Implementation for cluster identity

Author: shyamradhakrishnan

Makefile

@@ -253,6 +253,8 @@ generate-e2e-templates: $(KUSTOMIZE)
 	$(KUSTOMIZE) build $(OCI_TEMPLATES)/v1beta1/cluster-template-externally-managed-vcn --load-restrictor LoadRestrictionsNone > $(OCI_TEMPLATES)/v1beta1/cluster-template-externally-managed-vcn.yaml
 	$(KUSTOMIZE) build $(OCI_TEMPLATES)/v1beta1/cluster-template-machine-pool --load-restrictor LoadRestrictionsNone > $(OCI_TEMPLATES)/v1beta1/cluster-template-machine-pool.yaml
 	$(KUSTOMIZE) build $(OCI_TEMPLATES)/v1beta1/cluster-template-managed --load-restrictor LoadRestrictionsNone > $(OCI_TEMPLATES)/v1beta1/cluster-template-managed.yaml
+	$(KUSTOMIZE) build $(OCI_TEMPLATES)/v1beta1/cluster-template-managed-cluster-identity --load-restrictor LoadRestrictionsNone > $(OCI_TEMPLATES)/v1beta1/cluster-template-managed-cluster-identity.yaml
+	$(KUSTOMIZE) build $(OCI_TEMPLATES)/v1beta1/cluster-template-cluster-identity --load-restrictor LoadRestrictionsNone > $(OCI_TEMPLATES)/v1beta1/cluster-template-cluster-identity.yaml
 
 .PHONY: test-e2e-run
 test-e2e-run: generate-e2e-templates $(GINKGO) $(ENVSUBST) ## Run e2e tests

api/v1beta1/conditions_consts.go

@@ -99,4 +99,6 @@ const (
 	ApiServerLoadBalancerEventReady = "APIServerLoadBalancerReady"
 	// FailureDomainEventReady used after reconciliation has completed successfully
 	FailureDomainEventReady = "FailureDomainsReady"
+	// NamespaceNotAllowedByIdentity used to indicate cluster in a namespace not allowed by identity.
+	NamespaceNotAllowedByIdentity = "NamespaceNotAllowedByIdentity"
 )

api/v1beta1/ocicluster_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
@@ -39,6 +40,10 @@ type OCIClusterSpec struct {
 	// +optional
 	OCIResourceIdentifier string `json:"ociResourceIdentifier,omitempty"`
 
+	// IdentityRef is a reference to an identity(principal) to be used when reconciling this cluster
+	// +optional
+	IdentityRef *corev1.ObjectReference `json:"identityRef,omitempty"`
+
 	// NetworkSpec encapsulates all things related to OCI network.
 	// +optional
 	NetworkSpec NetworkSpec `json:"networkSpec,omitempty"`

api/v1beta1/ociclusteridentity_types.go

@@ -0,0 +1,101 @@
+/*
+ Copyright (c) 2022, 2023 Oracle and/or its affiliates.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+)
+
+type PrincipalType string
+
+const (
+	// UserPrincipal represents a user principal.
+	UserPrincipal PrincipalType = "UserPrincipal"
+)
+
+// OCIClusterIdentitySpec defines the parameters that are used to create an OCIClusterIdentity.
+type OCIClusterIdentitySpec struct {
+	// Type is the type of OCI Principal used.
+	// UserPrincipal is the only supported value
+	Type PrincipalType `json:"type"`
+
+	// PrincipalSecret is a secret reference which contains the authentication credentials for the principal.
+	// +optional
+	PrincipalSecret corev1.SecretReference `json:"principalSecret,omitempty"`
+
+	// AllowedNamespaces is used to identify the namespaces the clusters are allowed to use the identity from.
+	// Namespaces can be selected either using an array of namespaces or with label selector.
+	// An empty allowedNamespaces object indicates that OCIClusters can use this identity from any namespace.
+	// If this object is nil, no namespaces will be allowed (default behaviour, if this field is not provided)
+	// A namespace should be either in the NamespaceList or match with Selector to use the identity.
+	//
+	// +optional
+	// +nullable
+	AllowedNamespaces *AllowedNamespaces `json:"allowedNamespaces"`
+}
+
+// AllowedNamespaces defines the namespaces the clusters are allowed to use the identity from
+type AllowedNamespaces struct {
+	// A nil or empty list indicates that OCICluster cannot use the identity from any namespace.
+	// NamespaceList takes precedence over the Selector.
+	// +optional
+	// +nullable
+	NamespaceList []string `json:"list"`
+
+	// Selector is a selector of namespaces that OCICluster can
+	// use this Identity from. This is a standard Kubernetes LabelSelector,
+	// a label query over a set of resources. The result of matchLabels and
+	// matchExpressions are ANDed.
+	//
+	// A nil or empty selector indicates that OCICluster cannot use this
+	// OCIClusterIdentity from any namespace.
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector"`
+}
+
+// OCIClusterIdentityStatus defines the observed state of OCIClusterIdentity.
+type OCIClusterIdentityStatus struct {
+	// Conditions defines current service state of the OCIClusterIdentity.
+	// +optional
+	Conditions clusterv1.Conditions `json:"conditions,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// OCIClusterIdentity is the Schema for the OCI Cluster Identity API
+type OCIClusterIdentity struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              OCIClusterIdentitySpec   `json:"spec,omitempty"`
+	Status            OCIClusterIdentityStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// OCIClusterIdentityList contains a list of OCIClusterIdentity.
+type OCIClusterIdentityList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []OCIClusterIdentity `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&OCIClusterIdentity{}, &OCIClusterIdentityList{})
+}

