Merge branch 'GoogleCloudPlatform:master' into keyhandle-beta

Makefile

@@ -138,6 +138,7 @@ generate:
 	go generate ./pkg/dcl/schema/...
 	rm -rf temp-vendor
 	go generate ./pkg/apis/...
+	make -C operator generate
 	make fmt
 
 # Build the docker images
@@ -244,7 +245,7 @@ ensure:
 
 # Should run all needed commands before any PR is sent out.
 .PHONY: ready-pr
-ready-pr: lint manifests resource-docs generate-go-client ensure
+ready-pr: lint manifests resource-docs ensure
 
 # Upgrades dcl dependencies
 .PHONY: upgrade-dcl

apis/bigqueryanalyticshub/v1alpha1/dataexchange_types.go

@@ -109,7 +109,6 @@ type BigQueryAnalyticsHubDataExchangeObservedState struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=gcp,shortName=gcpbigqueryanalyticshubdataexchange;gcpbigqueryanalyticshubdataexchanges
-// +kubebuilder:resource:categories=gcp
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="cnrm.cloud.google.com/managed-by-kcc=true";"cnrm.cloud.google.com/system=true";"cnrm.cloud.google.com/stability-level=alpha"
 // +kubebuilder:printcolumn:name="Age",JSONPath=".metadata.creationTimestamp",type="date"

apis/refs/v1beta1/secret/legacy.go

@@ -15,7 +15,15 @@
 package secret
 
 import (
+	"context"
+	"fmt"
+
 	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/k8s/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 // +kubebuilder:object:generate:=true
@@ -35,3 +43,34 @@ type LegacyValueFrom struct {
 	// +optional
 	SecretKeyRef *v1alpha1.SecretKeyRef `json:"secretKeyRef,omitempty"`
 }
+
+func NormalizedLegacySecret(ctx context.Context, r *v1alpha1.SecretKeyRef, reader client.Reader, otherNamespace string) ([]byte, error) {
+	if r == nil {
+		return nil, nil
+	}
+	if r.Name == "" {
+		return nil, fmt.Errorf("Secret `name` is required ")
+	}
+	nn := types.NamespacedName{
+		Namespace: otherNamespace,
+		Name:      r.Name,
+	}
+
+	secret := &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "Secret",
+		},
+	}
+	if err := reader.Get(ctx, nn, secret); err != nil {
+		if apierrors.IsNotFound(err) {
+			return nil, fmt.Errorf("referenced Secret %v not found", nn)
+		}
+		return nil, fmt.Errorf("error reading referenced Secret %v: %w", nn, err)
+	}
+	data, ok := secret.Data[r.Key]
+	if !ok {
+		return nil, fmt.Errorf("%s not found in Secret %s", r.Key, r.Name)
+	}
+	return data, nil
+}

