feat: Add Operator bucket validation

* add kubebuild init files, titfile and few command to makefile for running locally

* add kind config yaml for local k8s kind cluster

* modify the make file , deploy working

* define s3 bucket type

* add readme and script for local running

* add input validition and RetryPeriod

* edit titfile

* add aws client functions

* insert create and delete bucket functionality , modify the tiltfile

* add gettter to aws client , and helm commands to localstack

* support encrypt bucket

* add resource map to manage k8s resource agianst aws resource

* fix delete resource

* fix run loclal script, add logs to delete flow

* fix deletion of bucket in aws

* support deletion of bucket policy and creation and deletion of iam role

* support deletion of bucket policy and creation and deletion of iam role

* add bucket name validation

* bucketname validation

* syntax

* refactor: remove unused files in bin folder + update git ignore

* fix: change runLocalenv.sh script variable defenitions

* add tests folder

* update git ignore

* add varieble file to config

* remove region from s3 resource

* move cred var to deploy yaml

* fix: makefile controller-gen

* add devmode var

* add to readme: golang version

* add cleanup bucket function to delete flow

* move config varibels under controllers folder

* edit logs

* test

* change delete logic

* edit logs

* chang looger logic, fix put tgs function

* add logs for update flow

* remove comment

* a

* change kind cluster

* add system test , edit run local script to deploy ingress controller

* change port to 4566, fix putting tags

* edit: readme, add update test

* crate k8s client function

* crate k8s client function

* fix scripts

* edit delete bucket test

* add k8s manger

* add logs to tests, fix update tags function and edit logs

* add CRUD service account function

* add service account functionality, create small app to test conectivety to s3

* merge brunch

* add yaml files for testing, add integration test, add test app

* fix integration test

* change busy wait function, add valisation to edit flow

* fix system test, add to local env empty app, fix iam role function

* edit readme , add script for upload test app

* add service account functions

* code refactor, add verible to config

* change file and folder name

* fix bug in generate rbac

* refactor aws client

* add mount volume for token

* fix package-lock.json

* add configmap for define body, add cluster role for app

* refactor k8s client

* add yaml file for deploying srvices

* add tests for testing response from auth server

* add example for github action

* add create kind cluster to pipline

* add create kind cluster to pipline

* add create kind cluster to pipline

* add create kind cluster to pipline

* ci

* fix bug in create service account flow , add tests

* add to test pods check

* change tests to eventually check

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add ci

* add greeting workflow

* add ci for create local env and run tests on it

* add branch name to ci

* add branch name to ci

* add unit test

* change check metch app , add tests to other pod controllers

* remove unuse code

* add unit test

* add status for bucket

* change findPodsController function

* rename file

* change bucket status to string, add tests

* fix system test

* change unit tests

* add unit test to readme

* add unit test to readme

* add retry for system tests

* add sleep time between tests

* add function to check operator owner on the bucket, add tests for it

* add update status function to reflact bucket status

* add tests for check status and non manage buckets

* add isBucketManagedByOperator function

* add step in github action for checking health of localstack

* change func isBucketManagedByOperator

* change func isBucketManagedByOperator

* refactor code

* fix link in readme

Co-authored-by: Niv Raviv <[email protected]>
Co-authored-by: shaimoria <[email protected]>

Author: 3 people

.github/workflows/github-actions-testing.yml

@@ -53,6 +53,14 @@ jobs:
       - name: Run make deploy system app
         run: make deploy-system-test-app
 
+      - name: wait until localstack is up
+        uses: nev7n/wait_for_response@v1
+        with:
+          url: "http://localhost:4566/localstack/_localstack/health"
+          responseCode: 200
+          timeout: 300000
+          interval: 5000
+
       - name: run system tests
         run: go test ./tests/systemTest/system_test.go -v
 

README.md

@@ -47,7 +47,7 @@ The integretion tests test the functionality of integration between deploying/up
 
 run tests:
 
