From 525be388ec4fe7ec482ba757c2df3b84eb4454d9 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Tue, 10 Aug 2021 17:35:41 +0300 Subject: [PATCH] Add ACL optional field to Source API Signed-off-by: Stefan Prodan --- api/go.mod | 3 +- api/go.sum | 6 +- api/v1beta1/bucket_types.go | 5 + api/v1beta1/gitrepository_types.go | 5 + api/v1beta1/helmchart_types.go | 5 + api/v1beta1/helmrepository_types.go | 5 + api/v1beta1/zz_generated.deepcopy.go | 21 ++++ .../source.toolkit.fluxcd.io_buckets.yaml | 18 +++ ...rce.toolkit.fluxcd.io_gitrepositories.yaml | 18 +++ .../source.toolkit.fluxcd.io_helmcharts.yaml | 18 +++ ...ce.toolkit.fluxcd.io_helmrepositories.yaml | 18 +++ docs/api/source.md | 112 ++++++++++++++++++ go.mod | 2 +- go.sum | 6 +- hack/api-docs/config.json | 4 + 15 files changed, 240 insertions(+), 6 deletions(-) diff --git a/api/go.mod b/api/go.mod index 440169c28..82350f30a 100644 --- a/api/go.mod +++ b/api/go.mod @@ -3,11 +3,12 @@ module github.com/fluxcd/source-controller/api go 1.16 require ( + github.com/fluxcd/pkg/apis/acl v0.0.1 github.com/fluxcd/pkg/apis/meta v0.11.0-rc.1 // TODO(hidde): introduction of the runtime package is temporary, and the dependency should be removed as soon as // all APIs have been updated to the runtime standards (more specifically; have dropped their condition modifying // functions). - github.com/fluxcd/pkg/runtime v0.13.0-rc.2 + github.com/fluxcd/pkg/runtime v0.13.0-rc.3 k8s.io/apimachinery v0.21.3 sigs.k8s.io/controller-runtime v0.9.3 ) diff --git a/api/go.sum b/api/go.sum index e085eee3e..c7f12e9b4 100644 --- a/api/go.sum +++ b/api/go.sum 
@@ -91,10 +91,12 @@ github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs= github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fluxcd/pkg/apis/acl v0.0.1 h1:biCgZMjpDSv3Q4mZPikUJILx3t2MuNXR4Oa5jRQxaNQ= +github.com/fluxcd/pkg/apis/acl v0.0.1/go.mod h1:y3qOXUFObVWk7jzOjubMnr/u18j1kCeSi6olycnxr/E= github.com/fluxcd/pkg/apis/meta v0.11.0-rc.1 h1:RHHrztAFv9wmjM+Pk7Svt1UdD+1SdnQSp76MWFiM7Hg= github.com/fluxcd/pkg/apis/meta v0.11.0-rc.1/go.mod h1:yUblM2vg+X8TE3A2VvJfdhkGmg+uqBlSPkLk7dxi0UM= -github.com/fluxcd/pkg/runtime v0.13.0-rc.2 h1:+4uTEg+CU++hlr7NpOP4KYp60MtHDOgYvpz/74tbATg= -github.com/fluxcd/pkg/runtime v0.13.0-rc.2/go.mod h1:TmvE2cJl1QkgZNmmlr7XUKoWDQwUiM5/wTUxXsQVoc8= +github.com/fluxcd/pkg/runtime v0.13.0-rc.3 h1:VxtmEL/m3/9wJBhhhWQ48fz8m93B7UiyVi5cXYbiy3E= +github.com/fluxcd/pkg/runtime v0.13.0-rc.3/go.mod h1:5ioX9wb63+RUvHBdjRsFG4uYn6Ll/Yoa7Ema6XKIIuQ= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= diff --git a/api/v1beta1/bucket_types.go b/api/v1beta1/bucket_types.go index d4a5c567d..47f364f5b 100644 --- a/api/v1beta1/bucket_types.go +++ b/api/v1beta1/bucket_types.go @@ -19,6 +19,7 @@ package v1beta1 import ( "time" + "github.com/fluxcd/pkg/apis/acl" "github.com/fluxcd/pkg/apis/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) 
@@ -80,6 +81,10 @@ type BucketSpec struct { // This flag tells the controller to suspend the reconciliation of this source. // +optional Suspend bool `json:"suspend,omitempty"` + + // AccessFrom defines an Access Control List for allowing cross-namespace references to this object. + // +optional + AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"` } // BucketStatus defines the observed state of a bucket diff --git a/api/v1beta1/gitrepository_types.go b/api/v1beta1/gitrepository_types.go index 3a1c71d0f..b3fb84f6b 100644 --- a/api/v1beta1/gitrepository_types.go +++ b/api/v1beta1/gitrepository_types.go @@ -19,6 +19,7 @@ package v1beta1 import ( "time" + "github.com/fluxcd/pkg/apis/acl" "github.com/fluxcd/pkg/apis/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -100,6 +101,10 @@ type GitRepositorySpec struct { // Include defines a list of GitRepository resources which artifacts should be included in the artifact produced for // this resource. Include []GitRepositoryInclude `json:"include,omitempty"` + + // AccessFrom defines an Access Control List for allowing cross-namespace references to this object. + // +optional + AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"` } func (in *GitRepositoryInclude) GetFromPath() string { diff --git a/api/v1beta1/helmchart_types.go b/api/v1beta1/helmchart_types.go index e216a9f93..3c6b95643 100644 --- a/api/v1beta1/helmchart_types.go +++ b/api/v1beta1/helmchart_types.go @@ -19,6 +19,7 @@ package v1beta1 import ( "time" + "github.com/fluxcd/pkg/apis/acl" "github.com/fluxcd/pkg/apis/meta" "github.com/fluxcd/pkg/runtime/conditions" apimeta "k8s.io/apimachinery/pkg/api/meta" 
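Review bot: The `AccessFrom` comment added to `BucketSpec` does not say what an omitted field means; because the field is an optional pointer, a reader cannot tell whether a nil value leaves cross-namespace references unrestricted or refuses them. The diffstat covers only API types, CRDs, docs and module files, so nothing in this patch evaluates the list, and the comment should name the component expected to enforce it. The generated CRD description later in the patch says an empty `matchLabels` map matches all namespaces, so a single empty selector opens the object cluster-wide; I would put that on the field as `// An empty NamespaceSelector matches every namespace in the cluster.` next to a sentence on the nil case. The identical comment is added in the `GitRepositorySpec`, `HelmChartSpec` and `HelmRepositorySpec` hunks and needs the same wording. The `BucketSpec` declaration starts above the hunk.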
@@ -66,6 +67,10 @@ type HelmChartSpec struct { // This flag tells the controller to suspend the reconciliation of this source. // +optional Suspend bool `json:"suspend,omitempty"` + + // AccessFrom defines an Access Control List for allowing cross-namespace references to this object. + // +optional + AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"` } // LocalHelmChartSourceReference contains enough information to let you locate diff --git a/api/v1beta1/helmrepository_types.go b/api/v1beta1/helmrepository_types.go index 593710a55..006e94c36 100644 --- a/api/v1beta1/helmrepository_types.go +++ b/api/v1beta1/helmrepository_types.go @@ -19,6 +19,7 @@ package v1beta1 import ( "time" + "github.com/fluxcd/pkg/apis/acl" "github.com/fluxcd/pkg/apis/meta" "github.com/fluxcd/pkg/runtime/conditions" apimeta "k8s.io/apimachinery/pkg/api/meta" @@ -69,6 +70,10 @@ type HelmRepositorySpec struct { // This flag tells the controller to suspend the reconciliation of this source. // +optional Suspend bool `json:"suspend,omitempty"` + + // AccessFrom defines an Access Control List for allowing cross-namespace references to this object. + // +optional + AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"` } // HelmRepositoryStatus defines the observed state of the HelmRepository. diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index fd20920de..443f17a31 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -21,6 +21,7 @@ limitations under the License. package v1beta1 import ( + "github.com/fluxcd/pkg/apis/acl" "github.com/fluxcd/pkg/apis/meta" "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" 
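Review bot: `HelmChartSpec.AccessFrom` is documented with no word on how it relates to the access list of the source the chart is built from. The trailing context mentions `LocalHelmChartSourceReference`, so a chart appears to pull from a source object in its own namespace; if that is the case, opening the chart to other namespaces also exposes content derived from a source whose own `accessFrom` may be narrower or absent. I would add a line such as `// AccessFrom on a HelmChart is evaluated independently of any AccessFrom set on the referenced source.`, or document the opposite if the source's list is meant to apply as well. The struct body begins outside the hunk.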
@@ -120,6 +121,11 @@ func (in *BucketSpec) DeepCopyInto(out *BucketSpec) { *out = new(string) **out = **in } + if in.AccessFrom != nil { + in, out := &in.AccessFrom, &out.AccessFrom + *out = new(acl.AccessFrom) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketSpec. @@ -284,6 +290,11 @@ func (in *GitRepositorySpec) DeepCopyInto(out *GitRepositorySpec) { *out = make([]GitRepositoryInclude, len(*in)) copy(*out, *in) } + if in.AccessFrom != nil { + in, out := &in.AccessFrom, &out.AccessFrom + *out = new(acl.AccessFrom) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositorySpec. @@ -420,6 +431,11 @@ func (in *HelmChartSpec) DeepCopyInto(out *HelmChartSpec) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.AccessFrom != nil { + in, out := &in.AccessFrom, &out.AccessFrom + *out = new(acl.AccessFrom) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmChartSpec. @@ -533,6 +549,11 @@ func (in *HelmRepositorySpec) DeepCopyInto(out *HelmRepositorySpec) { *out = new(v1.Duration) **out = **in } + if in.AccessFrom != nil { + in, out := &in.AccessFrom, &out.AccessFrom + *out = new(acl.AccessFrom) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmRepositorySpec. diff --git a/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml b/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml index 393fa2430..3a809426a 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml 
@@ -45,6 +45,24 @@ spec: spec: description: BucketSpec defines the desired state of an S3 compatible bucket properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object bucketName: description: The bucket name. type: string diff --git a/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml index 3a4b1ebd0..f6765bc8c 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml 
@@ -47,6 +47,24 @@ spec: spec: description: GitRepositorySpec defines the desired state of a Git repository. properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object gitImplementation: default: go-git description: Determines which git client library to use. Defaults to go-git, valid values are ('go-git', 'libgit2'). diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml index 7e5e71a7c..fd2c60ea6 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml 
@@ -56,6 +56,24 @@ spec: spec: description: HelmChartSpec defines the desired state of a Helm chart. properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object chart: description: The name or path the Helm chart is available at in the SourceRef. type: string diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml index a20e176ff..28628a005 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml 
@@ -47,6 +47,24 @@ spec: spec: description: HelmRepositorySpec defines the reference to a Helm repository. properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object interval: description: The interval at which to check the upstream for updates. type: string diff --git a/docs/api/source.md b/docs/api/source.md index 2942612da..3bd73de07 100644 --- a/docs/api/source.md +++ b/docs/api/source.md @@ -200,6 +200,20 @@ bool

This flag tells the controller to suspend the reconciliation of this source.

+ + +accessFrom
+ + +github.com/fluxcd/pkg/apis/acl.AccessFrom + + + + +(Optional) +

AccessFrom defines an Access Control List for allowing cross-namespace references to this object.

+ + @@ -425,6 +439,20 @@ This option is available only when using the ‘go-git’ GitImplementat this resource.

+ + +accessFrom
+ + +github.com/fluxcd/pkg/apis/acl.AccessFrom + + + + +(Optional) +

AccessFrom defines an Access Control List for allowing cross-namespace references to this object.

+ + @@ -593,6 +621,20 @@ bool

This flag tells the controller to suspend the reconciliation of this source.

+ + +accessFrom
+ + +github.com/fluxcd/pkg/apis/acl.AccessFrom + + + + +(Optional) +

AccessFrom defines an Access Control List for allowing cross-namespace references to this object.

+ + @@ -755,6 +797,20 @@ bool

This flag tells the controller to suspend the reconciliation of this source.

+ + +accessFrom
+ + +github.com/fluxcd/pkg/apis/acl.AccessFrom + + + + +(Optional) +

AccessFrom defines an Access Control List for allowing cross-namespace references to this object.

+ + @@ -1003,6 +1059,20 @@ bool

This flag tells the controller to suspend the reconciliation of this source.

+ + +accessFrom
+ + +github.com/fluxcd/pkg/apis/acl.AccessFrom + + + + +(Optional) +

AccessFrom defines an Access Control List for allowing cross-namespace references to this object.

+ + @@ -1388,6 +1458,20 @@ This option is available only when using the ‘go-git’ GitImplementat this resource.

+ + +accessFrom
+ + +github.com/fluxcd/pkg/apis/acl.AccessFrom + + + + +(Optional) +

AccessFrom defines an Access Control List for allowing cross-namespace references to this object.

+ + @@ -1648,6 +1732,20 @@ bool

This flag tells the controller to suspend the reconciliation of this source.

+ + +accessFrom
+ + +github.com/fluxcd/pkg/apis/acl.AccessFrom + + + + +(Optional) +

AccessFrom defines an Access Control List for allowing cross-namespace references to this object.

+ + @@ -1843,6 +1941,20 @@ bool

This flag tells the controller to suspend the reconciliation of this source.

+ + +accessFrom
+ + +github.com/fluxcd/pkg/apis/acl.AccessFrom + + + + +(Optional) +

AccessFrom defines an Access Control List for allowing cross-namespace references to this object.

+ + diff --git a/go.mod b/go.mod index 8bb96a629..e6fbde4b4 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/fluxcd/pkg/gitutil v0.1.0 github.com/fluxcd/pkg/helmtestserver v0.2.0 github.com/fluxcd/pkg/lockedfile v0.1.0 - github.com/fluxcd/pkg/runtime v0.13.0-rc.2 + github.com/fluxcd/pkg/runtime v0.13.0-rc.3 github.com/fluxcd/pkg/ssh v0.1.0 github.com/fluxcd/pkg/testserver v0.1.0 github.com/fluxcd/pkg/untar v0.1.0 diff --git a/go.sum b/go.sum index 628a1b830..4dfeaa047 100644 --- a/go.sum +++ b/go.sum @@ -226,6 +226,8 @@ github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZM github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc= github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fluxcd/pkg/apis/acl v0.0.1 h1:biCgZMjpDSv3Q4mZPikUJILx3t2MuNXR4Oa5jRQxaNQ= +github.com/fluxcd/pkg/apis/acl v0.0.1/go.mod h1:y3qOXUFObVWk7jzOjubMnr/u18j1kCeSi6olycnxr/E= github.com/fluxcd/pkg/apis/meta v0.11.0-rc.1 h1:RHHrztAFv9wmjM+Pk7Svt1UdD+1SdnQSp76MWFiM7Hg= github.com/fluxcd/pkg/apis/meta v0.11.0-rc.1/go.mod h1:yUblM2vg+X8TE3A2VvJfdhkGmg+uqBlSPkLk7dxi0UM= github.com/fluxcd/pkg/gittestserver v0.3.2 h1:oc1OoZ4b+kAu0vu/RT9wUwuQZxSqEjBOlQWYYA+YeLM= 
@@ -236,8 +238,8 @@ github.com/fluxcd/pkg/helmtestserver v0.2.0 h1:cE7YHDmrWI0hr9QpaaeQ0vQ16Z0IiqZKi github.com/fluxcd/pkg/helmtestserver v0.2.0/go.mod h1:Yie8n7xuu5Nvf1Q7302LKsubJhWpwzCaK0rLJvmF7aI= github.com/fluxcd/pkg/lockedfile v0.1.0 h1:YsYFAkd6wawMCcD74ikadAKXA4s2sukdxrn7w8RB5eo= github.com/fluxcd/pkg/lockedfile v0.1.0/go.mod h1:EJLan8t9MiOcgTs8+puDjbE6I/KAfHbdvIy9VUgIjm8= -github.com/fluxcd/pkg/runtime v0.13.0-rc.2 h1:+4uTEg+CU++hlr7NpOP4KYp60MtHDOgYvpz/74tbATg= -github.com/fluxcd/pkg/runtime v0.13.0-rc.2/go.mod h1:TmvE2cJl1QkgZNmmlr7XUKoWDQwUiM5/wTUxXsQVoc8= +github.com/fluxcd/pkg/runtime v0.13.0-rc.3 h1:VxtmEL/m3/9wJBhhhWQ48fz8m93B7UiyVi5cXYbiy3E= +github.com/fluxcd/pkg/runtime v0.13.0-rc.3/go.mod h1:5ioX9wb63+RUvHBdjRsFG4uYn6Ll/Yoa7Ema6XKIIuQ= github.com/fluxcd/pkg/ssh v0.1.0 h1:cym2bqiT4IINOdLV0J6GYxer16Ii/7b2+RlK3CG+CnA= github.com/fluxcd/pkg/ssh v0.1.0/go.mod h1:KUuVhaB6AX3IHTGCd3Ti/nesn5t1Nz4zCThFkkjHctM= github.com/fluxcd/pkg/testserver v0.1.0 h1:nOYgM1HYFZNNSUFykuWDmrsxj4jQxUCvmLHWOQeqmyA= diff --git a/hack/api-docs/config.json b/hack/api-docs/config.json index 45c968401..26c4082f8 100644 --- a/hack/api-docs/config.json +++ b/hack/api-docs/config.json @@ -22,6 +22,10 @@ { "typeMatchPrefix": "^github.com/fluxcd/pkg/apis/meta", "docsURLTemplate": "https://godoc.org/github.com/fluxcd/pkg/apis/meta#{{ .TypeIdentifier }}" + }, + { + "typeMatchPrefix": "^github.com/fluxcd/pkg/apis/acl", + "docsURLTemplate": "https://godoc.org/github.com/fluxcd/pkg/apis/acl#{{ .TypeIdentifier }}" } ], "typeDisplayNamePrefixOverrides": {