Merge pull request #296 from vshn/change/fix_connection_details

Make connection details split cluster compatible
vshn · Feb 5, 2025 · 782a3d5 · 782a3d5
2 parents aa52543 + 5e8911e
commit 782a3d5
Show file tree

Hide file tree

Showing 36 changed files with 483 additions and 178 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,5 +1,5 @@
 {
-  "name": "KubeBuilder Example",
+  "name": "AppCat Devcontainer",
   "build": {
     "dockerfile": "./Dockerfile"
   },

diff --git a/Makefile b/Makefile
@@ -150,7 +150,7 @@ test: ## Run tests
 .PHONY: kind-load-branch-tag
 kind-load-branch-tag: ## load docker image with current branch tag into kind
 	tag=$$(git rev-parse --abbrev-ref HEAD) && \
-	kind load docker-image --name kindev ghcr.io/vshn/appcat:"$${tag////_}"
+	kind load docker-image --name kindev ghcr.io/vshn/appcat:"$$(echo $$tag | sed 's#/#_#g')"
 
 # Generate webhook certificates.
 # This is only relevant when debugging.

diff --git a/apis/vshn/v1/dbaas_vshn_mariadb.go b/apis/vshn/v1/dbaas_vshn_mariadb.go
@@ -78,6 +78,9 @@ type VSHNMariaDBParameters struct {
 	// Monitoring contains settings to control monitoring.
 	Monitoring VSHNMonitoring `json:"monitoring,omitempty"`
 
+	// Network contains any network related settings.
+	Network VSHNDBaaSNetworkSpec `json:"network,omitempty"`
+
 	// Security defines the security of a service
 	Security Security `json:"security,omitempty"`
 

diff --git a/apis/vshn/v1/zz_generated.deepcopy.go b/apis/vshn/v1/zz_generated.deepcopy.go
diff --git a/crds/vshn.appcat.vshn.io_vshnmariadbs.yaml b/crds/vshn.appcat.vshn.io_vshnmariadbs.yaml
@@ -4804,6 +4804,31 @@ spec:
                           description: Email necessary to send alerts via email
                           type: string
                       type: object
+                    network:
+                      description: Network contains any network related settings.
+                      properties:
+                        ipFilter:
+                          default:
+                            - 0.0.0.0/0
+                          description: |-
+                            IPFilter is a list of allowed IPv4 CIDR ranges that can access the service.
+                            If no IP Filter is set, you may not be able to reach the service.
+                            A value of `0.0.0.0/0` will open the service to all addresses on the public internet.
+                          items:
+                            type: string
+                          type: array
+                        serviceType:
+                          default: ClusterIP
+                          description: |-
+                            ServiceType defines the type of the service.
+                            Possible enum values:
+                              - `"ClusterIP"` indicates that the service is only reachable from within the cluster.
+                              - `"LoadBalancer"` indicates that the service is reachable from the public internet via dedicated Ipv4 address.
+                          enum:
+                            - ClusterIP
+                            - LoadBalancer
+                          type: string
+                      type: object
                     restore:
                       description: Restore contains settings to control the restore of an instance.
                       properties:

diff --git a/crds/vshn.appcat.vshn.io_xvshnmariadbs.yaml b/crds/vshn.appcat.vshn.io_xvshnmariadbs.yaml
@@ -5518,6 +5518,31 @@ spec:
                         description: Email necessary to send alerts via email
                         type: string
                     type: object
+                  network:
+                    description: Network contains any network related settings.
+                    properties:
+                      ipFilter:
+                        default:
+                        - 0.0.0.0/0
+                        description: |-
+                          IPFilter is a list of allowed IPv4 CIDR ranges that can access the service.
+                          If no IP Filter is set, you may not be able to reach the service.
+                          A value of `0.0.0.0/0` will open the service to all addresses on the public internet.
+                        items:
+                          type: string
+                        type: array
+                      serviceType:
+                        default: ClusterIP
+                        description: |-
+                          ServiceType defines the type of the service.
+                          Possible enum values:
+                            - `"ClusterIP"` indicates that the service is only reachable from within the cluster.
+                            - `"LoadBalancer"` indicates that the service is reachable from the public internet via dedicated Ipv4 address.
+                        enum:
+                        - ClusterIP
+                        - LoadBalancer
+                        type: string
+                    type: object
                   restore:
                     description: Restore contains settings to control the restore
                       of an instance.

