package v1alpha1
import (
"errors"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
// AccountClaimSpec defines the desired state of AccountClaim
//
// The spec encodes three provisioning modes selected by boolean flags and
// checked by AccountClaim.Validate:
//   - ManualSTSMode: only STSRoleARN is required (validateSTS). This mode
//     takes precedence, so the BYOC checks are skipped even if BYOC is set.
//   - BYOC: BYOCAWSAccountID, BYOCSecretRef and AwsCredentialSecret are
//     required (validateBYOC).
//   - neither: no validation is performed.
//
// NOTE(review): every field here is caller-controlled input to the operator.
// Validate only checks for presence; ARNs, the account ID and tag strings are
// not checked for format, and SecretRef namespaces are not restricted in this
// file. Confirm the reconciler applies those constraints before trusting them.
// +k8s:openapi-gen=true
type AccountClaimSpec struct {
	// LegalEntity identifies the Red Hat legal entity the claim is made for
	// (see LegalEntity).
	LegalEntity LegalEntity `json:"legalEntity"`
	// AwsCredentialSecret references a Secret (name and namespace). Validate
	// requires both parts to be set when BYOC is true; its contents are not
	// described in this file.
	AwsCredentialSecret SecretRef `json:"awsCredentialSecret"`
	// Aws holds AWS-specific configuration for the claimed account,
	// currently just the list of regions.
	Aws Aws `json:"aws"`
	// AccountLink references the Account CR bound to this claim; it is shown
	// in the "Account" printer column of `kubectl get accountclaims`.
	AccountLink string `json:"accountLink"`
	// AccountOU is optional and is not inspected by Validate.
	AccountOU string `json:"accountOU,omitempty"`
	// BYOC selects the bring-your-own-cloud (CCS) path; when true and
	// ManualSTSMode is false, Validate runs validateBYOC.
	BYOC bool `json:"byoc,omitempty"`
	// BYOCSecretRef references a Secret (name and namespace) used in BYOC
	// mode. Validate requires both parts to be set when BYOC is true.
	BYOCSecretRef SecretRef `json:"byocSecretRef,omitempty"`
	// BYOCAWSAccountID is the customer-owned AWS account ID used in BYOC
	// mode. Validate requires it to be non-empty when BYOC is true but does
	// not check its format.
	BYOCAWSAccountID string `json:"byocAWSAccountID,omitempty"`
	// ManualSTSMode selects the STS (short-lived credential) path; when true
	// Validate runs only validateSTS.
	ManualSTSMode bool `json:"manualSTSMode,omitempty"`
	// STSRoleARN is the role to assume in ManualSTSMode. Validate requires
	// it to be non-empty in that mode; the ARN itself is not parsed here.
	STSRoleARN string `json:"stsRoleARN,omitempty"`
	// STSExternalID is optional and is not inspected by Validate.
	// Presumably the ExternalId supplied when assuming STSRoleARN (the
	// standard confused-deputy guard) -- confirm against the reconciler.
	STSExternalID string `json:"stsExternalID,omitempty"`
	// SupportRoleARN is optional and is not inspected by Validate.
	SupportRoleARN string `json:"supportRoleARN,omitempty"`
	// CustomTags is an optional, free-form string; its encoding is not
	// defined or validated in this file.
	CustomTags string `json:"customTags,omitempty"`
	// KmsKeyId is optional and is not inspected by Validate. (The name
	// departs from Go's KmsKeyID convention but is exported API; leave it.)
	KmsKeyId string `json:"kmsKeyId,omitempty"`
	// AccountPool is optional and is not inspected by Validate.
	AccountPool string `json:"accountPool,omitempty"`
	// FleetManagerConfig is exclusively designed for use by the fleet
	// manager; it is not inspected by Validate.
	FleetManagerConfig FleetManagerConfig `json:"fleetManagerConfig,omitempty"`
}
// AccountClaimStatus defines the observed state of AccountClaim
//
// Written by the operator via the status subresource (see the
// +kubebuilder:subresource:status marker on AccountClaim).
// +k8s:openapi-gen=true
type AccountClaimStatus struct {
	// Conditions records the claim's condition history, keyed by Type so
	// that at most one entry per condition type is kept.
	// +listType=map
	// +listMapKey=type
	Conditions []AccountClaimCondition `json:"conditions"`
	// State is the coarse phase of the claim; one of the ClaimStatus
	// constants. It backs the "State" printer column.
	State ClaimStatus `json:"state"`
}
// AccountClaimCondition contains details for the current condition of an
// AWS account claim. It follows the usual Kubernetes condition shape
// (type/status/timestamps/reason/message).
type AccountClaimCondition struct {
	// Type is the type of the condition; one of the
	// AccountClaimConditionType constants.
	Type AccountClaimConditionType `json:"type"`
	// Status is the status of the condition (True, False or Unknown).
	Status corev1.ConditionStatus `json:"status"`
	// LastProbeTime is the last time we probed the condition.
	// +optional
	LastProbeTime metav1.Time `json:"lastProbeTime,omitempty"`
	// LastTransitionTime is the last time the condition transitioned from one status to another.
	// +optional
	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
	// Reason is a unique, one-word, CamelCase reason for the condition's last transition.
	// +optional
	Reason string `json:"reason,omitempty"`
	// Message is a human-readable message indicating details about last transition.
	// +optional
	Message string `json:"message,omitempty"`
}
// AccountClaimConditionType is a valid value for AccountClaimCondition.Type
//
// The string values below are persisted in .status.conditions[].type and are
// therefore part of the API surface; do not rename them. Note the mixed
// naming ("Claimed"/"Unclaimed" versus the longer "*AccountClaimFailed"
// forms) is historical and must be preserved.
type AccountClaimConditionType string

