-
Notifications
You must be signed in to change notification settings - Fork 377
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ WIP: new APILifecycle CRD #2857
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,192 @@ | ||
--- | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.10.0 | ||
creationTimestamp: null | ||
name: apilifecycles.apis.kcp.io | ||
spec: | ||
group: apis.kcp.io | ||
names: | ||
categories: | ||
- kcp | ||
kind: APILifecycle | ||
listKind: APILifecycleList | ||
plural: apilifecycles | ||
singular: apilifecycle | ||
scope: Cluster | ||
versions: | ||
- additionalPrinterColumns: | ||
- jsonPath: .metadata.creationTimestamp | ||
name: Age | ||
type: date | ||
name: v1alpha1 | ||
schema: | ||
openAPIV3Schema: | ||
description: APILifecycle | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation | ||
of an object. Servers should convert recognized schemas to the latest | ||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this | ||
object represents. Servers may infer this from the endpoint the client | ||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
description: Spec holds the desired state. | ||
properties: | ||
hooks: | ||
description: hooks hold all possible lifecycle hooks | ||
properties: | ||
bind: | ||
description: bind is invoked when a binding is created and updated | ||
properties: | ||
url: | ||
description: url where the hook is located | ||
type: string | ||
required: | ||
- url | ||
type: object | ||
type: object | ||
permissionClaims: | ||
description: permissionClaims records decisions about permission claims | ||
requested by the API service provider. Individual claims can be | ||
accepted or rejected. If accepted, the API service provider gets | ||
the requested access to the specified resources in this workspace. | ||
Access is granted per GroupResource, identity, and other properties. | ||
items: | ||
description: PermissionClaim identifies an object by GR and identity | ||
hash. Its purpose is to determine the added permissions that a | ||
service provider may request and that a consumer may accept and | ||
allow the service provider access to. | ||
properties: | ||
all: | ||
description: all claims all resources for the given group/resource. | ||
This is mutually exclusive with resourceSelector. | ||
type: boolean | ||
group: | ||
description: group is the name of an API group. For core groups | ||
this is the empty string '""'. | ||
pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$ | ||
type: string | ||
identityHash: | ||
description: This is the identity for a given APIExport that | ||
the APIResourceSchema belongs to. The hash can be found on | ||
APIExport and APIResourceSchema's status. It will be empty | ||
for core types. Note that one must look this up for a particular | ||
KCP instance. | ||
type: string | ||
resource: | ||
description: 'resource is the name of the resource. Note: it | ||
is worth noting that you can not ask for permissions for resource | ||
provided by a CRD not provided by an api export.' | ||
pattern: ^[a-z][-a-z0-9]*[a-z0-9]$ | ||
type: string | ||
resourceSelector: | ||
description: resourceSelector is a list of claimed resource | ||
selectors. | ||
items: | ||
properties: | ||
name: | ||
description: name of an object within a claimed group/resource. | ||
It matches the metadata.name field of the underlying | ||
object. If namespace is unset, all objects matching | ||
that name will be claimed. | ||
maxLength: 253 | ||
minLength: 1 | ||
pattern: ^([a-z0-9][-a-z0-9_.]*)?[a-z0-9]$ | ||
type: string | ||
namespace: | ||
description: namespace containing the named object. Matches | ||
metadata.namespace field. If "name" is unset, all objects | ||
from the namespace are being claimed. | ||
minLength: 1 | ||
type: string | ||
type: object | ||
x-kubernetes-validations: | ||
- message: at least one field must be set | ||
rule: has(self.__namespace__) || has(self.name) | ||
type: array | ||
required: | ||
- resource | ||
type: object | ||
x-kubernetes-validations: | ||
- message: either "all" or "resourceSelector" must be set | ||
rule: (has(self.all) && self.all) != (has(self.resourceSelector) | ||
&& size(self.resourceSelector) > 0) | ||
- message: logicalclusters cannot be claimed | ||
rule: '!has(self.group) || self.group != "core.kcp.io" || self.resource | ||
!= "logicalclusters" || (has(self.identityHash) && self.identityHash | ||
!= "")' | ||
type: array | ||
reference: | ||
description: reference uniquely identifies an APIExport | ||
type: string | ||
x-kubernetes-validations: | ||
- message: APIExport reference must not be changed | ||
rule: self == oldSelf | ||
required: | ||
- hooks | ||
- reference | ||
type: object | ||
status: | ||
description: Status communicates the observed state. | ||
properties: | ||
conditions: | ||
description: conditions is a list of conditions that apply to the | ||
APIBinding. | ||
items: | ||
description: Condition defines an observation of a object operational | ||
state. | ||
properties: | ||
lastTransitionTime: | ||
description: Last time the condition transitioned from one status | ||
to another. This should be when the underlying condition changed. | ||
If that is not known, then using the time when the API field | ||
changed is acceptable. | ||
format: date-time | ||
type: string | ||
message: | ||
description: A human readable message indicating details about | ||
the transition. This field may be empty. | ||
type: string | ||
reason: | ||
description: The reason for the condition's last transition | ||
in CamelCase. The specific API may choose whether or not this | ||
