feat: introducing v1beta2 api group

PROJECT

@@ -36,4 +36,21 @@ resources:
   kind: Tenant
   path: github.com/clastix/capsule/api/v1beta1
   version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: false
+  domain: clastix.io
+  group: capsule
+  kind: Tenant
+  path: github.com/clastix/capsule/api/v1beta2
+  version: v1beta2
+- api:
+    crdVersion: v1
+    namespaced: false
+  controller: true
+  domain: clastix.io
+  group: capsule
+  kind: CapsuleConfiguration
+  path: github.com/clastix/capsule/api/v1beta2
+  version: v1beta2
 version: "3"

api/v1alpha1/capsuleconfiguration_types.go

@@ -20,6 +20,7 @@ type CapsuleConfigurationSpec struct {
 	ProtectedNamespaceRegexpString string `json:"protectedNamespaceRegex,omitempty"`
 }
 
+// +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope=Cluster
 
@@ -31,6 +32,8 @@ type CapsuleConfiguration struct {
 	Spec CapsuleConfigurationSpec `json:"spec,omitempty"`
 }
 
+func (in *CapsuleConfiguration) Hub() {}
+
 // +kubebuilder:object:root=true
 
 // CapsuleConfigurationList contains a list of CapsuleConfiguration.

api/v1beta1/allowed_list.go

@@ -1,5 +1,6 @@
 // Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0
+
 //nolint:dupl
 package v1beta1
 

api/v1beta1/deny_wildcard.go

@@ -4,11 +4,11 @@
 package v1beta1
 
 const (
-	denyWildcard = "capsule.clastix.io/deny-wildcard"
+	DenyWildcard = "capsule.clastix.io/deny-wildcard"
 )
 
 func (t *Tenant) IsWildcardDenied() bool {
-	if v, ok := t.Annotations[denyWildcard]; ok && v == "true" {
+	if v, ok := t.Annotations[DenyWildcard]; ok && v == "true" {
 		return true
 	}
 

api/v1beta1/forbidden_list.go

@@ -1,5 +1,6 @@
 // Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0
+
 //nolint:dupl
 package v1beta1
 

api/v1beta2/additional_metadata.go

@@ -0,0 +1,9 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+type AdditionalMetadataSpec struct {
+	Labels      map[string]string `json:"labels,omitempty"`
+	Annotations map[string]string `json:"annotations,omitempty"`
+}

api/v1beta2/additional_role_bindings.go

@@ -0,0 +1,12 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+type AdditionalRoleBindingsSpec struct {
+	ClusterRoleName string `json:"clusterRoleName"`
+	// kubebuilder:validation:Minimum=1
+	Subjects []rbacv1.Subject `json:"subjects"`
+}

api/v1beta2/allowed_list.go

@@ -0,0 +1,37 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	"regexp"
+	"sort"
+	"strings"
+)
+
+type AllowedListSpec struct {
+	Exact []string `json:"allowed,omitempty"`
+	Regex string   `json:"allowedRegex,omitempty"`
+}
+
+func (in *AllowedListSpec) ExactMatch(value string) (ok bool) {
+	if len(in.Exact) > 0 {
+		sort.SliceStable(in.Exact, func(i, j int) bool {
+			return strings.ToLower(in.Exact[i]) < strings.ToLower(in.Exact[j])
+		})
+
+		i := sort.SearchStrings(in.Exact, value)
+
+		ok = i < len(in.Exact) && in.Exact[i] == value
+	}
+
+	return
+}
+
+func (in *AllowedListSpec) RegexMatch(value string) (ok bool) {
+	if len(in.Regex) > 0 {
+		ok = regexp.MustCompile(in.Regex).MatchString(value)
+	}
+
+	return
+}

