aws endpoint service principal lifecycle workflow was implemented

PROJECT

@@ -309,4 +309,16 @@ resources:
   webhooks:
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: instaclustr.com
+  group: clusterresources
+  kind: AWSEndpointServicePrincipal
+  path: github.com/instaclustr/operator/apis/clusterresources/v1beta1
+  version: v1beta1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 version: "3"

apis/clusterresources/v1beta1/awsendpointserviceprincipal_types.go

@@ -0,0 +1,72 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// AWSEndpointServicePrincipalSpec defines the desired state of AWSEndpointServicePrincipal
+type AWSEndpointServicePrincipalSpec struct {
+	// The ID of the cluster data center
+	ClusterDataCenterID string `json:"clusterDataCenterId"`
+
+	// The Instaclustr ID of the AWS endpoint service
+	EndPointServiceID string `json:"endPointServiceId,omitempty"`
+
+	// The IAM Principal ARN
+	PrincipalARN string `json:"principalArn"`
+}
+
+// AWSEndpointServicePrincipalStatus defines the observed state of AWSEndpointServicePrincipal
+type AWSEndpointServicePrincipalStatus struct {
+	// The Instaclustr ID of the IAM Principal ARN
+	ID string `json:"id,omitempty"`
+
+	// The Instaclustr ID of the AWS endpoint service
+	EndPointServiceID string `json:"endPointServiceId,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// AWSEndpointServicePrincipal is the Schema for the awsendpointserviceprincipals API
+type AWSEndpointServicePrincipal struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   AWSEndpointServicePrincipalSpec   `json:"spec,omitempty"`
+	Status AWSEndpointServicePrincipalStatus `json:"status,omitempty"`
+}
+
+func (r *AWSEndpointServicePrincipal) NewPatch() client.Patch {
+	return client.MergeFrom(r.DeepCopy())
+}
+
+//+kubebuilder:object:root=true
+
+// AWSEndpointServicePrincipalList contains a list of AWSEndpointServicePrincipal
+type AWSEndpointServicePrincipalList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AWSEndpointServicePrincipal `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&AWSEndpointServicePrincipal{}, &AWSEndpointServicePrincipalList{})
+}

apis/clusterresources/v1beta1/awsendpointserviceprincipal_webhook.go

@@ -0,0 +1,82 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"fmt"
+	"regexp"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+// log is for logging in this package.
+var awsendpointserviceprincipallog = logf.Log.WithName("awsendpointserviceprincipal-resource")
+
+func (r *AWSEndpointServicePrincipal) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+//+kubebuilder:webhook:path=/validate-clusterresources-instaclustr-com-v1beta1-awsendpointserviceprincipal,mutating=false,failurePolicy=fail,sideEffects=None,groups=clusterresources.instaclustr.com,resources=awsendpointserviceprincipals,verbs=create;update,versions=v1beta1,name=vawsendpointserviceprincipal.kb.io,admissionReviewVersions=v1
+
+var _ webhook.Validator = &AWSEndpointServicePrincipal{}
+
+var principalArnPattern, _ = regexp.Compile(`^arn:aws:iam::[0-9]{12}:(root$|user\/[\w+=,.@-]+|role\/[\w+=,.@-]+)$`)
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *AWSEndpointServicePrincipal) ValidateCreate() error {
+	awsendpointserviceprincipallog.Info("validate create", "name", r.Name)
+
+	if r.Spec.ClusterDataCenterID == "" ||
+		r.Spec.PrincipalARN == "" {
+		return fmt.Errorf("spec.clusterDataCenterId and spec.principalArn should be filled")
+	}
+
+	if !principalArnPattern.MatchString(r.Spec.PrincipalARN) {
+		return fmt.Errorf("spec.principalArn doesn't match following pattern \"^arn:aws:iam::[0-9]{12}:(root$|user\\/[\\w+=,.@-]+|role\\/[\\w+=,.@-]+)$\"")
+	}
+
+	return nil
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *AWSEndpointServicePrincipal) ValidateUpdate(old runtime.Object) error {
+	awsendpointserviceprincipallog.Info("validate update", "name", r.Name)
+
+	oldResource := old.(*AWSEndpointServicePrincipal)
+
+	if r.Status.ID == "" {
+		return r.ValidateCreate()
+	}
+
+	if r.Spec != oldResource.Spec {
+		return fmt.Errorf("all fields in the spec are immutable")
+	}
+
+	return nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *AWSEndpointServicePrincipal) ValidateDelete() error {
+	awsendpointserviceprincipallog.Info("validate delete", "name", r.Name)
+
+	return nil
+}

