kubernetes-retired
diff --git a/‎pkg/bucketaccessrequest/bucketaccessrequest.go
+58-13 b/‎pkg/bucketaccessrequest/bucketaccessrequest.go
+58-13
diff --git a/‎pkg/bucketaccessrequest/bucketaccessrequest_test.go
+179-2 b/‎pkg/bucketaccessrequest/bucketaccessrequest_test.go
+179-2
diff --git a/‎pkg/bucketrequest/bucketrequest.go
+40 b/‎pkg/bucketrequest/bucketrequest.go
+40
@@ -34,34 +34,45 @@ func (b *bucketAccessRequestListener) InitializeBucketClient(bc bucketclientset.
 	b.bucketClient = bc
 }
 
+// Add is in response to user adding a BucketAccessRequest. The call here will respond by creating a BucketAccess Object.
 func (b *bucketAccessRequestListener) Add(ctx context.Context, obj *v1alpha1.BucketAccessRequest) error {
-	glog.V(1).Infof("Add called for BucketAccessRequest %s", obj.Name)
+	glog.V(1).Infof("Add called for BucketAccessRequest %v/%v", obj.Namespace, obj.Name)
 	bucketAccessRequest := obj
 
 	err := b.provisionBucketAccess(ctx, bucketAccessRequest)
 	if err != nil {
 		// Provisioning is 100% finished / not in progress.
 		switch err {
 		case util.ErrBucketAccessAlreadyExists:
-			glog.V(1).Infof("BucketAccess already exist for this BucketAccessRequest %v.", bucketAccessRequest.Name)
+			glog.V(1).Infof("BucketAccess already exist for this BucketAccessRequest %v/%v.", bucketAccessRequest.Namespace, bucketAccessRequest.Name)
 			err = nil
 		default:
-			glog.V(1).Infof("Error occurred processing BucketAccessRequest %v: %v", bucketAccessRequest.Name, err)
+			glog.V(1).Infof("Error occurred processing BucketAccessRequest %v/%v: %v", bucketAccessRequest.Namespace, bucketAccessRequest.Name, err)
 		}
 		return err
 	}
 
-	glog.V(1).Infof("BucketAccessRequest %v is successfully processed.", bucketAccessRequest.Name)
+	glog.V(1).Infof("BucketAccessRequest %v/%v is successfully processed.", bucketAccessRequest.Namespace, bucketAccessRequest.Name)
 	return nil
 }
 
+// Update is called in response to a change to BucketAccessRequest. At this point
+// BucketAccess cannot be changed once created as the Provisioner might have already acted upon the create BucketAccess and created the backend Bucket Credentials
+// Changes to Protocol, Provisioner, BucketInstanceName, BucketRequest cannot be allowed. Best is to delete and recreate a new BucketAccessRequest
+// Changes to ServiceAccount, PolicyActionsConfigMapData and Parameters should be considered in lieu with sidecar implementation
 func (b *bucketAccessRequestListener) Update(ctx context.Context, old, new *v1alpha1.BucketAccessRequest) error {
-	glog.V(1).Infof("Update called for BucketAccessRequest %v", old.Name)
+	glog.V(1).Infof("Update called for BucketAccessRequest %v/%v", old.Namespace,old.Name)
+	if (new.ObjectMeta.DeletionTimestamp != nil) {
+		// BucketAccessRequest is being deleted, check and remove finalizer once BA is deleted
+		return b.removeBucketAccess(ctx, new)
+	}
 	return nil
 }
 
-func (b *bucketAccessRequestListener) Delete(ctx context.Context, obj *v1alpha1.BucketAccessRequest) error {
-	glog.V(1).Infof("Delete called for BucketAccessRequest %v", obj.Name)
+// Delete is in response to user deleting a BucketAccessRequest. The call here will respond by deleting a BucketAccess Object.
+func (b *bucketAccessRequestListener) Delete(ctx context.Context, bucketAccessRequest *v1alpha1.BucketAccessRequest) error {
+	glog.V(1).Infof("Delete called for BucketAccessRequest %v/%v", bucketAccessRequest.Namespace, bucketAccessRequest.Name)
+
 	return nil
 }
 
