-
Notifications
You must be signed in to change notification settings - Fork 81
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
13 changed files
with
768 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,110 @@ | ||
/* | ||
Copyright 2025 MongoDB. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package v1 | ||
|
||
import ( | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
|
||
"github.com/mongodb/mongodb-atlas-kubernetes/v2/api" | ||
"github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1/status" | ||
) | ||
|
||
func init() { | ||
SchemeBuilder.Register(&AtlasIPAccessList{}, &AtlasIPAccessListList{}) | ||
} | ||
|
||
// +kubebuilder:validation:XValidation:rule="(has(self.externalProjectRef) && !has(self.projectRef)) || (!has(self.externalProjectRef) && has(self.projectRef))",message="must define only one project reference through externalProjectRef or projectRef" | ||
// +kubebuilder:validation:XValidation:rule="(has(self.externalProjectRef) && has(self.connectionSecret)) || !has(self.externalProjectRef)",message="must define a local connection secret when referencing an external project" | ||
|
||
// AtlasIPAccessListSpec defines the desired state of AtlasIPAccessList. | ||
type AtlasIPAccessListSpec struct { | ||
// ProjectReference is the dual external or kubernetes reference with access credentials | ||
ProjectDualReference `json:",inline"` | ||
// Entries is the list of IP Access to be managed | ||
// +kubebuilder:validation:Required | ||
// +kubebuilder:validation:MinItems=1 | ||
Entries []IPAccessEntry `json:"entries"` | ||
} | ||
|
||
// +kubebuilder:validation:XValidation:rule="!(has(self.ipAddress) && (has(self.cidrBlock) || has(self.awsSecurityGroup))) && !(has(self.cidrBlock) && has(self.awsSecurityGroup))",message="Only one of ipAddress, cidrBlock, or awsSecurityGroup may be set." | ||
|
||
type IPAccessEntry struct { | ||
// Entry using an IP address in this access list entry. | ||
// +optional | ||
IPAddress string `json:"ipAddress,omitempty"` | ||
// Range of IP addresses in CIDR notation in this access list entry. | ||
// +optional | ||
CIDRBlock string `json:"cidrBlock,omitempty"` | ||
// Unique identifier of AWS security group in this access list entry. | ||
// +optional | ||
AwsSecurityGroup string `json:"awsSecurityGroup,omitempty"` | ||
// Date and time after which Atlas deletes the temporary access list entry. | ||
// +kubebuilder:validation:Type=string | ||
// +kubebuilder:validation:Format=date-time | ||
// +optional | ||
DeleteAfterDate *metav1.Time `json:"deleteAfterDate,omitempty"` | ||
// Comment associated with this access list entry. | ||
// +optional | ||
Comment string `json:"comment,omitempty"` | ||
} | ||
|
||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
// +kubebuilder:object:root=true | ||
// +kubebuilder:subresource:status | ||
// +groupName:=atlas.mongodb.com | ||
// +kubebuilder:resource:categories=atlas,shortName=aial | ||
// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status` | ||
|
||
// AtlasIPAccessList is the Schema for the atlasipaccesslists API. | ||
type AtlasIPAccessList struct { | ||
metav1.TypeMeta `json:",inline"` | ||
metav1.ObjectMeta `json:"metadata,omitempty"` | ||
|
||
Spec AtlasIPAccessListSpec `json:"spec,omitempty"` | ||
Status status.AtlasIPAccessListStatus `json:"status,omitempty"` | ||
} | ||
|
||
// +kubebuilder:object:root=true | ||
|
||
// AtlasIPAccessListList contains a list of AtlasIPAccessList. | ||
type AtlasIPAccessListList struct { | ||
metav1.TypeMeta `json:",inline"` | ||
