move openshift/cloud-credential-operator API into openshift/api #683
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: joelddiaz The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
specifically the `assert` package
Move the api currently stored in github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential into openshift/api/cloudcredential. Add Makefile hooks for generating deepcopy/CRD. This is primarily a direct copy over from cloud-credential-operator except for: 1) a brand new `cloudcredential/register.go` 2) a `cloudcredential/v1/doc.go` with extra annotations 3) updated path for the k8s:conversion-gen annotation in `cloudcredential/v1/register.go` 4) cleaned up `cloudcredential/v1/doc.go` The deepcopy has been regenerated, the swagger newly generated, and the CRD generated as well (matches current CRD in `openshift/cloud-credential-operator/manifests/00-crd.yaml`.
joelddiaz
force-pushed
the
cloud-cred-op-types
branch
from
b131f88 to
84068c0
Compare
| // DeepCopyInto will perform a DeepCopy into the provided AWSProviderSpec | ||
| func (in *AWSProviderSpec) DeepCopyInto(out *AWSProviderSpec) { | ||
| *out = *in | ||
| out.TypeMeta = in.TypeMeta |
There was a problem hiding this comment.
isn't this implicit from *out = *in?
| // TODO: these types should eventually be broken out, along with the actuator, to a separate repo. | ||
|
|
||
| // AWSProviderSpec contains the required information to create a user policy in AWS. | ||
| // +k8s:deepcopy-gen=false |
There was a problem hiding this comment.
The field in AWSProviderSpec.StatementEntries[].PolicyCondition being of type map[string]map[string]interface{}. This means we cannot generate DeepCopy. The interface{} unfortunately snuck into our API while DeepCopy generation was mistakenly turned off (restored in openshift/cloud-credential-operator#204 ).
There was a problem hiding this comment.
Just create custom deepcopy funcs for IAMPolicyCondition or even IAMPolicyConditionKeyValue. Doesn't that work? No need to disable generation for these normal structs.
| // Action describes the particular AWS service actions that should be allowed or denied. (i.e. ec2:StartInstances, iam:ChangePassword) | ||
| Action []string `json:"action"` | ||
| // Resource specifies the object(s) this statement should apply to. (or "*" for all) | ||
| Resource string `json:"resource"` |
There was a problem hiding this comment.
should any of these be required?
There was a problem hiding this comment.
I suppose we could default to "*" if Resource is not set, but I'm not thrilled with the idea that by default we would be granting permissions with the least restrictions possible. If there were a workable minimum-permissions-by-default, I could definitely see making this not required.
There was a problem hiding this comment.
I don't think we need to require any of these, they seem optional, similarly how we do in audit. But defaulting to * is not a good idea. Default should be empty which means none.
There was a problem hiding this comment.
@soltysh sorry, getting back to this after some other unrelated work. If we mark this optional, and the empty string is treated as None, is there any value in defining a list of permissions and then saying that you can perform all those actions against nothing? What have we gained by making the field optional?
There was a problem hiding this comment.
Question: since this is an embedded type hidden behind a RawExtension, what effect does annotating these fields have?
| // +k8s:deepcopy-gen=false | ||
| type StatementEntry struct { | ||
| // Effect indicates if this policy statement is to Allow or Deny. | ||
| Effect string `json:"effect"` |
There was a problem hiding this comment.
this is an enum? Add kubebuilder markers.
There was a problem hiding this comment.
I believe today the only allowed values are "Allow" or "Deny" so I supposes we can make this an enum.
There was a problem hiding this comment.
Same question here, for an embedded type behind a RawExtension, what effect does annotating these fields have? (I annotated it as an enum, and there was no difference in the generated CRD which confused me until I realized this was behind the spec.providerSpec RawExtension.)
There was a problem hiding this comment.
That's a kubebuilder question. It might have special code to generate a RawExtensins schema.
| User string `json:"user"` | ||
| // Policy is the name of the policy attached to the user in AWS. | ||
| Policy string `json:"policy"` | ||
| } |
There was a problem hiding this comment.
