feat(): vpnkeyrotation apis, webhook, ITs, UTs and service layer (#174)

feat(): vpnkeyrotation apis, webhook, ITs, UTs and service layer 

Signed-off-by: rahulsawra98 <[email protected]

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.18 as builder
+FROM golang:1.19 as builder
 MAINTAINER "Avesha Systems"
 WORKDIR /workspace
 # Copy the Go Modules manifests

Makefile

@@ -83,6 +83,9 @@ test: manifests generate fmt vet envtest ## Run tests.
 test-local: envtest ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./controllers/controller/... -coverprofile cover.out
 
+.PHONY: int-test
+int-test: envtest
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./controllers/controller/... -coverprofile cover.out
 
 .PHONY: generate-yamls
 generate-yamls: manifests kustomize ## Generates the yaml files
@@ -193,7 +196,7 @@ generate-mocks: ## Generate mocks for the controller-runtime.
 
 .PHONY: unit-test
 unit-test: ## Run local unit tests.
-	go test ./service --coverprofile=coverage.out
+	go test -gcflags=-l ./service --coverprofile=coverage.out
 	mkdir -p coverage-report
 	go tool cover -html=coverage.out -o coverage-report/report.html
 

PROJECT

@@ -111,4 +111,15 @@ resources:
   kind: WorkerSliceGwRecycler
   path: github.com/kubeslice/kubeslice-controller/apis/worker/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: kubeslice.io
+  group: controller
+  kind: VpnKeyRotation
+  path: github.com/kubeslice/kubeslice-controller/apis/controller/v1alpha1
+  version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 version: "3"

apis/controller/v1alpha1/sliceconfig_types.go

@@ -42,6 +42,13 @@ type SliceConfigSpec struct {
 	//+kubebuilder:validation:Maximum=32
 	//+kubebuilder:default:=16
 	MaxClusters int `json:"maxClusters,omitempty"`
+	//+kubebuilder:validation:Minimum=30
+	//+kubebuilder:validation:Maximum=90
+	//+kubebuilder:default:=30
+	RotationInterval int `json:"rotationInterval,omitempty"`
+	// RenewBefore is used for renew now!
+	RenewBefore *metav1.Time      `json:"renewBefore,omitempty"`
+	VPNConfig   *VPNConfiguration `json:"vpnConfig,omitempty"`
 }
 
 // ExternalGatewayConfig is the configuration for external gateways like 'istio', etc/
@@ -106,6 +113,14 @@ type SliceNamespaceSelection struct {
 	Clusters  []string `json:"clusters,omitempty"`
 }
 
+// VPNConfiguration defines the additional (optional) VPN Configuration to customise
+type VPNConfiguration struct {
+	//+kubebuilder:default:=AES-256-CBC
+	//+kubebuilder:validation:Required
+	//+kubebuilder:validation:Enum:=AES-256-CBC;AES-128-CBC
+	Cipher string `json:"cipher"`
+}
+
 type KubesliceEvent struct {
 	// Type of the event. Can be one of Error, Success or InProgress
 	Type string `json:"type,omitempty"`

apis/controller/v1alpha1/sliceconfig_webhook.go

@@ -54,6 +54,11 @@ var _ webhook.Defaulter = &SliceConfig{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type
 func (r *SliceConfig) Default() {
 	sliceconfigurationlog.Info("default", "name", r.Name)
+	if r.Spec.VPNConfig == nil {
+		r.Spec.VPNConfig = &VPNConfiguration{
+			Cipher: "AES-256-CBC",
+		}
+	}
 }
 
 // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.