-1. deploy local env -> see ([Quick-Start](##Quick-Start))
+1. deploy local env -> see ([Quick-Start](#quick-start))
 2. Run
 ```bash
     sh ./tests/integrationTests/testApp/uploadApp.sh

controllers/aws/s3-bucket.go

@@ -18,7 +18,6 @@ import (
 	"github.com/aws/aws-sdk-go/service/s3/s3manager"
 )
 
-
 func (a *AwsClient) ValidateBucketName(name string) error {
 	if len(name) > 4 && name[:4] == "xn--" {
 		return errors.New("bucket name can't start with xn--")
@@ -60,7 +59,11 @@ func (a *AwsClient) HandleBucketDeletion(bucketToDelete string) (bool, error) {
 	a.Log.Info(" Start to delete s3 bucket from aws")
 	isBucketExists, err := a.IsBucketExists(bucketToDelete)
 	if isBucketExists {
-		err := a.cleanupsBucketContent(bucketToDelete)
+		isOwner, err := a.isBucketManagedByOperator(bucketToDelete)
+		if !isOwner {
+			return false, err
+		}
+		err = a.cleanupsBucketContent(bucketToDelete)
 		if err != nil {
 			a.Log.Error(err, "err to cleanup bucket")
 			return false, err
@@ -78,13 +81,16 @@ func (a *AwsClient) HandleBucketDeletion(bucketToDelete string) (bool, error) {
 
 func (a *AwsClient) HandleBucketUpdate(bucketName string, bucketSpec *s3operatorv1.S3BucketSpec) error {
 	a.Log.V(1).Info("HandleBucketUpdate function")
-	_, err := a.updateBucketTags(bucketName, bucketSpec.Tags)
-
+	isOwner, err := a.isBucketManagedByOperator(bucketName)
+	if isOwner {
+		_, err = a.updateBucketTags(bucketName, bucketSpec.Tags)
+	} else if err == nil {
+			err = errors.New("cant update bucket that not manage by operator")
+		}
 	a.Log.Info("finish to HandleBucketUpdate")
 	return err
 }
 
-
 func (a *AwsClient) IsBucketExists(name string) (bool, error) {
 	_, err := a.s3Client.GetBucketLocation(&s3.GetBucketLocationInput{Bucket: aws.String(name)})
 	if err != nil {
@@ -158,6 +164,22 @@ func (a *AwsClient) findIfDiffTags(tagsToUpdate map[string]string, tagsFromAws [
 	a.Log.V(1).Info("returend from find diff Tags", "isDiffTags", isDiffTags, "newTags", newTags)
 	return isDiffTags, newTags
 }
+func (a *AwsClient) isBucketManagedByOperator(bucketName string) (bool, error) {
+	tagsFromAws, err := a.s3Client.GetBucketTagging(&s3.GetBucketTaggingInput{Bucket: aws.String(bucketName)})
+	if err != nil {
+		a.Log.Error(err, "error from GetBucketTagging in checkIfOwnerBucketByTag")
+		return false, err
+	}
+	defaultTag := config.DefaultTag()
+	for _, tag := range tagsFromAws.TagSet {
+		if defaultTag.GoString() == tag.GoString() {
+			return true, nil
+		}
+	}
+	a.Log.Info("bucket is not manage by the operator")
+	return false, nil
+
+}
 
 func (a *AwsClient) createBucket(bucketInput s3.CreateBucketInput) (*s3.CreateBucketOutput, error) {
 	a.Log.Info("Starting to create S3 bucket on AWS", "region", *bucketInput.CreateBucketConfiguration.LocationConstraint)
@@ -226,7 +248,8 @@ func (a *AwsClient) deleteBucket(bucketName string) (*s3.DeleteBucketOutput, err
 	res, err := a.s3Client.DeleteBucket(&s3.DeleteBucketInput{Bucket: aws.String(bucketName)})
 	return res, err
 }
-//cleanupsBucketContent function - delete all the object that inside the bucket (required for deleting bucket)
+
+// cleanupsBucketContent function - delete all the object that inside the bucket (required for deleting bucket)
 func (a *AwsClient) cleanupsBucketContent(bucketName string) error {
 	a.Log.V(1).Info("CleanupsBucket function")
 
@@ -319,4 +342,4 @@ func SetS3Client(Log *logr.Logger, ses *session.Session) *s3.S3 {
 		Log.Info(" succeded create s3Client", "client", *s3Client)
 	}
 	return s3Client
-}
+}

tests/systemTest/system_test.go

@@ -26,10 +26,12 @@ import (
 
 var s3Client *s3.S3
 var bucketName = "bucket-test-operator"
+var notManageBucketName = "not-manage-bucket-test-operator"