const (
	// AccountClaimed is set when an Account is claimed
	AccountClaimed AccountClaimConditionType = "Claimed"
	// CCSAccountClaimFailed is set when a CCS (BYOC) Account fails
	CCSAccountClaimFailed AccountClaimConditionType = "CCSAccountClaimFailed"
	// AccountClaimFailed is set when a standard Account fails
	AccountClaimFailed AccountClaimConditionType = "AccountClaimFailed"
	// AccountUnclaimed is set when an Account is not claimed
	AccountUnclaimed AccountClaimConditionType = "Unclaimed"
	// ClientError is set when an Error regarding the client occurred
	ClientError AccountClaimConditionType = "ClientError"
	// AuthenticationFailed is set when we get an AWS error from STS role assumption
	AuthenticationFailed AccountClaimConditionType = "AuthenticationFailed"
	// InvalidAccountClaim is set when the account claim CR is missing required values
	// (for example when Validate returns one of the Err* sentinels)
	InvalidAccountClaim AccountClaimConditionType = "InvalidAccountClaim"
	// InternalError is set when a serious internal issue arises
	InternalError AccountClaimConditionType = "InternalError"
)
// ClaimStatus is a valid value for AccountClaimStatus.State
//
// These strings are persisted in .status.state and surfaced in the "State"
// printer column; do not rename them.
type ClaimStatus string

const (
	// ClaimStatusPending pending status for a claim
	ClaimStatusPending ClaimStatus = "Pending"
	// ClaimStatusReady ready status for a claim
	ClaimStatusReady ClaimStatus = "Ready"
	// ClaimStatusError error status for a claim
	ClaimStatusError ClaimStatus = "Error"
)
// +genclient
// +kubebuilder:object:root=true
// AccountClaim is the Schema for the accountclaims API.
// A namespaced CR through which a consumer requests an AWS account; Spec is
// caller-supplied (see AccountClaimSpec and Validate) and Status is owned by
// the operator through the status subresource.
// +k8s:openapi-gen=true
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state",description="Status the account claim"
// +kubebuilder:printcolumn:name="Account",type="string",JSONPath=".spec.accountLink",description="Account CR link for the account claim"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age since the account claim was created"
// +kubebuilder:resource:path=accountclaims,scope=Namespaced
type AccountClaim struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state supplied by the claimant.
	Spec AccountClaimSpec `json:"spec,omitempty"`
	// Status is the observed state written by the operator.
	Status AccountClaimStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
// AccountClaimList contains a list of AccountClaim; it is the list type
// registered alongside AccountClaim in init.
type AccountClaimList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []AccountClaim `json:"items"`
}
// FleetManagerConfig contains configuration specific to account claims made
// by the fleet manager (see AccountClaimSpec.FleetManagerConfig).
type FleetManagerConfig struct {
	// TrustedARN is not inspected by Validate; by its name it is presumably
	// an IAM principal ARN to be trusted by the account -- confirm in the
	// reconciler before relying on that reading.
	TrustedARN string `json:"trustedARN"`
}
// LegalEntity contains Red Hat specific identifiers for the original creator
// of the clusters.
type LegalEntity struct {
	// Name is the human-readable legal entity name.
	Name string `json:"name"`
	// ID is the legal entity identifier.
	ID string `json:"id"`
}
// SecretRef contains the name of a secret and its namespace.
//
// Because Namespace is part of the reference, an AccountClaim can name a
// Secret outside its own namespace. NOTE(review): nothing in this file limits
// which namespaces may be referenced; the code that dereferences a SecretRef
// should enforce that, or a claimant could point the operator at Secrets it
// is not otherwise allowed to read -- confirm in the reconciler.
type SecretRef struct {
	// Name of the Secret. Validate treats an empty Name as "not set".
	Name string `json:"name"`
	// Namespace holding the Secret. Validate treats an empty Namespace as
	// "not set".
	Namespace string `json:"namespace"`
}
// Aws struct contains specific AWS account configuration options.
type Aws struct {
	// Regions lists the AWS regions requested for the account. It is not
	// inspected by Validate.
	Regions []AwsRegions `json:"regions"`
}
// AwsRegions struct contains specific AwsRegion information, at the moment its just
// name but in the future it will contain specific resource limits etc.
type AwsRegions struct {
	// Name is the AWS region name (e.g. a value such as "us-east-1"); it is
	// not validated against a known-region list in this file.
	Name string `json:"name"`
}
// init registers AccountClaim and AccountClaimList with the package's
// SchemeBuilder (declared elsewhere in this package) so the API group
// knows these kinds. This is the standard kubebuilder registration hook.
func init() {
	SchemeBuilder.Register(&AccountClaim{}, &AccountClaimList{})
}
// Sentinel errors returned by AccountClaim.Validate. Callers should compare
// with errors.Is rather than on the message text. The messages are CamelCase
// identifiers rather than Go-style lowercase sentences; they are left as-is
// because they may be matched or surfaced downstream.