apis/secretmanager/v1beta1/secretversion_identity.go

@@ -0,0 +1,114 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1beta1
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/GoogleCloudPlatform/k8s-config-connector/apis/common"
+	refsv1beta1 "github.com/GoogleCloudPlatform/k8s-config-connector/apis/refs/v1beta1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type SecretVersionIdentity struct {
+	id                      string
+	parent                  *SecretVersionParent
+	serviceGeneratedIDKnown *bool
+}
+
+// HasKnownID tells whether Config Connector knows the resource identity.
+// If not, Config Connector saves one GCP GET call, and starts the CREATE call directly.
+// This is mostly for GCP services that do not allow user to specify ID, but assign an ID when creating the object.
+func (i *SecretVersionIdentity) HasKnownID() bool {
+	return *i.serviceGeneratedIDKnown
+}
+
+func (i *SecretVersionIdentity) String() string {
+	return i.parent.String() + "/versions/" + i.id
+}
+
+func (r *SecretVersionIdentity) Parent() *SecretVersionParent {
+	return r.parent
+}
+
+func (r *SecretVersionIdentity) ID() string {
+	return r.id
+}
+
+type SecretVersionParent struct {
+	ProjectID string
+	SecretID  string
+}
+
+func (p *SecretVersionParent) String() string {
+	return "projects/" + p.ProjectID + "/secrets/" + p.SecretID
+}
+
+func NewSecretVersionIdentity(ctx context.Context, reader client.Reader, obj *SecretManagerSecretVersion, u *unstructured.Unstructured) (*SecretVersionIdentity, error) {
+	// Get Parent
+	projectID, err := refsv1beta1.ResolveProjectID(ctx, reader, u)
+	if err != nil {
+		return nil, err
+	}
+	secretExternal, err := obj.Spec.SecretRef.NormalizedExternal(ctx, reader, obj.GetNamespace())
+	if err != nil {
+		return nil, err
+	}
+	secretIdentity, err := ParseSecretExternal(secretExternal)
+	if err != nil {
+		return nil, err
+	}
+	secretID := secretIdentity.ID()
+
+	// If `spec.resourceID` is not empty, it means user wants to acquire the object.
+	desiredVersionID := common.ValueOf(obj.Spec.ResourceID)
+
+	externalRef := common.ValueOf(obj.Status.ExternalRef)
+	if externalRef != "" {
+		actualIdentity, err := ParseSecretVersionExternal(externalRef)
+		if err != nil {
+			return nil, err
+		}
+		if actualIdentity.parent.ProjectID != projectID {
+			return nil, fmt.Errorf("spec.projectRef changed, expect %s, got %s", actualIdentity.parent.ProjectID, projectID)
+		}
+		if actualIdentity.parent.SecretID != secretID {
+			return nil, fmt.Errorf("spec.projectRef changed, expect %s, got %s", actualIdentity.parent.ProjectID, projectID)
+		}
+		if desiredVersionID != "" && actualIdentity.id != desiredVersionID {
+			return nil, fmt.Errorf("cannot reset `metadata.name` or `spec.resourceID` to %s, since it has already assigned to %s",
+				desiredVersionID, actualIdentity.id)
+		}
+		desiredVersionID = actualIdentity.id
+	}
+
+	known := false
+	if externalRef != "" {
+		known = true
+	}
+	if desiredVersionID != "" {
+		known = true
+	}
+	return &SecretVersionIdentity{
+		parent: &SecretVersionParent{
+			ProjectID: projectID,
+			SecretID:  secretID,
+		},
+		id:                      desiredVersionID,
+		serviceGeneratedIDKnown: &known,
+	}, nil
+}

apis/secretmanager/v1beta1/secretversion_reference.go

@@ -83,7 +83,7 @@ func (r *SecretVersionRef) NormalizedExternal(ctx context.Context, reader client
 	return r.External, nil
 }
 
-func ParseSecretVersionExternal(external string) (*SecretIdentity, error) {
+func ParseSecretVersionExternal(external string) (*SecretVersionIdentity, error) {
 	if external == "" {
 		return nil, fmt.Errorf("missing external value")
 	}
@@ -92,8 +92,8 @@ func ParseSecretVersionExternal(external string) (*SecretIdentity, error) {
 	if len(tokens) != 6 || tokens[0] != "projects" || tokens[2] != "secrets" || tokens[4] != "versions" {
 		return nil, fmt.Errorf("format of SecretManagerSecretVersion external=%q was not known (use projects/<projectId>/secrets/<secretID>/versions/<versionID>)", external)
 	}
-	return &SecretIdentity{
-		parent: &SecretParent{ProjectID: tokens[1]},
-		id:     tokens[3],
+	return &SecretVersionIdentity{
+		parent: &SecretVersionParent{ProjectID: tokens[1], SecretID: tokens[3]},
+		id:     tokens[5],
 	}, nil
 }

apis/secretmanager/v1beta1/secretversion_types.go

@@ -28,24 +28,35 @@ type SecretManagerSecretVersionSpec struct {
 	// The resource name of the [Secret][google.cloud.secretmanager.v1.Secret] to create a [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] for.
 	SecretRef *SecretRef `json:"secretRef,omitempty"`
 
-	// Immutable. The SecretVersion name. If not given, the metadata.name will be used.
+	// The SecretVersion number. If given, Config Connector acquires the resource from the Secret Manager service.
+	// If not given, Config Connector adds a new secret version to the GCP service, and you can find out the version number
+	// from `status.observedState.version`
 	ResourceID *string `json:"resourceID,omitempty"`
 