@@ -137,10 +148,10 @@ func (b *bucketAccessRequestListener) provisionBucketAccess(ctx context.Context,
 	}
 	// bucketaccess.Spec.MintedSecretName - set by the driver
 	bucketaccess.Spec.PolicyActionsConfigMapData, err = util.ReadConfigData(b.kubeClient, bucketAccessClass.PolicyActionsConfigMap)
-	if err != nil {
+	if err != nil && err != util.ErrNilConfigMap {
 		return err
 	}
-	//  bucketaccess.Spec.Principal - set by the driver
+	//  bucketaccess.Spec.Principal - set by the provisioner
 	bucketaccess.Spec.Provisioner = bucketAccessClass.Provisioner
 	bucketaccess.Spec.Parameters = util.CopySS(bucketAccessClass.Parameters)
 
@@ -152,6 +163,10 @@ func (b *bucketAccessRequestListener) provisionBucketAccess(ctx context.Context,
 		return err
 	}
 
+	if !util.CheckFinalizer(bucketAccessRequest, util.BARDeleteFinalizer) {
+		bucketAccessRequest.ObjectMeta.Finalizers = append(bucketAccessRequest.ObjectMeta.Finalizers, util.BARDeleteFinalizer)
+	}
+
 	err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		bucketAccessRequest.Spec.BucketAccessName = bucketaccess.Name
 		_, err := barClient(bucketAccessRequest.Namespace).Update(ctx, bucketAccessRequest, metav1.UpdateOptions{})
@@ -167,17 +182,47 @@ func (b *bucketAccessRequestListener) provisionBucketAccess(ctx context.Context,
 	return nil
 }
 
-func (b *bucketAccessRequestListener) FindBucketAccess(ctx context.Context, bar *v1alpha1.BucketAccessRequest) *v1alpha1.BucketAccess {
+func (b *bucketAccessRequestListener) removeBucketAccess(ctx context.Context, bucketAccessRequest *v1alpha1.BucketAccessRequest) error {
+	bucketaccess := b.FindBucketAccess(ctx, bucketAccessRequest)
+	if bucketaccess == nil {
+		// bucketaccess for this BucketAccessRequest is not found
+		return util.ErrBucketAccessDoesNotExist
+	}
+
+	// time to delete the BucketAccess Object
+	err := b.bucketClient.ObjectstorageV1alpha1().BucketAccesses().Delete(context.Background(), bucketaccess.Name, metav1.DeleteOptions{})
+	if err != nil {
+		return err
+	}
+
+	// we can safely remove the finalizer
+	return b.removeBARDeleteFinalizer(ctx, bucketAccessRequest)
+}
+
+func (b *bucketAccessRequestListener) FindBucketAccess(ctx context.Context, bucketAccessRequest *v1alpha1.BucketAccessRequest) *v1alpha1.BucketAccess {
 	bucketAccessList, err := b.bucketClient.ObjectstorageV1alpha1().BucketAccesses().List(ctx, metav1.ListOptions{})
 	if err != nil || len(bucketAccessList.Items) <= 0 {
 		return nil
 	}
 	for _, bucketaccess := range bucketAccessList.Items {
-		if bucketaccess.Spec.BucketAccessRequest.Name == bar.Name &&
-			bucketaccess.Spec.BucketAccessRequest.Namespace == bar.Namespace &&
-			bucketaccess.Spec.BucketAccessRequest.UID == bar.UID {
+		if bucketaccess.Spec.BucketAccessRequest.Name == bucketAccessRequest.Name &&
+			bucketaccess.Spec.BucketAccessRequest.Namespace == bucketAccessRequest.Namespace &&
+			bucketaccess.Spec.BucketAccessRequest.UID == bucketAccessRequest.UID {
 			return &bucketaccess
 		}
 	}
 	return nil
 }
+
+func (b *bucketAccessRequestListener) removeBARDeleteFinalizer(ctx context.Context, bucketAccessRequest *v1alpha1.BucketAccessRequest) error {
+	newFinalizers := []string{}
+	for _, finalizer := range bucketAccessRequest.ObjectMeta.Finalizers {
+		if finalizer != util.BARDeleteFinalizer {
+			newFinalizers = append(newFinalizers, finalizer)
+		}
+	}
+	bucketAccessRequest.ObjectMeta.Finalizers = newFinalizers
+
+	_, err := b.bucketClient.ObjectstorageV1alpha1().BucketAccessRequests(bucketAccessRequest.Namespace).Update(ctx, bucketAccessRequest, metav1.UpdateOptions{})
+	return err
+}
@@ -118,12 +118,22 @@ func TestAddBAR(t *testing.T) {
 