api/v1beta1/zz_generated.deepcopy.go

@@ -100,6 +100,11 @@ func (c *ClientProvider) GetOrBuildClient(region string) (OCIClients, error) {
 	return regionalClient, nil
 }
 
+// GetRegion returns the region from the authentication config provider
+func (c *ClientProvider) GetRegion() (string, error) {
+	return c.ociAuthConfigProvider.Region()
+}
+
 func createClients(region string, oCIAuthConfigProvider common.ConfigurationProvider, logger *logr.Logger) (OCIClients, error) {
 	vcnClient, err := createVncClient(region, oCIAuthConfigProvider, logger)
 	if err != nil {

cloud/scope/clients.go

@@ -18,6 +18,7 @@ package scope
 
 import (
 	infrastructurev1beta1 "github.com/oracle/cluster-api-provider-oci/api/v1beta1"
+	corev1 "k8s.io/api/core/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
@@ -37,6 +38,10 @@ type OCIClusterAccessor interface {
 	GetFreeformTags() map[string]string
 	// GetName returns the name of the cluster.
 	GetName() string
+	// GetNameSpace returns the namespace of the cluster.
+	GetNameSpace() string
+	// GetRegion returns the region of the cluster, if specified in the spec.
+	GetRegion() string
 	// GetNetworkSpec returns the NetworkSpec of the cluster.
 	GetNetworkSpec() *infrastructurev1beta1.NetworkSpec
 	// SetControlPlaneEndpoint sets the control plane endpoint of the cluster.
@@ -47,4 +52,8 @@ type OCIClusterAccessor interface {
 	SetFailureDomain(id string, spec clusterv1.FailureDomainSpec)
 	// SetAvailabilityDomains sets the availability domain.
 	SetAvailabilityDomains(ads map[string]infrastructurev1beta1.OCIAvailabilityDomain)
+	// MarkConditionFalse marks the provided condition as false in the cluster object
+	MarkConditionFalse(t clusterv1.ConditionType, reason string, severity clusterv1.ConditionSeverity, messageFormat string, messageArgs ...interface{})
+	// GetIdentityRef returns the Identity reference of the cluster
+	GetIdentityRef() *corev1.ObjectReference
 }

cloud/scope/cluster_accessor.go

@@ -19,14 +19,33 @@ package scope
 import (
 	infrastructurev1beta1 "github.com/oracle/cluster-api-provider-oci/api/v1beta1"
 	infrav1exp "github.com/oracle/cluster-api-provider-oci/exp/api/v1beta1"
+	corev1 "k8s.io/api/core/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	"sigs.k8s.io/cluster-api/util/conditions"
 )
 
 // OCIManagedCluster is the ClusterAccessor implementation for managed clusters(OKE)
 type OCIManagedCluster struct {
 	OCIManagedCluster *infrav1exp.OCIManagedCluster
 }
 
+func (c OCIManagedCluster) GetNameSpace() string {
+	return c.OCIManagedCluster.Namespace
+}
+
+func (c OCIManagedCluster) GetRegion() string {
+	return c.OCIManagedCluster.Spec.Region
+}
+
+func (c OCIManagedCluster) MarkConditionFalse(t clusterv1.ConditionType, reason string, severity clusterv1.ConditionSeverity, messageFormat string, messageArgs ...interface{}) {
+	conditions.MarkFalse(c.OCIManagedCluster, infrastructurev1beta1.ClusterReadyCondition, reason, severity, messageFormat, messageArgs...)
+
+}
+
+func (c OCIManagedCluster) GetIdentityRef() *corev1.ObjectReference {
+	return c.OCIManagedCluster.Spec.IdentityRef
+}
+
 func (c OCIManagedCluster) GetOCIResourceIdentifier() string {
 	return c.OCIManagedCluster.Spec.OCIResourceIdentifier
 }