diff --git a/pkg/comp-functions/functions/buckets/cloudscalebucket/cloudscalebucket.go b/pkg/comp-functions/functions/buckets/cloudscalebucket/cloudscalebucket.go
@@ -87,7 +87,11 @@ func addBucket(svc *runtime.ServiceRuntime, bucket *appcatv1.ObjectBucket, confi
 func addUser(svc *runtime.ServiceRuntime, bucket *appcatv1.ObjectBucket, config string) error {
 
 	user := &cloudscalev1.ObjectsUser{
-		ObjectMeta: metav1.ObjectMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				runtime.IgnoreConnectionDetailsAnnotation: "true",
+			},
+		},
 		Spec: cloudscalev1.ObjectsUserSpec{
 			ResourceSpec: xpv1.ResourceSpec{
 				ProviderConfigReference: &xpv1.Reference{

diff --git a/pkg/comp-functions/functions/buckets/exoscalebucket/exoscalebucket.go b/pkg/comp-functions/functions/buckets/exoscalebucket/exoscalebucket.go
@@ -80,9 +80,12 @@ func addBucket(svc *runtime.ServiceRuntime, bucket *appcatv1.ObjectBucket, confi
 }
 
 func addUser(svc *runtime.ServiceRuntime, bucket *appcatv1.ObjectBucket, config string) error {
-
 	user := &exoscalev1.IAMKey{
-		ObjectMeta: metav1.ObjectMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				runtime.IgnoreConnectionDetailsAnnotation: "true",
+			},
+		},
 		Spec: exoscalev1.IAMKeySpec{
 			ResourceSpec: xpv1.ResourceSpec{
 				ProviderConfigReference: &xpv1.Reference{

diff --git a/pkg/comp-functions/functions/buckets/miniobucket/miniobucket.go b/pkg/comp-functions/functions/buckets/miniobucket/miniobucket.go
@@ -79,6 +79,9 @@ func addUser(svc *runtime.ServiceRuntime, bucket *appcatv1.ObjectBucket, config
 	user := &miniov1.User{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: bucket.Spec.Parameters.BucketName,
+			Annotations: map[string]string{
+				runtime.IgnoreConnectionDetailsAnnotation: "true",
+			},
 		},
 		Spec: miniov1.UserSpec{
 			ResourceSpec: xpv1.ResourceSpec{
@@ -87,7 +90,7 @@ func addUser(svc *runtime.ServiceRuntime, bucket *appcatv1.ObjectBucket, config
 				},
 				WriteConnectionSecretToReference: &xpv1.SecretReference{
 					Name:      bucket.GetName(),
-					Namespace: "syn-crossplane",
+					Namespace: svc.GetCrossplaneNamespace(),
 				},
 			},
 			ForProvider: miniov1.UserParameters{

diff --git a/pkg/comp-functions/functions/common/backup/backup.go b/pkg/comp-functions/functions/common/backup/backup.go
@@ -67,7 +67,7 @@ func createObjectBucket(ctx context.Context, comp common.InfoGetter, svc *runtim
 			},
 			ResourceSpec: xpv1.ResourceSpec{
 				WriteConnectionSecretToReference: &xpv1.SecretReference{
-					Namespace: comp.GetInstanceNamespace(),
+					Namespace: svc.GetCrossplaneNamespace(),
 					Name:      credentialSecretName,
 				},
 			},

diff --git a/pkg/comp-functions/functions/common/instance_namespace.go b/pkg/comp-functions/functions/common/instance_namespace.go
@@ -89,11 +89,8 @@ func createNamespaceObserver(claimNs string, instance string, svc *runtime.Servi
 			Name: claimNs,
 		},
 	}
-	labels := map[string]string{
-		"appcat.vshn.io/ignore-provider-config": "true",
-	}
 
-	return svc.SetDesiredKubeObject(ns, instance+claimNsObserverSuffix, runtime.KubeOptionAddLabels(labels), runtime.KubeOptionObserve)
+	return svc.SetDesiredKubeObject(ns, instance+claimNsObserverSuffix, runtime.KubeOptionDeployOnControlPlane, runtime.KubeOptionObserve)
 }
 