api/v1beta2/allowed_list_test.go

@@ -0,0 +1,73 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+//nolint:dupl
+package v1beta2
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAllowedListSpec_ExactMatch(t *testing.T) {
+	type tc struct {
+		In    []string
+		True  []string
+		False []string
+	}
+
+	for _, tc := range []tc{
+		{
+			[]string{"foo", "bar", "bizz", "buzz"},
+			[]string{"foo", "bar", "bizz", "buzz"},
+			[]string{"bing", "bong"},
+		},
+		{
+			[]string{"one", "two", "three"},
+			[]string{"one", "two", "three"},
+			[]string{"a", "b", "c"},
+		},
+		{
+			nil,
+			nil,
+			[]string{"any", "value"},
+		},
+	} {
+		a := AllowedListSpec{
+			Exact: tc.In,
+		}
+
+		for _, ok := range tc.True {
+			assert.True(t, a.ExactMatch(ok))
+		}
+
+		for _, ko := range tc.False {
+			assert.False(t, a.ExactMatch(ko))
+		}
+	}
+}
+
+func TestAllowedListSpec_RegexMatch(t *testing.T) {
+	type tc struct {
+		Regex string
+		True  []string
+		False []string
+	}
+
+	for _, tc := range []tc{
+		{`first-\w+-pattern`, []string{"first-date-pattern", "first-year-pattern"}, []string{"broken", "first-year", "second-date-pattern"}},
+		{``, nil, []string{"any", "value"}},
+	} {
+		a := AllowedListSpec{
+			Regex: tc.Regex,
+		}
+
+		for _, ok := range tc.True {
+			assert.True(t, a.RegexMatch(ok))
+		}
+
+		for _, ko := range tc.False {
+			assert.False(t, a.RegexMatch(ko))
+		}
+	}
+}

