private endpoint custom resource API (#1879)
helderjs authored Nov 8, 2024
1 parent fdf8f34 commit f7f210d
Showing 17 changed files with 982 additions and 7 deletions.
9 changes: 9 additions & 0 deletions PROJECT
Expand Up @@ -95,4 +95,13 @@ resources:
kind: AtlasSearchIndexConfigs
path: github.com/mongodb/mongodb-atlas-kubernetes/api/v1
version: v1
- api:
crdVersion: v1
namespaced: true
controller: true
domain: mongodb.com
group: atlas
kind: AtlasPrivateEndpoint
path: github.com/mongodb/mongodb-atlas-kubernetes/api/v1
version: v1
version: "3"
310 changes: 310 additions & 0 deletions config/crd/bases/atlas.mongodb.com_atlasprivateendpoints.yaml
@@ -0,0 +1,310 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: atlasprivateendpoints.atlas.mongodb.com
spec:
group: atlas.mongodb.com
names:
categories:
- atlas
kind: AtlasPrivateEndpoint
listKind: AtlasPrivateEndpointList
plural: atlasprivateendpoints
shortNames:
- pe
singular: atlasprivateendpoint
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.provider
name: Provider
type: string
- jsonPath: .spec.region
name: Region
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
name: v1
schema:
openAPIV3Schema:
description: |-
The AtlasPrivateEndpoint custom resource definition (CRD) defines a desired [Private Endpoint](https://www.mongodb.com/docs/atlas/security-private-endpoint/#std-label-private-endpoint-overview) configuration for an Atlas project.
It allows a private connection between your cloud provider and Atlas that doesn't send information through a public network.
You can use private endpoints to create a unidirectional connection to Atlas clusters from your virtual network.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: AtlasPrivateEndpointSpec is the specification of the desired
configuration of a project private endpoint
properties:
awsConfiguration:
description: AWSConfiguration is the specific AWS settings for the
private endpoint
items:
description: AWSPrivateEndpointConfiguration holds the AWS configuration
done on customer network
properties:
id:
description: ID that identifies the private endpoint's network
interface that someone added to this private endpoint service.
type: string
required:
- id
type: object
type: array
azureConfiguration:
description: AzureConfiguration is the specific Azure settings for
the private endpoint
items:
description: AzurePrivateEndpointConfiguration holds the Azure configuration
done on customer network
properties:
id:
description: ID that identifies the private endpoint's network
interface that someone added to this private endpoint service.
type: string
ipAddress:
description: IP address of the private endpoint in your Azure
VNet that someone added to this private endpoint service.
type: string
required:
- id
- ipAddress
type: object
type: array
connectionSecret:
description: LocalObjectReference is a reference to an object in the
same namespace as the referent
properties:
name:
description: |-
Name of the resource being referred to
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
externalProjectRef:
description: ExternalProject holds the Atlas project ID the user belongs
to
properties:
id:
description: ID is the Atlas project ID
type: string
required:
- id
type: object
gcpConfiguration:
description: GCPConfiguration is the specific Google Cloud settings
for the private endpoint
items:
description: GCPPrivateEndpointConfiguration holds the GCP configuration
done on customer network
properties:
endpoints:
description: Endpoints is the list of individual private endpoints
that comprise this endpoint group.
items:
description: GCPPrivateEndpoint holds the GCP forwarding rules
configured on customer network
properties:
ipAddress:
description: IP address to which this Google Cloud consumer
forwarding rule resolves.
type: string
name:
description: Name that identifies the Google Cloud consumer
forwarding rule that you created.
type: string
required:
- ipAddress
- name
type: object
type: array
groupName:
description: GroupName is the label that identifies a set of
endpoints.
type: string
projectId:
description: ProjectID that identifies the Google Cloud project
in which you created the endpoints.
type: string
required:
- endpoints
- groupName
- projectId
type: object
type: array
projectRef:
description: Project is a reference to AtlasProject resource the user
belongs to
properties:
name:
description: Name is the name of the Kubernetes Resource
type: string
namespace:
description: Namespace is the namespace of the Kubernetes Resource
type: string
required:
- name
type: object
provider:
description: Name of the cloud service provider for which you want
to create the private endpoint service.
enum:
- AWS
- GCP
- AZURE
type: string
region:
description: Region of the chosen cloud provider in which you want
to create the private endpoint service.
type: string
required:
- provider
- region
type: object
x-kubernetes-validations:
- message: must define only one project reference through externalProjectRef
or projectRef
rule: (has(self.externalProjectRef) && !has(self.projectRef)) || (!has(self.externalProjectRef)
&& has(self.projectRef))
- message: must define a local connection secret when referencing an external
project
rule: (has(self.externalProjectRef) && has(self.connectionSecret)) ||
!has(self.externalProjectRef)
status:
description: AtlasPrivateEndpointStatus is the most recent observed status
of the AtlasPrivateEndpoint cluster. Read-only.
properties:
conditions:
description: Conditions is the list of statuses showing the current
state of the Atlas Custom Resource
items:
description: Condition describes the state of an Atlas Custom Resource
at a certain point.
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of Atlas Custom Resource condition.
type: string
required:
- status
- type
type: object
type: array
endpoints:
description: Endpoints are the status of the endpoints connected to
the service
items:
description: EndpointInterfaceStatus is the most recent observed
status the interfaces attached to the configured service. Read-only.
properties:
ID:
description: ID is the external identifier set on the specification
to configure the interface
type: string
InterfaceStatus:
description: InterfaceStatus is the state of the private endpoint
interface
type: string
connectionName:
description: ConnectionName is the label that Atlas generates
that identifies the Azure private endpoint connection
type: string
error:
description: Error is the description of the failure occurred
when configuring the private endpoint
type: string
gcpForwardingRules:
description: GCPForwardingRules is the status of the customer
GCP private endpoint(forwarding rules)
items:
description: GCPForwardingRule is the most recent observed
status the GCP forwarding rules configured for an interface.
Read-only.
properties:
name:
type: string
status:
type: string
type: object
type: array
type: object
type: array
error:
description: Error is the description of the failure occurred when
configuring the private endpoint
type: string
observedGeneration:
description: |-
ObservedGeneration indicates the generation of the resource specification that the Atlas Operator is aware of.
The Atlas Operator updates this field to the 'metadata.generation' as soon as it starts reconciliation of the resource.
format: int64
type: integer
resourceId:
description: ResourceID is the root-relative path that identifies
of the Atlas Azure Private Link Service
type: string
serviceAttachmentNames:
description: ServiceAttachmentNames is the list of URLs that identifies
endpoints that Atlas can use to access one service across the private
connection
items:
type: string
type: array
serviceId:
description: ServiceID is the unique identifier of the private endpoint
service in Atlas
type: string
serviceName:
description: ServiceName is the unique identifier of the Amazon Web
Services (AWS) PrivateLink endpoint service or Azure Private Link
Service managed by Atlas
type: string
serviceStatus:
description: ServiceStatus is the state of the private endpoint service
type: string
required:
- conditions
type: object
type: object
served: true
storage: true
subresources:
status: {}
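Review bot: The spec accepts `awsConfiguration`, `azureConfiguration` and `gcpConfiguration` independently of `provider`, so an object with `provider: AWS` plus an `azureConfiguration` list passes admission and what the controller does with the mismatch is decided outside this diff. The existing `x-kubernetes-validations` block already shows the pattern; a third rule tying the configuration list to the selected provider rejects such objects at the apiserver instead of at reconcile time. Because this file carries the `controller-gen` annotation, the rule belongs on the Go spec type as a `+kubebuilder:validation:XValidation` marker and the YAML is regenerated, otherwise the next `make manifests` drops it. Separately, the `ipAddress` fields are unconstrained strings — `format: ipv4` would reject non-addresses before they reach the cloud API — and the status keys `ID` and `InterfaceStatus` break the camelCase convention of the sibling `connectionName`/`error` keys, which points at the json tags on the status struct.
```yaml
x-kubernetes-validations:
  # … unchanged: existing externalProjectRef / projectRef / connectionSecret rules …
  - message: cloud-specific configuration must match the selected provider
    rule: >-
      (self.provider == 'AWS' && !has(self.azureConfiguration) && !has(self.gcpConfiguration)) ||
      (self.provider == 'AZURE' && !has(self.awsConfiguration) && !has(self.gcpConfiguration)) ||
      (self.provider == 'GCP' && !has(self.awsConfiguration) && !has(self.azureConfiguration))
```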
1 change: 1 addition & 0 deletions config/crd/kustomization.yaml
Expand Up @@ -14,5 +14,6 @@ resources:
- bases/atlas.mongodb.com_atlasstreamconnections.yaml
- bases/atlas.mongodb.com_atlassearchindexconfigs.yaml
- bases/atlas.mongodb.com_atlasbackupcompliancepolicies.yaml
- bases/atlas.mongodb.com_atlasprivateendpoints.yaml
configurations:
- kustomizeconfig.yaml
8 changes: 8 additions & 0 deletions config/crd/patches/cainjection_in_atlasprivateendpoints.yaml
@@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: atlasprivateendpoints.atlas.mongodb.com
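Review bot: The patch declares `apiVersion: apiextensions.k8s.io/v1beta1`, which was removed from the apiserver in Kubernetes 1.22, while the CRD it targets in this same commit is `apiextensions.k8s.io/v1`; if the patch is ever listed in the kustomization (the hunk shown does not list it), kustomize may not match the target and the apiserver will reject a v1beta1 object in any case. Change the first line to `apiVersion: apiextensions.k8s.io/v1`, and the `# CRD conversion requires k8s 1.13 or later.` comment can go with it, since that floor is far below what v1 already requires. This looks like untouched kubebuilder scaffolding; if the project does not use cert-manager CA injection for this CRD, deleting the file is better than shipping a dead patch that a future contributor may enable as-is.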
17 changes: 17 additions & 0 deletions config/crd/patches/webhook_in_atlasprivateendpoints.yaml
@@ -0,0 +1,17 @@
# The following patch enables conversion webhook for CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: atlasprivateendpoints.atlas.mongodb.com
spec:
conversion:
strategy: Webhook
webhookClientConfig:
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
caBundle: Cg==
service:
namespace: system
name: webhook-service
path: /convert
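Review bot: The conversion patch uses the `v1beta1` layout (`spec.conversion.webhookClientConfig`) that `apiextensions.k8s.io/v1` does not accept; v1 nests the client config under `spec.conversion.webhook.clientConfig` and requires `conversionReviewVersions`. The CRD added in this commit serves a single `v1` version with `storage: true`, so no conversion is needed yet and this patch is dead scaffolding until a second version exists — either drop it or rewrite it in the v1 form now so it is correct the day it is enabled. The `caBundle: Cg==` placeholder is acceptable only while cert-manager injection actually overwrites it: with a `\n` CA the apiserver cannot verify the webhook certificate and conversions fail closed, which is the safe failure mode but surfaces as opaque errors, so the comment above it should say that explicitly.
```yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: atlasprivateendpoints.atlas.mongodb.com
spec:
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions: ["v1"]
      clientConfig:
        # placeholder; must be replaced by cert-manager injection (or a patch) before use,
        # otherwise the apiserver rejects the webhook's certificate and conversions fail closed
        caBundle: Cg==
        service:
          namespace: system
          name: webhook-service
          path: /convert
```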
24 changes: 24 additions & 0 deletions config/rbac/atlasprivateendpoint_editor_role.yaml
@@ -0,0 +1,24 @@
# permissions for end users to edit atlasprivateendpoints.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: atlasprivateendpoint-editor-role
rules:
- apiGroups:
- atlas.mongodb.com
resources:
- atlasprivateendpoints
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- atlas.mongodb.com
resources:
- atlasprivateendpoints/status
verbs:
- get
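Review bot: This is a `ClusterRole` granting `create`, `delete`, `patch` and `update` on `atlasprivateendpoints`, and the header comment does not say how it is meant to be bound; through a `ClusterRoleBinding` it lets a subject manage private endpoints in every namespace, and the new CRD's `projectRef.namespace` field means such an object can point at an AtlasProject in another namespace (whether the controller restricts that is outside this diff). Extend the header, e.g. `# Bind with a namespaced RoleBinding; a ClusterRoleBinding grants private endpoint management across all namespaces.` The controller is also not in this diff, but if deleting the resource removes the Atlas-side private endpoint service, `delete` here is effectively a network-path change and worth naming in the same comment so the role is not handed out as a routine "editor" grant.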