From 2385943726b1ec086cf04f0e0a85055c1145054e Mon Sep 17 00:00:00 2001
From: Zijun Wang <32318664+zijun726911@users.noreply.github.com>
Date: Mon, 18 Sep 2023 12:24:32 -0700
Subject: [PATCH] Add VpcAssociationPolicy CRD (#396)

* Add VpcAssociationPolicy CRD

* Address PR comments

---------

Co-authored-by: Zijun Wang
---
 ...orking.k8s.aws_vpcassociationpolicies.yaml | 107 ++++++++++++++++++
 config/crds/kustomization.yaml | 1 +
 config/rbac/cluster-role-controller.yaml | 18 +++
 docs/developer.md | 1 +
 ...orking.k8s.aws_vpcassociationpolicies.yaml | 107 ++++++++++++++++++
 helm/templates/cluster-role-controller.yaml | 18 +++
 .../v1alpha1/targetgrouppolicy_types.go | 11 ++
 .../v1alpha1/vpcassociationpolicy_types.go | 71 ++++++++++++
 .../v1alpha1/zz_generated.deepcopy.go | 88 ++++++++++++++
 .../v1alpha1/zz_generated.register.go | 2 +
 pkg/model/core/policy.go | 11 ++
 11 files changed, 435 insertions(+)
 create mode 100644 config/crds/bases/application-networking.k8s.aws_vpcassociationpolicies.yaml
 create mode 100644 helm/crds/application-networking.k8s.aws_vpcassociationpolicies.yaml
 create mode 100644 pkg/apis/applicationnetworking/v1alpha1/vpcassociationpolicy_types.go
 create mode 100644 pkg/model/core/policy.go
diff --git a/config/crds/bases/application-networking.k8s.aws_vpcassociationpolicies.yaml b/config/crds/bases/application-networking.k8s.aws_vpcassociationpolicies.yaml
new file mode 100644
index 00000000..fcf06132
--- /dev/null
+++ b/config/crds/bases/application-networking.k8s.aws_vpcassociationpolicies.yaml
@@ -0,0 +1,107 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: vpcassociationpolicies.application-networking.k8s.aws +spec: + group: application-networking.k8s.aws + names: + categories: + - gateway-api + kind: VpcAssociationPolicy + listKind: VpcAssociationPolicyList + plural: vpcassociationpolicies + shortNames: + - vap + singular: vpcassociationpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy. + properties: + associateWithVpc: + description: "AssociateWithVpc indicates whether the VpcServiceNetworkAssociation + should be created for the current VPC of k8s cluster. \n Both this + flag and Gateway annotation \"application-networking.k8s.aws/lattice-vpc-association\" + are reserved tentatively for backward compatibility. Either one + of them set to true or both of them undefined will result in the + VpcServiceNetworkAssociation created." 
+ type: boolean + securityGroupIds: + description: "SecurityGroupIds defines the security groups enforced + on the VpcServiceNetworkAssociation. Security groups does not take + effect if AssociateWithVpc is set to false. \n For more details, + please check the VPC Lattice documentation https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html" + items: + maxLength: 32 + minLength: 3 + pattern: ^sg-[0-9a-z]+$ + type: string + minItems: 1 + type: array + targetRef: + description: "TargetRef points to the kubernetes Gateway resource + that will have this policy attached. \n This field is following + the guidelines of Kubernetes Gateway API policy attachment." + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it MUST only apply + to traffic originating from the same namespace as the policy. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/config/crds/kustomization.yaml b/config/crds/kustomization.yaml index b44750c4..3065722c 100644 --- a/config/crds/kustomization.yaml +++ b/config/crds/kustomization.yaml 
@@ -6,3 +6,4 @@ resources:
 - bases/multicluster.x-k8s.io_serviceimports.yaml
 - bases/externaldns.k8s.io_dnsendpoints.yaml
 - bases/application-networking.k8s.aws_targetgrouppolicies.yaml
+ - bases/application-networking.k8s.aws_vpcassociationpolicies.yaml
diff --git a/config/rbac/cluster-role-controller.yaml b/config/rbac/cluster-role-controller.yaml
index 0d4584d4..e728b747 100644
--- a/config/rbac/cluster-role-controller.yaml
+++ b/config/rbac/cluster-role-controller.yaml
@@ -294,3 +294,21 @@ rules:
 - targetgrouppolicies/finalizers
 verbs:
 - update
+- apiGroups:
+ - application-networking.k8s.aws
+ resources:
+ - vpcassociationpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - application-networking.k8s.aws
+ resources:
+ - vpcassociationpolicies/finalizers
+ verbs:
+ - update
\ No newline at end of file
diff --git a/docs/developer.md b/docs/developer.md
index 7886768b..42edaeea 100644
--- a/docs/developer.md
+++ b/docs/developer.md
@@ -70,6 +70,7 @@ kubectl apply -f config/crds/bases/multicluster.x-k8s.io_serviceexports.yaml
 kubectl apply -f config/crds/bases/multicluster.x-k8s.io_serviceimports.yaml
 kubectl apply -f config/crds/bases/externaldns.k8s.io_dnsendpoints.yaml
 kubectl apply -f config/crds/bases/application-networking.k8s.aws_targetgrouppolicies.yaml
+kubectl apply -f config/crds/bases/application-networking.k8s.aws_vpcassociationpolicies.yaml
 kubectl apply -f examples/gatewayclass.yaml
 ```
 
diff --git a/helm/crds/application-networking.k8s.aws_vpcassociationpolicies.yaml b/helm/crds/application-networking.k8s.aws_vpcassociationpolicies.yaml
new file mode 100644
index 00000000..fcf06132
--- /dev/null
+++ b/helm/crds/application-networking.k8s.aws_vpcassociationpolicies.yaml
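Review bot: The first new rule grants `create`, `delete`, `patch` and `update` on `vpcassociationpolicies`, but nothing in this commit shows the controller creating, deleting or rewriting these policy objects; a reconciler that only reads them needs `get`, `list` and `watch` there, with `update` on `vpcassociationpolicies/finalizers` already covered by the second rule. Unless a later change needs the controller to write the policy itself, narrowing the first rule to `- get`, `- list`, `- watch` keeps the ClusterRole at least privilege; the same applies to the identical rule added to helm/templates/cluster-role-controller.yaml in this commit. The verbs presumably copy the preceding targetgrouppolicies rule, whose body starts outside the hunk, so both may be best tightened together. Note also that this file now ends without a trailing newline while the helm copy keeps one; since the two are maintained by hand, keeping them textually identical makes drift easier to spot.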
@@ -0,0 +1,107 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: vpcassociationpolicies.application-networking.k8s.aws +spec: + group: application-networking.k8s.aws + names: + categories: + - gateway-api + kind: VpcAssociationPolicy + listKind: VpcAssociationPolicyList + plural: vpcassociationpolicies + shortNames: + - vap + singular: vpcassociationpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy. + properties: + associateWithVpc: + description: "AssociateWithVpc indicates whether the VpcServiceNetworkAssociation + should be created for the current VPC of k8s cluster. \n Both this + flag and Gateway annotation \"application-networking.k8s.aws/lattice-vpc-association\" + are reserved tentatively for backward compatibility. Either one + of them set to true or both of them undefined will result in the + VpcServiceNetworkAssociation created." 
+ type: boolean + securityGroupIds: + description: "SecurityGroupIds defines the security groups enforced + on the VpcServiceNetworkAssociation. Security groups does not take + effect if AssociateWithVpc is set to false. \n For more details, + please check the VPC Lattice documentation https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html" + items: + maxLength: 32 + minLength: 3 + pattern: ^sg-[0-9a-z]+$ + type: string + minItems: 1 + type: array + targetRef: + description: "TargetRef points to the kubernetes Gateway resource + that will have this policy attached. \n This field is following + the guidelines of Kubernetes Gateway API policy attachment." + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it MUST only apply + to traffic originating from the same namespace as the policy. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/helm/templates/cluster-role-controller.yaml b/helm/templates/cluster-role-controller.yaml index 36bcec35..695f28bb 100644 --- a/helm/templates/cluster-role-controller.yaml +++ b/helm/templates/cluster-role-controller.yaml 
@@ -309,3 +309,21 @@ rules:
 - targetgrouppolicies/finalizers
 verbs:
 - update
+- apiGroups:
+ - application-networking.k8s.aws
+ resources:
+ - vpcassociationpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - application-networking.k8s.aws
+ resources:
+ - vpcassociationpolicies/finalizers
+ verbs:
+ - update
diff --git a/pkg/apis/applicationnetworking/v1alpha1/targetgrouppolicy_types.go b/pkg/apis/applicationnetworking/v1alpha1/targetgrouppolicy_types.go
index 019044e0..9e7a130b 100644
--- a/pkg/apis/applicationnetworking/v1alpha1/targetgrouppolicy_types.go
+++ b/pkg/apis/applicationnetworking/v1alpha1/targetgrouppolicy_types.go
@@ -2,7 +2,10 @@ package v1alpha1
 
 import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+ "github.com/aws/aws-application-networking-k8s/pkg/k8s"
 )
 
 const (
@@ -125,3 +128,11 @@ const (
 HealthCheckProtocolVersionHTTP1 HealthCheckProtocolVersion = "HTTP1"
 HealthCheckProtocolVersionHTTP2 HealthCheckProtocolVersion = "HTTP2"
 )
+
+func (p *TargetGroupPolicy) GetTargetRef() *v1alpha2.PolicyTargetReference {
+ return p.Spec.TargetRef
+}
+
+func (p *TargetGroupPolicy) GetNamespacedName() types.NamespacedName {
+ return k8s.NamespacedName(p)
+}
diff --git a/pkg/apis/applicationnetworking/v1alpha1/vpcassociationpolicy_types.go b/pkg/apis/applicationnetworking/v1alpha1/vpcassociationpolicy_types.go
new file mode 100644
index 00000000..927b494e
--- /dev/null
+++ b/pkg/apis/applicationnetworking/v1alpha1/vpcassociationpolicy_types.go
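Review bot: `GetTargetRef` and `GetNamespacedName` are new exported methods on `TargetGroupPolicy` without doc comments, and `GetTargetRef` hands back the `Spec.TargetRef` pointer unchanged, so it is nil whenever that field is unset; that contract should be written down because callers will reach it through the new `core.Policy` interface rather than the concrete type. Suggested: `// GetTargetRef returns the Gateway API target this policy attaches to, or nil if spec.targetRef is unset.` and `// GetNamespacedName returns the policy's namespace and name as a types.NamespacedName.`. The import hunk also makes the API types package depend on `pkg/k8s`; if that package (not visible here) imports v1alpha1, this becomes an import cycle, so worth confirming before merge. The same two methods added to `VpcAssociationPolicy` in this commit have the same gaps.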
@@ -0,0 +1,71 @@
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+ "github.com/aws/aws-application-networking-k8s/pkg/k8s"
+)
+
+const (
+ VpcAssociationPolicyKind = "VpcAssociationPolicy"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=gateway-api,shortName=vap
+// +kubebuilder:storageversion
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+type VpcAssociationPolicy struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec VpcAssociationPolicySpec `json:"spec"`
+}
+
+// +kubebuilder:object:root=true
+// VpcAssociationPolicyList contains a list of VpcAssociationPolicies.
+type VpcAssociationPolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []VpcAssociationPolicy `json:"items"`
+}
+
+// +kubebuilder:validation:MaxLength=32
+// +kubebuilder:validation:MinLength=3
+// +kubebuilder:validation:Pattern=`^sg-[0-9a-z]+$`
+type SecurityGroupId string
+
+// VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy.
+type VpcAssociationPolicySpec struct {
+
+ // SecurityGroupIds defines the security groups enforced on the VpcServiceNetworkAssociation.
+ // Security groups does not take effect if AssociateWithVpc is set to false.
+ //
+ // For more details, please check the VPC Lattice documentation https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html
+ //
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ SecurityGroupIds []SecurityGroupId `json:"securityGroupIds,omitempty"`
+
+ // AssociateWithVpc indicates whether the VpcServiceNetworkAssociation should be created for the current VPC of k8s cluster.
+ //
+ // Both this flag and Gateway annotation "application-networking.k8s.aws/lattice-vpc-association" are reserved tentatively for backward compatibility.
+ // Either one of them set to true or both of them undefined will result in the VpcServiceNetworkAssociation created.
+ // +optional
+ AssociateWithVpc *bool `json:"associateWithVpc,omitempty"`
+
+ // TargetRef points to the kubernetes Gateway resource that will have this policy attached.
+ //
+ // This field is following the guidelines of Kubernetes Gateway API policy attachment.
+ TargetRef *v1alpha2.PolicyTargetReference `json:"targetRef"`
+}
+
+func (p *VpcAssociationPolicy) GetTargetRef() *v1alpha2.PolicyTargetReference {
+ return p.Spec.TargetRef
+}
+
+func (p *VpcAssociationPolicy) GetNamespacedName() types.NamespacedName {
+ return k8s.NamespacedName(p)
+}
diff --git a/pkg/apis/applicationnetworking/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/applicationnetworking/v1alpha1/zz_generated.deepcopy.go
index 02c25443..9d83c8d0 100644
--- a/pkg/apis/applicationnetworking/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/applicationnetworking/v1alpha1/zz_generated.deepcopy.go
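Review bot: `VpcAssociationPolicy` has only kubebuilder markers above it and no doc sentence, so the CRD carries no description of the resource itself, and the `AssociateWithVpc` comment leaves the mixed case undefined: it covers one of the field or the `lattice-vpc-association` annotation being true and both being unset, but not one being false while the other is true or unset. State the precedence in that comment, e.g. `// When both are set, this field takes precedence over the annotation.` if that is what the reconciler does, since this is the contract users will rely on; the neighbouring `// Security groups does not take effect` should read `// Security groups do not take effect`. `SecurityGroupId` is validated with `^sg-[0-9a-z]+$` and MaxLength 32, which admits values AWS never issues; security group ids are `sg-` followed by 8 or 17 hex characters, so `^sg-[0-9a-f]{8,17}$` would reject malformed ids at admission rather than at the Lattice API call, though this is optional if the controller only forwards them. The type also has no Status, so users get no condition telling them whether the policy attached; the Gateway API policy-attachment guidelines the comment cites expect one, which is worth a follow-up.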
@@ -166,3 +166,91 @@ func (in *TargetGroupPolicySpec) DeepCopy() *TargetGroupPolicySpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VpcAssociationPolicy) DeepCopyInto(out *VpcAssociationPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VpcAssociationPolicy. +func (in *VpcAssociationPolicy) DeepCopy() *VpcAssociationPolicy { + if in == nil { + return nil + } + out := new(VpcAssociationPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *VpcAssociationPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VpcAssociationPolicyList) DeepCopyInto(out *VpcAssociationPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]VpcAssociationPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VpcAssociationPolicyList. +func (in *VpcAssociationPolicyList) DeepCopy() *VpcAssociationPolicyList { + if in == nil { + return nil + } + out := new(VpcAssociationPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *VpcAssociationPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VpcAssociationPolicySpec) DeepCopyInto(out *VpcAssociationPolicySpec) { + *out = *in + if in.SecurityGroupIds != nil { + in, out := &in.SecurityGroupIds, &out.SecurityGroupIds + *out = make([]SecurityGroupId, len(*in)) + copy(*out, *in) + } + if in.AssociateWithVpc != nil { + in, out := &in.AssociateWithVpc, &out.AssociateWithVpc + *out = new(bool) + **out = **in + } + if in.TargetRef != nil { + in, out := &in.TargetRef, &out.TargetRef + *out = new(v1alpha2.PolicyTargetReference) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VpcAssociationPolicySpec. +func (in *VpcAssociationPolicySpec) DeepCopy() *VpcAssociationPolicySpec { + if in == nil { + return nil + } + out := new(VpcAssociationPolicySpec) + in.DeepCopyInto(out) + return out +} diff --git a/pkg/apis/applicationnetworking/v1alpha1/zz_generated.register.go b/pkg/apis/applicationnetworking/v1alpha1/zz_generated.register.go index 3635e30b..3ee000e2 100644 --- a/pkg/apis/applicationnetworking/v1alpha1/zz_generated.register.go +++ b/pkg/apis/applicationnetworking/v1alpha1/zz_generated.register.go @@ -59,6 +59,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &TargetGroupPolicy{}, &TargetGroupPolicyList{}, + &VpcAssociationPolicy{}, + &VpcAssociationPolicyList{}, ) // AddToGroupVersion allows the serialization of client types like ListOptions. v1.AddToGroupVersion(scheme, SchemeGroupVersion) diff --git a/pkg/model/core/policy.go b/pkg/model/core/policy.go new file mode 100644 index 00000000..36de5b3f --- /dev/null +++ b/pkg/model/core/policy.go 
@@ -0,0 +1,11 @@
+package core
+
+import (
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/gateway-api/apis/v1alpha2"
+)
+
+type Policy interface {
+ GetNamespacedName() types.NamespacedName
+ GetTargetRef() *v1alpha2.PolicyTargetReference
+}
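Review bot: `Policy` is an exported interface with no doc comment, and nothing states that `GetTargetRef` may return nil, which both implementations in this commit do when `spec.targetRef` is unset. Suggested: `// Policy is a Gateway API policy-attachment resource reconciled by the controller.` above the type and `// GetTargetRef returns the attachment target, or nil if none is set.` above the method, so consumers know to check before dereferencing. A compile-time assertion such as `var _ core.Policy = (*v1alpha1.VpcAssociationPolicy)(nil)` would catch the two types drifting from this interface; which package can host it without an import cycle is not visible here.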