CLOUDP-280230: Network peering controller and CRD

.github/workflows/test-e2e.yml

@@ -166,6 +166,7 @@ jobs:
             "long-run",
             "multinamespaced",
             "networkpeering",
+            "networkpeering-controller",
             "privatelink",
             "private-endpoint",
             "project-settings",

.mockery.yaml

@@ -16,3 +16,5 @@ packages:
   github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/privateendpoint:
   github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/maintenancewindow:
   github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/encryptionatrest:
+  github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/networkpeering:
+  github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/networkcontainer:

PROJECT

@@ -126,4 +126,21 @@ resources:
   kind: AtlasIPAccessList
   path: github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1
   version: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: mongodb.com
+  group: atlas
+  kind: AtlasNetworkContainer
+  path: github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1
+  version: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: mongodb.com
+  group: atlas
+  kind: AtlasNetworkPeering
+  path: github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1
+  version: v1
 version: "3"

api/condition.go

@@ -105,6 +105,11 @@ const (
 	IPAccessListReady ConditionType = "IPAccessListReady"
 )
 
+// Atlas Network Container condition types
+const (
+	NetworkContainerReady ConditionType = "NetworkContainerReady"
+)
+
 // Generic condition type
 const (
 	ResourceVersionStatus ConditionType = "ResourceVersionIsValid"

api/v1/atlasnetworkcontainer_types.go

@@ -0,0 +1,106 @@
+/*
+Copyright 2025 MongoDB.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1/status"
+)
+
+func init() {
+	SchemeBuilder.Register(&AtlasNetworkContainer{}, &AtlasNetworkContainerList{})
+}
+
+// AtlasNetworkContainer is the Schema for the AtlasNetworkContainer API
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
+// +kubebuilder:printcolumn:name="Provider",type=string,JSONPath=`.spec.provider`
+// +kubebuilder:printcolumn:name="Id",type=string,JSONPath=`.status.id`
+// +kubebuilder:printcolumn:name="Provisioned",type=string,JSONPath=`.status.provisioned`
+// +kubebuilder:subresource:status
+// +groupName:=atlas.mongodb.com
+// +kubebuilder:resource:categories=atlas,shortName=anc
+type AtlasNetworkContainer struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   AtlasNetworkContainerSpec          `json:"spec,omitempty"`
+	Status status.AtlasNetworkContainerStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// AtlasNetworkContainerList contains a list of AtlasNetworkContainer
+type AtlasNetworkContainerList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AtlasNetworkContainer `json:"items"`
+}
+
+// +kubebuilder:validation:XValidation:rule="(has(self.externalProjectRef) && !has(self.projectRef)) || (!has(self.externalProjectRef) && has(self.projectRef))",message="must define only one project reference through externalProjectRef or projectRef"
+// +kubebuilder:validation:XValidation:rule="(has(self.externalProjectRef) && has(self.connectionSecret)) || !has(self.externalProjectRef)",message="must define a local connection secret when referencing an external project"
+// +kubebuilder:validation:XValidation:rule="(self.provider == 'GCP' && !has(self.region)) || (self.provider != 'GCP')",message="must not set region for GCP containers"
+// +kubebuilder:validation:XValidation:rule="((self.provider == 'AWS' || self.provider == 'AZURE') && has(self.region)) || (self.provider == 'GCP')",message="must set region for AWS and Azure containers"
+
+// AtlasNetworkContainerSpec defines the desired state of an AtlasNetworkContainer
+type AtlasNetworkContainerSpec struct {
+	ProjectDualReference `json:",inline"`
+
+	// Provider is the name of the cloud provider hosting the network container
+	// +kubebuilder:validation:Enum=AWS;GCP;AZURE
+	// +kubebuilder:validation:Required
+	Provider string `json:"provider"`
+
+	AtlasNetworkContainerConfig `json:",inline"`
+}
+
+// AtlasNetworkContainerConfig defines the Atlas specifics of the desired state of a Network Container
+type AtlasNetworkContainerConfig struct {
+	// ContainerRegion is the provider region name of Atlas network peer container in Atlas region format
+	// This is required by AWS and Azure, but not used by GCP
+	// +optional
+	Region string `json:"region,omitempty"`
+
+	// Atlas CIDR. It needs to be set if ContainerID is not set.
+	// +required
+	CIDRBlock string `json:"cidrBlock"`
+}
+
+func (np *AtlasNetworkContainer) GetStatus() api.Status {
+	return np.Status
+}
+
+func (np *AtlasNetworkContainer) Credentials() *api.LocalObjectReference {
+	return np.Spec.ConnectionSecret
+}
+
+func (np *AtlasNetworkContainer) ProjectDualRef() *ProjectDualReference {
+	return &np.Spec.ProjectDualReference
+}
+
+func (np *AtlasNetworkContainer) UpdateStatus(conditions []api.Condition, options ...api.Option) {
+	np.Status.Conditions = conditions
+	np.Status.ObservedGeneration = np.ObjectMeta.Generation
+
+	for _, o := range options {
+		v := o.(status.AtlasNetworkContainerStatusOption)
+		v(&np.Status)
+	}
+}

