v1alpha1/apiauthentication_types.go
@@ -0,0 +1,47 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// APIAuthentication is a configuration for authenticating against Qdrant clusters.
+type APIAuthentication struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec APIAuthenticationSpec `json:"spec"`
+}
+
+// APIAuthenticationSpec describes the configuration for authenticating against Qdrant clusters.
+type APIAuthenticationSpec struct {
+	// +kubebuilder:validation:MinLength=128
+	// +kubebuilder:validation:MaxLength=128
+	// +optional
+	// SHA512 hash of an API key.
+	SHA512 *string `json:"sha512,omitempty"`
+
+	// +listType=set
+	// List of cluster IDs for which the API key is valid
+	ClusterIDs []string `json:"clusterIDs"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// APIAuthenticationList is the whole list of all APIAuthentication objects.
+type APIAuthenticationList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	// List of APIAuthentication objects
+	Items []APIAuthentication `json:"items"`
+}
diff --git a/api/auth/v1alpha1/groupversion_info.go b/api/auth/v1alpha1/groupversion_info.go
@@ -0,0 +1,20 @@
+// Package v1alpha1 contains API Schema definitions for the qdrant.io v1alpha1 API group
+// +kubebuilder:object:generate=true
+// +groupName=auth.qdrant.io
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "auth.qdrant.io", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)
diff --git a/api/auth/v1alpha1/zz_generated.deepcopy.go b/api/auth/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/qdrant-kubernetes-api/templates/auth-crds/auth.qdrant.io_apiauthentications.yaml b/charts/qdrant-kubernetes-api/templates/auth-crds/auth.qdrant.io_apiauthentications.yaml
@@ -0,0 +1,64 @@
+{{ if .Values.includeAuthCRDs }}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.19.0
+  name: apiauthentications.auth.qdrant.io
+spec:
+  group: auth.qdrant.io
+  names:
+    kind: APIAuthentication
+    listKind: APIAuthenticationList
+    plural: apiauthentications
+    singular: apiauthentication
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: APIAuthentication is a configuration for authenticating against
+          Qdrant clusters.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: APIAuthenticationSpec describes the configuration for authenticating
+              against Qdrant clusters.
+            properties:
+              clusterIDs:
+                description: List of cluster IDs for which the API key is valid
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
+              sha512:
+                description: SHA512 hash of an API key.
+                maxLength: 128
+                minLength: 128
+                type: string
+            required:
+            - clusterIDs
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+{{ end }}
diff --git a/charts/qdrant-kubernetes-api/values.yaml b/charts/qdrant-kubernetes-api/values.yaml
@@ -2,3 +2,5 @@
 includeManagementCRDs: false
 # Include region-crds in the deployment
 includeRegionCRDs: true
+# Include auth.qdrant.io API key CRD in the deployment
+includeAuthCRDs: false
diff --git a/docs/api.md b/docs/api.md
@@ -1,9 +1,58 @@
 # API Reference
 
 ## Packages
+- [auth.qdrant.io/v1alpha1](#authqdrantiov1alpha1)
 - [qdrant.io/v1](#qdrantiov1)
 
 
+## auth.qdrant.io/v1alpha1
+
+Package v1alpha1 contains API Schema definitions for the qdrant.io v1alpha1 API group
+
+### Resource Types
+- [APIAuthentication](#apiauthentication)
+
+
+
+#### APIAuthentication
+
+
+
+APIAuthentication is a configuration for authenticating against Qdrant clusters.
+
+
+
+_Appears in:_
+- [APIAuthenticationList](#apiauthenticationlist)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `apiVersion` _string_ | `auth.qdrant.io/v1alpha1` | | |
+| `kind` _string_ | `APIAuthentication` | | |
+| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. |  |  |
+| `spec` _[APIAuthenticationSpec](#apiauthenticationspec)_ |  |  |  |
+
+
+
+
+#### APIAuthenticationSpec
+
+
+
+APIAuthenticationSpec describes the configuration for authenticating against Qdrant clusters.
+
+
+
+_Appears in:_
+- [APIAuthentication](#apiauthentication)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `sha512` _string_ | SHA512 hash of an API key. |  | MaxLength: 128 <br />MinLength: 128 <br /> |
+| `clusterIDs` _string array_ | List of cluster IDs for which the API key is valid |  |  |
+
+
+
 ## qdrant.io/v1
 
 Package v1 contains API Schema definitions for the qdrant.io v1 API group