api/v1beta2/capsuleconfiguration_funcs.go

@@ -0,0 +1,131 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"sigs.k8s.io/controller-runtime/pkg/conversion"
+
+	capsulev1alpha1 "github.com/clastix/capsule/api/v1alpha1"
+)
+
+func (in *CapsuleConfiguration) ConvertTo(raw conversion.Hub) error {
+	dst, ok := raw.(*capsulev1alpha1.CapsuleConfiguration)
+	if !ok {
+		return fmt.Errorf("expected type *capsulev1alpha1.CapsuleConfiguration, got %T", dst)
+	}
+
+	dst.ObjectMeta = in.ObjectMeta
+	dst.Spec.ProtectedNamespaceRegexpString = in.Spec.ProtectedNamespaceRegexpString
+	dst.Spec.UserGroups = in.Spec.UserGroups
+	dst.Spec.ProtectedNamespaceRegexpString = in.Spec.ProtectedNamespaceRegexpString
+
+	annotations := dst.GetAnnotations()
+	if annotations == nil {
+		annotations = make(map[string]string)
+	}
+
+	if in.Spec.NodeMetadata != nil {
+		annotations[capsulev1alpha1.ForbiddenNodeLabelsAnnotation] = strings.Join(in.Spec.NodeMetadata.ForbiddenLabels.Exact, ",")
+		annotations[capsulev1alpha1.ForbiddenNodeLabelsRegexpAnnotation] = in.Spec.NodeMetadata.ForbiddenLabels.Regex
+		annotations[capsulev1alpha1.ForbiddenNodeAnnotationsAnnotation] = strings.Join(in.Spec.NodeMetadata.ForbiddenAnnotations.Exact, ",")
+		annotations[capsulev1alpha1.ForbiddenNodeAnnotationsRegexpAnnotation] = in.Spec.NodeMetadata.ForbiddenAnnotations.Regex
+	}
+
+	annotations[capsulev1alpha1.EnableTLSConfigurationAnnotationName] = fmt.Sprintf("%t", in.Spec.EnableTLSReconciler)
+	annotations[capsulev1alpha1.TLSSecretNameAnnotation] = in.Spec.CapsuleResources.TLSSecretName
+	annotations[capsulev1alpha1.MutatingWebhookConfigurationName] = in.Spec.CapsuleResources.MutatingWebhookConfigurationName
+	annotations[capsulev1alpha1.ValidatingWebhookConfigurationName] = in.Spec.CapsuleResources.ValidatingWebhookConfigurationName
+
+	dst.SetAnnotations(annotations)
+
+	return nil
+}
+
+func (in *CapsuleConfiguration) ConvertFrom(raw conversion.Hub) error {
+	src, ok := raw.(*capsulev1alpha1.CapsuleConfiguration)
+	if !ok {
+		return fmt.Errorf("expected type *capsulev1alpha1.CapsuleConfiguration, got %T", src)
+	}
+
+	in.ObjectMeta = src.ObjectMeta
+	in.Spec.ProtectedNamespaceRegexpString = src.Spec.ProtectedNamespaceRegexpString
+	in.Spec.UserGroups = src.Spec.UserGroups
+	in.Spec.ProtectedNamespaceRegexpString = src.Spec.ProtectedNamespaceRegexpString
+
+	annotations := src.GetAnnotations()
+
+	if value, found := annotations[capsulev1alpha1.ForbiddenNodeLabelsAnnotation]; found {
+		if in.Spec.NodeMetadata == nil {
+			in.Spec.NodeMetadata = &NodeMetadata{}
+		}
+
+		in.Spec.NodeMetadata.ForbiddenLabels.Exact = strings.Split(value, ",")
+
+		delete(annotations, capsulev1alpha1.ForbiddenNodeLabelsAnnotation)
+	}
+
+	if value, found := annotations[capsulev1alpha1.ForbiddenNodeLabelsRegexpAnnotation]; found {
+		if in.Spec.NodeMetadata == nil {
+			in.Spec.NodeMetadata = &NodeMetadata{}
+		}
+
+		in.Spec.NodeMetadata.ForbiddenLabels.Regex = value
+
+		delete(annotations, capsulev1alpha1.ForbiddenNodeLabelsRegexpAnnotation)
+	}
+
+	if value, found := annotations[capsulev1alpha1.ForbiddenNodeAnnotationsAnnotation]; found {
+		if in.Spec.NodeMetadata == nil {
+			in.Spec.NodeMetadata = &NodeMetadata{}
+		}
+
+		in.Spec.NodeMetadata.ForbiddenAnnotations.Exact = strings.Split(value, ",")
+
+		delete(annotations, capsulev1alpha1.ForbiddenNodeAnnotationsAnnotation)
+	}
+
+	if value, found := annotations[capsulev1alpha1.ForbiddenNodeAnnotationsRegexpAnnotation]; found {
+		if in.Spec.NodeMetadata == nil {
+			in.Spec.NodeMetadata = &NodeMetadata{}
+		}
+
+		in.Spec.NodeMetadata.ForbiddenAnnotations.Regex = value
+
+		delete(annotations, capsulev1alpha1.ForbiddenNodeAnnotationsRegexpAnnotation)
+	}
+
+	if value, found := annotations[capsulev1alpha1.EnableTLSConfigurationAnnotationName]; found {
+		v, _ := strconv.ParseBool(value)
+
+		in.Spec.EnableTLSReconciler = v
+
+		delete(annotations, capsulev1alpha1.EnableTLSConfigurationAnnotationName)
+	}
+
+	if value, found := annotations[capsulev1alpha1.TLSSecretNameAnnotation]; found {
+		in.Spec.CapsuleResources.TLSSecretName = value
+
+		delete(annotations, capsulev1alpha1.TLSSecretNameAnnotation)
+	}
+
+	if value, found := annotations[capsulev1alpha1.MutatingWebhookConfigurationName]; found {
+		in.Spec.CapsuleResources.MutatingWebhookConfigurationName = value
+
+		delete(annotations, capsulev1alpha1.MutatingWebhookConfigurationName)
+	}
+
+	if value, found := annotations[capsulev1alpha1.ValidatingWebhookConfigurationName]; found {
+		in.Spec.CapsuleResources.ValidatingWebhookConfigurationName = value
+
+		delete(annotations, capsulev1alpha1.ValidatingWebhookConfigurationName)
+	}
+
+	in.SetAnnotations(annotations)
+
+	return nil
+}