From 5ecc1ea7780ea1880bfc645dfb1e06c44008d3d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patryk=20Ma=C5=82ek?=
Date: Thu, 8 Aug 2024 12:31:00 +0200
Subject: [PATCH] feat: make konnect entities spec.konnect.authRef immutable only when entity is already programmed
---
 api/configuration/v1alpha1/kongroute_types.go | 2 ++
 .../v1alpha1/konnect_apiauthconfiguration_types.go | 2 +-
 api/konnect/v1alpha1/konnect_configuration.go | 1 -
 api/konnect/v1alpha1/konnect_controlplane_types.go | 2 ++
 .../bases/configuration.konghq.com_kongconsumers.yaml | 3 ---
 .../bases/configuration.konghq.com_kongroutes.yaml | 10 +++++++---
 .../bases/configuration.konghq.com_kongservices.yaml | 3 ---
 ...nnect.konghq.com_konnectapiauthconfigurations.yaml | 2 +-
 .../konnect.konghq.com_konnectcontrolplanes.yaml | 11 ++++++++---
 go.mod | 2 +-
 go.sum | 4 ++--
 11 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/api/configuration/v1alpha1/kongroute_types.go b/api/configuration/v1alpha1/kongroute_types.go
index e86b0e22..4461e58e 100644
--- a/api/configuration/v1alpha1/kongroute_types.go
+++ b/api/configuration/v1alpha1/kongroute_types.go
@@ -37,6 +37,8 @@ import (
 // +kubebuilder:printcolumn:name="Programmed",description="The Resource is Programmed on Konnect",type=string,JSONPath=`.status.conditions[?(@.type=='Programmed')].status`
 // +kubebuilder:validation:XValidation:rule="!has(oldSelf.spec.konnect.authRef) || has(self.spec.konnect.authRef)", message="Konnect Configuration's API auth ref reference is required once set"
 // +kubebuilder:validation:XValidation:rule="self.spec.protocols.exists(p, p == 'http') ? (has(self.spec.hosts) || has(self.spec.methods) || has(self.spec.paths) || has(self.spec.paths) || has(self.spec.paths) || has(self.spec.headers) ) : true", message="If protocols has 'http', at least one of 'hosts', 'methods', 'paths' or 'headers' must be set"
+// +kubebuilder:validation:XValidation:rule="!self.status.conditions.exists(c, c.type == 'Programmed' && c.status == 'True') ? true : self.spec.konnect.authRef == oldSelf.spec.konnect.authRef", message="spec.konnect.authRef is immutable when entity is already Programmed."
+// +kubebuilder:validation:XValidation:rule="!self.status.conditions.exists(c, c.type == 'APIAuthValid' && c.status == 'True') ? true : self.spec.konnect.authRef == oldSelf.spec.konnect.authRef", message="spec.konnect.authRef is immutable when entity refers to a Valid API Auth Configuration."
 type KongRoute struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
diff --git a/api/konnect/v1alpha1/konnect_apiauthconfiguration_types.go b/api/konnect/v1alpha1/konnect_apiauthconfiguration_types.go
index baceabe1..60bb19fc 100644
--- a/api/konnect/v1alpha1/konnect_apiauthconfiguration_types.go
+++ b/api/konnect/v1alpha1/konnect_apiauthconfiguration_types.go
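Review bot: Both rules added above `type KongRoute struct` read `self.status.conditions` without a presence check, and the two rules added above `type KonnectControlPlane struct` in konnect_controlplane_types.go do the same. In Kubernetes CEL validation, selecting a field that is not set is an evaluation error and the rule fails, so an update to an object whose status or conditions list is still unset would be rejected instead of allowed; whether that state can occur depends on the status type, which this hunk does not show. Guarding the lookup keeps the intended behaviour, e.g. `rule="(!has(self.status) || !has(self.status.conditions) || !self.status.conditions.exists(c, c.type == 'Programmed' && c.status == 'True')) ? true : self.spec.konnect.authRef == oldSelf.spec.konnect.authRef"`, with the same guard on the `APIAuthValid` rule. The struct body continues outside the hunk.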
@@ -17,7 +17,7 @@ func init() {
 // +kubebuilder:object:root=true
 // +kubebuilder:object:generate=true
 // +kubebuilder:subresource:status
-// +kubebuilder:printcolumn:name="Valid",description="The API authentication information is valid",type=string,JSONPath=`.status.conditions[?(@.type=='Valid')].status`
+// +kubebuilder:printcolumn:name="Valid",description="The API authentication information is valid",type=string,JSONPath=`.status.conditions[?(@.type=='APIAuthValid')].status`
 // +kubebuilder:printcolumn:name="OrgID",description="Konnect Organization ID this API authentication configuration belongs to.",type=string,JSONPath=`.status.organizationID`
 // +kubebuilder:printcolumn:name="ServerURL",description="Configured server URL.",type=string,JSONPath=`.status.serverURL`
 // +kubebuilder:validation:XValidation:rule="self.spec.type != 'token' || (self.spec.token.startsWith('spat_') || self.spec.token.startsWith('kpat_'))", message="Konnect tokens have to start with spat_ or kpat_"
diff --git a/api/konnect/v1alpha1/konnect_configuration.go b/api/konnect/v1alpha1/konnect_configuration.go
index 70239afc..f0bba516 100644
--- a/api/konnect/v1alpha1/konnect_configuration.go
+++ b/api/konnect/v1alpha1/konnect_configuration.go
@@ -6,7 +6,6 @@ type KonnectConfiguration struct { // that should be used for this Konnect Configuration. // // +kubebuilder:validation:Required - // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="authRef is immutable" APIAuthConfigurationRef KonnectAPIAuthConfigurationRef `json:"authRef"` // NOTE: Place for extending the KonnectConfiguration object.
diff --git a/api/konnect/v1alpha1/konnect_controlplane_types.go b/api/konnect/v1alpha1/konnect_controlplane_types.go
index ef95c824..285df392 100644
--- a/api/konnect/v1alpha1/konnect_controlplane_types.go
+++ b/api/konnect/v1alpha1/konnect_controlplane_types.go
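Review bot: Dropping the field-level `self == oldSelf` rule from `APIAuthConfigurationRef` in konnect_configuration.go removes authRef immutability from every kind that embeds KonnectConfiguration, while this patch adds the replacement type-level rules only to KongRoute and KonnectControlPlane. The regenerated kongconsumers and kongservices CRDs later in the patch lose `x-kubernetes-validations` with nothing added in its place, so on those kinds authRef appears to become freely changeable even after the entity is Programmed. Since authRef selects which API credentials an entity is reconciled with, the KongConsumer and KongService type definitions (not part of this patch) should carry the same pair of `+kubebuilder:validation:XValidation` markers, or the field-level rule should stay until they do. The KonnectConfiguration struct starts and ends outside the hunk.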
@@ -19,6 +19,8 @@ func init() {
 // +kubebuilder:printcolumn:name="Programmed",description="The Resource is Programmed on Konnect",type=string,JSONPath=`.status.conditions[?(@.type=='Programmed')].status`
 // +kubebuilder:printcolumn:name="ID",description="Konnect ID",type=string,JSONPath=`.status.id`
 // +kubebuilder:printcolumn:name="OrgID",description="Konnect Organization ID this resource belongs to.",type=string,JSONPath=`.status.organizationID`
+// +kubebuilder:validation:XValidation:rule="!self.status.conditions.exists(c, c.type == 'Programmed' && c.status == 'True') ? true : self.spec.konnect.authRef == oldSelf.spec.konnect.authRef", message="spec.konnect.authRef is immutable when entity is already Programmed."
+// +kubebuilder:validation:XValidation:rule="!self.status.conditions.exists(c, c.type == 'APIAuthValid' && c.status == 'True') ? true : self.spec.konnect.authRef == oldSelf.spec.konnect.authRef", message="spec.konnect.authRef is immutable when entity refers to a Valid API Auth Configuration."
 type KonnectControlPlane struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
diff --git a/config/crd/bases/configuration.konghq.com_kongconsumers.yaml b/config/crd/bases/configuration.konghq.com_kongconsumers.yaml
index 50bb2a2d..f4968e22 100644
--- a/config/crd/bases/configuration.konghq.com_kongconsumers.yaml
+++ b/config/crd/bases/configuration.konghq.com_kongconsumers.yaml
@@ -123,9 +123,6 @@ spec: required: - name type: object - x-kubernetes-validations: - - message: authRef is immutable - rule: self == oldSelf required: - authRef type: object
diff --git a/config/crd/bases/configuration.konghq.com_kongroutes.yaml b/config/crd/bases/configuration.konghq.com_kongroutes.yaml
index 762c2f05..85145acf 100644
--- a/config/crd/bases/configuration.konghq.com_kongroutes.yaml
+++ b/config/crd/bases/configuration.konghq.com_kongroutes.yaml
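Review bot: The rules added above `type KonnectControlPlane struct` key the authRef lock on `status.conditions`, and nothing on the type documents that the guard is only as strong as write access to the status subresource. Any principal allowed to update that subresource could set both `Programmed` and `APIAuthValid` to something other than `True` and then change authRef; the same window presumably opens whenever the controller itself reports both conditions as not `True`, possibly while `.status.id` already points at an entity created under the previous credentials. A comment would make the assumption explicit, e.g. `// NOTE: authRef immutability depends on status conditions; only the controller should be granted update on the status subresource.` If re-pointing an already created entity is not intended, the rule could also treat a set `status.id` as locked, which needs confirming against the status type outside this hunk.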
@@ -130,9 +130,6 @@ spec: required: - name type: object - x-kubernetes-validations: - - message: authRef is immutable - rule: self == oldSelf required: - authRef type: object @@ -364,6 +361,13 @@ spec: rule: 'self.spec.protocols.exists(p, p == ''http'') ? (has(self.spec.hosts) || has(self.spec.methods) || has(self.spec.paths) || has(self.spec.paths) || has(self.spec.paths) || has(self.spec.headers) ) : true' + - message: spec.konnect.authRef is immutable when entity is already Programmed. + rule: '!self.status.conditions.exists(c, c.type == ''Programmed'' && c.status + == ''True'') ? true : self.spec.konnect.authRef == oldSelf.spec.konnect.authRef' + - message: spec.konnect.authRef is immutable when entity refers to a Valid + API Auth Configuration. + rule: '!self.status.conditions.exists(c, c.type == ''APIAuthValid'' && c.status + == ''True'') ? true : self.spec.konnect.authRef == oldSelf.spec.konnect.authRef' served: true storage: true subresources: diff --git a/config/crd/bases/configuration.konghq.com_kongservices.yaml b/config/crd/bases/configuration.konghq.com_kongservices.yaml index ea717a2a..a80de5a7 100644 --- a/config/crd/bases/configuration.konghq.com_kongservices.yaml +++ b/config/crd/bases/configuration.konghq.com_kongservices.yaml @@ -115,9 +115,6 @@ spec: required: - name type: object - x-kubernetes-validations: - - message: authRef is immutable - rule: self == oldSelf required: - authRef type: object diff --git a/config/crd/bases/konnect.konghq.com_konnectapiauthconfigurations.yaml b/config/crd/bases/konnect.konghq.com_konnectapiauthconfigurations.yaml index f48425b8..17c1b956 100644 --- a/config/crd/bases/konnect.konghq.com_konnectapiauthconfigurations.yaml +++ b/config/crd/bases/konnect.konghq.com_konnectapiauthconfigurations.yaml 
@@ -16,7 +16,7 @@ spec: versions: - additionalPrinterColumns: - description: The API authentication information is valid - jsonPath: .status.conditions[?(@.type=='Valid')].status + jsonPath: .status.conditions[?(@.type=='APIAuthValid')].status name: Valid type: string - description: Konnect Organization ID this API authentication configuration belongs diff --git a/config/crd/bases/konnect.konghq.com_konnectcontrolplanes.yaml b/config/crd/bases/konnect.konghq.com_konnectcontrolplanes.yaml index 8f38296f..5de9a73b 100644 --- a/config/crd/bases/konnect.konghq.com_konnectcontrolplanes.yaml +++ b/config/crd/bases/konnect.konghq.com_konnectcontrolplanes.yaml @@ -81,9 +81,6 @@ spec: required: - name type: object - x-kubernetes-validations: - - message: authRef is immutable - rule: self == oldSelf required: - authRef type: object @@ -230,6 +227,14 @@ spec: type: string type: object type: object + x-kubernetes-validations: + - message: spec.konnect.authRef is immutable when entity is already Programmed. + rule: '!self.status.conditions.exists(c, c.type == ''Programmed'' && c.status + == ''True'') ? true : self.spec.konnect.authRef == oldSelf.spec.konnect.authRef' + - message: spec.konnect.authRef is immutable when entity refers to a Valid + API Auth Configuration. + rule: '!self.status.conditions.exists(c, c.type == ''APIAuthValid'' && c.status + == ''True'') ? true : self.spec.konnect.authRef == oldSelf.spec.konnect.authRef' served: true storage: true subresources: diff --git a/go.mod b/go.mod index 0a94a546..8e4b4786 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/kong/kubernetes-configuration go 1.22.4 require ( - github.com/Kong/sdk-konnect-go v0.0.0-20240723160412-999d9a987e1a + github.com/Kong/sdk-konnect-go v0.0.1 github.com/kong/go-kong v0.57.1 github.com/stretchr/testify v1.9.0 k8s.io/api v0.30.3 diff --git a/go.sum b/go.sum index ed71d9df..465caf39 100644 --- a/go.sum +++ b/go.sum 
@@ -1,5 +1,5 @@ -github.com/Kong/sdk-konnect-go v0.0.0-20240723160412-999d9a987e1a h1:0mQhPVVA2/+uTVmoKrEIGf+0eTrNyr80Ssv1zGs/1Lk= -github.com/Kong/sdk-konnect-go v0.0.0-20240723160412-999d9a987e1a/go.mod h1:ipu67aQNnwDzu/LXKePG46cVqkkZnAHKWpsbhTEI8xE= +github.com/Kong/sdk-konnect-go v0.0.1 h1:yxDRzT7gBriM9ZD3MDJCoEVBwtzEpcujuxLK1Ga5ObM= +github.com/Kong/sdk-konnect-go v0.0.1/go.mod h1:75YzLhfnYfmCvBJgkafzVuREwBAec2/jihCW2fyn6hY= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=