Initial usage profile integration (#64)

.gitignore

@@ -2,6 +2,9 @@
 dist/
 .github/release-notes.md
 
+# Tools
+bin/
+
 # Build
 appuio-cloud-agent
 *.out
@@ -19,3 +22,6 @@ webhook-certs/
 
 # fuzz testcases
 */testdata/fuzz/
+
+# runing locally
+kubeconfig-control-api

Makefile

@@ -42,8 +42,8 @@ fuzz:
 	go test ./ratio -fuzztime 1m -fuzz .
 
 .PHONY: test-go
-test-go: ## Run unit tests against code
-	go test -race -coverprofile cover.out -covermode atomic ./...
+test-go: envtest ## Run unit tests against code
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test -race -coverprofile cover.out -covermode atomic ./...
 
 .PHONY: fmt
 fmt: ## Run 'go fmt' against code
@@ -54,16 +54,29 @@ vet: ## Run 'go vet' against code
 	go vet ./...
 
 .PHONY: lint
-lint: fmt vet generate ## All-in-one linting
+lint: fmt vet generate manifests ## All-in-one linting
 	@echo 'Check for uncommitted changes ...'
 	git diff --exit-code
 
 .PHONY: generate
 generate: ## Generate additional code and artifacts
 	@go generate ./...
+
+.PHONY: manifests
+manifests: ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
+	go run sigs.k8s.io/controller-tools/cmd/controller-gen rbac:roleName=appuio-cloud-agent crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 	@# Kubebuilder misses the scope field for the webhook generator
 	@yq eval -i '.webhooks[] |= with(select(.name == "validate-request-ratio.appuio.io"); .rules[] |= .scope = "Namespaced")' config/webhook/manifests.yaml
 
 .PHONY: clean
 clean: ## Cleans local build artifacts
 	rm -rf docs/node_modules $(docs_out_dir) dist .cache
+
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+	mkdir -p $(LOCALBIN)
+
+.PHONY: envtest
+envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
+$(ENVTEST): $(LOCALBIN)
+	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest

Makefile.vars.mk

@@ -14,6 +14,9 @@ IMG_TAG ?= latest
 # Image URL to use all building/pushing image targets
 CONTAINER_IMG ?= local.dev/$(PROJECT_OWNER)/$(PROJECT_NAME):$(IMG_TAG)
 
+LOCALBIN ?= $(shell pwd)/bin
+ENVTEST ?= $(LOCALBIN)/setup-envtest
+ENVTEST_K8S_VERSION = 1.26.1
 
 ## KIND:setup
 

PROJECT

@@ -1,10 +1,20 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: appuio.io
 layout:
 - go.kubebuilder.io/v3
 projectName: appuio-cloud-agent
 repo: github.com/appuio/appuio-cloud-agent
 resources:
-- controller: true
-  kind: Pod
+- api:
+    crdVersion: v1
+    namespaced: false
+  controller: true
+  domain: appuio.io
+  group: cloudagent
+  kind: ZoneUsageProfile
+  path: github.com/appuio/appuio-cloud-agent/api/v1
   version: v1
 version: "3"

api/v1/groupversion_info.go

@@ -0,0 +1,20 @@
+// Package v1 contains API Schema definitions for the cloudagent.appuio.io v1 API group
+// +kubebuilder:object:generate=true
+// +groupName=cloudagent.appuio.io
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "cloudagent.appuio.io", Version: "v1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

api/v1/zoneusageprofile_types.go

@@ -0,0 +1,43 @@
+package v1
+
+import (
+	controlv1 "github.com/appuio/control-api/apis/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ZoneUsageProfileSpec defines the desired state of ZoneUsageProfile
+type ZoneUsageProfileSpec struct {
+	// UpstreamSpec is the spec of the upstream UsageProfile
+	UpstreamSpec controlv1.UsageProfileSpec `json:"upstreamSpec"`
+}
+
+// ZoneUsageProfileStatus defines the observed state of ZoneUsageProfile
+type ZoneUsageProfileStatus struct {
+	// TODO(bastjan): track applied resources to be able to clean up.
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:scope=Cluster
+
+// ZoneUsageProfile is the Schema for the ZoneUsageProfiles API
+type ZoneUsageProfile struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ZoneUsageProfileSpec   `json:"spec,omitempty"`
+	Status ZoneUsageProfileStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// ZoneUsageProfileList contains a list of ZoneUsageProfile
+type ZoneUsageProfileList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ZoneUsageProfile `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ZoneUsageProfile{}, &ZoneUsageProfileList{})
+}

config.go

@@ -14,6 +14,12 @@ type Config struct {
 	// OrganizationLabel is the label used to mark namespaces to belong to an organization
 	OrganizationLabel string
 