apis/controller/v1alpha1/vpnkeyrotation_types.go

@@ -0,0 +1,89 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// VpnKeyRotationSpec defines the desired state of VpnKeyRotation
+type VpnKeyRotationSpec struct {
+	SliceName string `json:"sliceName,omitempty"`
+	// ClusterGatewayMapping represents a map where key is cluster name and value is array of gateways present on that cluster.
+	// This is used to avoid unnecessary reconciliation in worker-operator.
+	ClusterGatewayMapping map[string][]string `json:"clusterGatewayMapping,omitempty"`
+	// CertificateCreationTime is a time when certificate for all the gateway pairs is created/updated
+	CertificateCreationTime *metav1.Time `json:"certificateCreationTime,omitempty"`
+	// CertificateExpiryTime is a time when certificate for all the gateway pairs will expire
+	CertificateExpiryTime *metav1.Time `json:"certificateExpiryTime,omitempty"`
+	RotationInterval      int          `json:"rotationInterval,omitempty"`
+	// clusters contains the list of clusters attached to this slice
+	Clusters []string `json:"clusters,omitempty"`
+	// RotationCount represent the number of times rotation has been already performed.
+	RotationCount int `json:"rotationCount,omitempty"`
+}
+
+// VpnKeyRotationStatus defines the observed state of VpnKeyRotation
+type VpnKeyRotationStatus struct {
+	// This is map of gateway name to the current rotation state
+	CurrentRotationState map[string]StatusOfKeyRotation `json:"currentRotationState,omitempty"`
+	// This is circular array of last n number of rotation status.
+	StatusHistory map[string][]StatusOfKeyRotation `json:"statusHistory,omitempty"`
+}
+
+// StatusOfKeyRotation represent per gateway status
+type StatusOfKeyRotation struct {
+	Status               string      `json:"status,omitempty"`
+	LastUpdatedTimestamp metav1.Time `json:"lastUpdatedTimestamp,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// VpnKeyRotation is the Schema for the vpnkeyrotations API
+type VpnKeyRotation struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   VpnKeyRotationSpec   `json:"spec,omitempty"`
+	Status VpnKeyRotationStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// VpnKeyRotationList contains a list of VpnKeyRotation
+type VpnKeyRotationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []VpnKeyRotation `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&VpnKeyRotation{}, &VpnKeyRotationList{})
+}
+
+// status of key rotation updated by workers
+const (
+	SecretReadInProgress string = "READ_IN_PROGRESS"
+	SecretUpdated        string = "SECRET_UPDATED"
+	InProgress           string = "IN_PROGRESS"
+	Complete             string = "COMPLETE"
+	Error                string = "ERROR"
+)

apis/controller/v1alpha1/vpnkeyrotation_webhook.go

@@ -0,0 +1,83 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+
+	ossEvents "github.com/kubeslice/kubeslice-controller/events"
+	"github.com/kubeslice/kubeslice-controller/util"
+	"github.com/kubeslice/kubeslice-monitoring/pkg/events"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+// log is for logging in this package.
+var (
+	vpnKeyRotationLog                    = util.NewLogger().With("name", "vpnkeyrotation-resource")
+	customVpnKeyRotationCreateValidation func(ctx context.Context, vpn *VpnKeyRotation) error
+	customVpnKeyRotationDeleteValidation func(ctx context.Context, vpn *VpnKeyRotation) error
+	vpnKeyRotationConfigWebhookClient    client.Client
+	eventRecorder                        events.EventRecorder
+)
+
+func (r *VpnKeyRotation) SetupWebhookWithManager(mgr ctrl.Manager, validateCreate func(context.Context, *VpnKeyRotation) error, validateDelete func(context.Context, *VpnKeyRotation) error) error {
+	vpnKeyRotationConfigWebhookClient = mgr.GetClient()
+	customVpnKeyRotationCreateValidation = validateCreate
+	customVpnKeyRotationDeleteValidation = validateDelete
+	eventRecorder = events.NewEventRecorder(mgr.GetClient(), mgr.GetScheme(), ossEvents.EventsMap, events.EventRecorderOptions{
+		Version:   "v1alpha1",
+		Cluster:   util.ClusterController,
+		Component: util.ComponentController,
+		Slice:     util.NotApplicable,
+	})
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+
+// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
+//+kubebuilder:webhook:path=/validate-controller-kubeslice-io-v1alpha1-vpnkeyrotation,mutating=false,failurePolicy=fail,sideEffects=None,groups=controller.kubeslice.io,resources=vpnkeyrotations,verbs=create;update;delete,versions=v1alpha1,name=vvpnkeyrotation.kb.io,admissionReviewVersions={v1,v1beta1}
+
+var _ webhook.Validator = &VpnKeyRotation{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *VpnKeyRotation) ValidateCreate() error {
+	sliceconfigurationlog.Info("validate create", "name", r.Name)
+	sliceConfigCtx := util.PrepareKubeSliceControllersRequestContext(context.Background(), vpnKeyRotationConfigWebhookClient, nil, "VpnKeyRotationConfigValidation", &eventRecorder)
+	return customVpnKeyRotationCreateValidation(sliceConfigCtx, r)
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *VpnKeyRotation) ValidateUpdate(old runtime.Object) error {
+	vpnKeyRotationLog.Info("validate update", "name", r.Name)
+
+	// TODO(user): fill in your validation logic upon object update.
+	return nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *VpnKeyRotation) ValidateDelete() error {
+	vpnKeyRotationLog.Info("validate delete", "name", r.Name)
+
+	sliceConfigCtx := util.PrepareKubeSliceControllersRequestContext(context.Background(), vpnKeyRotationConfigWebhookClient, nil, "VpnKeyRotationConfigValidation", &eventRecorder)
+	return customVpnKeyRotationDeleteValidation(sliceConfigCtx, r)
+}