BUILD-284: Integrate Shared Resources Operator with Cluster Storage

Operator

Co-authored-by: Adam Kaplan <adam.kaplan@redhat.com>
Co-authored-by: Gabe Montero <gmontero@redhat.com>

Makefile

@@ -32,6 +32,7 @@ $(call add-crd-gen,imageregistry,./imageregistry/v1,./imageregistry/v1,./imagere
 $(call add-crd-gen,operator,./operator/v1,./operator/v1,./operator/v1)
 $(call add-crd-gen,operator-alpha,./operator/v1alpha1,./operator/v1alpha1,./operator/v1alpha1)
 $(call add-crd-gen,operatoringress,./operatoringress/v1,./operatoringress/v1,./operatoringress/v1)
+$(call add-crd-gen,sharedresource,./sharedresource/v1alpha1,./sharedresource/v1alpha1,./sharedresource/v1alpha1)
 $(call add-crd-gen,quota,./quota/v1,./quota/v1,./quota/v1)
 $(call add-crd-gen,samples,./samples/v1,./samples/v1,./samples/v1)
 $(call add-crd-gen,security,./security/v1,./security/v1,./security/v1)

hack/lib/init.sh

@@ -31,6 +31,7 @@ operatorcontrolplane/v1alpha1 \
 operatoringress/v1 \
 operator/v1alpha1 \
 project/v1 \
+sharedresource/v1alpha1 \
 quota/v1 \
 route/v1 \
 samples/v1 \

hack/update-deepcopy.sh

@@ -10,7 +10,7 @@ verify="${VERIFY:-}"
 GOFLAGS="" bash ${CODEGEN_PKG}/generate-groups.sh "deepcopy" \
   github.com/openshift/api/generated \
   github.com/openshift/api \
-  "apiserver:v1 apps:v1 authorization:v1 build:v1 config:v1 helm:v1beta1 console:v1 console:v1alpha1 image:v1,docker10,dockerpre012 imageregistry:v1 kubecontrolplane:v1 legacyconfig:v1 cloudnetwork:v1 network:v1 networkoperator:v1 oauth:v1 openshiftcontrolplane:v1 operator:v1 operator:v1alpha1 operatorcontrolplane:v1alpha1 operatoringress:v1 osin:v1 project:v1 quota:v1 route:v1 samples:v1 security:v1 securityinternal:v1 servicecertsigner:v1alpha1 template:v1 user:v1 machine:v1beta1" \
+  "apiserver:v1 apps:v1 authorization:v1 build:v1 config:v1 helm:v1beta1 console:v1 console:v1alpha1 image:v1,docker10,dockerpre012 imageregistry:v1 kubecontrolplane:v1 legacyconfig:v1 cloudnetwork:v1 network:v1 networkoperator:v1 oauth:v1 openshiftcontrolplane:v1 operator:v1 operator:v1alpha1 operatorcontrolplane:v1alpha1 operatoringress:v1 osin:v1 project:v1 quota:v1 route:v1 samples:v1 security:v1 securityinternal:v1 servicecertsigner:v1alpha1 sharedresource:v1alpha1 template:v1 user:v1 machine:v1beta1" \
   --go-header-file ${SCRIPT_ROOT}/hack/empty.txt \
   ${verify}
 

install.go

@@ -56,6 +56,7 @@ import (
 	"github.com/openshift/api/samples"
 	"github.com/openshift/api/security"
 	"github.com/openshift/api/servicecertsigner"
+	"github.com/openshift/api/sharedresource"
 	"github.com/openshift/api/template"
 	"github.com/openshift/api/user"
 