 // Test add with multipleBRs
 func TestAddWithMultipleBAR(t *testing.T) {
-	runCreateBucketWithMultipleBA(t, "addWithMultipleBR")
+	runCreateBucketWithMultipleBA(t, "addWithMultipleBAR")
 }
 
 // Test add idempotency
 func TestAddBARIdempotency(t *testing.T) {
-	runCreateBucketIdempotency(t, "addWithMultipleBR")
+	runCreateBucketIdempotency(t, "addBARIdempotency")
+}
+
+// Test  delete BAR
+func TestDeleteBAR(t *testing.T) {
+	runDeleteBucketAccessRequest(t, "deleteBAR")
+}
+
+// Test  delete BAR Idempotency
+func TestDeleteBARIdempotency(t *testing.T) {
+	runDeleteBucketAccessRequestIdempotency(t, "deleteBARIdempotency")
 }
 
 func runCreateBucketAccess(t *testing.T, name string) {
@@ -329,3 +339,170 @@ func runCreateBucketIdempotency(t *testing.T, name string) {
 		t.Fatalf("Expecting a single BucketAccess created but found %v", len(bucketAccessList.Items))
 	}
 }
+
+func runDeleteBucketAccessRequest(t *testing.T, name string) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	client := bucketclientset.NewSimpleClientset()
+	kubeClient := fake.NewSimpleClientset()
+
+	listener := NewListener()
+	listener.InitializeKubeClient(kubeClient)
+	listener.InitializeBucketClient(client)
+
+	_, err := kubeClient.CoreV1().ServiceAccounts(sa1.Namespace).Create(ctx, &sa1, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Error occurred when creating ServiceAccount: %v", err)
+	}
+	defer kubeClient.CoreV1().ServiceAccounts(sa1.Namespace).Delete(ctx, sa1.Name, metav1.DeleteOptions{})
+
+	_, err = kubeClient.CoreV1().ConfigMaps(cosiConfigMap.Namespace).Create(ctx, &cosiConfigMap, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Error occurred when creating ConfigMap: %v", err)
+	}
+	defer kubeClient.CoreV1().ConfigMaps(cosiConfigMap.Namespace).Delete(ctx, cosiConfigMap.Name, metav1.DeleteOptions{})
+
+	bucketaccessclass, err := util.CreateBucketAccessClass(ctx, client, &goldAccessClass)
+	if err != nil {
+		t.Fatalf("Error occurred when creating BucketAccessClass: %v", err)
+	}
+
+	bucketrequest, err := util.CreateBucketRequest(ctx, client, &bucketRequest1)
+	if err != nil {
+		t.Fatalf("Error occurred when creating BucketRequest: %v", err)
+	}
+
+	bucketaccessrequest, err := util.CreateBucketAccessRequest(ctx, client, &bucketAccessRequest1)
+	if err != nil {
+		t.Fatalf("Error occurred when creating BucketAccessRequest: %v", err)
+	}
+
+	listener.Add(ctx, bucketaccessrequest)
+
+	bucketAccessList := util.GetBucketAccesses(ctx, client, 1)
+	defer util.DeleteObjects(ctx, client, *bucketrequest, *bucketaccessrequest, *bucketaccessclass, bucketAccessList.Items)
+
+	if len(bucketAccessList.Items) != 1 {
+		t.Fatalf("Expecting a single BucketAccess created but found %v", len(bucketAccessList.Items))
+	}
+	bucketaccess := bucketAccessList.Items[0]
+
+	bucketaccessrequest2, err := client.ObjectstorageV1alpha1().BucketAccessRequests(bucketaccessrequest.Namespace).Get(ctx, bucketaccessrequest.Name, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Error occurred when updating BucketAccessRequest: %v", err)
+	}
+
+	if !util.ValidateBucketAccess(bucketaccess, *bucketaccessrequest, *bucketaccessclass) {
+		t.Fatalf("Failed to compare the resulting BucketAccess with the BucketAccessRequest %v and BucketAccessClass %v", bucketaccessrequest, bucketaccessclass)
+	}
+
+	//peform delete and see if the bucketAccessRequest can be deleted
+	err = client.ObjectstorageV1alpha1().BucketAccessRequests(bucketaccessrequest2.Namespace).Delete(ctx, bucketaccessrequest2.Name, metav1.DeleteOptions{})
+	if err != nil {
+		t.Fatalf("Error occurred when deleting BucketAccessRequest: %v", err)
+	}
+
+	// force update for the finalizer
+	old := bucketaccessrequest
+	now := metav1.Now()
+	bucketaccessrequest2.ObjectMeta.DeletionTimestamp = &now
+	listener.Update(ctx, old, bucketaccessrequest2)
+
+	// there should not be a corresponding BucketAccess
+	bucketAccessList = util.GetBucketAccesses(ctx, client, 0)
+	if len(bucketAccessList.Items) > 0 {
+		t.Fatalf("Expecting BucketAccess object be deleted but found %v", bucketAccessList.Items)
+	}
+}
+
+func runDeleteBucketAccessRequestIdempotency(t *testing.T, name string) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	client := bucketclientset.NewSimpleClientset()