None of the status fields are required. When cloud-cred-operator is running in "passthrough" mode, no users are created, and no policies are created. The credentials are simply copied as-is from the secret kube-system/aws-creds.
|
|
||
| // IAMPolicyConditionKeyValue - mapping of values for the chosen type | ||
| // +k8s:deepcopy-gen=false | ||
| type IAMPolicyConditionKeyValue map[string]interface{} |
There was a problem hiding this comment.
what are the values? Arbitrary JSON? It needs kubebuilder markers for that (x-kubernetes-preserve-unknown-fields).
There was a problem hiding this comment.
Yes, to the cloud-cred-operator, this is basically arbitrary (and IMO quite complex https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html ) JSON that just gets passed through to the AWS API calls as-is. I'll work on adding the markers.
There was a problem hiding this comment.
Compare the JSON type here: https://github.com/kubernetes/apiextensions-apiserver/blob/master/pkg/apis/apiextensions/v1/types_jsonschema.go#L59
You migth want to replicate what it does with a custom deepcopy func.
|
|
||
| // IAMPolicyCondition - map of condition types, with associated key - value mapping | ||
| // +k8s:deepcopy-gen=false | ||
| type IAMPolicyCondition map[string]IAMPolicyConditionKeyValue |
There was a problem hiding this comment.
Again, the interface{} messes up the auto DeepCopy generation here.
|
|
||
| "k8s.io/apimachinery/pkg/runtime" | ||
|
|
||
| "github.com/stretchr/testify/assert" |
There was a problem hiding this comment.
The goal of this repo is to have minimal set of dependencies, I'd prefer to use go built-in mechanism over fancy assert libraries here.
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ |
There was a problem hiding this comment.
No need for this copyright note, we have the license file at the root of this repo and that's sufficient.
| // Action describes the particular AWS service actions that should be allowed or denied. (i.e. ec2:StartInstances, iam:ChangePassword) | ||
| Action []string `json:"action"` | ||
| // Resource specifies the object(s) this statement should apply to. (or "*" for all) | ||
| Resource string `json:"resource"` |
There was a problem hiding this comment.
I don't think we need to require any of these, they seem optional, similarly how we do in audit. But defaulting to * is not a good idea. Default should be empty which means none.
| ) | ||
|
|
||
| // NewScheme creates a new Scheme | ||
| func NewScheme() (*runtime.Scheme, error) { |
There was a problem hiding this comment.
This file is quite unexpected here. Eventual codecs should be created where this is being used, not in API.
There was a problem hiding this comment.
Sounds like we should move this back to the CCO repo @joelddiaz
| &AWSProviderStatus{}, &AWSProviderSpec{}, | ||
| &AzureProviderStatus{}, &AzureProviderSpec{}, | ||
| &GCPProviderStatus{}, &GCPProviderSpec{}, | ||
| &VSphereProviderStatus{}, &VSphereProviderSpec{}, |
There was a problem hiding this comment.
This seems off. The usual k8s api is to have:
- spec - what user specified
- status - what the controller achieved
but in your case spec and status are separate, why? I believe this can't be changed at the moment but I must admit this is unexpected.
There was a problem hiding this comment.
This looks suspicious, all of these cloud specific types are embedded in the CredentialsRequest RawExtensions. I'm wondering if we need to add these as known types at all. It might be related to serialization as we do have to decode them in the cloud specific actuators.
There was a problem hiding this comment.
If these types are embedded I don't think they should be part of openshift/api at all.
There was a problem hiding this comment.
I actually considered removing this in the CCO repo (openshift/cloud-credential-operator#219) as prep-work before opening this PR, but it was never merged. I can certainly resurrect that PR and stop registering these types.
|
@joelddiaz: PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
needs-rebase
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
openshift-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close |
|
@openshift-bot: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
6 participants
Move the api currently stored in github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential into openshift/api/cloudcredential.
Add Makefile hooks for generating deepcopy/CRD.
This is primarily a direct copy over from cloud-credential-operator except for:
cloudcredential/register.gocloudcredential/v1/doc.gowith extra annotationscloudcredential/v1/register.gocloudcredential/v1/doc.goThe deepcopy has been regenerated, the swagger newly generated, and the CRD generated as well (matches current CRD in
openshift/cloud-credential-operator/manifests/00-crd.yaml.