Bulk of changes to bucketaccess and bucket controller

Author: mukhoakash

Diff for: container-object-storage-interface-provisioner-sidecar/pkg/bucket/bucket_controller.go

@@ -120,6 +120,21 @@ func (b *BucketListener) Add(ctx context.Context, inputBucket *v1alpha1.Bucket)
 		return errors.Wrap(err, "Failed to update bucket status")
 	}
 
+	// Now we update the BucketReady status of BucketClaim
+	if bucket.Spec.BucketClaim != nil {
+		ref := bucket.Spec.BucketClaim
+		bucketClaim, err := b.BucketClaims(ref.Namespace).Get(ctx, ref.Name, metav1.GetOptions{})
+		if err != nil {
+			return err
+		}
+
+		bucketClaim.Status.BucketReady = true
+
+		if _, err := b.BucketClaims(bucketClaim.Namespace).Update(ctx, bucketClaim, metav1.UpdateOptions{}); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 
@@ -183,13 +198,13 @@ func (b *BucketListener) Delete(ctx context.Context, inputBucket *v1alpha1.Bucke
 
 	if bucket.Spec.BucketClaim != nil {
 		ref := bucket.Spec.BucketClaim
-		bucketClaim, err := b.bucketClient.ObjectstorageV1alpha1().BucketClaims(ref.Namespace).Get(ctx, ref.Name, metav1.GetOptions{})
+		bucketClaim, err := b.BucketClaims(ref.Namespace).Get(ctx, ref.Name, metav1.GetOptions{})
 		if err != nil {
 			return err
 		}
 
 		controllerutil.RemoveFinalizer(bucketClaim, brFinalizer)
-		if _, err := b.bucketClient.ObjectstorageV1alpha1().BucketClaims(bucketClaim.Namespace).Update(ctx, bucketClaim, metav1.UpdateOptions{}); err != nil {
+		if _, err := b.BucketClaims(bucketClaim.Namespace).Update(ctx, bucketClaim, metav1.UpdateOptions{}); err != nil {
 			return err
 		}
 	}
@@ -204,6 +219,14 @@ func (b *BucketListener) Buckets() bucketapi.BucketInterface {
 	panic("uninitialized listener")
 }
 
+func (b *BucketListener) BucketClaims(namespace string) bucketapi.BucketClaimInterface {
+	if b.bucketClient != nil {
+		return b.bucketClient.ObjectstorageV1alpha1().BucketClaims(namespace)
+	}
+
+	panic ("uninitialized listener")
+}
+
 // InitializeKubeClient initializes the kubernetes client
 func (b *BucketListener) InitializeKubeClient(k kube.Interface) {
 	b.kubeClient = k

Diff for: container-object-storage-interface-provisioner-sidecar/pkg/bucketaccess/bucketaccess_controller.go

@@ -47,26 +47,23 @@ const (
 // BucketAccessListener manages Bucket objects
 type BucketAccessListener struct {
 	provisionerClient cosi.ProvisionerClient
-	provisionerName   string
+	driverName   string
 
 	kubeClient   kube.Interface
 	bucketClient buckets.Interface
 	kubeVersion  *utilversion.Version
-
-	namespace string
 }
 
 // NewBucketAccessListener returns a resource handler for BucketAccess objects
-func NewBucketAccessListener(provisionerName string, client cosi.ProvisionerClient) (*BucketAccessListener, error) {
+func NewBucketAccessListener(driverName string, client cosi.ProvisionerClient) (*BucketAccessListener, error) {
 	ns := os.Getenv("POD_NAMESPACE")
 	if ns == "" {
 		return nil, errors.New("POD_NAMESPACE env var cannot be empty")
 	}
 
 	return &BucketAccessListener{
-		provisionerName:   provisionerName,
+		driverName:   driverName,
 		provisionerClient: client,
-		namespace:         ns,
 	}, nil
 }
 
@@ -77,60 +74,96 @@ func NewBucketAccessListener(provisionerName string, client cosi.ProvisionerClie
 func (bal *BucketAccessListener) Add(ctx context.Context, inputBucketAccess *v1alpha1.BucketAccess) error {
 	bucketAccess := inputBucketAccess.DeepCopy()
 
