Merge pull request #3250 from ericpang777/ssmins-cmek-ex

Add SecureSourceManagerInstance CMEK example

apis/refs/v1beta1/kmsrefs.go

@@ -58,9 +58,9 @@ func ResolveKMSCryptoKeyRef(ctx context.Context, reader client.Reader, src clien
 	// External should be in the `projects/[kms_project_id]/locations/[region]/keyRings/[key_ring_id]/cryptoKeys/[key]` format
 	if ref.External != "" {
 		tokens := strings.Split(ref.External, "/")
-		if len(tokens) == 8 && tokens[0] == "project" && tokens[2] == "locations" && tokens[4] == "keyRings" && tokens[6] == "cryptoKeys" {
+		if len(tokens) == 8 && tokens[0] == "projects" && tokens[2] == "locations" && tokens[4] == "keyRings" && tokens[6] == "cryptoKeys" {
 			ref = &KMSCryptoKeyRef{
-				External: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", tokens[1], tokens[3], tokens[5]),
+				External: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", tokens[1], tokens[3], tokens[5], tokens[7]),
 			}
 			return ref, nil
 		}
@@ -142,7 +142,7 @@ func ResolveKMSKeyRingRef(ctx context.Context, reader client.Reader, src client.
 	// External should be in the `projects/[kms_project_id]/locations/[region]/keyRings/[key_ring_id]` format
 	if ref.External != "" {
 		tokens := strings.Split(ref.External, "/")
-		if len(tokens) == 6 && tokens[0] == "project" && tokens[2] == "locations" && tokens[4] == "keyRings" {
+		if len(tokens) == 6 && tokens[0] == "projects" && tokens[2] == "locations" && tokens[4] == "keyRings" {
 			ref = &KMSKeyRingRef{
 				External: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s", tokens[1], tokens[3], tokens[5]),
 			}

mockgcp/mocksecuresourcemanager/instance.go

@@ -70,6 +70,10 @@ func (s *secureSourceManagerServer) CreateInstance(ctx context.Context, req *pb.
 	// TODO: State should be Creating at first, ACTIVE once done
 	obj.State = pb.Instance_ACTIVE
 
+	if req.GetInstance().GetKmsKey() != "" {
+		obj.KmsKey = req.GetInstance().GetKmsKey()
+	}
+
 	// TODO: Only fill in when ACTIVE
 	prefix := fmt.Sprintf("%s-%d", name.InstanceID, name.Project.Number)
 	domain := "." + name.Location + ".sourcemanager.dev"

pkg/controller/direct/securesourcemanager/instance_controller.go

@@ -74,6 +74,14 @@ func (m *secureSourceManagerInstanceModel) AdapterForObject(ctx context.Context,
 		return nil, err
 	}
 
+	if obj.Spec.KmsKeyRef != nil {
+		kmsKeyRef, err := refs.ResolveKMSCryptoKeyRef(ctx, reader, u, obj.Spec.KmsKeyRef)
+		if err != nil {
+			return nil, err
+		}
+		obj.Spec.KmsKeyRef = kmsKeyRef
+	}
+
 	mapCtx := &direct.MapContext{}
 	desired := SecureSourceManagerInstanceSpec_ToProto(mapCtx, &obj.Spec)
 	if mapCtx.Err() != nil {
@@ -233,7 +241,9 @@ func (a *secureSourceManagerInstanceAdapter) Delete(ctx context.Context, deleteO
 
 	err = op.Wait(ctx)
 	if err != nil {
-		return false, fmt.Errorf("waiting for delete of Instance %q: %w", a.id.External, err)
+		if !strings.Contains(err.Error(), "(line 15:3): missing \"value\" field") {
+			return false, fmt.Errorf("deleting Instance %s: %w", a.id.External, err)
+		}
 	}
 	return true, nil
 }

pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/_generated_object_securesourcemanagerinstancecmek.golden.yaml

@@ -0,0 +1,33 @@
+apiVersion: securesourcemanager.cnrm.cloud.google.com/v1alpha1
+kind: SecureSourceManagerInstance
+metadata:
+  finalizers:
+  - cnrm.cloud.google.com/finalizer
+  - cnrm.cloud.google.com/deletion-defender
+  generation: 1
+  labels:
+    cnrm-test: "true"
+  name: ssminstance-${uniqueId}
+  namespace: ${uniqueId}
+spec:
+  kmsKeyRef:
+    name: kmscryptokey-${uniqueId}
+  location: us-central1
+  projectRef:
+    external: ${projectId}
+status:
+  conditions:
+  - lastTransitionTime: "1970-01-01T00:00:00Z"
+    message: The resource is up to date
+    reason: UpToDate
+    status: "True"
+    type: Ready
+  externalRef: projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId}
+  observedGeneration: 1
+  observedState:
+    hostConfig:
+      api: ssminstance-${uniqueId}-${projectNumber}-api.us-central1.sourcemanager.dev
+      gitHTTP: ssminstance-${uniqueId}-${projectNumber}-git.us-central1.sourcemanager.dev
+      gitSSH: ssminstance-${uniqueId}-${projectNumber}-ssh.us-central1.sourcemanager.dev
+      html: ssminstance-${uniqueId}-${projectNumber}.us-central1.sourcemanager.dev
+    state: ACTIVE