WIP: new APILifecycle CRD

config/crds/apis.kcp.io_apilifecycles.yaml

@@ -0,0 +1,192 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.10.0
+ creationTimestamp: null
+ name: apilifecycles.apis.kcp.io
+spec:
+ group: apis.kcp.io
+ names:
+ categories:
+ - kcp
+ kind: APILifecycle
+ listKind: APILifecycleList
+ plural: apilifecycles
+ singular: apilifecycle
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: APILifecycle
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec holds the desired state.
+ properties:
+ hooks:
+ description: hooks hold all possible lifecycle hooks
+ properties:
+ bind:
+ description: bind is invoked when a binding is created and updated
+ properties:
+ url:
+ description: url where the hook is located
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ permissionClaims:
+ description: permissionClaims records decisions about permission claims
+ requested by the API service provider. Individual claims can be
+ accepted or rejected. If accepted, the API service provider gets
+ the requested access to the specified resources in this workspace.
+ Access is granted per GroupResource, identity, and other properties.
+ items:
+ description: PermissionClaim identifies an object by GR and identity
+ hash. Its purpose is to determine the added permissions that a
+ service provider may request and that a consumer may accept and
+ allow the service provider access to.
+ properties:
+ all:
+ description: all claims all resources for the given group/resource.
+ This is mutually exclusive with resourceSelector.
+ type: boolean
+ group:
+ description: group is the name of an API group. For core groups
+ this is the empty string '""'.
+ pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$
+ type: string
+ identityHash:
+ description: This is the identity for a given APIExport that
+ the APIResourceSchema belongs to. The hash can be found on
+ APIExport and APIResourceSchema's status. It will be empty
+ for core types. Note that one must look this up for a particular
+ KCP instance.
+ type: string
+ resource:
+ description: 'resource is the name of the resource. Note: it
+ is worth noting that you can not ask for permissions for resource
+ provided by a CRD not provided by an api export.'
+ pattern: ^[a-z][-a-z0-9]*[a-z0-9]$
+ type: string
+ resourceSelector:
+ description: resourceSelector is a list of claimed resource
+ selectors.
+ items:
+ properties:
+ name:
+ description: name of an object within a claimed group/resource.
+ It matches the metadata.name field of the underlying
+ object. If namespace is unset, all objects matching
+ that name will be claimed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^([a-z0-9][-a-z0-9_.]*)?[a-z0-9]$
+ type: string
+ namespace:
+ description: namespace containing the named object. Matches
+ metadata.namespace field. If "name" is unset, all objects
+ from the namespace are being claimed.
+ minLength: 1
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: at least one field must be set
+ rule: has(self.__namespace__) || has(self.name)
+ type: array
+ required:
+ - resource
+ type: object
+ x-kubernetes-validations:
+ - message: either "all" or "resourceSelector" must be set
+ rule: (has(self.all) && self.all) != (has(self.resourceSelector)
+ && size(self.resourceSelector) > 0)
+ - message: logicalclusters cannot be claimed
+ rule: '!has(self.group) || self.group != "core.kcp.io" || self.resource
+ != "logicalclusters" || (has(self.identityHash) && self.identityHash
+ != "")'
+ type: array
+ reference:
+ description: reference uniquely identifies an APIExport
+ type: string
+ x-kubernetes-validations:
+ - message: APIExport reference must not be changed
+ rule: self == oldSelf
+ required:
+ - hooks
+ - reference
+ type: object
+ status:
+ description: Status communicates the observed state.
+ properties:
+ conditions:
+ description: conditions is a list of conditions that apply to the
+ APIBinding.
+ items:
+ description: Condition defines an observation of a object operational
+ state.
+ properties:
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another. This should be when the underlying condition changed.
+ If that is not known, then using the time when the API field
+ changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: A human readable message indicating details about
+ the transition. This field may be empty.
+ type: string
+ reason:
+ description: The reason for the condition's last transition
+ in CamelCase. The specific API may choose whether or not this
+ field is considered a guaranteed API. This field may not be
+ empty.
+ type: string
+ severity:
+ description: Severity provides an explicit classification of
+ Reason code, so the users or machines can immediately understand
+ the current situation and act accordingly. The Severity field
+ MUST be set only when Status=False.
+ type: string
+ status:
+ description: Status of the condition, one of True, False, Unknown.
+ type: string
+ type:
+ description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+ Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important.
+ type: string
+ required:
+ - lastTransitionTime
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}