@@ -88,6 +89,7 @@ var (
 		samples.Install,
 		security.Install,
 		servicecertsigner.Install,
+		sharedresource.Install,
 		template.Install,
 		user.Install,
 		machine.Install,

sharedresource/OWNERS

@@ -0,0 +1,5 @@
+reviewers:
+  - bparees
+  - gabemontero
+  - adambkaplan
+  - coreydaley

sharedresource/install.go

@@ -0,0 +1,26 @@
+package sharedresource
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	v1alpha1 "github.com/openshift/api/sharedresource/v1alpha1"
+)
+
+const (
+	GroupName = "sharedresource.openshift.io"
+)
+
+var (
+	schemeBuilder = runtime.NewSchemeBuilder(v1alpha1.Install)
+	// Install is a function which adds every version of this group to a scheme
+	Install = schemeBuilder.AddToScheme
+)
+
+func Resource(resource string) schema.GroupResource {
+	return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+func Kind(kind string) schema.GroupKind {
+	return schema.GroupKind{Group: GroupName, Kind: kind}
+}

sharedresource/v1alpha1/0000_10_sharedconfigmap.crd.yaml

@@ -0,0 +1,105 @@
+# this is the boilerplate crd def that controller-gen reads and modifies with the
+# contents from shared_configmap_type.go
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: sharedconfigmaps.sharedresource.openshift.io
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/979
+    displayName: SharedConfigMap
+    description: Extension for sharing ConfigMaps across Namespaces
+spec:
+  scope: Cluster
+  group: sharedresource.openshift.io
+  names:
+    plural: sharedconfigmaps
+    singular: sharedconfigmap
+    kind: SharedConfigMap
+    listKind: SharedConfigMapList
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      "schema":
+        "openAPIV3Schema":
+          description: "SharedConfigMap allows a ConfigMap to be shared across namespaces. Pods can mount the shared ConfigMap by adding a CSI volume to the pod specification using the \"csi.sharedresource.openshift.io\" CSI driver and a reference to the SharedConfigMap in the volume attributes: \n spec:  volumes:  - name: shared-configmap    csi:      driver: csi.sharedresource.openshift.io      volumeAttributes:        sharedConfigMap: my-share \n For the mount to be successful, the pod's service account must be granted permission to 'use' the named SharedConfigMap object within its namespace with an appropriate Role and RoleBinding. For compactness, here are example `oc` invocations for creating such Role and RoleBinding objects. \n  `oc create role shared-resource-my-share --verb=use --resource=sharedconfigmaps.sharedresource.openshift.io --resource-name=my-share`  `oc create rolebinding shared-resource-my-share --role=shared-resource-my-share --serviceaccount=my-namespace:default` \n Shared resource objects, in this case ConfigMaps, have default permissions of list, get, and watch for system authenticated users. \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. These capabilities should not be used by applications needing long term support."
+          type: object
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: spec is the specification of the desired shared configmap
+              type: object
+              required:
+                - configMapRef
+              properties:
+                configMapRef:
+                  description: configMapRef is a reference to the ConfigMap to share
+                  type: object
+                  required:
+                    - name
+                    - namespace
+                  properties:
+                    name:
+                      description: name represents the name of the ConfigMap that is being referenced.
+                      type: string
+                    namespace:
+                      description: namespace represents the namespace where the referenced ConfigMap is located.
+                      type: string
+                description:
+                  description: description is a user readable explanation of what the backing resource provides.
+                  type: string
+            status:
+              description: status is the observed status of the shared configmap
+              type: object
+              properties:
+                conditions:
+                  description: conditions represents any observations made on this particular shared resource by the underlying CSI driver or Share controller.
+                  type: array
+                  items:
+                    description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions.  For example, type FooStatus struct{     // Represents the observations of a foo's current state.     // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"     // +patchMergeKey=type     // +patchStrategy=merge     // +listType=map     // +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n     // other fields }"
+                    type: object
+                    required:
+                      - lastTransitionTime
+                      - message
+                      - reason
+                      - status
+                      - type
+                    properties:
+                      lastTransitionTime:
+                        description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                        type: string
+                        format: date-time
+                      message:
+                        description: message is a human readable message indicating details about the transition. This may be an empty string.
+                        type: string
+                        maxLength: 32768
+                      observedGeneration:
+                        description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+                        type: integer
+                        format: int64
+                        minimum: 0
+                      reason:
+                        description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+                        type: string
+                        maxLength: 1024
+                        minLength: 1
+                        pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      status:
+                        description: status of the condition, one of True, False, Unknown.
+                        type: string
+                        enum:
+                          - "True"
+                          - "False"
+                          - Unknown
+                      type:
+                        description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                        type: string
+                        maxLength: 316
+                        pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

