Add SecureSourceManagerInstance PrivateConfig field API

apis/refs/v1beta1/privatecaref.go

@@ -0,0 +1,112 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1beta1
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type PrivateCACAPoolRef struct {
+	// A reference to an externally managed PrivateCACAPool.
+	// Should be in the format `projects/{project_id}/locations/{region}/caPools/{caPool}`.
+	External string `json:"external,omitempty"`
+
+	// The `name` of a `PrivateCACAPool` resource.
+	Name string `json:"name,omitempty"`
+	// The `namespace` of a `PrivateCACAPool` resource.
+	Namespace string `json:"namespace,omitempty"`
+}
+
+type PrivateCACAPool struct {
+	Ref        *PrivateCACAPoolRef
+	ResourceID string
+}
+
+// ResolvePrivateCACAPoolRef will resolve a PrivateCACAPoolRef to a PrivateCACAPool.
+func ResolvePrivateCACAPoolRef(ctx context.Context, reader client.Reader, src client.Object, ref *PrivateCACAPoolRef) (*PrivateCACAPoolRef, error) {
+	if ref == nil {
+		return nil, nil
+	}
+
+	if ref.Name == "" && ref.External == "" {
+		return nil, fmt.Errorf("must specify either name or external on PrivateCACAPoolRef")
+	}
+	if ref.Name != "" && ref.External != "" {
+		return nil, fmt.Errorf("cannot specify both name and external on PrivateCACAPoolRef")
+	}
+
+	// External should be in the `projects/{project_id}/locations/{region}/caPools/{caPool}` format
+	if ref.External != "" {
+		tokens := strings.Split(ref.External, "/")
+		if len(tokens) == 6 && tokens[0] == "projects" && tokens[2] == "locations" && tokens[4] == "caPools" {
+			ref = &PrivateCACAPoolRef{
+				External: fmt.Sprintf("projects/%s/locations/%s/caPools/%s", tokens[1], tokens[3], tokens[5]),
+			}
+			return ref, nil
+		}
+		return nil, fmt.Errorf("format of PrivateCACAPoolRef external=%q was not known (use projects/{project_id}/locations/{region}/caPools/{caPool})", ref.External)
+	}
+
+	key := types.NamespacedName{
+		Namespace: ref.Namespace,
+		Name:      ref.Name,
+	}
+	if key.Namespace == "" {
+		key.Namespace = src.GetNamespace()
+	}
+
+	// Fetch object from k8s cluster to construct the external form
+	caPool := &unstructured.Unstructured{}
+	caPool.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   "privateca.cnrm.cloud.google.com",
+		Version: "v1beta1",
+		Kind:    "PrivateCACAPool",
+	})
+	if err := reader.Get(ctx, key, caPool); err != nil {
+		if apierrors.IsNotFound(err) {
+			return nil, fmt.Errorf("referenced PrivateCACAPool %v not found", key)
+		}
+		return nil, fmt.Errorf("error reading referenced PrivateCACAPool %v: %w", key, err)
+	}
+
+	caPoolResourceID, err := GetResourceID(caPool)
+	if err != nil {
+		return nil, err
+	}
+
+	projectID, err := ResolveProjectID(ctx, reader, caPool)
+	if err != nil {
+		return nil, err
+	}
+
+	location, err := GetLocation(caPool)
+	if err != nil {
+		return nil, err
+	}
+
+	ref = &PrivateCACAPoolRef{
+		External: fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectID, location, caPoolResourceID),
+	}
+
+	return ref, nil
+}

apis/securesourcemanager/v1alpha1/instance_types.go

@@ -44,6 +44,9 @@ type SecureSourceManagerInstanceSpec struct {
 
 	// Optional. Immutable. Customer-managed encryption key name.
 	KmsKeyRef *refs.KMSCryptoKeyRef `json:"kmsKeyRef,omitempty"`
+
+	// Optional. PrivateConfig includes settings for private instance.
+	PrivateConfig *Instance_PrivateConfig `json:"privateConfig,omitempty"`
 }
 
 // SecureSourceManagerInstanceStatus defines the config connector machine state of SecureSourceManagerInstance

config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_securesourcemanagerinstances.securesourcemanager.cnrm.cloud.google.com.yaml