api/v1/atlasnetworkcontainer_types_test.go

@@ -0,0 +1,101 @@
+package v1
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1/common"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1/provider"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/test/helper/cel"
+)
+
+func TestGCPRegionCELCcheck(t *testing.T) {
+	for _, tc := range []struct {
+		title          string
+		obj            *AtlasNetworkContainer
+		expectedErrors []string
+	}{
+		{
+			title: "GCP fails with a region",
+			obj: &AtlasNetworkContainer{
+				Spec: AtlasNetworkContainerSpec{
+					Provider: string(provider.ProviderGCP),
+					AtlasNetworkContainerConfig: AtlasNetworkContainerConfig{
+						Region: "some-region",
+					},
+				},
+			},
+			expectedErrors: []string{"spec: Invalid value: \"object\": must not set region for GCP containers"},
+		},
+		{
+			title: "GCP succeeds without a region",
+			obj: &AtlasNetworkContainer{
+				Spec: AtlasNetworkContainerSpec{
+					Provider: string(provider.ProviderGCP),
+				},
+			},
+		},
+		{
+			title: "AWS succeeds with a region",
+			obj: &AtlasNetworkContainer{
+				Spec: AtlasNetworkContainerSpec{
+					Provider: string(provider.ProviderAWS),
+					AtlasNetworkContainerConfig: AtlasNetworkContainerConfig{
+						Region: "some-region",
+					},
+				},
+			},
+		},
+		{
+			title: "Azure succeeds with a region",
+			obj: &AtlasNetworkContainer{
+				Spec: AtlasNetworkContainerSpec{
+					Provider: string(provider.ProviderAzure),
+					AtlasNetworkContainerConfig: AtlasNetworkContainerConfig{
+						Region: "some-region",
+					},
+				},
+			},
+		},
+		{
+			title: "AWS fails without a region",
+			obj: &AtlasNetworkContainer{
+				Spec: AtlasNetworkContainerSpec{
+					Provider: string(provider.ProviderAWS),
+				},
+			},
+			expectedErrors: []string{"spec: Invalid value: \"object\": must set region for AWS and Azure containers"},
+		},
+		{
+			title: "Azure fails without a region",
+			obj: &AtlasNetworkContainer{
+				Spec: AtlasNetworkContainerSpec{
+					Provider: string(provider.ProviderAzure),
+				},
+			},
+			expectedErrors: []string{"spec: Invalid value: \"object\": must set region for AWS and Azure containers"},
+		},
+	} {
+		t.Run(tc.title, func(t *testing.T) {
+			// inject a project to avoid other CEL validations being hit
+			tc.obj.Spec.ProjectRef = &common.ResourceRefNamespaced{Name: "some-project"}
+			unstructuredObject, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&tc.obj)
+			require.NoError(t, err)
+
+			crdPath := "../../config/crd/bases/atlas.mongodb.com_atlasnetworkcontainers.yaml"
+			validator, err := cel.VersionValidatorFromFile(t, crdPath, "v1")
+			assert.NoError(t, err)
+			errs := validator(unstructuredObject, nil)
+
+			require.Equal(t, len(tc.expectedErrors), len(errs), fmt.Sprintf("errs: %v", errs))
+
+			for i, err := range errs {
+				assert.Equal(t, tc.expectedErrors[i], err.Error())
+			}
+		})
+	}
+}

api/v1/atlasnetworkpeering_types.go

@@ -16,6 +16,58 @@ limitations under the License.
 