metav1.ListMeta `json:"metadata,omitempty"` | ||
Items []AtlasIPAccessList `json:"items"` | ||
} | ||
|
||
func (ial *AtlasIPAccessList) Credentials() *api.LocalObjectReference { | ||
return ial.Spec.ConnectionSecret | ||
} | ||
|
||
func (ial *AtlasIPAccessList) ProjectDualRef() *ProjectDualReference { | ||
return &ial.Spec.ProjectDualReference | ||
} | ||
|
||
func (ial *AtlasIPAccessList) GetStatus() api.Status { | ||
return ial.Status | ||
} | ||
|
||
func (ial *AtlasIPAccessList) UpdateStatus(conditions []api.Condition, options ...api.Option) { | ||
ial.Status.Conditions = conditions | ||
ial.Status.ObservedGeneration = ial.ObjectMeta.Generation | ||
|
||
for _, o := range options { | ||
v := o.(status.AtlasIPAccessListStatusOption) | ||
v(&ial.Status) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,172 @@ | ||
/* | ||
Copyright 2025 MongoDB. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package v1 | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
"github.com/stretchr/testify/require" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/apimachinery/pkg/runtime" | ||
|
||
"github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1/common" | ||
"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/pointer" | ||
"github.com/mongodb/mongodb-atlas-kubernetes/v2/test/helper/cel" | ||
) | ||
|
||
func TestIPAccessListProjectRefCELValidations(t *testing.T) { | ||
launchProjectRefCELTests( | ||
t, | ||
func(pdr *ProjectDualReference) AtlasCustomResource { | ||
pe := AtlasIPAccessList{} | ||
if pdr != nil { | ||
setDualRef(pe.ProjectDualRef(), pdr) | ||
} | ||
return &pe | ||
}, | ||
"../../config/crd/bases/atlas.mongodb.com_atlasipaccesslists.yaml", | ||
) | ||
} | ||
|
||
func TestEntryUniqueness(t *testing.T) { | ||
testCases := map[string]struct { | ||
obj AtlasCustomResource | ||
expectedErrors []string | ||
}{ | ||
"should fail if IP and CIDR are set in the same entry": { | ||
obj: &AtlasIPAccessList{ | ||
Spec: AtlasIPAccessListSpec{ | ||
ProjectDualReference: ProjectDualReference{ | ||
ProjectRef: &common.ResourceRefNamespaced{ | ||
Name: "my-project", | ||
}, | ||
}, | ||
Entries: []IPAccessEntry{ | ||
{ | ||
IPAddress: "10.0.0.1", | ||
CIDRBlock: "192.168.0.0/24", | ||
}, | ||
}, | ||
}, | ||
}, | ||
expectedErrors: []string{"spec.entries[0]: Invalid value: \"object\": Only one of ipAddress, cidrBlock, or awsSecurityGroup may be set."}, | ||
}, | ||
"should fail if IP and AWS SG are set in the same entry": { | ||
obj: &AtlasIPAccessList{ | ||
Spec: AtlasIPAccessListSpec{ | ||
ProjectDualReference: ProjectDualReference{ | ||
ProjectRef: &common.ResourceRefNamespaced{ | ||
Name: "my-project", | ||
}, | ||
}, | ||
Entries: []IPAccessEntry{ | ||
{ | ||
IPAddress: "10.0.0.1", | ||
AwsSecurityGroup: "sg-123456", | ||
}, | ||
}, | ||
}, | ||
}, | ||
expectedErrors: []string{"spec.entries[0]: Invalid value: \"object\": Only one of ipAddress, cidrBlock, or awsSecurityGroup may be set."}, | ||
}, | ||
"should fail if CIDR and AWS SG are set in the same entry": { | ||
obj: &AtlasIPAccessList{ | ||
Spec: AtlasIPAccessListSpec{ | ||
ProjectDualReference: ProjectDualReference{ | ||
ProjectRef: &common.ResourceRefNamespaced{ | ||
Name: "my-project", | ||
}, | ||
}, | ||
Entries: []IPAccessEntry{ | ||
{ | ||
CIDRBlock: "192.168.0.0/24", | ||
AwsSecurityGroup: "sg-123456", | ||
}, | ||
}, | ||
}, | ||
}, | ||
expectedErrors: []string{"spec.entries[0]: Invalid value: \"object\": Only one of ipAddress, cidrBlock, or awsSecurityGroup may be set."}, | ||
}, | ||
"should fail with multiple entries wrongly set": { | ||
