Add VpcAssociationPolicy CRD (#396)

* Add VpcAssociationPolicy CRD

* Address PR comments

---------

Co-authored-by: Zijun Wang <[email protected]>

config/crds/bases/application-networking.k8s.aws_vpcassociationpolicies.yaml

@@ -0,0 +1,107 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  name: vpcassociationpolicies.application-networking.k8s.aws
+spec:
+  group: application-networking.k8s.aws
+  names:
+    categories:
+    - gateway-api
+    kind: VpcAssociationPolicy
+    listKind: VpcAssociationPolicyList
+    plural: vpcassociationpolicies
+    shortNames:
+    - vap
+    singular: vpcassociationpolicy
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy.
+            properties:
+              associateWithVpc:
+                description: "AssociateWithVpc indicates whether the VpcServiceNetworkAssociation
+                  should be created for the current VPC of k8s cluster. \n Both this
+                  flag and Gateway annotation \"application-networking.k8s.aws/lattice-vpc-association\"
+                  are reserved tentatively for backward compatibility. Either one
+                  of them set to true or both of them undefined will result in the
+                  VpcServiceNetworkAssociation created."
+                type: boolean
+              securityGroupIds:
+                description: "SecurityGroupIds defines the security groups enforced
+                  on the VpcServiceNetworkAssociation. Security groups does not take
+                  effect if AssociateWithVpc is set to false. \n For more details,
+                  please check the VPC Lattice documentation https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html"
+                items:
+                  maxLength: 32
+                  minLength: 3
+                  pattern: ^sg-[0-9a-z]+$
+                  type: string
+                minItems: 1
+                type: array
+              targetRef:
+                description: "TargetRef points to the kubernetes Gateway resource
+                  that will have this policy attached. \n This field is following
+                  the guidelines of Kubernetes Gateway API policy attachment."
+                properties:
+                  group:
+                    description: Group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: Kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: Name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the referent. When
+                      unspecified, the local namespace is inferred. Even when policy
+                      targets a resource in a different namespace, it MUST only apply
+                      to traffic originating from the same namespace as the policy.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                    type: string
+                required:
+                - group
+                - kind
+                - name
+                type: object
+            required:
+            - targetRef
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}

config/crds/kustomization.yaml

@@ -6,3 +6,4 @@ resources:
   - bases/multicluster.x-k8s.io_serviceimports.yaml
   - bases/externaldns.k8s.io_dnsendpoints.yaml
   - bases/application-networking.k8s.aws_targetgrouppolicies.yaml
+  - bases/application-networking.k8s.aws_vpcassociationpolicies.yaml

config/rbac/cluster-role-controller.yaml

@@ -294,3 +294,21 @@ rules:
     - targetgrouppolicies/finalizers
   verbs:
     - update
+- apiGroups:
+    - application-networking.k8s.aws
+  resources:
+    - vpcassociationpolicies
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - application-networking.k8s.aws
+  resources:
+    - vpcassociationpolicies/finalizers
+  verbs:
+    - update

