Skip to content

Commit

Permalink
implement mulittenancy
Browse files Browse the repository at this point in the history
  • Loading branch information
Eneman Donatien authored and Eneman Donatien committed Aug 26, 2024
1 parent d24b8a2 commit 34b85b3
Show file tree
Hide file tree
Showing 28 changed files with 1,149 additions and 107 deletions.
2 changes: 2 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ RUN go mod download
COPY main.go main.go
COPY api/ api/
COPY controllers/ controllers/
COPY internal/ internal/


# Build
# the GOARCH has not a default value to allow the binary be built according to the host where the command
Expand Down
42 changes: 39 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ This Operator SDK based tool aims at managing S3 related resources (buckets, pol

## At a glance

- Current S3 providers : [Minio](https://github.com/InseeFrLab/s3-operator/blob/main/controllers/s3/factory/minioS3Client.go)
- Current S3 providers : [Minio](https://github.com/InseeFrLab/s3-operator/blob/main/internal/s3/factory/minioS3Client.go)
- Currently managed S3 resources : [buckets](https://github.com/InseeFrLab/s3-operator/blob/main/api/v1alpha1/bucket_types.go), [policies](https://github.com/InseeFrLab/s3-operator/blob/main/api/v1alpha1/policy_types.go)

## Compatibility
Expand All @@ -21,14 +21,16 @@ At its heart, the operator revolves around CRDs that match S3 resources :
- `buckets.s3.onyxia.sh`
- `policies.s3.onyxia.sh`
- `paths.s3.onyxia.sh`
- `users.s3.onyxia.sh`
- `s3Users.s3.onyxia.sh`
- `s3Instances.s3.onyxia.sh`

The custom resources based on these CRDs are a somewhat simplified projection of the real S3 resources. From the operator's point of view :

- A `Bucket` CR matches a S3 bucket, and only has a name, a quota (actually two, [see Bucket example in *Usage* section below](#bucket)), and optionally, a set of paths
- A `Policy` CR matches a "canned" policy (not a bucket policy, but a global one, that can be attached to a user), and has a name, and its actual content (IAM JSON)
- A `Path` CR matches a set of paths inside of a policy. This is akin to the `paths` property of the `Bucket` CRD, except `Path` is not responsible for Bucket creation.
- A `S3User` CR matches a user in the s3 server, and has a name, a set of policy and a set of group.
- A `S3Instance` CR matches a s3Instance.

Each custom resource based on these CRDs on Kubernetes is to be matched with a resource on the S3 instance. If the CR and the corresponding S3 resource diverge, the operator will create or update the S3 resource to bring it back to.

Expand Down Expand Up @@ -90,7 +92,7 @@ The parameters are summarized in the table below :
| `path-deletion` | false | - | no | Trigger path deletion on the S3 backend upon CR deletion. Limited to deleting the `.keep` files used by the operator. |
| `s3User-deletion` | false | - | no | Trigger S3User deletion on the S3 backend upon CR deletion. |
| `override-existing-secret` | false | - | no | Update secret linked to s3User if already exist, else noop |

| `s3LabelSelector` | "" | - | no | Filter resource that this instance will manage. If Empty all resource in the cluster will be manage |
## Minimal rights needed to work

The Operator need at least this rights:
Expand Down Expand Up @@ -147,6 +149,29 @@ The Operator need at least this rights:
- The same will happen if you modify a CR - the operator will adjust the S3 bucket or policy accordingly - with the notable exception that it will not delete paths for buckets.
- Upon deleting a CR, the corresponding bucket or policy will be left as is, as mentioned in the [*Description* section above](#description)

An instance of S3Operator can manage multiple S3. On each resource created you can set where to create it. To add multiple instance of S3 see S3Instance example. On each object deployed you can attach it to an existing s3Instance. If no instance is set on the resource, S3Operator will failback to default instance configured by env var.

### S3Instance example

```yaml
apiVersion: s3.onyxia.sh/v1alpha1
kind: S3Instance
metadata:
labels:
app.kubernetes.io/name: bucket
app.kubernetes.io/instance: bucket-sample
app.kubernetes.io/part-of: s3-operator
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/created-by: s3-operator
name: s3-default-instance # Name of the S3Instance
spec:
s3Provider: minio # Type of the Provider. Can be "mockedS3Provider" or "minio"
urlEndpoint: minio.example.com # URL of the Provider
secretName: minio-credentials # Name of the secret containing 2 Keys S3_ACCESS_KEY and S3_SECRET_KEY
region: us-east-1 # Region of the Provider
useSSL: true # useSSL to query the Provider
```
### Bucket example
```yaml
Expand Down Expand Up @@ -182,6 +207,10 @@ spec:
quota:
default: 10000000
# override: 20000000

# Optionnal, let empty if you have configured the default s3 else use an existing s3Instance
s3InstanceRef: "s3-default-instance"


```

Expand All @@ -202,6 +231,9 @@ spec:
# Policy name (on S3 server, as opposed to the name of the CR)
name: dummy-policy

# Optionnal, let empty if you have configured the default s3 else use an existing s3Instance
s3InstanceRef: "s3-default-instance"