sharedresource/v1alpha1/0000_10_sharedsecret.crd.yaml

@@ -0,0 +1,105 @@
+# this is the boilerplate crd def that controller-gen reads and modifies with the
+# contents from shared_secret_type.go
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: sharedsecrets.sharedresource.openshift.io
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/979
+    displayName: SharedSecret
+    description: Extension for sharing Secrets across Namespaces
+spec:
+  scope: Cluster
+  group: sharedresource.openshift.io
+  names:
+    plural: sharedsecrets
+    singular: sharedsecret
+    kind: SharedSecret
+    listKind: SharedSecretList
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      "schema":
+        "openAPIV3Schema":
+          description: "SharedSecret allows a Secret to be shared across namespaces. Pods can mount the shared Secret by adding a CSI volume to the pod specification using the \"csi.sharedresource.openshift.io\" CSI driver and a reference to the SharedSecret in the volume attributes: \n spec:  volumes:  - name: shared-secret    csi:      driver: csi.sharedresource.openshift.io      volumeAttributes:        sharedSecret: my-share \n For the mount to be successful, the pod's service account must be granted permission to 'use' the named SharedSecret object within its namespace with an appropriate Role and RoleBinding. For compactness, here are example `oc` invocations for creating such Role and RoleBinding objects. \n  `oc create role shared-resource-my-share --verb=use --resource=sharedsecrets.sharedresource.openshift.io --resource-name=my-share`  `oc create rolebinding shared-resource-my-share --role=shared-resource-my-share --serviceaccount=my-namespace:default` \n Shared resource objects, in this case Secrets, have default permissions of list, get, and watch for system authenticated users. \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. These capabilities should not be used by applications needing long term support."
+          type: object
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: spec is the specification of the desired shared secret
+              type: object
+              required:
+                - secretRef
+              properties:
+                description:
+                  description: description is a user readable explanation of what the backing resource provides.
+                  type: string
+                secretRef:
+                  description: secretRef is a reference to the Secret to share
+                  type: object
+                  required:
+                    - name
+                    - namespace
+                  properties:
+                    name:
+                      description: name represents the name of the Secret that is being referenced.
+                      type: string
+                    namespace:
+                      description: namespace represents the namespace where the referenced Secret is located.
+                      type: string
+            status:
+              description: status is the observed status of the shared secret
+              type: object
+              properties:
+                conditions:
+                  description: conditions represents any observations made on this particular shared resource by the underlying CSI driver or Share controller.
+                  type: array
+                  items:
+                    description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions.  For example, type FooStatus struct{     // Represents the observations of a foo's current state.     // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"     // +patchMergeKey=type     // +patchStrategy=merge     // +listType=map     // +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n     // other fields }"
+                    type: object
+                    required:
+                      - lastTransitionTime
+                      - message
+                      - reason
+                      - status
+                      - type
+                    properties:
+                      lastTransitionTime:
+                        description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                        type: string
+                        format: date-time
+                      message:
+                        description: message is a human readable message indicating details about the transition. This may be an empty string.
+                        type: string
+                        maxLength: 32768
+                      observedGeneration:
+                        description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+                        type: integer
+                        format: int64
+                        minimum: 0
+                      reason:
+                        description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+                        type: string
+                        maxLength: 1024
+                        minLength: 1
+                        pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      status:
+                        description: status of the condition, one of True, False, Unknown.
+                        type: string
+                        enum:
+                          - "True"
+                          - "False"
+                          - Unknown
+                      type:
+                        description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                        type: string
+                        maxLength: 316
+                        pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

sharedresource/v1alpha1/doc.go

@@ -0,0 +1,7 @@
+// +k8s:deepcopy-gen=package,register
+// +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-gen=true
+
+// +groupName=sharedresource.openshift.io
+// Package v1alplha1 is the v1alpha1 version of the API.
+package v1alpha1