 var namespace = "k8s-s3-operator-system"
 var logger logr.Logger
 var k8sClient client.Client
 var s3Bucket s3operatorv1.S3Bucket
+var s3BucketNotManage s3operatorv1.S3Bucket
 var graceTime = time.Duration(7)
 var serviceAccountName = "system-test-serviceaccount"
 var appName = "system-test-app"
@@ -51,63 +53,44 @@ func TestMain(m *testing.M) {
 
 	s3Bucket = s3operatorv1.S3Bucket{ObjectMeta: metav1.ObjectMeta{Name: bucketName, Namespace: namespace},
 		Spec: s3operatorv1.S3BucketSpec{Serviceaccount: serviceAccountName, Selector: map[string]string{"app": appName}}}
+	s3BucketNotManage = s3operatorv1.S3Bucket{ObjectMeta: metav1.ObjectMeta{Name: notManageBucketName, Namespace: namespace},
+		Spec: s3operatorv1.S3BucketSpec{Serviceaccount: serviceAccountName, Selector: map[string]string{"app": appName}}}
 	var exitVal int
 	for i := 1; i <= 3; i++ { // retry to pass tests
 		logger.Info("Run system tests", "tryNumber", i)
 		exitVal = m.Run()
 		if exitVal == 0 {
 			logger.Info("pass all test", "tryNumber", i)
 			break
-		}else{
+		} else {
+			cleanup()
 			time.Sleep(graceTime * time.Second)
 		}
 	}
 	logger.Info("finish to run all tests")
-
+	cleanup()
 	os.Exit(exitVal)
 }
 
 func TestCreateBucket(t *testing.T) {
 	t.Log("start TestCreateBucket")
-	g := NewWithT(t)
-	t.Log("check bucket not exsits")
-	_, err := s3Client.GetBucketLocation(&s3.GetBucketLocationInput{Bucket: aws.String(bucketName)})
-	g.Expect(err).To(HaveOccurred())
+	checkBucketExsist(t,bucketName,false)
 
 	t.Log("create new bucket resource", "bucket_name", bucketName)
 
-	err = k8sClient.Create(context.Background(), &s3Bucket)
-	g.Expect(err).NotTo(HaveOccurred())
-	time.Sleep(graceTime * time.Second)
+	createBucketResource(t,&s3Bucket)
 
-	t.Log("check bucket exsits")
-	_, err = s3Client.GetBucketLocation(&s3.GetBucketLocationInput{Bucket: aws.String(bucketName)})
-	g.Expect(err).NotTo(HaveOccurred())
+	checkBucketExsist(t,bucketName,true)
 
 	t.Log("finish TestCreateBucket")
 
 }
 func TestBucketUpdateTag(t *testing.T) {
 	t.Log("start TestBucketUpdateTag")
-	g := NewWithT(t)
 
-	t.Log("get bucket tagging expect not to have error and the only tag is the default tag ")
-	tags, err := s3Client.GetBucketTagging(&s3.GetBucketTaggingInput{Bucket: aws.String(bucketName)})
-	g.Expect(err).NotTo(HaveOccurred())
-	t.Log("got tags from aws", tags.TagSet)
-	g.Expect(len(tags.TagSet)).Should(Equal(1))
-
-	t.Log("update bucket tags expect not to have error and to add the new tag")
-	k8sClient.Get(context.Background(), types.NamespacedName{Namespace: namespace, Name: bucketName}, &s3Bucket)
-	s3Bucket.Spec.Tags = map[string]string{"testKey": "testValue"}
-	err = k8sClient.Update(context.TODO(), &s3Bucket)
-	g.Expect(err).NotTo(HaveOccurred())
-	time.Sleep(graceTime * time.Second)
-	tags, err = s3Client.GetBucketTagging(&s3.GetBucketTaggingInput{Bucket: aws.String(bucketName)})
-	t.Log("got tags from aws", tags.TagSet)
-
-	g.Expect(err).NotTo(HaveOccurred())
-	g.Expect(len(tags.TagSet)).Should(Equal(2))
+	checkBucketTags(t,bucketName,1)
+	updateBucketTags(t,bucketName,&s3Bucket)
+	checkBucketTags(t,bucketName,2)
 
 	t.Log("finish TestBucketUpdateTag")
 
@@ -153,21 +136,103 @@ func TestDeleteBucketData(t *testing.T) {
 
 func TestDeleteBucket(t *testing.T) {
 	t.Log("start TestDeleteBucket")
+	deleteBucket(t,bucketName,&s3Bucket)
+
+	checkBucketExsist(t, bucketName, false)
+
+	t.Log("finish TestDeleteBucket")
+
+}
+func TestTryCreateBucketExsistNotManage(t *testing.T) {
+	t.Log("start TestTryCreateBucketExsistNotManage")
 	g := NewWithT(t)
 
-	t.Log("check bucket exsist expect not to have error", bucketName)
+	_,err := s3Client.CreateBucket(&s3.CreateBucketInput{Bucket: aws.String(notManageBucketName)})
+	g.Expect(err).NotTo(HaveOccurred())