-	bucketName := bucketAccess.Spec.BucketName
+	bucketClaimName := bucketAccess.Spec.BucketClaimName
 	klog.V(3).InfoS("Add BucketAccess",
 		"name", bucketAccess.Name,
-		"bucket", bucketName,
+		"bucketClaim", bucketClaimName,
 	)
 
-	if bucketAccess.Status.MintedSecret != nil {
-		klog.V(5).InfoS("AccessAlreadyGranted",
+	bucketAccessClassName := bucketAccess.Spec.BucketAccessClassName
+	klog.V(3).InfoS("Add BucketAccess",
+		"name", bucketAccess.Name,
+		"BucketAccessClassName", bucketAccessClassName,
+	)
+
+	secretCredName := bucketAccess.Spec.CredentialsSecretName
+	if secretCredName == nil {
+		return errors.New("CredentialsSecretName not defined in the BucketAccess")
+	}
+
+	authType := cosi.AuthenticationType_UnknownAuthenticationType
+	if bucketAccess.Spec.AuthenticationType == v1alpha1.AuthenticationTypeKey {
+		authType = cosi.AuthenticationType_Key
+	} else if bucketAccess.Spec.AuthenticationType == v1alpha1.AuthenticationTypeIAM {
+		authType = cosi.AuthenticationType_IAM
+	}
+
+	if authType == cosi.AuthenticationType_IAM && bucketAccess.Spec.ServiceAccountName == "" {
+		return errors.New("Must define ServiceAccountName when AuthenticationType is IAM")
+	}
+
+	namespace := bucketAccess.Namespace
+	bucketClaim, err := bal.BucketClaims(namespace).Get(ctx, bucketClaimName, metav1.GetOptions{})
+	if err != nil {
+		klog.ErrorS(err, "Failed to fetch bucketClaim", "bucketClaim", bucketClaimName)
+		return errors.Wrap(err, "Failed to fetch bucketClaim")
+	}
+
+
+	if bucketClaim.Status.BucketName == "" || bucketClaim.Status.BucketReady != true {
+		err := errors.New("BucketName cannot be empty or BucketNotReady")
+		klog.ErrorS(err,
+			"Invalid arguments",
+			"bucketClaim", bucketClaim.Name,
 			"bucketAccess", bucketAccess.Name,
-			"bucket", bucketName,
 		)
-		return nil
+		return errors.Wrap(err, "Invalid arguments")
 	}
 
-	bucket, err := bal.Buckets().Get(ctx, bucketName, metav1.GetOptions{})
+	bucketAccessClass, err := bal.BucketAccessClasses().Get(ctx, bucketAccessClassName, metav1.GetOptions{})
 	if err != nil {
-		klog.ErrorS(err, "Failed to fetch bucket", "bucket", bucketName)
-		return errors.Wrap(err, "Failed to fetch bucket")
+		klog.ErrorS(err, "Failed to fetch bucketAccessClass", "bucketAccessClass", bucketAccessClassName)
+		return errors.Wrap(err, "Failed to fetch BucketAccessClass")
 	}
 
-	if !strings.EqualFold(bucket.Spec.Provisioner, bal.provisionerName) {
+	if !strings.EqualFold(bucketAccessClass.DriverName, bal.driverName) {
 		klog.V(5).InfoS("Skipping bucketaccess for provisiner",
 			"bucketAccess", bucketAccess.Name,
-			"provisioner", bucket.Spec.Provisioner,
+			"driver", bucketAccessClass.DriverName,
 		)
 		return nil
 	}
 
-	if bucketAccess.Status.AccessGranted {
+
+	if bucketAccess.Status.AccessGranted == true {
 		klog.V(5).InfoS("AccessAlreadyGranted",
-			"bucketaccess", bucketAccess.Name,
-			"bucket", bucket.Name,
+			"bucketAccess", bucketAccess.Name,
+			"bucketClaim", bucketClaimName,
 		)
 		return nil
 	}
 