// ErrAWSSecretRefMissing is an error for missing AWS Secret References
// (AwsCredentialSecret lacks Name or Namespace in BYOC mode)
var ErrAWSSecretRefMissing = errors.New("AWSSecretRefMissing")

// ErrBYOCAccountIDMissing is an error for missing Account ID
// (BYOCAWSAccountID is empty in BYOC mode)
var ErrBYOCAccountIDMissing = errors.New("BYOCAccountIDMissing")

// ErrBYOCSecretRefMissing is an error for missing BYOC Secret References
// (BYOCSecretRef lacks Name or Namespace in BYOC mode)
var ErrBYOCSecretRefMissing = errors.New("BYOCSecretRefMissing")

// ErrSTSRoleARNMissing is an error for missing STS Role ARN definition in the AccountClaim
// (STSRoleARN is empty in ManualSTSMode)
var ErrSTSRoleARNMissing = errors.New("STSRoleARNMissing")
// Validate checks that the AccountClaim spec carries the fields required by
// its provisioning mode.
//
// Exactly one mode-specific check runs, chosen in this order:
//   - Spec.ManualSTSMode: validateSTS only. STS mode carries no long-lived
//     credentials in the claim, so the BYOC secret checks are skipped even
//     when Spec.BYOC is also set.
//   - Spec.BYOC: validateBYOC.
//   - otherwise (non-CCS accounts): no validation is performed and nil is
//     returned, preserving historical behaviour.
//
// Returns nil on success or one of the Err* sentinels declared in this file.
// Only presence is checked; no field is validated for format.
func (a *AccountClaim) Validate() error {
	spec := &a.Spec
	switch {
	case spec.ManualSTSMode:
		return a.validateSTS()
	case spec.BYOC:
		return a.validateBYOC()
	default:
		// Non-CCS claims are intentionally left unchecked.
		return nil
	}
}
// validateSTS checks the fields required when Spec.ManualSTSMode is set.
// Only Spec.STSRoleARN is mandatory; STSExternalID and SupportRoleARN are
// not checked here, and the ARN is only tested for presence, not parsed.
// Returns ErrSTSRoleARNMissing when the ARN is empty, nil otherwise.
func (a *AccountClaim) validateSTS() error {
	if len(a.Spec.STSRoleARN) > 0 {
		return nil
	}
	return ErrSTSRoleARNMissing
}
// validateBYOC checks the fields required when Spec.BYOC is set (and
// Spec.ManualSTSMode is not). Checks run in order and the first failure
// wins:
//  1. Spec.BYOCAWSAccountID must be non-empty           -> ErrBYOCAccountIDMissing
//  2. Spec.BYOCSecretRef needs Name and Namespace       -> ErrBYOCSecretRefMissing
//  3. Spec.AwsCredentialSecret needs Name and Namespace -> ErrAWSSecretRefMissing
//
// Only presence is verified: the account ID is not checked for the 12-digit
// form AWS uses, and the secret references are neither resolved nor
// restricted to any namespace here.
func (a *AccountClaim) validateBYOC() error {
	// A SecretRef is usable only when both halves are populated.
	refComplete := func(ref SecretRef) bool {
		return ref.Name != "" && ref.Namespace != ""
	}

	spec := &a.Spec
	switch {
	case spec.BYOCAWSAccountID == "":
		return ErrBYOCAccountIDMissing
	case !refComplete(spec.BYOCSecretRef):
		return ErrBYOCSecretRefMissing
	case !refComplete(spec.AwsCredentialSecret):
		return ErrAWSSecretRefMissing
	default:
		return nil
	}
}