+	// UserDefaultOrganizationAnnotation is the annotation the default organization setting for a user is stored in.
+	UserDefaultOrganizationAnnotation string
+
+	// QuotaOverrideNamespace is the namespace where the quota overrides for organizations are stored.
+	QuotaOverrideNamespace string
+
 	// MemoryPerCoreLimit is the fair use limit of memory usage per CPU core
 	// it is deprecated and will be removed in a future version.
 	// Use MemoryPerCoreLimits: {Limit: "XGi"} instead.

config.yaml

@@ -1,6 +1,11 @@
 ---
 # The label used to mark namespaces to belong to an organization
 OrganizationLabel: appuio.io/organization
+# UserDefaultOrganizationAnnotation is the annotation the default organization setting for a user is stored in.
+UserDefaultOrganizationAnnotation: appuio.io/default-organization
+
+# QuotaOverrideNamespace is the namespace where the quota overrides for organizations are stored.
+QuotaOverrideNamespace: appuio-cloud
 
 # The fair use limit of memory usage per CPU core.
 # It is possible to select limits by node selector labels.

config/crd/bases/cloudagent.appuio.io_zoneusageprofiles.yaml

@@ -0,0 +1,65 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.3
+  creationTimestamp: null
+  name: zoneusageprofiles.cloudagent.appuio.io
+spec:
+  group: cloudagent.appuio.io
+  names:
+    kind: ZoneUsageProfile
+    listKind: ZoneUsageProfileList
+    plural: zoneusageprofiles
+    singular: zoneusageprofile
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: ZoneUsageProfile is the Schema for the ZoneUsageProfiles API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ZoneUsageProfileSpec defines the desired state of ZoneUsageProfile
+            properties:
+              upstreamSpec:
+                description: UpstreamSpec is the spec of the upstream UsageProfile
+                properties:
+                  namespaceCount:
+                    description: NamespaceCount is the number of namespaces an organization
+                      with this usage profile can create per zone.
+                    type: integer
+                  resources:
+                    additionalProperties:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    description: Resources is the set of resources which are created
+                      in each namespace for which the usage profile is applied. The
+                      key is used as the name of the resource and the value is the
+                      resource definition.
+                    type: object
+                type: object
+            required:
+            - upstreamSpec
+            type: object
+          status:
+            description: ZoneUsageProfileStatus defines the observed state of ZoneUsageProfile
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/crd/kustomization.yaml

@@ -0,0 +1,21 @@
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/default
+resources:
+- bases/cloudagent.appuio.io_zoneusageprofiles.yaml
+#+kubebuilder:scaffold:crdkustomizeresource
+
+patchesStrategicMerge:
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# patches here are for enabling the conversion webhook for each CRD
+#- patches/webhook_in_zoneusageprofiles.yaml
+#+kubebuilder:scaffold:crdkustomizewebhookpatch
+
+# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
+# patches here are for enabling the CA injection for each CRD
+#- patches/cainjection_in_zoneusageprofiles.yaml
+#+kubebuilder:scaffold:crdkustomizecainjectionpatch
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+- kustomizeconfig.yaml

config/crd/kustomizeconfig.yaml

@@ -0,0 +1,19 @@
+# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+nameReference:
+- kind: Service
+  version: v1
+  fieldSpecs:
+  - kind: CustomResourceDefinition
+    version: v1
+    group: apiextensions.k8s.io
+    path: spec/conversion/webhook/clientConfig/service/name
+
+namespace:
+- kind: CustomResourceDefinition
+  version: v1
+  group: apiextensions.k8s.io
+  path: spec/conversion/webhook/clientConfig/service/namespace
+  create: false
+
+varReference:
+- path: metadata/annotations

config/crd/patches/cainjection_in_zoneusageprofiles.yaml

@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: zoneusageprofiles.cloudagent.appuio.io