feat(CU-8694n3ec4): add policy controller (#33)

* feat(CU-8694n3ec4): add policy controller * fixup! remove useless MinLength for Policy `spec.type` * fixup! simplify k8s error usage * fixup! use `slices.Contains` to simplify code * fixup! fix Policy `spec.spaceName` and `spec.spaceId` validation * fixup! add policy sample * fixup! remove useless label * fixup! fix typo * fixup! add more info to log context * fixup! fix mistake in the policy controller
spacelift-io · Jun 14, 2024 · a16c83e · a16c83e
1 parent 4a80cbd
commit a16c83e
Show file tree

Hide file tree

Showing 32 changed files with 2,157 additions and 33 deletions.
diff --git a/PROJECT b/PROJECT
@@ -40,4 +40,12 @@ resources:
   kind: Context
   path: github.com/spacelift-io/spacelift-operator/api/v1beta1
   version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: app.spacelift.io
+  kind: Policy
+  path: github.com/spacelift-io/spacelift-operator/api/v1beta1
+  version: v1beta1
 version: "3"
diff --git a/api/v1beta1/policy_types.go b/api/v1beta1/policy_types.go
@@ -0,0 +1,84 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/spacelift-io/spacelift-operator/internal/spacelift/models"
+)
+
+// PolicySpec defines the desired state of Policy
+// +kubebuilder:validation:XValidation:rule="(has(self.spaceName) != has(self.spaceId)) || (!has(self.spaceName) && !has(self.spaceId))",message="only one of spaceName or spaceId can be set"
+type PolicySpec struct {
+	// Name of the policy - should be unique in one account
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+	// Body of the policy
+	// +kubebuilder:validation:MinLength=1
+	Body string `json:"body"`
+	// Type of the policy. Possible values are ACCESS, APPROVAL, GIT_PUSH, INITIALIZATION, LOGIN, PLAN, TASK, TRIGGER and NOTIFICATION.
+	// Deprecated values are STACK_ACCESS (use ACCESS instead), TASK_RUN (use TASK instead), and TERRAFORM_PLAN (use PLAN instead).
+	// +kubebuilder:validation:Enum:=ACCESS;APPROVAL;GIT_PUSH;INITIALIZATION;LOGIN;PLAN;TASK;TRIGGER;NOTIFICATION
+	Type string `json:"type"`
+
+	// Description of the policy
+	Description *string  `json:"description,omitempty"`
+	Labels      []string `json:"labels,omitempty"`
+
+	// SpaceName is Name of a Space kubernetes resource of the space the policy is in
+	SpaceName *string `json:"spaceName,omitempty"`
+	// SpaceId is ID (slug) of the space the policy is in
+	SpaceId *string `json:"spaceId,omitempty"`
+
+	AttachedStacksNames []string `json:"attachedStacks,omitempty"`
+	AttachedStacksIds   []string `json:"attachedStacksIds,omitempty"`
+}
+
+// PolicyStatus defines the observed state of Policy
+type PolicyStatus struct {
+	Id string `json:"id"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// Policy is the Schema for the policies API
+type Policy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PolicySpec   `json:"spec,omitempty"`
+	Status PolicyStatus `json:"status,omitempty"`
+}
+
+func (p *Policy) SetPolicy(policy models.Policy) {
+	p.Status.Id = policy.Id
+}
+
+//+kubebuilder:object:root=true
+
+// PolicyList contains a list of Policy
+type PolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Policy `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Policy{}, &PolicyList{})
+}
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/cmd/main.go b/cmd/main.go
@@ -113,9 +113,11 @@ func main() {
 	spaceRepo := repository.NewSpaceRepository(mgr.GetClient())
 	contextRepo := repository.NewContextRepository(mgr.GetClient(), mgr.GetScheme())
 	secretRepo := repository.NewSecretRepository(mgr.GetClient())
+	policyRepo := repository.NewPolicyRepository(mgr.GetClient(), mgr.GetScheme())
 	spaceliftRunRepo := spaceliftRepository.NewRunRepository(mgr.GetClient())
 	spaceliftStackRepo := spaceliftRepository.NewStackRepository(mgr.GetClient())
 	spaceliftContextRepo := spaceliftRepository.NewContextRepository(mgr.GetClient())
+	spaceliftPolicyRepo := spaceliftRepository.NewPolicyRepository(mgr.GetClient())
 	runWatcher := watcher.NewRunWatcher(runRepo, spaceliftRunRepo)
 
