Add ACL optional field to Source API

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
fluxcd · Aug 12, 2021 · 525be38 · 525be38
1 parent 5980619
commit 525be38
Show file tree

Hide file tree

Showing 15 changed files with 240 additions and 6 deletions.
diff --git a/api/go.mod b/api/go.mod
@@ -3,11 +3,12 @@ module github.com/fluxcd/source-controller/api
 go 1.16
 
 require (
+	github.com/fluxcd/pkg/apis/acl v0.0.1
 	github.com/fluxcd/pkg/apis/meta v0.11.0-rc.1
 	// TODO(hidde): introduction of the runtime package is temporary, and the dependency should be removed as soon as
 	//  all APIs have been updated to the runtime standards (more specifically; have dropped their condition modifying
 	//  functions).
-	github.com/fluxcd/pkg/runtime v0.13.0-rc.2
+	github.com/fluxcd/pkg/runtime v0.13.0-rc.3
 	k8s.io/apimachinery v0.21.3
 	sigs.k8s.io/controller-runtime v0.9.3
 )
diff --git a/api/go.sum b/api/go.sum
@@ -91,10 +91,12 @@ github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs=
 github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fluxcd/pkg/apis/acl v0.0.1 h1:biCgZMjpDSv3Q4mZPikUJILx3t2MuNXR4Oa5jRQxaNQ=
+github.com/fluxcd/pkg/apis/acl v0.0.1/go.mod h1:y3qOXUFObVWk7jzOjubMnr/u18j1kCeSi6olycnxr/E=
 github.com/fluxcd/pkg/apis/meta v0.11.0-rc.1 h1:RHHrztAFv9wmjM+Pk7Svt1UdD+1SdnQSp76MWFiM7Hg=
 github.com/fluxcd/pkg/apis/meta v0.11.0-rc.1/go.mod h1:yUblM2vg+X8TE3A2VvJfdhkGmg+uqBlSPkLk7dxi0UM=
-github.com/fluxcd/pkg/runtime v0.13.0-rc.2 h1:+4uTEg+CU++hlr7NpOP4KYp60MtHDOgYvpz/74tbATg=
-github.com/fluxcd/pkg/runtime v0.13.0-rc.2/go.mod h1:TmvE2cJl1QkgZNmmlr7XUKoWDQwUiM5/wTUxXsQVoc8=
+github.com/fluxcd/pkg/runtime v0.13.0-rc.3 h1:VxtmEL/m3/9wJBhhhWQ48fz8m93B7UiyVi5cXYbiy3E=
+github.com/fluxcd/pkg/runtime v0.13.0-rc.3/go.mod h1:5ioX9wb63+RUvHBdjRsFG4uYn6Ll/Yoa7Ema6XKIIuQ=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=

diff --git a/api/v1beta1/bucket_types.go b/api/v1beta1/bucket_types.go
@@ -19,6 +19,7 @@ package v1beta1
 import (
 	"time"
 
+	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -80,6 +81,10 @@ type BucketSpec struct {
 	// This flag tells the controller to suspend the reconciliation of this source.
 	// +optional
 	Suspend bool `json:"suspend,omitempty"`
+
+	// AccessFrom defines an Access Control List for allowing cross-namespace references to this object.
+	// +optional
+	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
 }
 
 // BucketStatus defines the observed state of a bucket

diff --git a/api/v1beta1/gitrepository_types.go b/api/v1beta1/gitrepository_types.go
@@ -19,6 +19,7 @@ package v1beta1
 import (
 	"time"
 
+	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -100,6 +101,10 @@ type GitRepositorySpec struct {
 	// Include defines a list of GitRepository resources which artifacts should be included in the artifact produced for
 	// this resource.
 	Include []GitRepositoryInclude `json:"include,omitempty"`
+
+	// AccessFrom defines an Access Control List for allowing cross-namespace references to this object.
+	// +optional
+	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
 }
 
 func (in *GitRepositoryInclude) GetFromPath() string {

diff --git a/api/v1beta1/helmchart_types.go b/api/v1beta1/helmchart_types.go
@@ -19,6 +19,7 @@ package v1beta1
 import (
 	"time"
 
+	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/conditions"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
@@ -66,6 +67,10 @@ type HelmChartSpec struct {
 	// This flag tells the controller to suspend the reconciliation of this source.
 	// +optional
 	Suspend bool `json:"suspend,omitempty"`
+
+	// AccessFrom defines an Access Control List for allowing cross-namespace references to this object.
+	// +optional
+	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
 }
 
 // LocalHelmChartSourceReference contains enough information to let you locate

diff --git a/api/v1beta1/helmrepository_types.go b/api/v1beta1/helmrepository_types.go
@@ -19,6 +19,7 @@ package v1beta1
 import (
 	"time"
 
+	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/conditions"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
@@ -69,6 +70,10 @@ type HelmRepositorySpec struct {
 	// This flag tells the controller to suspend the reconciliation of this source.
 	// +optional
 	Suspend bool `json:"suspend,omitempty"`
+
+	// AccessFrom defines an Access Control List for allowing cross-namespace references to this object.
+	// +optional
+	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
 }
 
 // HelmRepositoryStatus defines the observed state of the HelmRepository.

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml b/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml
@@ -45,6 +45,24 @@ spec:
           spec:
             description: BucketSpec defines the desired state of an S3 compatible bucket
             properties:
+              accessFrom:
+                description: AccessFrom defines an Access Control List for allowing cross-namespace references to this object.
+                properties:
+                  namespaceSelectors:
+                    description: NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.
+                    items:
+                      description: NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.
+                      properties:
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - namespaceSelectors
+                type: object
               bucketName:
                 description: The bucket name.
                 type: string

diff --git a/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml
@@ -47,6 +47,24 @@ spec:
           spec:
             description: GitRepositorySpec defines the desired state of a Git repository.
             properties:
+              accessFrom:
+                description: AccessFrom defines an Access Control List for allowing cross-namespace references to this object.
+                properties:
+                  namespaceSelectors:
+                    description: NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.
+                    items:
+                      description: NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.
+                      properties:
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - namespaceSelectors
+                type: object
               gitImplementation:
                 default: go-git
                 description: Determines which git client library to use. Defaults to go-git, valid values are ('go-git', 'libgit2').

diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml
@@ -56,6 +56,24 @@ spec:
           spec:
             description: HelmChartSpec defines the desired state of a Helm chart.
             properties:
+              accessFrom:
+                description: AccessFrom defines an Access Control List for allowing cross-namespace references to this object.
+                properties:
+                  namespaceSelectors:
+                    description: NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.
+                    items:
+                      description: NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.
+                      properties:
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - namespaceSelectors
+                type: object
               chart:
                 description: The name or path the Helm chart is available at in the SourceRef.
                 type: string

diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
@@ -47,6 +47,24 @@ spec:
           spec:
             description: HelmRepositorySpec defines the reference to a Helm repository.
             properties:
+              accessFrom:
+                description: AccessFrom defines an Access Control List for allowing cross-namespace references to this object.
+                properties:
+                  namespaceSelectors:
+                    description: NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.
+                    items:
+                      description: NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.
+                      properties:
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - namespaceSelectors
+                type: object
               interval:
                 description: The interval at which to check the upstream for updates.
                 type: string