 package v1
 
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1/status"
+)
+
+func init() {
+	SchemeBuilder.Register(&AtlasNetworkPeering{}, &AtlasNetworkPeeringList{})
+}
+
+// AtlasNetworkPeering is the Schema for the AtlasNetworkPeering API
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
+// +kubebuilder:printcolumn:name="Provider",type=string,JSONPath=`.spec.provider`
+// +kubebuilder:printcolumn:name="Id",type=string,JSONPath=`.status.id`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
+// +kubebuilder:printcolumn:name="Container Provisioned",type=string,JSONPath=`.status.containerProvisioned`
+// +kubebuilder:subresource:status
+// +groupName:=atlas.mongodb.com
+// +kubebuilder:resource:categories=atlas,shortName=anp
+type AtlasNetworkPeering struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   AtlasNetworkPeeringSpec          `json:"spec,omitempty"`
+	Status status.AtlasNetworkPeeringStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// AtlasNetworkPeeringList contains a list of AtlasNetworkPeering
+type AtlasNetworkPeeringList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AtlasNetworkPeering `json:"items"`
+}
+
+// +kubebuilder:validation:XValidation:rule="(has(self.externalProjectRef) && !has(self.projectRef)) || (!has(self.externalProjectRef) && has(self.projectRef))",message="must define only one project reference through externalProjectRef or projectRef"
+// +kubebuilder:validation:XValidation:rule="(has(self.externalProjectRef) && has(self.connectionSecret)) || !has(self.externalProjectRef)",message="must define a local connection secret when referencing an external project"
+
+// AtlasNetworkPeeringSpec defines the desired state of AtlasNetworkPeering
+type AtlasNetworkPeeringSpec struct {
+	ProjectDualReference `json:",inline"`
+
+	AtlasNetworkPeeringConfig `json:",inline"`
+
+	AtlasProviderContainerConfig `json:",inline"`
+}
+
+// AtlasNetworkPeeringConfig defines the Atlas specifics of the desired state of Peering Connections
 type AtlasNetworkPeeringConfig struct {
 	// Name of the cloud service provider for which you want to create the network peering service.
 	// +kubebuilder:validation:Enum=AWS;GCP;AZURE
@@ -36,17 +88,19 @@ type AtlasNetworkPeeringConfig struct {
 	GCPConfiguration *GCPNetworkPeeringConfiguration `json:"gcpConfiguration,omitempty"`
 }
 
+// AtlasProviderContainerConfig defines the Atlas specifics of the desired state of Peering Container
 type AtlasProviderContainerConfig struct {
-	// ContainerRegion is the provider region name of Atlas network peer container. If not set, AccepterRegionName is used.
+	// ContainerRegion is the provider region name of Atlas network peer container in Atlas region format
 	// +optional
 	ContainerRegion string `json:"containerRegion"`
 	// Atlas CIDR. It needs to be set if ContainerID is not set.
 	// +optional
 	AtlasCIDRBlock string `json:"atlasCidrBlock"`
 }
 
+// AWSNetworkPeeringConfiguration defines tha Atlas desired state for AWS
 type AWSNetworkPeeringConfiguration struct {
-	// AccepterRegionName is the provider region name of user's vpc.
+	// AccepterRegionName is the provider region name of user's vpc in AWS native region format
 	AccepterRegionName string `json:"accepterRegionName"`
 	// AccountID of the user's vpc.
 	AWSAccountID string `json:"awsAccountId,omitempty"`
@@ -56,6 +110,7 @@ type AWSNetworkPeeringConfiguration struct {
 	VpcID string `json:"vpcId,omitempty"`
 }
 
+// AzureNetworkPeeringConfiguration defines tha Atlas desired state for Azure
 type AzureNetworkPeeringConfiguration struct {
 	//AzureDirectoryID is the unique identifier for an Azure AD directory.
 	AzureDirectoryID string `json:"azureDirectoryId,omitempty"`
@@ -67,9 +122,32 @@ type AzureNetworkPeeringConfiguration struct {
 	VNetName string `json:"vnetName,omitempty"`
 }
 
+// GCPNetworkPeeringConfiguration defines tha Atlas desired state for Google
 type GCPNetworkPeeringConfiguration struct {
 	// User GCP Project ID. Its applicable only for GCP.
 	GCPProjectID string `json:"gcpProjectId,omitempty"`
 	// GCP Network Peer Name. Its applicable only for GCP.
 	NetworkName string `json:"networkName,omitempty"`
 }
+
+func (np *AtlasNetworkPeering) GetStatus() api.Status {
+	return np.Status
+}
+
+func (np *AtlasNetworkPeering) Credentials() *api.LocalObjectReference {
+	return np.Spec.ConnectionSecret
+}
+
+func (np *AtlasNetworkPeering) ProjectDualRef() *ProjectDualReference {
+	return &np.Spec.ProjectDualReference
+}
+
+func (np *AtlasNetworkPeering) UpdateStatus(conditions []api.Condition, options ...api.Option) {
+	np.Status.Conditions = conditions
+	np.Status.ObservedGeneration = np.ObjectMeta.Generation
+
+	for _, o := range options {
+		v := o.(status.AtlasNetworkPeeringStatusOption)
+		v(&np.Status)
+	}
+}