 // Create the namespace for the service instance

diff --git a/pkg/comp-functions/functions/common/mailgun_alerting.go b/pkg/comp-functions/functions/common/mailgun_alerting.go
@@ -109,31 +109,25 @@ func deployAlertmanagerConfig(ctx context.Context, name, email, instanceNamespac
 
 	xRef := xkube.Reference{
 		DependsOn: &xkube.DependsOn{
-			APIVersion: "v1",
-			Kind:       "Secret",
-			Namespace:  instanceNamespace,
-			Name:       alertManagerConfigSecretName,
+			Name: alertManagerConfigSecretName,
 		},
 	}
 
 	patchSecretWithOtherSecret := xkube.Reference{
 		PatchesFrom: &xkube.PatchesFrom{
 			DependsOn: xkube.DependsOn{
-				APIVersion: "v1",
-				Kind:       "Secret",
-				Namespace:  svc.Config.Data["emailAlertingSecretNamespace"],
-				Name:       svc.Config.Data["emailAlertingSecretName"],
+				Name: alertManagerConfigSecretName,
 			},
-			FieldPath: ptr.To("data.password"),
+			FieldPath: ptr.To("status.atProvider.manifest.data.password"),
 		},
 		ToFieldPath: ptr.To("data.password"),
 	}
 
-	if err := svc.SetDesiredKubeObject(secret, alertManagerConfigSecretName, runtime.KubeOptionAddRefs(patchSecretWithOtherSecret)); err != nil {
+	if err := svc.SetDesiredKubeObject(secret, alertManagerConfigSecretName, runtime.KubeOptionAddRefs(patchSecretWithOtherSecret), runtime.KubeOptionAllowDeletion); err != nil {
 		return err
 	}
 
-	return svc.SetDesiredKubeObject(ac, alertManagerConfigName, runtime.KubeOptionAddRefs(xRef))
+	return svc.SetDesiredKubeObject(ac, alertManagerConfigName, runtime.KubeOptionAddRefs(xRef), runtime.KubeOptionAllowDeletion)
 }
 
 func mailAlertingEnabled(config *v1.ConfigMap) bool {

diff --git a/pkg/comp-functions/functions/common/netpol.go b/pkg/comp-functions/functions/common/netpol.go
@@ -79,3 +79,27 @@ func CustomCreateNetworkPolicy(sourceNS []string, instanceNs, name string, allow
 
 	return nil
 }
+
+// AddLoadbalancerNetpolicy will allow all traffic to the namespace, so that the loabalancer
+// connection works as well.
+func AddLoadbalancerNetpolicy(svc *runtime.ServiceRuntime, comp InfoGetter) error {
+	np := &netv1.NetworkPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "allow-all",
+			Namespace: comp.GetInstanceNamespace(),
+		},
+		Spec: netv1.NetworkPolicySpec{
+			PodSelector: metav1.LabelSelector{},
+			Ingress: []netv1.NetworkPolicyIngressRule{
+				{},
+			},
+		},
+	}
+
+	err := svc.SetDesiredKubeObject(np, comp.GetName()+"-allow-all")
+	if err != nil {
+		return fmt.Errorf("cannot deploy allow all network policy: %w", err)
+	}
+
+	return nil
+}
diff --git a/pkg/comp-functions/functions/common/password.go b/pkg/comp-functions/functions/common/password.go
@@ -69,7 +69,7 @@ func AddGenericSecret(comp InfoGetter, svc *runtime.ServiceRuntime, suffix strin
 		cd = o(secret, cd)
 	}
 
-	return secretObjectName, svc.SetDesiredKubeObject(secret, secretObjectName, runtime.KubeOptionAddConnectionDetails(comp.GetInstanceNamespace(), cd...))
+	return secretObjectName, svc.SetDesiredKubeObject(secret, secretObjectName, runtime.KubeOptionAddConnectionDetails(svc.GetCrossplaneNamespace(), cd...))
 }
 
 func genPassword() (string, error) {

diff --git a/pkg/comp-functions/functions/common/postgresql.go b/pkg/comp-functions/functions/common/postgresql.go
@@ -48,7 +48,9 @@ func (a *PostgreSQLDependencyBuilder) SetCustomMaintenanceSchedule(timeOfDayMain
 	return a
 }
 