obj: &AtlasIPAccessList{ | ||
Spec: AtlasIPAccessListSpec{ | ||
ProjectDualReference: ProjectDualReference{ | ||
ProjectRef: &common.ResourceRefNamespaced{ | ||
Name: "my-project", | ||
}, | ||
}, | ||
Entries: []IPAccessEntry{ | ||
{ | ||
IPAddress: "10.0.0.1", | ||
CIDRBlock: "192.168.0.0/24", | ||
}, | ||
{ | ||
CIDRBlock: "192.168.1.0/24", | ||
AwsSecurityGroup: "sg-123456", | ||
}, | ||
}, | ||
}, | ||
}, | ||
expectedErrors: []string{ | ||
"spec.entries[0]: Invalid value: \"object\": Only one of ipAddress, cidrBlock, or awsSecurityGroup may be set.", | ||
"spec.entries[1]: Invalid value: \"object\": Only one of ipAddress, cidrBlock, or awsSecurityGroup may be set.", | ||
}, | ||
}, | ||
"should pass when correctly configured": { | ||
obj: &AtlasIPAccessList{ | ||
Spec: AtlasIPAccessListSpec{ | ||
ProjectDualReference: ProjectDualReference{ | ||
ProjectRef: &common.ResourceRefNamespaced{ | ||
Name: "my-project", | ||
}, | ||
}, | ||
Entries: []IPAccessEntry{ | ||
{ | ||
IPAddress: "10.0.0.1", | ||
DeleteAfterDate: pointer.MakePtr(metav1.Now()), | ||
}, | ||
{ | ||
CIDRBlock: "192.168.0.0/24", | ||
Comment: "My Network", | ||
}, | ||
{ | ||
AwsSecurityGroup: "sg-123456", | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
} | ||
|
||
for name, tc := range testCases { | ||
t.Run(name, func(t *testing.T) { | ||
unstructuredObject, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&tc.obj) | ||
require.NoError(t, err) | ||
|
||
validator, err := cel.VersionValidatorFromFile(t, "../../config/crd/bases/atlas.mongodb.com_atlasipaccesslists.yaml", "v1") | ||
assert.NoError(t, err) | ||
errs := validator(unstructuredObject, nil) | ||
|
||
require.Equal(t, len(tc.expectedErrors), len(errs)) | ||
|
||
for i, err := range errs { | ||
assert.Equal(t, tc.expectedErrors[i], err.Error()) | ||
} | ||
}) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
/* | ||
Copyright 2024 MongoDB. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package status | ||
|
||
import ( | ||
"github.com/mongodb/mongodb-atlas-kubernetes/v2/api" | ||
) | ||
|
||
// AtlasIPAccessListStatus is the most recent observed status of the AtlasIPAccessList cluster. Read-only. | ||
type AtlasIPAccessListStatus struct { | ||
api.Common `json:",inline"` | ||
// | ||
// Status is the state of the ip access list | ||
Entries []IPAccessEntryStatus `json:"entries,omitempty"` | ||
} | ||
|
||
type IPAccessEntryStatus struct { | ||
// Entry is the ip access Atlas is managing | ||
Entry string `json:"entry"` | ||
// Status is the correspondent state of the entry | ||
Status string `json:"status"` | ||
} | ||
|
||
// +kubebuilder:object:generate=false | ||
|
||
type AtlasIPAccessListStatusOption func(s *AtlasIPAccessListStatus) | ||
|
||
func AddIPAccessListEntryStatus(entry, entryStatus string) AtlasIPAccessListStatusOption { | ||
return func(s *AtlasIPAccessListStatus) { | ||
for ix, ipEntryStatus := range s.Entries { | ||
if ipEntryStatus.Entry == entry { | ||
s.Entries[ix].Status = entryStatus | ||
|
||
return | ||
} | ||
} | ||
|
||
s.Entries = append( | ||
s.Entries, | ||
IPAccessEntryStatus{ | ||
Entry: entry, | ||
Status: entryStatus, | ||
}, | ||
) | ||
} | ||
} | ||
|
||
func RemoveIPAccessListEntryStatus(entry string) AtlasIPAccessListStatusOption { | ||
return func(s *AtlasIPAccessListStatus) { | ||
for ix, ipEntryStatus := range s.Entries { | ||
if ipEntryStatus.Entry == entry { | ||
s.Entries = append(s.Entries[:ix], s.Entries[ix+1:]...) | ||
|
||
return | ||
} | ||
} | ||
} | ||
} |
Oops, something went wrong.