-	if bucket.Status.BucketID == "" {
-		err := errors.New("BucketID cannot be empty")
-		klog.ErrorS(err,
-			"Invalid arguments",
-			"bucket", bucket.Name,
-			"bucketAccess", bucketAccess.Name,
-		)
-		return errors.Wrap(err, "Invalid arguments")
+	bucket, err := bal.Buckets().Get(ctx, bucketClaim.Status.BucketName, metav1.GetOptions{})
+	if err != nil {
+		klog.ErrorS(err, "Failed to fetch bucket", "bucket", bucketClaim.Status.BucketName)
+		return errors.Wrap(err, "Failed to fetch bucket")
 	}
 
-	req := &cosi.ProvisionerGrantBucketAccessRequest{
+	if bucket.Status.BucketStatus != true || bucket.Status.BucketID == "" {
+		return errors.New("BucketAccess can't be granted to bucket not in Ready state and without a bucketID")
+	}
+
+	accountName := "ba-" + bucketAccess.UID
+
+	req := &cosi.DriverGrantBucketAccessRequest{
 		BucketId:     bucket.Status.BucketID,
-		AccountName:  bucketAccess.Name,
-		AccessPolicy: bucketAccess.Spec.PolicyActionsConfigMapData,
+		AccountName:  accountName,
+		AuthenticationType: authType,
+		Parameters: bucketAccessClass.Parameters,
 	}
 
 	// This needs to be idempotent
-	rsp, err := bal.provisionerClient.ProvisionerGrantBucketAccess(ctx, req)
+	rsp, err := bal.provisionerClient.DriverGrantBucketAccess(ctx, req)
 	if err != nil {
 		if status.Code(err) != codes.AlreadyExists {
 			klog.ErrorS(err,
@@ -142,9 +175,8 @@ func (bal *BucketAccessListener) Add(ctx context.Context, inputBucketAccess *v1a
 		}
 
 	}
-	ns := bal.namespace
-	mintedSecretName := "ba-" + string(bucketAccess.UID)
-	if _, err := bal.Secrets(ns).Get(ctx, mintedSecretName, metav1.GetOptions{}); err != nil {
+
+	if _, err := bal.Secrets(namespace).Get(ctx, secretCredName, metav1.GetOptions{}); err != nil {
 		if !kubeerrors.IsNotFound(err) {
 			klog.ErrorS(err,
 				"Failed to create secrets",
@@ -156,10 +188,10 @@ func (bal *BucketAccessListener) Add(ctx context.Context, inputBucketAccess *v1a
 		// if secret doesn't exist, create it
 		credentials := rsp.Credentials
 
-		if _, err := bal.Secrets(ns).Create(ctx, &corev1.Secret{
+		if _, err := bal.Secrets(namespace).Create(ctx, &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      mintedSecretName,
-				Namespace: ns,
+				Name:      secretCredName,
+				Namespace: namespace,
 			},
 			StringData: map[string]string{
 				Credentials: credentials,
@@ -179,7 +211,7 @@ func (bal *BucketAccessListener) Add(ctx context.Context, inputBucketAccess *v1a
 	bucketAccess.Status.AccountID = rsp.AccountId
 	bucketAccess.Status.MintedSecret = &corev1.SecretReference{
 		Namespace: bal.namespace,
-		Name:      mintedSecretName,
+		Name:      secretCredName,
 	}
 	bucketAccess.Status.AccessGranted = true
 
@@ -263,6 +295,20 @@ func (b *BucketAccessListener) Buckets() bucketapi.BucketInterface {
 	panic("uninitialized listener")
 }
 
+func (b *BucketAccessListener) BucketClaims(namespace string) bucketapi.BucketClaimInterface {
+	if b.bucketClient != nil {
+		return b.bucketClient.ObjectstorageV1alpha1().BucketClaims(namespace)
+	}
+	panic("uninitialized listener")
+}
+
+func (b *BucketAccessListener) BucketAccessClasses() bucketapi.BucketClaimInterface {
+	if b.bucketClient != nil {
+		return b.bucketClient.ObjectstorageV1alpha1().BucketAccessClasses()
+	}
+	panic("uninitialized listener")
+}
+
 // InitializeKubeClient initializes the kubernetes client
 func (b *BucketAccessListener) InitializeKubeClient(k kube.Interface) {
 	b.kubeClient = k