apis/clusterresources/v1beta1/webhook_suite_test.go

@@ -129,6 +129,9 @@ var _ = BeforeSuite(func() {
 	err = (&RedisUser{}).SetupWebhookWithManager(mgr)
 	Expect(err).NotTo(HaveOccurred())
 
+	err = (&AWSEndpointServicePrincipal{}).SetupWebhookWithManager(mgr)
+	Expect(err).NotTo(HaveOccurred())
+
 	//+kubebuilder:scaffold:webhook
 
 	go func() {

config/crd/bases/clusterresources.instaclustr.com_awsendpointserviceprincipals.yaml

@@ -0,0 +1,68 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.9.2
+  creationTimestamp: null
+  name: awsendpointserviceprincipals.clusterresources.instaclustr.com
+spec:
+  group: clusterresources.instaclustr.com
+  names:
+    kind: AWSEndpointServicePrincipal
+    listKind: AWSEndpointServicePrincipalList
+    plural: awsendpointserviceprincipals
+    singular: awsendpointserviceprincipal
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: AWSEndpointServicePrincipal is the Schema for the awsendpointserviceprincipals
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AWSEndpointServicePrincipalSpec defines the desired state
+              of AWSEndpointServicePrincipal
+            properties:
+              clusterDataCenterId:
+                description: The ID of the cluster data center
+                type: string
+              endPointServiceId:
+                description: The Instaclustr ID of the AWS endpoint service
+                type: string
+              principalArn:
+                description: The IAM Principal ARN
+                type: string
+            required:
+            - clusterDataCenterId
+            - principalArn
+            type: object
+          status:
+            description: AWSEndpointServicePrincipalStatus defines the observed state
+              of AWSEndpointServicePrincipal
+            properties:
+              endPointServiceId:
+                description: The Instaclustr ID of the AWS endpoint service
+                type: string
+              id:
+                description: The Instaclustr ID of the IAM Principal ARN
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/crd/kustomization.yaml

@@ -26,6 +26,7 @@ resources:
 - bases/clusterresources.instaclustr.com_awsencryptionkeys.yaml
 - bases/clusterresources.instaclustr.com_cassandrausers.yaml
 - bases/clusterresources.instaclustr.com_opensearchusers.yaml
+- bases/clusterresources.instaclustr.com_awsendpointserviceprincipals.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
@@ -54,6 +55,7 @@ patchesStrategicMerge:
 #- patches/webhook_in_awsencryptionkeys.yaml
 #- patches/webhook_in_cassandrausers.yaml
 #- patches/webhook_in_clusterbackups.yaml
+#- patches/webhook_in_awsendpointserviceprincipals.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
@@ -85,6 +87,7 @@ patchesStrategicMerge:
 #- patches/cainjection_in_postgresqls.yaml
 #- patches/cainjection_in_clusterbackups.yaml
 #- patches/cainjection_in_maintenanceevents.yaml
+#- patches/cainjection_in_awsendpointserviceprincipals.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

config/crd/patches/cainjection_in_clusterresources_awsendpointserviceprincipals.yaml

@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: awsendpointserviceprincipals.clusterresources.instaclustr.com

config/crd/patches/webhook_in_clusterresources_awsendpointserviceprincipals.yaml

@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: awsendpointserviceprincipals.clusterresources.instaclustr.com
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1