+	kubeClient := fake.NewSimpleClientset()
+
+	listener := NewListener()
+	listener.InitializeKubeClient(kubeClient)
+	listener.InitializeBucketClient(client)
+
+	_, err := kubeClient.CoreV1().ServiceAccounts(sa1.Namespace).Create(ctx, &sa1, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Error occurred when creating ServiceAccount: %v", err)
+	}
+	defer kubeClient.CoreV1().ServiceAccounts(sa1.Namespace).Delete(ctx, sa1.Name, metav1.DeleteOptions{})
+
+	_, err = kubeClient.CoreV1().ConfigMaps(cosiConfigMap.Namespace).Create(ctx, &cosiConfigMap, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Error occurred when creating ConfigMap: %v", err)
+	}
+	defer kubeClient.CoreV1().ConfigMaps(cosiConfigMap.Namespace).Delete(ctx, cosiConfigMap.Name, metav1.DeleteOptions{})
+
+	bucketaccessclass, err := util.CreateBucketAccessClass(ctx, client, &goldAccessClass)
+	if err != nil {
+		t.Fatalf("Error occurred when creating BucketAccessClass: %v", err)
+	}
+
+	bucketrequest, err := util.CreateBucketRequest(ctx, client, &bucketRequest1)
+	if err != nil {
+		t.Fatalf("Error occurred when creating BucketRequest: %v", err)
+	}
+
+	bucketaccessrequest, err := util.CreateBucketAccessRequest(ctx, client, &bucketAccessRequest1)
+	if err != nil {
+		t.Fatalf("Error occurred when creating BucketAccessRequest: %v", err)
+	}
+
+	listener.Add(ctx, bucketaccessrequest)
+
+	bucketAccessList := util.GetBucketAccesses(ctx, client, 1)
+	defer util.DeleteObjects(ctx, client, *bucketrequest, *bucketaccessrequest, *bucketaccessclass, bucketAccessList.Items)
+
+	if len(bucketAccessList.Items) != 1 {
+		t.Fatalf("Expecting a single BucketAccess created but found %v", len(bucketAccessList.Items))
+	}
+	bucketaccess := bucketAccessList.Items[0]
+
+	bucketaccessrequest2, err := client.ObjectstorageV1alpha1().BucketAccessRequests(bucketaccessrequest.Namespace).Get(ctx, bucketaccessrequest.Name, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Error occurred when updating BucketAccessRequest: %v", err)
+	}
+
+	if !util.ValidateBucketAccess(bucketaccess, *bucketaccessrequest, *bucketaccessclass) {
+		t.Fatalf("Failed to compare the resulting BucketAccess with the BucketAccessRequest %v and BucketAccessClass %v", bucketaccessrequest, bucketaccessclass)
+	}
+
+	//peform delete and see if the bucketAccessRequest can be deleted
+	err = client.ObjectstorageV1alpha1().BucketAccessRequests(bucketaccessrequest2.Namespace).Delete(ctx, bucketaccessrequest2.Name, metav1.DeleteOptions{})
+	if err != nil {
+		t.Fatalf("Error occurred when deleting BucketAccessRequest: %v", err)
+	}
+
+	// force update for the finalizer
+	old := bucketaccessrequest
+	now := metav1.Now()
+	bucketaccessrequest2.ObjectMeta.DeletionTimestamp = &now
+	listener.Update(ctx, old, bucketaccessrequest2)
+
+	//there should not be a corresponding BucketAccess
+	bucketAccessList = util.GetBucketAccesses(ctx, client, 0)
+	if len(bucketAccessList.Items) > 0 {
+		t.Fatalf("Expecting BucketAccess object be deleted but found %v", bucketAccessList.Items)
+	}
+
+	//Create a duplicate update
+	listener.Update(ctx, old, bucketaccessrequest2)
+	//there should not be a corresponding BucketAccess
+	bucketAccessList = util.GetBucketAccesses(ctx, client, 0)
+	if len(bucketAccessList.Items) > 0 {
+		t.Fatalf("Expecting BucketAccess object be deleted but found %v", bucketAccessList.Items)
+	}
+
+	// call the delete directly the second time
+	listener.Delete(ctx, bucketaccessrequest)
+	bucketAccessList = util.GetBucketAccesses(ctx, client, 0)
+	if len(bucketAccessList.Items) != 0 {
+		t.Fatalf("Expecting a single BucketAccess created but found %v", len(bucketAccessList.Items))
+	}
+}
@@ -62,6 +62,11 @@ func (b *bucketRequestListener) Add(ctx context.Context, obj *v1alpha1.BucketReq
 // update processes any updates  made to the bucket request
 func (b *bucketRequestListener) Update(ctx context.Context, old, new *v1alpha1.BucketRequest) error {
 	glog.V(3).Infof("Update called for BucketRequest  %v", old.Name)
+	if (old.ObjectMeta.DeletionTimestamp == nil) &&
+		(new.ObjectMeta.DeletionTimestamp != nil) {
+		// BucketRequest is being deleted, check and remove finalizer once BA is deleted
+		return b.removeBucket(ctx, new)
+	}
 	return nil
 }
 