 	if err = (&controller.RunReconciler{
@@ -154,6 +156,15 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "Context")
 		os.Exit(1)
 	}
+	if err = (&controller.PolicyReconciler{
+		StackRepository:           stackRepo,
+		PolicyRepository:          policyRepo,
+		SpaceRepository:           spaceRepo,
+		SpaceliftPolicyRepository: spaceliftPolicyRepo,
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Policy")
+		os.Exit(1)
+	}
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

diff --git a/config/crd/bases/app.spacelift.io_policies.yaml b/config/crd/bases/app.spacelift.io_policies.yaml
@@ -0,0 +1,104 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  name: policies.app.spacelift.io
+spec:
+  group: app.spacelift.io
+  names:
+    kind: Policy
+    listKind: PolicyList
+    plural: policies
+    singular: policy
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: Policy is the Schema for the policies API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PolicySpec defines the desired state of Policy
+            properties:
+              attachedStacks:
+                items:
+                  type: string
+                type: array
+              attachedStacksIds:
+                items:
+                  type: string
+                type: array
+              body:
+                description: Body of the policy
+                minLength: 1
+                type: string
+              description:
+                description: Description of the policy
+                type: string
+              labels:
+                items:
+                  type: string
+                type: array
+              name:
+                description: Name of the policy - should be unique in one account
+                minLength: 1
+                type: string
+              spaceId:
+                description: SpaceId is ID (slug) of the space the policy is in
+                type: string
+              spaceName:
+                description: SpaceName is Name of a Space kubernetes resource of the
+                  space the policy is in
+                type: string
+              type:
+                description: Type of the policy. Possible values are ACCESS, APPROVAL,
+                  GIT_PUSH, INITIALIZATION, LOGIN, PLAN, TASK, TRIGGER and NOTIFICATION.
+                  Deprecated values are STACK_ACCESS (use ACCESS instead), TASK_RUN
+                  (use TASK instead), and TERRAFORM_PLAN (use PLAN instead).
+                enum:
+                - ACCESS
+                - APPROVAL
+                - GIT_PUSH
+                - INITIALIZATION
+                - LOGIN
+                - PLAN
+                - TASK
+                - TRIGGER
+                - NOTIFICATION
+                type: string
+            required:
+            - body
+            - name
+            - type
+            type: object
+            x-kubernetes-validations:
+            - message: only one of spaceName or spaceId can be set
+              rule: (has(self.spaceName) != has(self.spaceId)) || (!has(self.spaceName)
+                && !has(self.spaceId))
+          status:
+            description: PolicyStatus defines the observed state of Policy
+            properties:
+              id:
+                type: string
+            required:
+            - id
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - bases/app.spacelift.io_stacks.yaml
 - bases/app.spacelift.io_spaces.yaml
 - bases/app.spacelift.io_contexts.yaml
+- bases/app.spacelift.io_policies.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patches:
@@ -14,6 +15,7 @@ patches:
 #- path: patches/webhook_in_runs.yaml
 #- path: patches/webhook_in_stacks.yaml
 #- path: patches/webhook_in_contexts.yaml
+#- path: patches/webhook_in_policies.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
@@ -22,6 +24,7 @@ patches:
 #- path: patches/cainjection_in_stacks.yaml
 #- path: patches/cainjection_in_spaces.yaml
 #- path: patches/cainjection_in_contexts.yaml
+#- path: patches/cainjection_in_policies.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

diff --git a/config/crd/patches/cainjection_in_policies.yaml b/config/crd/patches/cainjection_in_policies.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
+  name: policies.app.spacelift.io