@@ -94,6 +94,51 @@ spec:
               location:
                 description: Immutable. Location of the instance.
                 type: string
+              privateConfig:
+                description: Optional. PrivateConfig includes settings for private
+                  instance.
+                properties:
+                  caPoolRef:
+                    description: Required. Immutable. CA pool resource, resource must
+                      in the format of `projects/{project}/locations/{location}/caPools/{ca_pool}`.
+                    oneOf:
+                    - not:
+                        required:
+                        - external
+                      required:
+                      - name
+                    - not:
+                        anyOf:
+                        - required:
+                          - name
+                        - required:
+                          - namespace
+                      required:
+                      - external
+                    properties:
+                      external:
+                        description: A reference to an externally managed PrivateCACAPool.
+                          Should be in the format `projects/{project_id}/locations/{region}/caPools/{caPool}`.
+                        type: string
+                      name:
+                        description: The `name` of a `PrivateCACAPool` resource.
+                        type: string
+                      namespace:
+                        description: The `namespace` of a `PrivateCACAPool` resource.
+                        type: string
+                    type: object
+                  httpServiceAttachment:
+                    description: Output only. Service Attachment for HTTP, resource
+                      is in the format of `projects/{project}/regions/{region}/serviceAttachments/{service_attachment}`.
+                    type: string
+                  isPrivate:
+                    description: Required. Immutable. Indicate if it's private instance.
+                    type: boolean
+                  sshServiceAttachment:
+                    description: Output only. Service Attachment for SSH, resource
+                      is in the format of `projects/{project}/regions/{region}/serviceAttachments/{service_attachment}`.
+                    type: string
+                type: object
               projectRef:
                 description: Immutable. The Project that this resource belongs to.
                 oneOf:

config/tests/samples/create/harness.go

@@ -855,6 +855,7 @@ func MaybeSkip(t *testing.T, name string, resources []*unstructured.Unstructured
 			case schema.GroupKind{Group: "secretmanager.cnrm.cloud.google.com", Kind: "SecretManagerSecretVersion"}:
 
 			case schema.GroupKind{Group: "securesourcemanager.cnrm.cloud.google.com", Kind: "SecureSourceManagerInstance"}:
+			case schema.GroupKind{Group: "securesourcemanager.cnrm.cloud.google.com", Kind: "SecureSourceManagerRepository"}:
 
 			case schema.GroupKind{Group: "servicedirectory.cnrm.cloud.google.com", Kind: "ServiceDirectoryNamespace"}:
 			case schema.GroupKind{Group: "servicedirectory.cnrm.cloud.google.com", Kind: "ServiceDirectoryService"}:

mockgcp/mocksecuresourcemanager/repository.go

@@ -0,0 +1,167 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mocksecuresourcemanager
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	longrunning "google.golang.org/genproto/googleapis/longrunning"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/types/known/emptypb"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp/common/projects"
+	pb "github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp/generated/mockgcp/cloud/securesourcemanager/v1"
+)
+
+func (s *secureSourceManagerServer) GetRepository(ctx context.Context, req *pb.GetRepositoryRequest) (*pb.Repository, error) {
+	name, err := s.parseRepositoryName(req.Name)
+	if err != nil {
+		return nil, err
+	}
+
+	fqn := name.String()
+
+	obj := &pb.Repository{}
+	if err := s.storage.Get(ctx, fqn, obj); err != nil {
+		if status.Code(err) == codes.NotFound {
+			return nil, status.Errorf(codes.NotFound, "Resource '%s' was not found", fqn)
+		}
+		return nil, err
+	}
+
+	return obj, nil
+}
+
+func (s *secureSourceManagerServer) CreateRepository(ctx context.Context, req *pb.CreateRepositoryRequest) (*longrunning.Operation, error) {
+	reqName := req.Parent + "/repositories/" + req.RepositoryId
+	name, err := s.parseRepositoryName(reqName)
+	if err != nil {
+		return nil, err
+	}
+
+	fqn := name.String()
+
+	now := time.Now()
+
+	obj := proto.Clone(req.Repository).(*pb.Repository)
+	obj.Name = fqn
+
+	obj.CreateTime = timestamppb.New(now)
+	obj.UpdateTime = timestamppb.New(now)
+
+	instanceName, err := s.parseInstanceName(obj.GetInstance())
+	if err != nil {
+		return nil, err
+	}
+
+	obj.InitialConfig = req.GetRepository().GetInitialConfig()
+
+	prefix := fmt.Sprintf("https://%s-%d", instanceName.InstanceID, name.Project.Number)
+	domain := "." + name.Location + ".sourcemanager.dev"
+	obj.Uris = &pb.Repository_URIs{
+		Html:     prefix + domain + fmt.Sprintf("/%s/%s", name.Project.ID, req.GetRepositoryId()),
+		Api:      prefix + "-api" + domain + fmt.Sprintf("/v1/projects/%s/locations/%s/repositories/%s", name.Project.ID, name.Location, req.GetRepositoryId()),
+		GitHttps: prefix + "-git" + domain + fmt.Sprintf("/%s/%s.git", name.Project.ID, req.GetRepositoryId()),
+	}
+
+	if err := s.storage.Create(ctx, fqn, obj); err != nil {
+		return nil, err
+	}
+
+	op := &pb.OperationMetadata{
+		CreateTime: timestamppb.New(now),
+		Target:     name.String(),
+		Verb:       "create",
+		ApiVersion: "v1",
+	}
+	opPrefix := fmt.Sprintf("projects/%s/locations/%s", name.Project.ID, name.Location)
+	return s.operations.StartLRO(ctx, opPrefix, op, func() (proto.Message, error) {
+		op.EndTime = timestamppb.Now()
+		return obj, nil
+	})
+}
+
+func (s *secureSourceManagerServer) DeleteRepository(ctx context.Context, req *pb.DeleteRepositoryRequest) (*longrunning.Operation, error) {
+	name, err := s.parseRepositoryName(req.GetName())
+	if err != nil {
+		return nil, err
+	}
+
+	fqn := name.String()
+	now := time.Now()
+
+	deleted := &pb.Repository{}
+	if err := s.storage.Delete(ctx, fqn, deleted); err != nil {
+		return nil, err
+	}
+
+	op := &pb.OperationMetadata{
+		CreateTime: timestamppb.New(now),
+		Target:     name.String(),
+		Verb:       "delete",
+		ApiVersion: "v1",
+	}
+	opPrefix := fmt.Sprintf("projects/%s/locations/%s", name.Project.ID, name.Location)
+	return s.operations.StartLRO(ctx, opPrefix, op, func() (proto.Message, error) {
+		op.EndTime = timestamppb.Now()
+		return &emptypb.Empty{}, nil
+	})
+}
+
+type RepositoryName struct {
+	Project      *projects.ProjectData
+	Location     string
+	RepositoryID string
+}
+
+func (n *RepositoryName) String() string {
+	return fmt.Sprintf("projects/%s/locations/%s/repositories/%s", n.Project.ID, n.Location, n.RepositoryID)
+}
+
+// func (n *RepositoryName) Target() string {
+// 	return fmt.Sprintf("projects/%s/locations/%s/repositories/%s", n.Project.ID, n.Location, n.RepositoryID)
+// }
+
+// parseRepositoryName parses a string into a RepositoryName.
+// The expected form is projects/*/locations/*/repositories/*
+func (s *MockService) parseRepositoryName(name string) (*RepositoryName, error) {
+	tokens := strings.Split(name, "/")
+
+	if len(tokens) == 6 && tokens[0] == "projects" && tokens[2] == "locations" && tokens[4] == "repositories" {
+		projectName, err := projects.ParseProjectName(tokens[0] + "/" + tokens[1])
+		if err != nil {
+			return nil, err
+		}
+		project, err := s.Projects.GetProject(projectName)
+		if err != nil {
+			return nil, err
+		}
+
+		name := &RepositoryName{
+			Project:      project,
+			Location:     tokens[3],
+			RepositoryID: tokens[5],
+		}
+		return name, nil
+	} else {
+		return nil, status.Errorf(codes.InvalidArgument, "name %q is not valid", name)
+	}
+}