+	checkBucketExsist(t, notManageBucketName, true)
+
+	createBucketResource(t,&s3BucketNotManage)
+	checkBucketStatus(t,notManageBucketName,&s3BucketNotManage,"failed")
+
+}
+func TestValidateUpdateOnlyManageBuckets(t *testing.T) {
+	t.Log("start TestValidateUpdateOnlyManageBuckets")
+	checkBucketExsist(t, notManageBucketName, true)
+	updateBucketTags(t, notManageBucketName,&s3BucketNotManage)
+	checkBucketStatus(t,notManageBucketName,&s3BucketNotManage,"failed")
+
+}
+
+func TestValidateDeleteOnlyManageBuckets(t *testing.T) {
+	t.Log("start TestValidateDeleteOnlyManageBuckets")
+	deleteBucket(t,notManageBucketName,&s3BucketNotManage)
+
+	checkBucketExsist(t, notManageBucketName, true)
+
+	t.Log("finish TestValidateDeleteOnlyManageBuckets")
+
+}
+
+func checkBucketExsist(t *testing.T, bucketName string, expectBucket bool) {
+	g := NewWithT(t)
 	_, err := s3Client.GetBucketLocation(&s3.GetBucketLocationInput{Bucket: aws.String(bucketName)})
+	if expectBucket {
+		t.Log("check bucket exsist expect not to have error", bucketName)
+		g.Expect(err).NotTo(HaveOccurred())
+	} else {
+		t.Log("check bucket exsist expect to get error", bucketName)
+		g.Expect(err).To(HaveOccurred())
+
+	}
+}
+func createBucketResource(t *testing.T,s3Bucket *s3operatorv1.S3Bucket){
+	g := NewWithT(t)
+	err := k8sClient.Create(context.Background(), s3Bucket)
+	g.Expect(err).NotTo(HaveOccurred())
+	time.Sleep(graceTime * time.Second)
+}
+func updateBucketTags(t *testing.T, bucketName string, s3Bucket *s3operatorv1.S3Bucket) {
+	g := NewWithT(t)
+	t.Log("update bucket tags expect not to have error and to add the new tag")
+	err := k8sClient.Get(context.Background(), types.NamespacedName{Namespace: namespace, Name: bucketName}, s3Bucket)
 	g.Expect(err).NotTo(HaveOccurred())
 
-	t.Log("delete bucket resource expect not to have error")
-	err = k8sClient.Delete(context.Background(), &s3Bucket)
+	s3Bucket.Spec.Tags = map[string]string{"testKey": "testValue"}
+	err = k8sClient.Update(context.TODO(), s3Bucket)
 	g.Expect(err).NotTo(HaveOccurred())
 	time.Sleep(graceTime * time.Second)
+}
 
-	t.Log("check bucket exsist expect to get error", bucketName)
-	_, err = s3Client.GetBucketLocation(&s3.GetBucketLocationInput{Bucket: aws.String(bucketName)})
-	g.Expect(err).To(HaveOccurred())
+func deleteBucket(t *testing.T, bucketName string,s3Bucket *s3operatorv1.S3Bucket){
+	g := NewWithT(t)
+	checkBucketExsist(t, bucketName, true)
 
-	t.Log("finish TestDeleteBucket")
+	t.Log("delete bucket resource expect not to have error")
+	err := k8sClient.Delete(context.Background(), s3Bucket)
+	g.Expect(err).NotTo(HaveOccurred())
+	time.Sleep(graceTime * time.Second)
+}
+func checkBucketTags(t *testing.T,bucketName string, expectedTags int){
+	g := NewWithT(t)
+	t.Log("get bucket tagging expect not to have error ")
+	tags, err := s3Client.GetBucketTagging(&s3.GetBucketTaggingInput{Bucket: aws.String(bucketName)})
+	g.Expect(err).NotTo(HaveOccurred())
+	t.Log("got tags from aws", tags.TagSet)
+	g.Expect(len(tags.TagSet)).Should(Equal(expectedTags))
+}
+func checkBucketStatus(t *testing.T, bucketName string,s3Bucket *s3operatorv1.S3Bucket, expectedSatus string){
+	g := NewWithT(t)
+	err := k8sClient.Get(context.Background(), types.NamespacedName{Namespace: namespace, Name: bucketName}, s3Bucket)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(s3Bucket.Status.Status).Should(Equal(expectedSatus))
 
 }
+func cleanup(){
+	s3Client.DeleteBucket(&s3.DeleteBucketInput{Bucket: aws.String(bucketName)})
+	s3Client.DeleteBucket(&s3.DeleteBucketInput{Bucket: aws.String(notManageBucketName)})
+
+	k8sClient.Delete(context.Background(),&s3Bucket)
+	k8sClient.Delete(context.Background(),&s3BucketNotManage)
+
+
+}