# Content of the policy, as a multiline string
# This should be IAM compliant JSON - follow the guidelines of the actual
# S3 provider you're using, as sometimes only a subset is available.
Expand Down Expand Up @@ -245,6 +277,8 @@ spec:
- /home/alice
- /home/bob

# Optionnal, let empty if you have configured the default s3 else use an existing s3Instance
s3InstanceRef: "s3-default-instance"

```

Expand All @@ -266,6 +300,8 @@ spec:
policies:
- policy-example1
- policy-example2
# Optionnal, let empty if you have configured the default s3 else use an existing s3Instance
s3InstanceRef: "s3-default-instance"

```

Expand Down
6 changes: 5 additions & 1 deletion api/v1alpha1/bucket_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,14 +36,18 @@ type BucketSpec struct {
// +kubebuilder:validation:Optional
Paths []string `json:"paths,omitempty"`

// s3InstanceRef where create the bucket
// +kubebuilder:validation:Optional
S3InstanceRef string `json:"s3InstanceRef,omitempty"`

// Quota to apply to the bucket
// +kubebuilder:validation:Required
Quota Quota `json:"quota"`
}

// BucketStatus defines the observed state of Bucket
type BucketStatus struct {
// Status management using Conditions.
// Status management using Conditions.
// See also : https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
Expand Down
4 changes: 4 additions & 0 deletions api/v1alpha1/path_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,10 @@ type PathSpec struct {
// Paths (folders) to create inside the bucket
// +kubebuilder:validation:Optional
Paths []string `json:"paths,omitempty"`

// s3InstanceRef where create the Paths
// +kubebuilder:validation:Optional
S3InstanceRef string `json:"s3InstanceRef,omitempty"`
}

// PathStatus defines the observed state of Path
Expand Down
6 changes: 5 additions & 1 deletion api/v1alpha1/policy_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,11 +35,15 @@ type PolicySpec struct {
// +kubebuilder:validation:Required
// Content of the policy (IAM JSON format)
PolicyContent string `json:"policyContent"`

// s3InstanceRef where create the Policy
// +kubebuilder:validation:Optional
S3InstanceRef string `json:"s3InstanceRef,omitempty"`
}

// PolicyStatus defines the observed state of Policy
type PolicyStatus struct {
// Status management using Conditions.
// Status management using Conditions.
// See also : https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
Expand Down
84 changes: 84 additions & 0 deletions api/v1alpha1/s3instance_types.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
/*
Copyright 2023.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha1

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.

// S3InstanceSpec defines the desired state of S3Instance
type S3InstanceSpec struct {

// type of the S3Instance
// +kubebuilder:validation:Required
S3Provider string `json:"s3Provider"`

// url of the S3Instance
// +kubebuilder:validation:Required
UrlEndpoint string `json:"urlEndpoint"`

// SecretName associated to the S3Instance containing accessKey and secretKey
// +kubebuilder:validation:Required
SecretName string `json:"secretName"`

// region associated to the S3Instance
// +kubebuilder:validation:Required
Region string `json:"region"`

// useSSL when connecting to the S3Instance
// +kubebuilder:validation:Optional
UseSSL bool `json:"useSSL,omitempty"`

// CaCertificatesBase64 associated to the S3InstanceUrl
// +kubebuilder:validation:Optional
CaCertificatesBase64 []string `json:"caCertificateBase64,omitempty"`
}

// S3InstanceStatus defines the observed state of S3Instance
type S3InstanceStatus struct {
// Status management using Conditions.
// See also : https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}

//+kubebuilder:object:root=true
//+kubebuilder:subresource:status

// S3Instance is the Schema for the S3Instances API
type S3Instance struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`

Spec S3InstanceSpec `json:"spec,omitempty"`
Status S3InstanceStatus `json:"status,omitempty"`
}

//+kubebuilder:object:root=true

// S3InstanceList contains a list of S3Instance
type S3InstanceList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []S3Instance `json:"items"`
}

func init() {
SchemeBuilder.Register(&S3Instance{}, &S3InstanceList{})
}
4 changes: 4 additions & 0 deletions api/v1alpha1/s3user_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,10 @@ type S3UserSpec struct {
// SecretName associated to the S3User
// +kubebuilder:validation:Optional
SecretName string `json:"secretName"`

// s3InstanceRef where create the user
// +kubebuilder:validation:Optional
S3InstanceRef string `json:"s3InstanceRef,omitempty"`
}

// S3UserStatus defines the observed state of S3User
Expand Down
103 changes: 102 additions & 1 deletion api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions config/crd/bases/s3.onyxia.sh_buckets.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,9 @@ spec:
required:
- default
type: object
s3InstanceRef:
description: s3InstanceRef where create the bucket
type: string
required:
- name
- quota
Expand Down
3 changes: 3 additions & 0 deletions config/crd/bases/s3.onyxia.sh_paths.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,9 @@ spec:
items:
type: string
type: array
s3InstanceRef:
description: s3InstanceRef where create the Paths
type: string
required:
- bucketName
type: object
Expand Down
Loading

0 comments on commit 34b85b3

Please sign in to comment.