docs/developer.md

@@ -70,6 +70,7 @@ kubectl apply -f config/crds/bases/multicluster.x-k8s.io_serviceexports.yaml
 kubectl apply -f config/crds/bases/multicluster.x-k8s.io_serviceimports.yaml
 kubectl apply -f config/crds/bases/externaldns.k8s.io_dnsendpoints.yaml
 kubectl apply -f config/crds/bases/application-networking.k8s.aws_targetgrouppolicies.yaml
+kubectl apply -f config/crds/bases/application-networking.k8s.aws_vpcassociationpolicies.yaml
 kubectl apply -f examples/gatewayclass.yaml
 ```
 

helm/crds/application-networking.k8s.aws_vpcassociationpolicies.yaml

@@ -0,0 +1,107 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  name: vpcassociationpolicies.application-networking.k8s.aws
+spec:
+  group: application-networking.k8s.aws
+  names:
+    categories:
+    - gateway-api
+    kind: VpcAssociationPolicy
+    listKind: VpcAssociationPolicyList
+    plural: vpcassociationpolicies
+    shortNames:
+    - vap
+    singular: vpcassociationpolicy
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy.
+            properties:
+              associateWithVpc:
+                description: "AssociateWithVpc indicates whether the VpcServiceNetworkAssociation
+                  should be created for the current VPC of k8s cluster. \n Both this
+                  flag and Gateway annotation \"application-networking.k8s.aws/lattice-vpc-association\"
+                  are reserved tentatively for backward compatibility. Either one
+                  of them set to true or both of them undefined will result in the
+                  VpcServiceNetworkAssociation created."
+                type: boolean
+              securityGroupIds:
+                description: "SecurityGroupIds defines the security groups enforced
+                  on the VpcServiceNetworkAssociation. Security groups does not take
+                  effect if AssociateWithVpc is set to false. \n For more details,
+                  please check the VPC Lattice documentation https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html"
+                items:
+                  maxLength: 32
+                  minLength: 3
+                  pattern: ^sg-[0-9a-z]+$
+                  type: string
+                minItems: 1
+                type: array
+              targetRef:
+                description: "TargetRef points to the kubernetes Gateway resource
+                  that will have this policy attached. \n This field is following
+                  the guidelines of Kubernetes Gateway API policy attachment."
+                properties:
+                  group:
+                    description: Group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: Kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: Name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the referent. When
+                      unspecified, the local namespace is inferred. Even when policy
+                      targets a resource in a different namespace, it MUST only apply
+                      to traffic originating from the same namespace as the policy.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                    type: string
+                required:
+                - group
+                - kind
+                - name
+                type: object
+            required:
+            - targetRef
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}

helm/templates/cluster-role-controller.yaml

@@ -309,3 +309,21 @@ rules:
     - targetgrouppolicies/finalizers
   verbs:
     - update
+- apiGroups:
+    - application-networking.k8s.aws
+  resources:
+    - vpcassociationpolicies
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - application-networking.k8s.aws
+  resources:
+    - vpcassociationpolicies/finalizers
+  verbs:
+    - update

pkg/apis/applicationnetworking/v1alpha1/targetgrouppolicy_types.go

@@ -2,7 +2,10 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+	"github.com/aws/aws-application-networking-k8s/pkg/k8s"
 )
 
 const (
@@ -125,3 +128,11 @@ const (
 	HealthCheckProtocolVersionHTTP1 HealthCheckProtocolVersion = "HTTP1"
 	HealthCheckProtocolVersionHTTP2 HealthCheckProtocolVersion = "HTTP2"
 )
+
+func (p *TargetGroupPolicy) GetTargetRef() *v1alpha2.PolicyTargetReference {
+	return p.Spec.TargetRef
+}
+
+func (p *TargetGroupPolicy) GetNamespacedName() types.NamespacedName {
+	return k8s.NamespacedName(p)
+}

pkg/apis/applicationnetworking/v1alpha1/vpcassociationpolicy_types.go

@@ -0,0 +1,71 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+	"github.com/aws/aws-application-networking-k8s/pkg/k8s"
+)
+
+const (
+	VpcAssociationPolicyKind = "VpcAssociationPolicy"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=gateway-api,shortName=vap
+// +kubebuilder:storageversion
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+type VpcAssociationPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec VpcAssociationPolicySpec `json:"spec"`
+}
+
+// +kubebuilder:object:root=true
+// VpcAssociationPolicyList contains a list of VpcAssociationPolicies.
+type VpcAssociationPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []VpcAssociationPolicy `json:"items"`
+}
+
+// +kubebuilder:validation:MaxLength=32
+// +kubebuilder:validation:MinLength=3
+// +kubebuilder:validation:Pattern=`^sg-[0-9a-z]+$`
+type SecurityGroupId string
+
+// VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy.
+type VpcAssociationPolicySpec struct {
+
+	// SecurityGroupIds defines the security groups enforced on the VpcServiceNetworkAssociation.
+	// Security groups does not take effect if AssociateWithVpc is set to false.
+	//
+	// For more details, please check the VPC Lattice documentation https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html
+	//
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	SecurityGroupIds []SecurityGroupId `json:"securityGroupIds,omitempty"`
+
+	// AssociateWithVpc indicates whether the VpcServiceNetworkAssociation should be created for the current VPC of k8s cluster.
+	//
+	// Both this flag and Gateway annotation "application-networking.k8s.aws/lattice-vpc-association" are reserved tentatively for backward compatibility.
+	// Either one of them set to true or both of them undefined will result in the VpcServiceNetworkAssociation created.
+	// +optional
+	AssociateWithVpc *bool `json:"associateWithVpc,omitempty"`
+
+	// TargetRef points to the kubernetes Gateway resource that will have this policy attached.
+	//
+	// This field is following the guidelines of Kubernetes Gateway API policy attachment.
+	TargetRef *v1alpha2.PolicyTargetReference `json:"targetRef"`
+}
+
+func (p *VpcAssociationPolicy) GetTargetRef() *v1alpha2.PolicyTargetReference {
+	return p.Spec.TargetRef
+}
+
+func (p *VpcAssociationPolicy) GetNamespacedName() types.NamespacedName {
+	return k8s.NamespacedName(p)
+}