config/system-crds/bootstrap.go

@@ -52,6 +52,7 @@ func Bootstrap(ctx context.Context, crdClient apiextensionsclient.Interface, dis
  crds := []metav1.GroupResource{
  {Group: apis.GroupName, Resource: "apiexports"},
  {Group: apis.GroupName, Resource: "apibindings"},
+ {Group: apis.GroupName, Resource: "apilifecycles"},
  {Group: apis.GroupName, Resource: "apiresourceschemas"},
  {Group: apis.GroupName, Resource: "apiexportendpointslices"},
  {Group: core.GroupName, Resource: "logicalclusters"},

pkg/apis/apis/v1alpha1/register.go

@@ -59,6 +59,9 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 
  &APIConversion{},
  &APIConversionList{},
+
+ &APILifecycle{},
+ &APILifecycleList{},
  )
  metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
  return nil

pkg/apis/apis/v1alpha1/types_apilifecycle.go

@@ -0,0 +1,116 @@
+/*
+Copyright 2022 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ conditionsv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/third_party/conditions/apis/conditions/v1alpha1"
+)
+
+// APILifecycle
+//
+// +crd
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster,categories=kcp
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+type APILifecycle struct {
+ metav1.TypeMeta `json:",inline"`
+ // +optional
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec holds the desired state.
+ // +required
+ // +kubebuilder:validation:Required
+ Spec APILifecycleSpec `json:"spec,omitempty"`
+
+ // Status communicates the observed state.
+ // +optional
+ Status APILifecycleStatus `json:"status,omitempty"`
+}
+
+func (in *APILifecycle) GetConditions() conditionsv1alpha1.Conditions {
+ return in.Status.Conditions
+}
+
+func (in *APILifecycle) SetConditions(conditions conditionsv1alpha1.Conditions) {
+ in.Status.Conditions = conditions
+}
+
+// APILifecycleSpec records the APIs and implementations that are to be bound.
+type APILifecycleSpec struct {
+ // reference uniquely identifies an APIExport
+ //
+ // +required
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="APIExport reference must not be changed"
+ Reference string `json:"reference"`
+
+ // hooks hold all possible lifecycle hooks
+ //
+ // +required
+ // +kubebuilder:validation:Required
+ Hooks APILifecycleHooks `json:"hooks"`
+
+ // permissionClaims records decisions about permission claims requested by the API service provider.
+ // Individual claims can be accepted or rejected. If accepted, the API service provider gets the
+ // requested access to the specified resources in this workspace. Access is granted per
+ // GroupResource, identity, and other properties.
+ //
+ // +optional
+ PermissionClaims []PermissionClaim `json:"permissionClaims,omitempty"`
+}
+
+// APILifecycleHooks defines the lifecycle hooks
+type APILifecycleHooks struct {
+ // bind is invoked when a binding is created and updated
+ // +optional
+ Bind *APILifecycleHook `json:"bind"`
+}
+
+type APILifecycleHook struct {
+ // url where the hook is located
+ URL string `json:"url"`
+}
+
+// APIBindingStatus records which schemas are bound.
+type APILifecycleStatus struct {
+
+ // conditions is a list of conditions that apply to the APIBinding.
+ //
+ // +optional
+ Conditions conditionsv1alpha1.Conditions `json:"conditions,omitempty"`
+}
+
+// These are valid conditions of APIBinding.
+const (
+ // APILifecycleValid is a condition for APIBinding that reflects the validity of the referenced APIExport.
+ APILifecycleValid conditionsv1alpha1.ConditionType = "APIExportValid"
+)
+
+// APILifecyleList is a list of APIBinding resources
+//
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type APILifecycleList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata"`
+
+ Items []APILifecycle `json:"items"`
+}