@@ -128,6 +133,10 @@ func (b *bucketRequestListener) provisionBucketRequestOperation(ctx context.Cont
 		return err
 	}
 
+	if !util.CheckFinalizer(bucketRequest, util.BRDeleteFinalizer) {
+		bucketRequest.ObjectMeta.Finalizers = append(bucketRequest.ObjectMeta.Finalizers, util.BRDeleteFinalizer)
+	}
+
 	err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		bucketRequest.Spec.BucketInstanceName = bucket.Name
 		_, err := b.bucketClient.ObjectstorageV1alpha1().BucketRequests(bucketRequest.Namespace).Update(ctx, bucketRequest, metav1.UpdateOptions{})
@@ -143,6 +152,24 @@ func (b *bucketRequestListener) provisionBucketRequestOperation(ctx context.Cont
 	return nil
 }
 
+// When a BR is deleted before the finalizer is removed then the bucket corresponding to the BR should be deleted.
+func (b *bucketRequestListener) removeBucket(ctx context.Context, bucketRequest *v1alpha1.BucketRequest) error {
+	bucket := b.FindBucket(ctx, bucketRequest)
+	if bucket == nil {
+		// bucket for this BucketRequest is not found
+		return util.ErrBucketDoesNotExist
+	}
+
+	// time to delete the Bucket Object
+	err := b.bucketClient.ObjectstorageV1alpha1().Buckets().Delete(context.Background(), bucket.Name, metav1.DeleteOptions{})
+	if err != nil {
+		return err
+	}
+
+	// we can safely remove the finalizer
+	return b.removeBRDeleteFinalizer(ctx, bucketRequest)
+}
+
 // GetBucketClass returns BucketClassName. If no bucket class was in the request it returns empty
 // TODO this methods can be more sophisticate to address bucketClass overrides using annotations just like SC.
 func (b *bucketRequestListener) GetBucketClass(bucketRequest *v1alpha1.BucketRequest) string {
@@ -173,6 +200,19 @@ func (b *bucketRequestListener) FindBucket(ctx context.Context, br *v1alpha1.Buc
 	return nil
 }
 
+func (b *bucketRequestListener) removeBRDeleteFinalizer(ctx context.Context, bucketRequest *v1alpha1.BucketRequest) error {
+	newFinalizers := []string{}
+	for _, finalizer := range bucketRequest.ObjectMeta.Finalizers {
+		if finalizer != util.BRDeleteFinalizer {
+			newFinalizers = append(newFinalizers, finalizer)
+		}
+	}
+	bucketRequest.ObjectMeta.Finalizers = newFinalizers
+
+	_, err := b.bucketClient.ObjectstorageV1alpha1().BucketRequests(bucketRequest.Namespace).Update(ctx, bucketRequest, metav1.UpdateOptions{})
+	return err
+}
+
 // cloneTheBucket clones a bucket to a different namespace when a BR is for brownfield.
 func (b *bucketRequestListener) cloneTheBucket(bucketRequest *v1alpha1.BucketRequest) error {
 	glog.V(1).Infof("Clone called for Bucket %s", bucketRequest.Spec.BucketInstanceName)