-	// TODO: Below fields are legacy KCC API. We should mark as deprecated once switch to use SciFi controller.
+	// Should enable or disable the current SecretVersion.
+	// - Enabled version can be accessed and described.
+	// - Disabled version cannot be accessed, but the secret's contents still exist
+	Enabled *bool `json:"enabled,omitempty"`
+
+	// The actual secret data. Config Connector supports secret data stored in Kubernetes secret or plain data (base64)
+	SecretData *SecretData_OneOf `json:"secretData,omitempty"`
 
+	// DEPRECATED. You do not need to set this field in direct reconciler mode. Use delete-policy annotation instead. https://cloud.google.com/config-connector/docs/how-to/managing-deleting-resources#keeping_resources_after_deletion
 	// The deletion policy for the secret version. Setting 'ABANDON' allows the resource
 	// to be abandoned rather than deleted. Setting 'DISABLE' allows the resource to be
 	// disabled rather than deleted. Default is 'DELETE'. Possible values are:
 	// * DELETE
 	// * DISABLE
 	// * ABANDON.
 	DeletionPolicy *string `json:"deletionPolicy,omitempty"`
-	// The current state of the SecretVersion.
-	Enabled *bool `json:"enabled,omitempty"`
-	// Immutable. If set to 'true', the secret data is expected to be base64-encoded string and would be sent as is.
+
+	// DEPRECATED. You do not need to set this field in direct reconciler mode.
 	IsSecretDataBase64 *bool `json:"isSecretDataBase64,omitempty"`
-	// Immutable. The secret data. Must be no larger than 64KiB.
-	SecretData *refsv1beta1secret.Legacy `json:"secretData,omitempty"`
+}
+
+type SecretData_OneOf struct {
+	*refsv1beta1secret.Legacy `json:",inline"`
+	// TODO: support getting secret data from other places.
 }
 
 // SecretManagerSecretVersionStatus defines the config connector machine state of SecretManagerSecretVersion
@@ -57,43 +68,28 @@ type SecretManagerSecretVersionStatus struct {
 	// ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.
 	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
 
-	/*NOTYET
 	// A unique specifier for the SecretManagerSecretVersion resource in GCP.
 	ExternalRef *string `json:"externalRef,omitempty"`
 
 	// ObservedState is the state of the resource as most recently observed in GCP.
 	ObservedState *SecretManagerSecretVersionObservedState `json:"observedState,omitempty"`
-	*/
 
-	// Note: Below fields should be under status.observedState. To keep it here to make the resource backward compatible.
-
-	// Output only. The time at which the
-	// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] was created.
+	// DEPRECATING NOTE: Please use status.observedState.createTime instead.
 	CreateTime *string `json:"createTime,omitempty" tf:"create_time,omitempty"`
 
-	// Output only. The time this
-	// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] was destroyed.
-	// Only present if
-	// [state][google.cloud.secretmanager.v1.SecretVersion.state] is
-	// [DESTROYED][google.cloud.secretmanager.v1.SecretVersion.State.DESTROYED].
+	// DEPRECATING NOTE: Please use status.observedState.destroyTime instead.
 	DestroyTime *string `json:"destroyTime,omitempty" tf:"destroy_time,omitempty"`
 
-	// Output only. The resource name of the
-	// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the
-	// format `projects/*/secrets/*/versions/*`.
-	//
-	// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] IDs in a
-	// [Secret][google.cloud.secretmanager.v1.Secret] start at 1 and are
-	// incremented for each subsequent version of the secret.
+	// DEPRECATING NOTE: Please use status.observedState.name instead.
 	Name *string `json:"name,omitempty"`
 
-	// The version of the Secret.
+	// DEPRECATED.
 	Version *string `json:"version,omitempty"`
 }
 
-// SecretManagerSecretVersionObservedState is the state of the SecretManagerSecretVersion resource as most recently observed in GCP.
+// SecretManagerSecretVersionObserved is the state of the SecretManagerSecretVersion resource as most recently observed in GCP.
 // +kcc:proto=google.cloud.secretmanager.v1.SecretVersion
-type SecretManagerSecretVersionObservation struct {
+type SecretManagerSecretVersionObservedState struct {
 	// Output only. The time at which the
 	// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] was created.
 	CreateTime *string `json:"createTime,omitempty" tf:"create_time,omitempty"`