Diff for: container-object-storage-interface-provisioner-sidecar/pkg/provisioner/client.go

@@ -34,37 +34,37 @@ type COSIProvisionerClient struct {
 	provisionerClient cosi.ProvisionerClient
 }
 
-func (c *COSIProvisionerClient) ProvisionerGetInfo(ctx context.Context,
-	in *cosi.ProvisionerGetInfoRequest,
-	opts ...grpc.CallOption) (*cosi.ProvisionerGetInfoResponse, error) {
+func (c *COSIProvisionerClient) DriverGetInfo(ctx context.Context,
+	in *cosi.DriverGetInfoRequest,
+	opts ...grpc.CallOption) (*cosi.DriverGetInfoResponse, error) {
 
-	return c.identityClient.ProvisionerGetInfo(ctx, in, opts...)
+	return c.identityClient.DriverGetInfo(ctx, in, opts...)
 }
 
 func (c *COSIProvisionerClient) ProvisionerCreateBucket(ctx context.Context,
-	in *cosi.ProvisionerCreateBucketRequest,
-	opts ...grpc.CallOption) (*cosi.ProvisionerCreateBucketResponse, error) {
+	in *cosi.DriverCreateBucketRequest,
+	opts ...grpc.CallOption) (*cosi.DriverCreateBucketResponse, error) {
 
-	return c.provisionerClient.ProvisionerCreateBucket(ctx, in, opts...)
+	return c.provisionerClient.DriverCreateBucket(ctx, in, opts...)
 }
 
-func (c *COSIProvisionerClient) ProvisionerDeleteBucket(ctx context.Context,
-	in *cosi.ProvisionerDeleteBucketRequest,
-	opts ...grpc.CallOption) (*cosi.ProvisionerDeleteBucketResponse, error) {
+func (c *COSIProvisionerClient) DriverDeleteBucket(ctx context.Context,
+	in *cosi.DriverDeleteBucketRequest,
+	opts ...grpc.CallOption) (*cosi.DriverDeleteBucketResponse, error) {
 
-	return c.provisionerClient.ProvisionerDeleteBucket(ctx, in, opts...)
+	return c.provisionerClient.DriverDeleteBucket(ctx, in, opts...)
 }
 
-func (c *COSIProvisionerClient) ProvisionerGrantBucketAccess(ctx context.Context,
-	in *cosi.ProvisionerGrantBucketAccessRequest,
-	opts ...grpc.CallOption) (*cosi.ProvisionerGrantBucketAccessResponse, error) {
+func (c *COSIProvisionerClient) DriverGrantBucketAccess(ctx context.Context,
+	in *cosi.DriverGrantBucketAccessRequest,
+	opts ...grpc.CallOption) (*cosi.DriverGrantBucketAccessResponse, error) {
 
-	return c.provisionerClient.ProvisionerGrantBucketAccess(ctx, in, opts...)
+	return c.provisionerClient.DriverGrantBucketAccess(ctx, in, opts...)
 }
 
-func (c *COSIProvisionerClient) ProvisionerRevokeBucketAccess(ctx context.Context,
-	in *cosi.ProvisionerRevokeBucketAccessRequest,
-	opts ...grpc.CallOption) (*cosi.ProvisionerRevokeBucketAccessResponse, error) {
+func (c *COSIProvisionerClient) DriverRevokeBucketAccess(ctx context.Context,
+	in *cosi.DriverRevokeBucketAccessRequest,
+	opts ...grpc.CallOption) (*cosi.DriverRevokeBucketAccessResponse, error) {
 
-	return c.provisionerClient.ProvisionerRevokeBucketAccess(ctx, in, opts...)
+	return c.provisionerClient.DriverRevokeBucketAccess(ctx, in, opts...)
 }