-func (a *PostgreSQLDependencyBuilder) CreateDependency() error {
+// CreateDependency applies the postgresql instance to the desired state.
+// It returns the name of the secret that will contain the connection details.
+func (a *PostgreSQLDependencyBuilder) CreateDependency() (string, error) {
 	// Unfortunately k8up and stackgres backups don't match up very well...
 	// if no daily backup is set we just do the default.
 	retention := 6
@@ -62,7 +64,7 @@ func (a *PostgreSQLDependencyBuilder) CreateDependency() error {
 
 			pgBouncerConfigBytes, err := json.Marshal(a.pgBouncerConfig)
 			if err != nil {
-				return err
+				return "", err
 			}
 			pgBouncerRaw = k8sruntime.RawExtension{
 				Raw: pgBouncerConfigBytes,
@@ -90,7 +92,7 @@ func (a *PostgreSQLDependencyBuilder) CreateDependency() error {
 	if a.psqlParams != nil {
 		err := mergo.Merge(params, a.psqlParams, mergo.WithOverride)
 		if err != nil {
-			return err
+			return "", err
 		}
 
 		// Mergo doesn't override non-default values with default values. So
@@ -110,9 +112,13 @@ func (a *PostgreSQLDependencyBuilder) CreateDependency() error {
 	// and would therefore override any value we set before the merge.
 	params.Instances = a.comp.GetInstances()
 
+	// We have to ignore the provideconfig on the composite itself.
 	pg := &vshnv1.XVSHNPostgreSQL{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: a.comp.GetName() + PgInstanceNameSuffix,
+			Labels: map[string]string{
+				runtime.ProviderConfigIgnoreLabel: "true",
+			},
 		},
 		Spec: vshnv1.XVSHNPostgreSQLSpec{
 			Parameters: *params,
@@ -125,15 +131,20 @@ func (a *PostgreSQLDependencyBuilder) CreateDependency() error {
 		},
 	}
 
+	// But pass the parent's provider config properly to the instance.
+	if v, exists := a.comp.GetLabels()[runtime.ProviderConfigLabel]; exists {
+		pg.Labels[runtime.ProviderConfigLabel] = v
+	}
+
 	err := CustomCreateNetworkPolicy([]string{a.comp.GetInstanceNamespace()}, pg.GetInstanceNamespace(), pg.GetName()+"-"+a.comp.GetServiceName(), false, a.svc)
 	if err != nil {
-		return err
+		return "", err
 	}
 
 	err = DisableBilling(pg.GetInstanceNamespace(), a.svc)
 	if err != nil {
-		return err
+		return "", err
 	}
 
-	return a.svc.SetDesiredComposedResource(pg)
+	return PgSecretName, a.svc.SetDesiredComposedResource(pg)
 }
diff --git a/pkg/comp-functions/functions/common/release.go b/pkg/comp-functions/functions/common/release.go
@@ -70,7 +70,7 @@ func getDesiredRelease(svc *runtime.ServiceRuntime, releaseName string) (*xhelmv
 }
 
 // NewRelease returns a new release with some defaults set.
-func NewRelease(ctx context.Context, svc *runtime.ServiceRuntime, comp InfoGetter, values map[string]any, cd ...xhelmv1.ConnectionDetail) (*xhelmv1.Release, error) {
+func NewRelease(ctx context.Context, svc *runtime.ServiceRuntime, comp InfoGetter, values map[string]any, resName string, cd ...xhelmv1.ConnectionDetail) (*xhelmv1.Release, error) {
 
 	vb, err := json.Marshal(values)
 	if err != nil {
@@ -101,7 +101,7 @@ func NewRelease(ctx context.Context, svc *runtime.ServiceRuntime, comp InfoGette
 				},
 				WriteConnectionSecretToReference: &xpv1.SecretReference{
 					Name:      comp.GetName() + "-connection",
-					Namespace: comp.GetInstanceNamespace(),
+					Namespace: svc.GetCrossplaneNamespace(),
 				},
 			},
 			ConnectionDetails: cd,

diff --git a/pkg/comp-functions/functions/common/tls.go b/pkg/comp-functions/functions/common/tls.go
@@ -171,7 +171,7 @@ func CreateTLSCerts(ctx context.Context, ns string, serviceName string, svc *run
 		},
 	}
 
-	err = svc.SetDesiredKubeObject(serverCert, serviceName+"-server-cert", runtime.KubeOptionAddConnectionDetails(ns, cd...))
+	err = svc.SetDesiredKubeObject(serverCert, serviceName+"-server-cert", runtime.KubeOptionAddConnectionDetails(svc.GetCrossplaneNamespace(), cd...))
 	if err != nil {
 		err = fmt.Errorf("cannot create serverCert object: %w", err)
 		return serverCertsSecret, err