Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create AccessLogPolicy CRD #420

Merged
merged 7 commits into from
Oct 4, 2023
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
name: accesslogpolicies.application-networking.k8s.aws
spec:
group: application-networking.k8s.aws
names:
categories:
- gateway-api
kind: AccessLogPolicy
listKind: AccessLogPolicyList
plural: accesslogpolicies
shortNames:
- alp
singular: accesslogpolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AccessLogPolicySpec defines the desired state of AccessLogPolicy.
properties:
destinationArn:
description: "The Amazon Resource Name (ARN) of the destination that
will store access logs. Supported values are S3 Bucket, CloudWatch
Log Group, and Firehose Delivery Stream ARNs. \n Changes to this
value results in replacement of the VPC Lattice Access Log Subscription."
pattern: ^arn(:[a-z0-9]+([.-][a-z0-9]+)*){2}(:([a-z0-9]+([.-][a-z0-9]+)*)?){2}:([^/].*)?
type: string
targetRef:
description: "TargetRef points to the kubernetes Service or Gateway
resource that will have this policy attached. \n This field is following
the guidelines of Kubernetes Gateway API policy attachment."
properties:
group:
description: Group is the group of the target resource.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the target resource.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the target resource.
maxLength: 253
minLength: 1
type: string
namespace:
description: Namespace is the namespace of the referent. When
unspecified, the local namespace is inferred. Even when policy
targets a resource in a different namespace, it MUST only apply
to traffic originating from the same namespace as the policy.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- name
type: object
required:
- targetRef
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
1 change: 1 addition & 0 deletions config/crds/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,4 @@ resources:
- bases/externaldns.k8s.io_dnsendpoints.yaml
- bases/application-networking.k8s.aws_targetgrouppolicies.yaml
- bases/application-networking.k8s.aws_vpcassociationpolicies.yaml
- bases/application-networking.k8s.aws_accesslogpolicies.yaml
18 changes: 18 additions & 0 deletions config/rbac/cluster-role-controller.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -310,5 +310,23 @@ rules:
- application-networking.k8s.aws
resources:
- vpcassociationpolicies/finalizers
verbs:
- update
- apiGroups:
- application-networking.k8s.aws
resources:
- accesslogpolicies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- application-networking.k8s.aws
resources:
- accesslogpolicies/finalizers
verbs:
- update
1 change: 1 addition & 0 deletions docs/developer.md
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ kubectl apply -f config/crds/bases/multicluster.x-k8s.io_serviceimports.yaml
kubectl apply -f config/crds/bases/externaldns.k8s.io_dnsendpoints.yaml
kubectl apply -f config/crds/bases/application-networking.k8s.aws_targetgrouppolicies.yaml
kubectl apply -f config/crds/bases/application-networking.k8s.aws_vpcassociationpolicies.yaml
kubectl apply -f config/crds/bases/application-networking.k8s.aws_accesslogpolicies.yaml
kubectl apply -f examples/gatewayclass.yaml
```

Expand Down
94 changes: 94 additions & 0 deletions helm/crds/application-networking.k8s.aws_accesslogpolicies.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
---
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why we duplicate crd and template to helm? may be there is a difference that I couldn't spot

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed this is how we did it with previous CRD additions, such as https://github.com/aws/aws-application-networking-k8s/pull/339/files

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
name: accesslogpolicies.application-networking.k8s.aws
spec:
group: application-networking.k8s.aws
names:
categories:
- gateway-api
kind: AccessLogPolicy
listKind: AccessLogPolicyList
plural: accesslogpolicies
shortNames:
- alp
singular: accesslogpolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AccessLogPolicySpec defines the desired state of AccessLogPolicy.
properties:
destinationArn:
description: "The Amazon Resource Name (ARN) of the destination that
will store access logs. Supported values are S3 Bucket, CloudWatch
Log Group, and Firehose Delivery Stream ARNs. \n Changes to this
value results in replacement of the VPC Lattice Access Log Subscription."
pattern: ^arn(:[a-z0-9]+([.-][a-z0-9]+)*){2}(:([a-z0-9]+([.-][a-z0-9]+)*)?){2}:([^/].*)?
type: string
targetRef:
description: "TargetRef points to the kubernetes Service or Gateway
resource that will have this policy attached. \n This field is following
the guidelines of Kubernetes Gateway API policy attachment."
properties:
group:
description: Group is the group of the target resource.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the target resource.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the target resource.
maxLength: 253
minLength: 1
type: string
namespace:
description: Namespace is the namespace of the referent. When
unspecified, the local namespace is inferred. Even when policy
targets a resource in a different namespace, it MUST only apply
to traffic originating from the same namespace as the policy.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- group
- kind
- name
type: object
required:
- targetRef
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
18 changes: 18 additions & 0 deletions helm/templates/cluster-role-controller.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -327,3 +327,21 @@ rules:
- vpcassociationpolicies/finalizers
verbs:
- update
- apiGroups:
- application-networking.k8s.aws
resources:
- accesslogpolicies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- application-networking.k8s.aws
resources:
- accesslogpolicies/finalizers
verbs:
- update
66 changes: 66 additions & 0 deletions pkg/apis/applicationnetworking/v1alpha1/accesslogpolicy_types.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
package v1alpha1

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/gateway-api/apis/v1alpha2"

"github.com/aws/aws-application-networking-k8s/pkg/k8s"
"github.com/aws/aws-application-networking-k8s/pkg/model/core"
)

const (
AccessLogPolicyKind = "AccessLogPolicy"
)

// +genclient
// +kubebuilder:object:root=true
// +kubebuilder:resource:categories=gateway-api,shortName=alp
// +kubebuilder:storageversion
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
type AccessLogPolicy struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`

Spec AccessLogPolicySpec `json:"spec"`
}

// +kubebuilder:object:root=true
// AccessLogPolicyList contains a list of AccessLogPolicies.
type AccessLogPolicyList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []AccessLogPolicy `json:"items"`
}

// AccessLogPolicySpec defines the desired state of AccessLogPolicy.
type AccessLogPolicySpec struct {
// The Amazon Resource Name (ARN) of the destination that will store access logs.
// Supported values are S3 Bucket, CloudWatch Log Group, and Firehose Delivery Stream ARNs.
//
// Changes to this value results in replacement of the VPC Lattice Access Log Subscription.
// +optional
// +kubebuilder:validation:Pattern=`^arn(:[a-z0-9]+([.-][a-z0-9]+)*){2}(:([a-z0-9]+([.-][a-z0-9]+)*)?){2}:([^/].*)?`
DestinationArn *string `json:"destinationArn,omitempty"`

// TargetRef points to the kubernetes Service or Gateway resource that will have this policy attached.
//
// This field is following the guidelines of Kubernetes Gateway API policy attachment.
TargetRef *v1alpha2.PolicyTargetReference `json:"targetRef"`
}

func (p *AccessLogPolicy) GetTargetRef() *v1alpha2.PolicyTargetReference {
return p.Spec.TargetRef
}

func (p *AccessLogPolicy) GetNamespacedName() types.NamespacedName {
return k8s.NamespacedName(p)
}

func (pl *AccessLogPolicyList) GetItems() []core.Policy {
items := make([]core.Policy, len(pl.Items))
for i, item := range pl.Items {
items[i] = &item
}
return items
}
Loading