field is considered a guaranteed API. This field may not be | ||
empty. | ||
type: string | ||
severity: | ||
description: Severity provides an explicit classification of | ||
Reason code, so the users or machines can immediately understand | ||
the current situation and act accordingly. The Severity field | ||
MUST be set only when Status=False. | ||
type: string | ||
status: | ||
description: Status of the condition, one of True, False, Unknown. | ||
type: string | ||
type: | ||
description: Type of condition in CamelCase or in foo.example.com/CamelCase. | ||
Many .condition.type values are consistent across resources | ||
like Available, but because arbitrary conditions can be useful | ||
(see .node.status.conditions), the ability to deconflict is | ||
important. | ||
type: string | ||
required: | ||
- lastTransitionTime | ||
- status | ||
- type | ||
type: object | ||
type: array | ||
type: object | ||
type: object | ||
served: true | ||
storage: true | ||
subresources: | ||
status: {} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
/* | ||
Copyright 2022 The KCP Authors. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package v1alpha1 | ||
|
||
import ( | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
|
||
conditionsv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/third_party/conditions/apis/conditions/v1alpha1" | ||
) | ||
|
||
// APILifecycle | ||
// | ||
// +crd | ||
// +genclient | ||
// +genclient:nonNamespaced | ||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
// +kubebuilder:subresource:status | ||
// +kubebuilder:resource:scope=Cluster,categories=kcp | ||
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" | ||
type APILifecycle struct { | ||
metav1.TypeMeta `json:",inline"` | ||
// +optional | ||
metav1.ObjectMeta `json:"metadata,omitempty"` | ||
|
||
// Spec holds the desired state. | ||
// +required | ||
// +kubebuilder:validation:Required | ||
Spec APILifecycleSpec `json:"spec,omitempty"` | ||
|
||
// Status communicates the observed state. | ||
// +optional | ||
Status APILifecycleStatus `json:"status,omitempty"` | ||
} | ||
|
||
func (in *APILifecycle) GetConditions() conditionsv1alpha1.Conditions { | ||
return in.Status.Conditions | ||
} | ||
|
||
func (in *APILifecycle) SetConditions(conditions conditionsv1alpha1.Conditions) { | ||
in.Status.Conditions = conditions | ||
} | ||
|
||
// APILifecycleSpec records the APIs and implementations that are to be bound. | ||
type APILifecycleSpec struct { | ||
// reference uniquely identifies an APIExport | ||
// | ||
// +required | ||
// +kubebuilder:validation:Required | ||
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="APIExport reference must not be changed" | ||
Reference string `json:"reference"` | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. what is a reference? By what? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. looking at https://github.com/kcp-dev/kcp/pull/2857/files#diff-8974af955051bac46bc873a4f200e0bb99601d12b165ae055fe0d6f287d12d8dR102 this indicates being the APIExport name; shoudn't this be the export hash instead? I believe we have prior art referencing API exports in kcp that could be reused here. |
||
|
||
// hooks hold all possible lifecycle hooks | ||
// | ||
// +required | ||
// +kubebuilder:validation:Required | ||
Hooks APILifecycleHooks `json:"hooks"` | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. what are these hooks in the future? Am hesitant to want a (core) API to go in without a clear plan where it is heading. |
||
|
||
// permissionClaims records decisions about permission claims requested by the API service provider. | ||
// Individual claims can be accepted or rejected. If accepted, the API service provider gets the | ||
// requested access to the specified resources in this workspace. Access is granted per | ||
// GroupResource, identity, and other properties. | ||
// | ||
// +optional | ||
PermissionClaims []PermissionClaim `json:"permissionClaims,omitempty"` | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Where are these coming from? How do they interact with the |
||
} | ||
|
||
// APILifecycleHooks defines the lifecycle hooks | ||
type APILifecycleHooks struct { | ||
// bind is invoked when a binding is created and updated | ||
// +optional | ||
Bind *APILifecycleHook `json:"bind"` | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. what does "when" mean exactly? |
||
} | ||
|
||
type APILifecycleHook struct { | ||
// url where the hook is located | ||
URL string `json:"url"` | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. what is this URL ? a webhook? manifests? What's the payload on post? What does it return? |
||
} | ||
|
||
// APIBindingStatus records which schemas are bound. | ||
type APILifecycleStatus struct { | ||
|
||
// conditions is a list of conditions that apply to the APIBinding. | ||
// | ||
// +optional | ||
Conditions conditionsv1alpha1.Conditions `json:"conditions,omitempty"` | ||
} | ||
|
||
// These are valid conditions of APIBinding. | ||
const ( | ||
// APILifecycleValid is a condition for APIBinding that reflects the validity of the referenced APIExport. | ||
APILifecycleValid conditionsv1alpha1.ConditionType = "APIExportValid" | ||
) | ||
|
||
// APILifecyleList is a list of APIBinding resources | ||
// | ||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
type APILifecycleList struct { | ||
metav1.TypeMeta `json:",inline"` | ||
metav1.ListMeta `json:"metadata"` | ||
|
||
Items []APILifecycle `json:"items"` | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this needs much more explanation. It's maybe the most important part of the PR.