Merge pull request #43 from InseeFrLab/add-hability-to-create-user
Add ability to create user
JackLemaitre authored Jun 5, 2024
2 parents 9ef45a3 + 1c752dd commit 1cd93b5
Showing 13 changed files with 1,198 additions and 26 deletions.
78 changes: 77 additions & 1 deletion README.md
Expand Up @@ -21,14 +21,16 @@ At its heart, the operator revolves around CRDs that match S3 resources :
- `buckets.s3.onyxia.sh`
- `policies.s3.onyxia.sh`
- `paths.s3.onyxia.sh`
- `users.s3.onyxia.sh`

The custom resources based on these CRDs are a somewhat simplified projection of the real S3 resources. From the operator's point of view :

- A `Bucket` CR matches a S3 bucket, and only has a name, a quota (actually two, [see Bucket example in *Usage* section below](#bucket)), and optionally, a set of paths
- A `Policy` CR matches a "canned" policy (not a bucket policy, but a global one, that can be attached to a user), and has a name, and its actual content (IAM JSON)
- A `Path` CR matches a set of paths inside of a policy. This is akin to the `paths` property of the `Bucket` CRD, except `Path` is not responsible for Bucket creation.
- A `S3User` CR matches a user in the s3 server, and has a name, a set of policy and a set of group.

Each custom resource based on these CRDs on Kubernetes is to be matched with a resource on the S3 instance. If the CR and the corresponding S3 resource diverge, the operator will create or update the S3 resource to bring it back to .
Each custom resource based on these CRDs on Kubernetes is to be matched with a resource on the S3 instance. If the CR and the corresponding S3 resource diverge, the operator will create or update the S3 resource to bring it back to.

Two important caveats :

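Review bot: the sentence ending "bring it back to." is still incomplete after this change; the removed and added lines differ only in the space before the period, so the reader is still not told what state the S3 resource is brought back to. Suggest finishing it, for example "to bring it back in line with the CR." Separately, the new `S3User` bullet says the CR has "a set of policy and a set of group", but `S3UserSpec` in this PR only defines `accessKey` and `policies`; either drop the mention of groups or mark it as not yet implemented, and fix the plurals ("a set of policies").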
Expand Down Expand Up @@ -86,7 +88,56 @@ The parameters are summarized in the table below :
| `bucket-deletion` | false | - | no | Trigger bucket deletion on the S3 backend upon CR deletion. Will fail if bucket is not empty. |
| `policy-deletion` | false | - | no | Trigger policy deletion on the S3 backend upon CR deletion |
| `path-deletion` | false | - | no | Trigger path deletion on the S3 backend upon CR deletion. Limited to deleting the `.keep` files used by the operator. |
| `s3User-deletion` | false | - | no | Trigger S3User deletion on the S3 backend upon CR deletion. |
| `override-existing-secret` | false | - | no | Update secret linked to s3User if already exist, else noop |

## Minimal rights needed to work

The Operator need at least this rights:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Effect": "Allow",
"Action": [
"admin:CreatePolicy",
"admin:GetBucketQuota",
"admin:GetPolicy",
"admin:ListPolicy",
"admin:SetBucketQuota",
"admin:CreateUser",
"admin:ListUsers",
"admin:DeleteUser",
"admin:GetUser",
"admin:AddUserToGroup",
"admin:RemoveUserFromGroup",
"admin:AttachUserOrGroupPolicy",
"admin:ListUserPolicies"

],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}

```

## Usage

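Review bot: the `override-existing-secret` row should say what is actually overwritten. If enabling it regenerates the secret key of an existing user, that is a credential rotation that breaks whatever is still using the old key, and "Update secret linked to s3User if already exist, else noop" does not make that visible; spell out the consequence so operators enable it deliberately. In the minimal-rights policy, `admin:DeleteUser` is only needed when `s3User-deletion` is enabled, and `admin:AddUserToGroup` / `admin:RemoveUserFromGroup` have no corresponding field in `S3UserSpec` in this PR, so documenting which actions belong to which flag lets a deployment that does not use those features keep the operator's own credentials at least privilege. Also there is a stray blank line inside the second `Action` array (after `"admin:ListUserPolicies"`), and "The Operator need at least this rights" should read "The operator needs at least these rights".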
Expand Down Expand Up @@ -197,6 +248,29 @@ spec:

```

### S3User example

```yaml
apiVersion: s3.onyxia.sh/v1alpha1
kind: S3User
metadata:
labels:
app.kubernetes.io/name: user
app.kubernetes.io/instance: user-sample
app.kubernetes.io/part-of: s3-operator
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/created-by: s3-operator
name: user-sample
spec:
accessKey: user-sample
policies:
- policy-example1
- policy-example2

```

Each S3user is linked to a kubernetes secret which have the same name that the S3User. The secret contains 2 keys: `accessKey` and `secretKey`.

## Operator SDK generated guidelines

<details>
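Review bot: the sentence after the example should state where the generated Secret lives (same namespace as the `S3User`?) and make explicit that anyone who can read Secrets in that namespace obtains working S3 credentials, so Kubernetes RBAC on Secrets becomes part of the trust boundary for every user the operator creates; also fix the grammar ("Each `S3User` is linked to a Kubernetes Secret with the same name as the `S3User`"). In the YAML, `accessKey: user-sample` reads as if the access key must equal the resource name; one sentence saying whether `accessKey` is the S3 username / access key ID chosen by the author of the CR, and whether it must be unique across the backend, would remove that ambiguity.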
Expand Down Expand Up @@ -276,3 +350,5 @@ make manifests
More information can be found via the [Kubebuilder Documentation](https://book.kubebuilder.io/introduction.html)

</details>


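Review bot: the two blank lines appended at the end of README.md (the `+350,5` side of this hunk) add only trailing whitespace; trim to a single newline at end of file.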
68 changes: 68 additions & 0 deletions api/v1alpha1/s3user_types.go
@@ -0,0 +1,68 @@
/*
Copyright 2023.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha1

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.

// S3UserSpec defines the desired state of S3User
type S3UserSpec struct {

// Name of the S3User
// +kubebuilder:validation:Required
AccessKey string `json:"accessKey"`

// Policies associated to the S3User
// +kubebuilder:validation:Optional
Policies []string `json:"policies,omitempty"`
}

// S3UserStatus defines the observed state of S3User
type S3UserStatus struct {
// Status management using Conditions.
// See also : https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}

//+kubebuilder:object:root=true
//+kubebuilder:subresource:status

// S3User is the Schema for the S3Users API
type S3User struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`

Spec S3UserSpec `json:"spec,omitempty"`
Status S3UserStatus `json:"status,omitempty"`
}

//+kubebuilder:object:root=true

// S3UserList contains a list of S3User
type S3UserList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []S3User `json:"items"`
}

func init() {
SchemeBuilder.Register(&S3User{}, &S3UserList{})
}
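Review bot: `AccessKey` carries the comment "Name of the S3User" while the field is the access key, and it has no format constraint; since this value is sent to the S3 backend as the identity to create, add a `// +kubebuilder:validation:Pattern` (plus `MinLength` / `MaxLength`) so the CRD rejects values the backend would refuse before the reconciler tries them, and fix the comment. The scaffold comments ("EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!") should be removed, and `Copyright 2023.` in a file introduced in this June 2024 PR looks copied from the older types files. For `Conditions`, the usual `// +listType=map` and `// +listMapKey=type` markers next to `patchStrategy:"merge" patchMergeKey:"type"` make server-side apply merge conditions by `type` instead of replacing the list.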
101 changes: 101 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

0 comments on commit 1cd93b5